You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
DocGuard is a local CLI tool that runs entirely on the user's machine. It reads project files from the filesystem and produces terminal output. It operates fully offline, requires zero authentication, and is credential-free.
Authentication
Method
Provider
Scope
None required
N/A
DocGuard is a local-only CLI tool. Runs without auth.
DocGuard operates purely on the local filesystem. All processing stays on-machine — fully isolated from servers, APIs, and cloud services.
Authorization
Role
Permissions
Notes
User (local machine)
Full access — read/write project files
DocGuard runs with the permissions of the user invoking it
CI Pipeline
Read-only (guard, score, ci commands)
CI typically only runs validation, not init/generate
AI Agent
Depends on AI agent permissions
AI agents run DocGuard via terminal — they inherit the user's or CI's permissions
DocGuard uses a simple permission model: it inherits filesystem permissions from the calling process.
Secrets Management
Secret
Storage
Used By
Notes
None
N/A
N/A
DocGuard requires no API keys, tokens, or credentials
DocGuard Security Posture
Treats .env files as project artifacts only (checks their existence for your project, never reads values)
Operates 100% offline — zero HTTP requests to any API
Writes only within the project directory — all output stays local
Runs with standard user permissions — elevated access is unnecessary
Security Boundaries
Boundary
Trusted
Untrusted
File reads
Project files within projectDir
DocGuard only reads files within the project directory and its own templates
File writes
docguard init, docguard generate, docguard hooks
Only writes to docs-canonical/, root docs, .docguard.json, .git/hooks/
Child processes
git log, git diff (freshness validator)
Only executes git commands with safe, read-only flags
User input
CLI arguments parsed by the entry point
All input is sanitized before use in child processes
Command Safety Levels
Command
Reads Files
Writes Files
Runs Git
Risk
audit
✅
❌
❌
None
guard
✅
❌
✅ (read-only)
None
score
✅
❌
❌
None
diff
✅
❌
✅ (read-only)
None
fix
✅
❌
❌
None
ci
✅
❌
✅ (read-only)
None
badge
✅
❌
❌
None
init
✅
✅ Creates docs
❌
Low — creates new files only, never overwrites
generate
✅
✅ Creates docs
❌
Low — creates new files only, never overwrites
hooks
✅
✅ Writes .git/hooks/
❌
Low — writes executable git hooks
Supply Chain
Category
Status
npm dependencies
Zero — DocGuard has no node_modules
Runtime dependencies
Node.js ≥ 18, git (optional, for freshness checks)
Transitive dependencies
None
Known vulnerabilities
None — no dependency tree to audit
The zero-dependency architecture is a deliberate security decision: zero supply chain = zero supply chain attack surface.
.gitignore Audit
DocGuard's own .gitignore excludes:
Pattern
Purpose
node_modules/
npm packages (dev dependencies only — test runner)
.env
Environment files (not used, but excluded as best practice)
Security Rules Checklist
Code is credential-free
.env files are excluded from version control
All secrets are environment-variable-based
CLI operates 100% offline
All user input is sanitized before exec()
File writes are opt-in only (init, generate, hooks commands)
Git commands are read-only (git log, git diff)
Zero npm dependencies eliminates supply chain risk