
Nightward

Find AI-tool risks before you sync.

Scan agent configs, MCP servers, and dotfiles for secrets, broad local access, and machine-only state. Local by default. Review-first by design.


Start now

Run a local AI-tool audit in one command.

No account, no telemetry, no default network calls, and no config mutation.

Start with a read-only scan:

    npx @jsonbored/nightward scan

Prefer a persistent CLI? Use npm, GitHub Releases, or a source build, then run nw.

Pick A Path

  • Before syncing dotfiles: classify what belongs in a private repo and what should stay machine-local.
  • Audit an MCP-heavy workstation: review command execution, broad filesystem access, local endpoints, and credential exposure.
  • Run in CI: fail a workflow on policy violations and upload SARIF to code scanning.
  • Use Raycast: keep a menu-bar status surface and jump into findings without opening a terminal.
  • Use MCP: expose local Nightward context to Claude, Cursor, Codex, Antigravity, Windsurf, and other MCP clients without giving them write tools.
  • Verify a release: check signatures, checksums, npm provenance, and install behavior.

Real Fixture Output

The sample report below is generated from the committed testdata/homes/policy fixture home. Hostname, HOME, local paths, timestamps, and secret-looking fixture values are scrubbed before publication.

Scrubbed Nightward HTML report showing fixture MCP findings

Sample scan JSON · Static HTML report · OpenTUI gallery · OpenTUI GIF · Provider reference · Output surfaces

Terminal review flow

Move from posture to evidence without leaving the terminal.

The loop uses the scrubbed fixture report: overview, findings, offline analysis, plan-only fixes, inventory, backup choices, and safety reminders.

Nightward OpenTUI dashboard from scrubbed fixture output

What Nightward Checks

Area | What you get
Inventory | Portable, machine-local, secret-auth, runtime-cache, app-owned, and unknown state across HOME or a workspace.
MCP security | Findings for unpinned package executors, shell wrappers, broad filesystem mounts, sensitive env/header exposure, local endpoints, token paths, symlinks, parse failures, and unknown server shapes.
Report history | Compare scan JSON files, inspect latest-report status, render filterable diff-aware HTML, and generate a static local report index.
Policy and CI | Reason-required ignores, policy badges, SARIF output, GitHub Action mode, and Trunk plugin support.
Providers | Local Gitleaks, TruffleHog, and Semgrep; online-gated Trivy, OSV-Scanner, and remote Socket scan creation.
MCP server | Read-only stdio tools/resources for local AI clients; no network listener, no mutation tools, and no online providers in v1.
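To make the MCP security row concrete, here is an added Python illustration (not Nightward's own code, which ships as a Rust binary) that reads the `mcpServers` config shape used by common MCP clients and flags four of the finding classes listed above: unpinned package executors, shell wrappers, broad filesystem mounts, and sensitive env exposure. The server names, paths and env values in the sample are constructed; the executor, shell and root lists are heuristic assumptions, not Nightward's rules.

```python
import json
import re

# Constructed sample MCP client config in the mcpServers shape; every server
# name and value here is made up for this illustration.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "files": {"command": "npx", "args": ["-y", "@example/fs-server", "/"]},
        "pinned": {"command": "npx", "args": ["-y", "@example/fs-server@1.4.2", "/home/me/project"]},
        "wrapped": {"command": "sh", "args": ["-c", "exec some-server --port 3000"]},
        "api": {"command": "node", "args": ["server.js"], "env": {"GITHUB_TOKEN": "ghp_PLACEHOLDER"}},
    }
})

# Heuristic lists (assumptions for this example, not Nightward's policy).
SHELLS = {"sh", "bash", "zsh", "cmd", "cmd.exe", "powershell", "pwsh"}
PACKAGE_EXECUTORS = {"npx", "uvx", "pipx", "bunx"}
BROAD_ROOTS = {"/", "~", "$HOME", "/home", "/Users", "C:\\", "C:/"}
SENSITIVE_ENV = re.compile(r"(TOKEN|SECRET|PASSWORD|API_?KEY|PRIVATE_KEY)", re.I)

def _is_unpinned(package: str) -> bool:
    # "@scope/name@1.2.3" or "name@1.2.3" carries a version; a bare name does not.
    name = package[1:] if package.startswith("@") else package
    return "@" not in name

def audit_mcp_config(raw: str) -> list[tuple[str, str]]:
    """Return (server, finding) pairs for the risk classes checked here."""
    findings = []
    for name, spec in json.loads(raw).get("mcpServers", {}).items():
        cmd = spec.get("command", "")
        args = spec.get("args", [])
        if cmd in PACKAGE_EXECUTORS:
            # First non-flag argument is the package the executor will fetch and run.
            pkgs = [a for a in args if not a.startswith("-")]
            if pkgs and _is_unpinned(pkgs[0]):
                findings.append((name, "unpinned-package-executor"))
        if cmd in SHELLS and any(a in ("-c", "/c", "-Command") for a in args):
            findings.append((name, "shell-wrapper"))
        if any(a in BROAD_ROOTS or a.rstrip("/") in BROAD_ROOTS for a in args):
            findings.append((name, "broad-filesystem-mount"))
        for key in spec.get("env", {}):
            if SENSITIVE_ENV.search(key):
                findings.append((name, f"sensitive-env:{key}"))
    return findings

if __name__ == "__main__":
    for server, finding in audit_mcp_config(SAMPLE_CONFIG):
        print(f"{server}: {finding}")
```

Running it against the sample flags the `files`, `wrapped` and `api` servers and leaves the version-pinned, project-scoped `pinned` server clean.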

Trust Posture

Nightward ships through signed GitHub Releases and a no-postinstall npm launcher that verifies GitHub Release checksums before running a cached Rust binary. The project keeps OpenSSF evidence in-repo, runs CodeQL/Scorecard/Gitleaks/OSV/Clippy, and keeps online-capable providers blocked until explicitly enabled.

Nightward does not copy secrets, push to Git, restore configs, sync machines, or apply live mutations in v1.

Local-first. No telemetry. No default network calls. No live config mutation.