# Takumi Guard PyPI Support Released

Takumi Guard now supports **PyPI** alongside npm.

Python projects using **pip**, **uv**, or **poetry** can now route installs through Takumi Guard to block known-malicious packages before they reach your CI or development environment.

## Overview

Takumi Guard is a security proxy that sits between your package manager and the upstream registry. It checks every install request against a real-time threat database and blocks known-malicious packages.

With this release, the same protection that npm users have is now available for the Python ecosystem:

- **Package Blocking**: Malicious PyPI packages are blocked before any code executes
- **Download Tracking**: Records install history for authenticated users
- **[Breach Notifications](/docs/t/guard/features/breach-notifications)**: Get notified if a package you installed is later flagged as malicious
- **[Version-Level Blocking](/docs/t/guard/features/package-blocking)**: Block specific compromised versions while allowing safe versions through
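The following block is an added illustration of how version-level blocking can work at the index layer; it is not Takumi Guard's code and makes no claim about its internals. A PEP 503 "simple" page lists one anchor per artifact, so a proxy that rewrites that page can withhold a compromised release while every other release of the same project stays installable: the resolver simply never sees the blocked wheel or sdist, and a pin on the blocked version fails to resolve. The project name `example-pkg`, the blocked version, the host `files.example.test` and the `SAMPLE_PAGE` contents are all constructed for the example.

```python
"""Illustrative model of version-level blocking at a PEP 503 "simple" index."""
import re
from typing import List, Optional, Tuple

# Constructed blocklist of (normalized project name, version) pairs.
# "example-pkg" and its version are hypothetical.
BLOCKED_VERSIONS = {("example-pkg", "1.2.3")}

# One PEP 503 anchor: <a href="...">filename</a>; the link text is the filename.
_ANCHOR_RE = re.compile(r"<a\b[^>]*>(?P<filename>[^<]+)</a>", re.IGNORECASE)
_SDIST_EXTENSIONS = (".tar.gz", ".tar.bz2", ".zip")


def normalize(name: str) -> str:
    """PEP 503 name normalization: runs of '-', '_' and '.' become '-', lowercased."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_filename(filename: str) -> Optional[Tuple[str, str]]:
    """Return (normalized name, version) for a wheel or sdist filename, else None."""
    if filename.endswith(".whl"):
        # {distribution}-{version}(-{build})?-{python}-{abi}-{platform}.whl
        parts = filename[: -len(".whl")].split("-")
        if len(parts) < 5:
            return None
        return normalize(parts[0]), parts[1]
    for ext in _SDIST_EXTENSIONS:
        if filename.endswith(ext):
            # {name}-{version}: the version is the last '-'-separated field that
            # starts with a digit, so hyphenated project names still parse.
            m = re.match(r"^(?P<name>.+)-(?P<version>\d[^-]*)$", filename[: -len(ext)])
            if m is None:
                return None
            return normalize(m.group("name")), m.group("version")
    return None


def filter_simple_page(project: str, page: str) -> Tuple[str, List[str]]:
    """Rewrite a project's simple-index page, withholding blocked artifacts.

    Returns (filtered_page, withheld_filenames). The policy fails closed: a file
    whose name cannot be parsed, or that names a different project, cannot be
    checked against the blocklist and is withheld as well.
    """
    project = normalize(project)
    withheld: List[str] = []

    def decide(match):
        filename = match.group("filename").strip()
        parsed = parse_filename(filename)
        if parsed is not None and parsed[0] == project and parsed not in BLOCKED_VERSIONS:
            return match.group(0)  # safe: pass the anchor through unchanged
        withheld.append(filename)
        return ""

    return _ANCHOR_RE.sub(decide, page), withheld


# Constructed upstream page for the hypothetical project; the hashes are dummies.
SAMPLE_PAGE = """<!DOCTYPE html>
<html><body>
<a href="https://files.example.test/example_pkg-1.2.2-py3-none-any.whl#sha256=aaaa">example_pkg-1.2.2-py3-none-any.whl</a><br/>
<a href="https://files.example.test/example-pkg-1.2.3.tar.gz#sha256=bbbb">example-pkg-1.2.3.tar.gz</a><br/>
<a href="https://files.example.test/example_pkg-1.2.3-py3-none-any.whl#sha256=cccc">example_pkg-1.2.3-py3-none-any.whl</a><br/>
<a href="https://files.example.test/example_pkg-1.2.4-py3-none-any.whl#sha256=dddd">example_pkg-1.2.4-py3-none-any.whl</a><br/>
</body></html>
"""

if __name__ == "__main__":
    filtered, gone = filter_simple_page("Example.Pkg", SAMPLE_PAGE)
    print("withheld:", gone)
    print(filtered)
```

Both the sdist and the wheel of 1.2.3 disappear from the listing while 1.2.2 and 1.2.4 remain, which is what lets a resolver settle on a safe release instead of failing outright. Note that this only protects clients whose sole index is the proxy; an extra index pointing at the upstream registry would hand the resolver the withheld links again.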

## Getting Started

### pip / uv

Add the following to your shell profile (`.bashrc`, `.zshrc`, etc.):

```bash
# pip
export PIP_INDEX_URL=https://pypi.flatt.tech/simple/

# uv (does not read PIP_INDEX_URL; newer uv releases call this setting
# UV_DEFAULT_INDEX and keep UV_INDEX_URL as a deprecated alias)
export UV_INDEX_URL=https://pypi.flatt.tech/simple/
```

Or configure it in `pip.conf` (`~/.config/pip/pip.conf` on Linux/macOS, `%APPDATA%\pip\pip.ini` on Windows). Set `index-url`, not `extra-index-url`: pip searches extra indexes alongside the primary one, so an extra index pointing at pypi.org would let an install bypass the proxy.

```ini
[global]
index-url = https://pypi.flatt.tech/simple/
```

For a one-time install without changing your environment:

```bash
pip install --index-url https://pypi.flatt.tech/simple/ <package>
```
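A proxy only protects installs that cannot reach any other registry, so the check worth running before `pip install` in CI is that the environment names the proxy and nothing else. The block below is an added example, not part of Takumi Guard: it inspects the variables pip and uv read (`PIP_INDEX_URL`, `UV_DEFAULT_INDEX` and its deprecated alias `UV_INDEX_URL` for the primary index; `PIP_EXTRA_INDEX_URL`, `UV_INDEX` and `UV_EXTRA_INDEX_URL` for additional indexes) and reports anything that would let a resolver bypass the proxy. The function name `audit_index_env` and the sample environments are the example's own.

```python
"""Preflight check that pip and uv will resolve only through the Takumi Guard index."""
from typing import Dict, List
from urllib.parse import urlsplit

# Host the proxy is served from, taken from the setup instructions above.
PROXY_HOST = "pypi.flatt.tech"

# Variables that replace the default index (uv's UV_INDEX_URL is the deprecated
# alias of UV_DEFAULT_INDEX; both are honoured).
PRIMARY_VARS = ("PIP_INDEX_URL", "UV_DEFAULT_INDEX", "UV_INDEX_URL")
# Variables that ADD indexes searched alongside the primary one; any value here
# lets the resolver fetch from a registry other than the proxy.
EXTRA_VARS = ("PIP_EXTRA_INDEX_URL", "UV_INDEX", "UV_EXTRA_INDEX_URL")


def _hosts(value: str) -> List[str]:
    """Hostnames of the (space-separated) URLs in a variable; userinfo is ignored."""
    return [urlsplit(url).hostname or "" for url in value.split()]


def audit_index_env(env: Dict[str, str], proxy_host: str = PROXY_HOST) -> List[str]:
    """Return findings that would let an install bypass the proxy; [] means proxy-only."""
    findings: List[str] = []

    for var in EXTRA_VARS:
        if env.get(var):
            findings.append(f"{var} adds extra index(es) {_hosts(env[var])}; remove it")

    primary_set = False
    for var in PRIMARY_VARS:
        value = env.get(var)
        if not value:
            continue
        primary_set = True
        for url in value.split():
            parts = urlsplit(url)
            if parts.hostname != proxy_host:
                findings.append(f"{var} points at {parts.hostname!r}, not {proxy_host!r}")
            if parts.scheme != "https":
                findings.append(f"{var} is not https; an on-path attacker could swap the index")

    if not primary_set:
        findings.append("no PIP_INDEX_URL / UV_DEFAULT_INDEX set; installs would use the default registry")

    return findings


if __name__ == "__main__":
    import os

    # Run against the real environment, e.g. as a CI step before pip install.
    for line in audit_index_env(dict(os.environ)) or ["ok: proxy-only"]:
        print(line)
```

Credentials embedded in the URL (the `token:tg_anon_...@` form used for breach notifications) do not affect the hostname check, so an authenticated index URL still passes. Config files (`pip.conf`, `uv.toml`, `pyproject.toml`) can set the same options and are not inspected here.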

### poetry

Add Takumi Guard as the primary source, then confirm the result with `poetry source show`:

```bash
poetry source add --priority=primary takumi-guard https://pypi.flatt.tech/simple/
```

### GitHub Actions

Add one line to your workflow:

```yaml
steps:
  - uses: actions/checkout@v4
  - uses: flatt-security/setup-takumi-guard-pypi@v1
  - run: pip install -r requirements.txt
```

For full setup options including authentication and breach notifications, see the [PyPI quickstart guide](/docs/t/guard/quickstart/pypi).

### Email Registration (Breach Notifications)

Register your email to receive notifications if a package you installed is later found to be malicious. No account required, free of charge.

**Step 1:** Register your email

```bash
curl -X POST https://pypi.flatt.tech/api/v1/tokens \
  -H "Content-Type: application/json" \
  -d '{"email": "you@example.com"}'
```

**Step 2:** Click the verification link in the email. You will see a page with your API key and setup instructions.

**Step 3:** Configure your package manager with your token. The token is a credential: keep it out of committed files and CI logs (in GitHub Actions, store it as a repository secret rather than in the workflow file).

```bash
export PIP_INDEX_URL=https://token:tg_anon_xxxxxx@pypi.flatt.tech/simple/

# If you use uv, also add:
export UV_INDEX_URL=https://token:tg_anon_xxxxxx@pypi.flatt.tech/simple/
```

Your installs are now tracked, and you will be notified if a downloaded package is later flagged.

## Supported Package Managers

| Package Manager | Supported      |
| --------------- | -------------- |
| pip             | Yes            |
| uv              | Yes            |
| poetry          | Yes            |
| npm             | Yes (existing) |
| pnpm            | Yes (existing) |
| yarn            | Yes (existing) |
