
Quickstart


The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.

Takumi Guard protects your development environment by blocking malicious packages before they reach your machine. It works as a transparent proxy for npm and PyPI — no code changes required, just a one-time registry configuration.

Choose Your Setup Level

Takumi Guard offers three levels of access. Pick the one that fits your needs:

  • Anonymous: malicious package blocking. Requires: the registry URL only.
  • Email-Verified: blocking, download tracking and breach notifications. Requires: email registration (free).
  • Organization: everything above plus team-wide visibility. Requires: a Shisho Cloud account and GitHub Actions.

Most individual developers should start with email-verified access — it takes under a minute and unlocks breach notifications at no cost.

One Token, All Ecosystems

When you register with your email, you receive a single API key (e.g., tg_anon_abc123…). This key works across all Takumi Guard ecosystems:

  • npm — npm, pnpm, yarn, bun
  • PyPI — pip, uv, poetry

You only need to register once. Use the same token to configure as many package managers as you need. If you already set up npm and want to add PyPI (or vice versa), you do not need to register again — just configure the additional package manager with the same key.

Already registered via npm and want to add PyPI?

Skip registration and go straight to the PyPI setup guide — use the same API key you already have. If you need to find your existing key, see Finding Your Token.

Ecosystem Setup Guides

Follow the guide for each ecosystem you want to protect:

npm

Covers npm, pnpm, yarn, and bun. Includes local development, .npmrc configuration, and GitHub Actions setup.

Set up npm →

PyPI

Covers pip, uv, and poetry. Includes local development, environment variable configuration, and GitHub Actions setup.

Set up PyPI →

Quick Reference

Already have your token? Here are the one-line commands for each package manager:

npm ecosystem

# npm / pnpm
npm config set registry https://npm.flatt.tech/
npm config set //npm.flatt.tech/:_authToken tg_anon_YOUR_TOKEN
# yarn (v2+) — add to .yarnrc.yml
npmRegistryServer: "https://npm.flatt.tech/"
npmAuthToken: "tg_anon_YOUR_TOKEN"
# bun — add to bunfig.toml
[install]
registry = { url = "https://npm.flatt.tech/", token = "tg_anon_YOUR_TOKEN" }

PyPI ecosystem

# pip (persists to disk)
pip config set global.index-url https://token:tg_anon_YOUR_TOKEN@pypi.flatt.tech/simple/

# uv — add to shell profile (uv does not read pip config)
export UV_INDEX_URL=https://token:tg_anon_YOUR_TOKEN@pypi.flatt.tech/simple/
# poetry
poetry source add --priority=primary takumi-guard https://pypi.flatt.tech/simple/
poetry config http-basic.takumi-guard token tg_anon_YOUR_TOKEN

Verify Your Setup

After configuring any package manager, test that Takumi Guard is working by attempting to install a known blocked package:

npm install @panda-guard/test-malicious

If Takumi Guard is configured correctly, the install will fail with a 403 Forbidden error.
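Before running the live probe, it is worth confirming offline that the configuration each tool will actually use points at the proxy hosts from this page rather than at a default registry left behind in a project-level .npmrc or an environment variable. The following checks are an added example, not code from the Takumi Guard documentation; the only facts assumed from the page are the two proxy hosts and the tg_anon_ token prefix, and the sample values are constructed.

```python
# Added example (not from the Takumi Guard docs): offline checks that a
# pip/uv/poetry index URL and an .npmrc really point at the proxy hosts
# named on this page, before running the live blocked-package probe.
from urllib.parse import urlsplit, urlunsplit

NPM_HOST = "npm.flatt.tech"
PYPI_HOST = "pypi.flatt.tech"
TOKEN_PREFIX = "tg_anon_"


def check_pypi_index_url(url: str) -> list[str]:
    """Return problems with a pip/uv/poetry index URL (empty list means OK)."""
    p = urlsplit(url)
    problems = []
    if p.scheme != "https":
        problems.append(f"scheme {p.scheme!r} is not https")
    if p.hostname != PYPI_HOST:
        problems.append(f"host {p.hostname!r} is not {PYPI_HOST} (proxy bypassed)")
    if p.username != "token" or not (p.password or "").startswith(TOKEN_PREFIX):
        problems.append("credentials are not token:tg_anon_...")
    if not p.path.endswith("/simple/"):
        problems.append(f"path {p.path!r} does not end with /simple/")
    return problems


def check_npmrc(text: str) -> list[str]:
    """Return problems with .npmrc contents: registry line plus its auth token."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", ";")) and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    problems = []
    if cfg.get("registry") != f"https://{NPM_HOST}/":
        problems.append(f"registry is {cfg.get('registry')!r}, expected https://{NPM_HOST}/")
    if not cfg.get(f"//{NPM_HOST}/:_authToken", "").startswith(TOKEN_PREFIX):
        problems.append(f"//{NPM_HOST}/:_authToken is missing or not a tg_anon_ token")
    return problems


def redact(url: str) -> str:
    """Replace an embedded password with *** so the URL is safe to log."""
    p = urlsplit(url)
    if p.password is None:
        return url
    netloc = f"{p.username}:***@{p.hostname}" + (f":{p.port}" if p.port else "")
    return urlunsplit((p.scheme, netloc, p.path, p.query, p.fragment))
```

Feed `check_pypi_index_url` the value of `pip config get global.index-url` or `$UV_INDEX_URL`, and `check_npmrc` the contents of every .npmrc npm will read (user and project level); log URLs only through `redact` so the token never lands in CI output.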

Next Steps