Quickstart

The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.

Takumi Guard protects your development environment by blocking malicious packages before they reach your machine. It works as a transparent proxy, with no code changes required — just a one-time registry configuration.

Choose Your Usage Tier

Takumi Guard offers four usage tiers. Pick the one that fits your scenario, scope of operation, and budget.

Tier                          Price   Requirements
Anonymous                     Free    Registry URL configuration only
Anonymous (email-verified)    Free    Email registration (tg_anon_ token issued)
Organization                  Paid    A Shisho Cloud organization + a Guard-enabled base subscription + tg_org_ token
Organization (GitHub Action)  Free    A Shisho Cloud organization + the flatt-security/setup-takumi-guard-* Action (GitHub Actions OIDC)

Each tier is described below, along with when it is recommended.

Anonymous

The minimal configuration — just point your registry URL at Takumi Guard, and malicious-package installs are blocked. No Shisho Cloud account or email registration is required, and it is completely free.

This tier is a good fit if you:

  • Do individual development and only want to block malicious-package installs for now.
  • Want to validate Takumi Guard's behavior on a test machine before rolling it out to your work environment.

Note that this tier provides no install tracking and no breach notifications for packages you have already downloaded. If you need those, choose the Anonymous (email-verified) tier or higher.

Anonymous (email-verified)

Register an email address and use the issued tg_anon_ token. In addition to the blocking provided by the anonymous tier, you get install tracking tied to your registered email and personal breach notifications (via email). No Shisho Cloud account is required, and it is still free.

This tier is a good fit if you:

  • Are an individual developer (this is the recommended tier for personal use).
  • Want to be notified if a package you previously downloaded on your own development machine is later found to be malicious.

Note that install history and notifications are tied to your registered email address, so install history cannot be aggregated at the team or organization level.

Organization

Use a tg_org_ token issued from your Shisho Cloud organization. You can track installs across the entire organization, receive organization-level breach notifications (Slack, webhooks, etc.), and manage tokens and users from the Shisho Cloud console. Using this tier requires a Guard-enabled base subscription.

This tier is a good fit if you:

  • Want to centrally manage the machines of developers across your company from a single console.
  • Want to aggregate install-history reports and breach notifications at the organization level.
  • Want to combine Takumi Guard with automated machine provisioning (MDM, etc.) — see Admin Deployment.

Getting started follows the steps below. You need a Shisho Cloud organization with an active base subscription attached.

  1. Enable Guard in the Shisho Cloud console — open the Guard section and toggle the feature on.
    Enabling the feature does not incur any immediate additional charge. The paid portion of Guard is billed as metered usage based on packages fetched via the tokens you issue. See Guard Pricing for the full pricing model.

  2. Issue an org user token (tg_org_) — go to Guard > Tokens to issue one. See Token Management for details on issuing and managing tokens.
  3. Configure each machine / CI — use the issued token to configure your package manager as described in Setting Up Each Machine below.

Organization (GitHub Action)

Connect your Shisho Cloud organization to GitHub Actions OIDC and use the flatt-security/setup-takumi-guard-* Action to obtain short-lived tokens. You do not need to keep long-lived secrets in your CI environment — a fresh short-lived token is issued for every job run.

This tier is a good fit if you:

  • Want to use Takumi Guard from a GitHub Actions CI workflow.
  • Do not want to store long-lived tokens in Secrets.
  • Want to combine this with the Organization tier (tg_org_ tokens on developer machines and OIDC on CI).

Note that CI platforms other than GitHub Actions (e.g. CircleCI) cannot directly use this OIDC integration. From CircleCI and similar systems, pass a tg_org_ token issued by your organization via Secrets instead.
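The following is an added example, not code from Flatt Security or the Takumi Guard project, showing a fail-closed pre-flight check for the pattern just described: a non-GitHub CI job that receives an organization token through its secret store. It assumes the secret is exposed to the job as the environment variable TAKUMI_GUARD_TOKEN (a name chosen for this example) and relies only on the token prefixes described on this page (tg_org_ for organization tokens, tg_anon_ for email-verified personal tokens). It never prints the token itself, so it is safe to run even where CI log masking is not configured.

```shell
#!/bin/sh
# Added example (not Flatt Security's code). Pre-flight check for a CI job
# that is handed a Takumi Guard token via the CI platform's secret store.
# Assumption: the secret is exported as TAKUMI_GUARD_TOKEN (example name).

# check_guard_token TOKEN
#   0 : TOKEN is an organization token (tg_org_ prefix) and may be used on CI
#   1 : no token supplied
#   2 : personal (tg_anon_) token; install history would be tied to one
#       person's email instead of the organization, so refuse it on CI
#   3 : unrecognised format
# Only the prefix classification is written to stderr, never the token value.
check_guard_token() {
  tok=$1
  case "$tok" in
    "")
      echo "takumi-guard: no token supplied; refusing to run without one" >&2
      return 1 ;;
    tg_org_*)
      echo "takumi-guard: organization token detected (prefix tg_org_)" >&2
      return 0 ;;
    tg_anon_*)
      echo "takumi-guard: tg_anon_ tokens are tied to one person's email; use a tg_org_ token on CI" >&2
      return 2 ;;
    *)
      echo "takumi-guard: unrecognised token format" >&2
      return 3 ;;
  esac
}

# Usage at the top of the job, before any package install step runs:
# check_guard_token "${TAKUMI_GUARD_TOKEN:-}" || exit 1
```

Run the check as the first step of the job so that a missing or wrong-tier token stops the pipeline before the package manager is ever configured; the per-ecosystem quickstart then supplies the actual registry configuration that consumes the token.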

Setting Up Each Machine

For the actual setup steps in each ecosystem and each environment (local development, GitHub Actions, etc.), see the per-ecosystem quickstart.