# Quickstart {#quickstart} Takumi Guard protects your development environment by blocking malicious packages before they reach your machine. It works as a transparent proxy for **npm** and **PyPI** — no code changes required, just a one-time registry configuration. ## Choose Your Setup Level {#setup-levels} Takumi Guard offers three levels of access. Pick the one that fits your needs: | Level | What You Get | Requires | | ------------------ | ------------------------------------------------------------------------------------------ | ------------------------------------- | | **Anonymous** | Malicious package blocking | Registry URL only | | **Email-Verified** | Blocking + download tracking + [breach notifications](/docs/t/guard/features/breach-notifications.md) | Email registration (free) | | **Organization** | Everything above + team-wide visibility | Shisho Cloud account + GitHub Actions | Most individual developers should start with **email-verified access** — it takes under a minute and unlocks breach notifications at no cost. ## One Token, All Ecosystems {#cross-ecosystem} When you register with your email, you receive a single API key (e.g., `tg_anon_abc123…`). This key works across **all** Takumi Guard ecosystems: - **npm** — npm, pnpm, yarn, bun - **PyPI** — pip, uv, poetry You only need to register once. Use the same token to configure as many package managers as you need. If you already set up npm and want to add PyPI (or vice versa), you do **not** need to register again — just configure the additional package manager with the same key. :::tip Already registered via npm and want to add PyPI? Skip registration and go straight to the [PyPI setup guide](/docs/t/guard/quickstart/pypi.md#setup-email-verified) — use the same API key you already have. If you need to find your existing key, see [Finding Your Token](/docs/t/guard/features/token-management.md#finding-token). ::: ## Ecosystem Setup Guides {#setup-guides} Follow the guide for each ecosystem you want to protect: ### npm {#npm-guide} Covers npm, pnpm, yarn, and bun. Includes local development, `.npmrc` configuration, and GitHub Actions setup. **[Set up npm →](/docs/t/guard/quickstart/npm.md)** ### PyPI {#pypi-guide} Covers pip, uv, and poetry. Includes local development, environment variable configuration, and GitHub Actions setup. **[Set up PyPI →](/docs/t/guard/quickstart/pypi.md)** ## Quick Reference {#quick-reference} Already have your token? Here are the one-line commands for each package manager: ### npm ecosystem {#quick-npm} ```bash # npm / pnpm npm config set registry https://npm.flatt.tech/ npm config set //npm.flatt.tech/:_authToken tg_anon_YOUR_TOKEN ``` ```yaml # yarn (v2+) — add to .yarnrc.yml npmRegistryServer: "https://npm.flatt.tech/" npmAuthToken: "tg_anon_YOUR_TOKEN" ``` ```toml # bun — add to bunfig.toml [install] registry = { url = "https://npm.flatt.tech/", token = "tg_anon_YOUR_TOKEN" } ``` ### PyPI ecosystem {#quick-pypi} ```bash # pip (persists to disk) pip config set global.index-url https://token:tg_anon_YOUR_TOKEN@pypi.flatt.tech/simple/ # uv — add to shell profile (uv does not read pip config) export UV_INDEX_URL=https://token:tg_anon_YOUR_TOKEN@pypi.flatt.tech/simple/ ``` ```bash # poetry poetry source add --priority=primary takumi-guard https://pypi.flatt.tech/simple/ poetry config http-basic.takumi-guard token tg_anon_YOUR_TOKEN ``` ## Verify Your Setup {#verify} After configuring any package manager, test that Takumi Guard is working by attempting to install a known blocked package: ```bash npm install @panda-guard/test-malicious ``` If Takumi Guard is configured correctly, the install will fail with a `403 Forbidden` error. ## Next Steps {#next-steps} - **[Token Management](/docs/t/guard/features/token-management.md)** — Rotate, recover, or revoke your API key - **[Breach Notifications](/docs/t/guard/features/breach-notifications.md)** — Get notified when a package you downloaded is flagged - **[Package Blocking](/docs/t/guard/features/package-blocking.md)** — Learn how Takumi Guard's blocklist works