Dependency guards intercept package install commands during agent runs and check them against a security service before allowing the install to proceed. If a package is flagged as risky, the install is blocked and the agent is told to use a safer alternative.
How It Works
When an agent runs a package install command (e.g., npm install, pip install, cargo add), Mains intercepts the command, extracts the package names, and checks them against the configured guard service. If any package fails the security check, the command is denied before it executes.
This works across all three agent runtimes:
| Agent | Mechanism |
|---|---|
| Claude | PreToolUse hook on Bash commands |
| Copilot | Pre-tool-use hook on shell/bash tools |
| Codex | Dynamic tools check before execution |
Supported Ecosystems
Guards detect install commands for multiple package managers:
| Ecosystem | Commands detected |
|---|---|
| npm | npm install, npm add, yarn add, pnpm add |
| Python | pip install, pip3 install |
| Cargo | cargo add, cargo install |
| Go | go get, go install |
| RubyGems | gem install, bundle add |
Socket.dev
Mains uses Socket.dev as the guard provider. Socket analyzes packages for supply chain risks, known vulnerabilities, and suspicious behavior.
Setup
Get an API key
Create a Socket.dev account and generate an API key from your organization settings.
Connect in Mains
Go to Settings > Apps and click Connect next to Socket.dev. Enter your API key.
Guards activate automatically
Once connected, guards are active for all agent runs. No per-workspace configuration is needed.
What Gets Checked
For each package, Socket.dev returns:
| Field | Description |
|---|---|
| Overall score | 0-1 health score based on multiple risk factors |
| Risk level | critical, high, medium, low, or none |
| Alerts | Specific security issues (malware, typosquat, etc.) |
Packages below the minimum score threshold are blocked automatically.
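
The extraction step described under How It Works and the threshold rule above can be sketched as follows. This is an added example, not Mains or Socket.dev code: the function names, the `scores` lookup table and the `min_score` parameter are assumptions, and treating a package with no score as 0.0 is a choice made here, not documented behaviour.

```python
import re
import shlex

# (binary, verb) pairs from the "Commands detected" table above.
INSTALL_COMMANDS = {
    ("npm", "install"): "npm", ("npm", "add"): "npm",
    ("yarn", "add"): "npm", ("pnpm", "add"): "npm",
    ("pip", "install"): "python", ("pip3", "install"): "python",
    ("cargo", "add"): "cargo", ("cargo", "install"): "cargo",
    ("go", "get"): "go", ("go", "install"): "go",
    ("gem", "install"): "rubygems", ("bundle", "add"): "rubygems",
}
SHELL_PUNCTUATION = set("();<>|&")


def strip_version(ecosystem, spec):
    """Reduce 'name@1.2', '@scope/name@1.2' or 'name==1.2' to the bare name."""
    if ecosystem == "python":
        return re.split(r"[=<>!~\[;]", spec, maxsplit=1)[0]
    return spec[0] + spec[1:].partition("@")[0]  # keep a leading npm scope '@'


def extract_packages(command):
    """Return (ecosystem, name) for each package a shell line would install."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    lex.commenters = ""
    found, segment = [], []
    for token in list(lex) + [";"]:  # trailing ';' flushes the last segment
        if not (token and set(token) <= SHELL_PUNCTUATION):
            segment.append(token)
            continue
        for i in range(len(segment) - 1):  # tolerate prefixes such as sudo
            ecosystem = INSTALL_COMMANDS.get((segment[i], segment[i + 1]))
            if ecosystem:
                found += [(ecosystem, strip_version(ecosystem, arg))
                          for arg in segment[i + 2:]
                          if arg and not arg.startswith("-")]
                break
        segment = []
    return found


def guard(command, scores, min_score):
    """Deny the whole command if any package scores below min_score.
    Assumption: a package with no score counts as 0.0 and is blocked."""
    blocked = [pkg for pkg in extract_packages(command)
               if scores.get(pkg, 0.0) < min_score]
    return (not blocked, blocked)
```

The sketch matches only the command forms listed in the table, so variants such as `python -m pip install` are not detected. Flag values (for example the file after `pip install -r`) are not modelled and are returned as if they were package names.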