Unified local CLI
Install Shipmoor CLI.
Run local AI code integrity checks for free. Catch phantom imports, hallucinated APIs, and placeholder logic before you push. Log in only when you need paid IC, Team, or Enterprise capabilities.
Shipmoor CLI is a single local binary that scans agent-generated code for integrity defects before you push.
Community scans run without an account. Paid capabilities for individuals, teams, and enterprises unlock from the same installed command when you log in. One installer. One shipmoor command. Entitlements decide what is enabled.
- No account required to start
- No telemetry
- No source upload
- Python · TypeScript · JavaScript · Go
- --changed · --staged · --diff · --patch
- JSON · SARIF
- GitHub Actions
- No source upload
$ shipmoor scan --changed ✗ Needs work - 2 of 2 findings block reviewpackage.json detected · 2 files · gate high⊘ blocks the gate · ○ informational────────────────────────────────────────────────────────src/jobs/processor.ts · 1 ⊘ high :12 phantom import typescript.phantom_import Module '@acme/workflows' is imported but not declared in package.json. → Add '@acme/workflows' to dependencies, or remove the import.src/handlers/payment.ts · 1 ⊘ high :47 placeholder implementation typescript.placeholder.stub_handler Handler returns HTTP 200 but body is a hardcoded stub. → Implement the persistence step before merging, or remove the route.────────────────────────────────────────────────────────✗ gate fail · 2 high block at threshold "high" exit 1→ fix the 2 blockers, then re-run shipmoor scan --changed --fail-on high→ drill into one shipmoor explain SHM-a12f9c84d501ee27shipmoor scan --changed after an agent session
Start free
Shipmoor CLI works immediately after install. No account is required for Community scans. Run it in the same repository where your agent produced the change. Shipmoor checks the generated diff before a reviewer spends time on it.
shipmoor scan --changed Use it after Cursor, Claude Code, Codex, Copilot, Aider, or any agent that leaves changes in your working tree.
- Let the agent finish.
- Run shipmoor scan --changed.
- Fix high-confidence integrity findings.
- Push a cleaner diff.
Four commands to know
Use --changed for the normal local workflow, --staged for exactly what will be committed, --diff for branch-based workflows, and --patch when the agent produced a patch you want to inspect before applying.
-
Scan changed files after an agent session
shipmoor scan --changed -
Scan only staged files before commit
shipmoor scan --staged -
Scan a diff against a branch or ref
shipmoor scan --diff main...HEAD -
Scan an agent patch before applying it
shipmoor scan --patch agent-output.patch
What Shipmoor catches before review
Shipmoor focuses on generated-code integrity defects: plausible code that looks reviewable but is not grounded in the real dependency graph, local API surface, or intended behavior. It is not a linter. It is not SAST. It is not a PR reviewer. It checks the defect class AI agents produce when they infer missing context.
- Dependency grounding
Phantom imports
Packages, modules, or local paths that the agent imported but your manifest or filesystem does not contain.
- API surface
Hallucinated API calls
Methods, functions, clients, or endpoints the agent inferred from context but that do not exist in the codebase.
- Intent completion
Placeholder implementations
TODOs, hardcoded success responses, fake IDs, pass statements, and stubbed return values where real logic belongs.
- Side effects
Stub paths
Handlers or functions that return success without performing the required side effect.
- Failure handling
Swallowed errors
Empty catch blocks, bare except handlers, and no-op recovery paths that hide runtime failures.
- Test integrity
Suspicious tests
Tests that pass while mocking away the behavior the agent was asked to implement.
One CLI. Four plan levels.
Shipmoor does not make developers choose between a free binary and a paid binary. There is one installed shipmoor command. Community scans run without login. Paid capabilities unlock from the same command when your local license has the right entitlement.
- Free
Community
Local structural scans for developers who want to check agent output before pushing.
- Local scan modes
- Human, JSON, and SARIF output
- Stable CI exit codes
- No account required
- Individual paid
IC
Individual Pro capabilities for one developer, unlocked with shipmoor login.
- Claim Check for agent changes
- Repair guidance
- IDE extension Pro features
- Agent harness feedback
- Shared policy · coming soon
Team
Team controls for engineering groups standardizing AI code integrity across repos.
- Shared baselines
- Team policy
- PR comments
- Seat management
- Org controls · coming soon
Enterprise
Governance, auditability, and deployment controls for larger engineering organizations.
- SSO/RBAC
- Audit logs
- Self-hosted runners
- Data residency
Upgrade with one login
When you need paid capabilities, run shipmoor login. The same installed shipmoor command unlocks your local entitlements. No second binary. No separate IDE login. No separate harness login.
shipmoor loginshipmoor whoamishipmoor capabilities --json
That is the upgrade path: install once, start free, log in when your workflow needs more.
Local-first by default
Community scans run locally. Paid entitlement checks use license identity, not repository contents. Your source code is not uploaded for install, login, billing, or license validation. That matters because the CLI sits in a sensitive part of the workflow: after an agent has changed code, before the change leaves the developer environment. Shipmoor is designed to preserve that boundary.
Add it to CI when you are ready
Local checks catch generated defects before push. CI catches anything that reaches the pull request.
name: Shipmoor integrity scan
on:
pull_request:
jobs:
shipmoor:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install Shipmoor
run: curl -fsSL https://dl.shipmoor.dev/install.sh | bash
- name: Run Shipmoor
run: shipmoor scan --changed --format sarif > shipmoor.sarif
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: shipmoor.sarif
if: always()
For teams, CI policy turns the same local habit into an enforceable gate.
Where Shipmoor fits
AI agents changed the shape of code review. They produce more code, faster, with defects that look plausible until someone checks the grounding. Shipmoor belongs in the gap between generation and review.
- agent output
- shipmoor scan
- human review
- merge
The goal is not to replace review. The goal is to keep fabricated imports, hallucinated APIs, placeholder logic, and empty success paths out of review. Review should start with real code.
Install once. Start free.
One installer. One shipmoor command. Free Community scans, with paid capabilities unlocked by login when you need them.
Get Shipmoor CLI
One installer. One shipmoor command. Free Community scans.
Questions before installing FAQs
Short answers for developers evaluating the CLI.