Code generation is cheap. Code review is the new bottleneck. LLMs produce pull requests in minutes; reviewing them thoroughly still takes hours. Teams either drown in review or switch to YOLO mode — and existing tooling does not close the gap. Linters catch syntax. Unit tests check behavior. OpenShrike's goal is to systematically verify that a change follows the architectural decisions, security practices, and engineering standards set by your team.
OpenShrike is a security-first, self-hosted code review tool that fills that
gap. Your standards live in the repo as versioned Markdown checks and policies
in best_practices/. shrike init seeds the selected
policies into repo-local Markdown under .openshrike/checks/, so the checks that
actually run can be reviewed in code review and edited or extended by
maintainers. OpenShrike then executes those project-local checks with OpenCode
and produces findings with evidence, rationale, and remediation — locally or
in CI, against the LLM provider of your choice.
VS Code extension - install from marketplace
- Predictable checks. You know exactly what is verified on every PR, not whatever a free-form /review prompt decided to look at this time.
- Requirements as Markdown. Standards live in the repo, versioned and reviewable — no proprietary DSL, no external dashboard.
- Beyond linters and tests. Enforce architectural boundaries, test discipline, boundary validation, secret hygiene, timeouts and cancellation, observability, and API safety.
- Auto-fix with agents. shrike fix spawns an agent to repair failing checks before a PR reaches a human reviewer.
- BYOK. Bring your own key and model — OpenAI, Anthropic, Bedrock, Azure, Ollama, LMStudio, and anything else OpenCode supports.
- Self-hosted. Runs locally or in CI with native and docker runtimes. Your code does not leave your infrastructure.
Prerequisite: Node.js 22+.
Install the CLI from npm:
npm install -g @networkperspective/openshrike
Install the VS Code extension:
code --install-extension networkperspective.openshrike
Or install the latest GitHub release bundle:
curl -fsSL https://raw.githubusercontent.com/Network-Perspective/OpenShrike/main/install | bash
On Windows PowerShell:
irm https://raw.githubusercontent.com/Network-Perspective/OpenShrike/main/install.ps1 | iex
Assume shrike is on your PATH. If you are running directly from this
repository, use ./shrike instead.
shrike init
shrike scan
- shrike init is interactive. It detects the project, helps establish AI provider access, lets you choose defaults, and writes .openshrike/project.json, .openshrike/opencode.json, and seeds .openshrike/checks/.
- shrike scan uses those saved defaults automatically and reads the Markdown checks from .openshrike/checks/. By default it scans uncommitted changes in the current repository. If there are no uncommitted changes, plain shrike scan asks whether it should run a full-repository scan instead.
- Re-run shrike init when you want to seed checks from different policies or change saved model, runtime mode, or parallelism defaults.
Prerequisite: Node.js 22+.
npm install
npm run build
scripts/install-local.sh --source ./shrike --link
If ~/.local/bin is not on your PATH, add it in your shell profile.
shrike init expects an interactive terminal.
OpenShrike policies are bundles of checks for things like:
- architecture and dependency boundaries,
- behavior-covering and deterministic tests,
- boundary validation and secret hygiene,
- time budgets, retries, and cancellation,
- deployability, health signals, and observability,
- API and data-shaping safety.
The bundled library is documented in best_practices/README.md. The goal is not to duplicate linters. The goal is to enforce the practices that actually keep systems safe, maintainable, observable, and reliable.
Each command has a --help flag with the full option list. The examples below
cover the common cases.
Interactively initialize Shrike defaults in the local .openshrike directory.
shrike init # first-time setup
shrike init --force # re-seed and overwrite existing files
shrike init --help # full reference
Run a check or policy bundle against a repository. After shrike init, a plain
shrike scan uses saved defaults from .openshrike/project.json and executes
the Markdown checks in .openshrike/checks/.
shrike scan # use saved defaults on uncommitted changes
shrike scan --scope branch \
--target main # scan the current branch vs. main
shrike scan --scope pr \
--target develop...HEAD # PR-style diff scan
shrike scan --scope full # scan the whole repository
shrike scan --policy csharp-baseline # run a specific policy
shrike scan --runtime docker # run in an ephemeral container
shrike scan --help # full reference
Fix failing checks one by one and recheck them. Useful for closing out the long tail of mechanical violations before a human review.
shrike fix # fix using saved defaults
shrike fix --last-scan # reuse .openshrike/last-scan.json instead of rescanning
shrike fix --scope branch \
--target main # fix changes on the current branch vs. main
shrike fix --help # full reference
- --output markdown is the default and emits human-readable reports and error messages.
- --output json emits machine-readable reports and error envelopes.
- Exit code 0: no failing checks.
- Exit code 2: one or more failing checks.
- Exit code 1: command or runtime error.
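The exit codes above are what a CI job should gate on. This POSIX shell wrapper is an added example, not part of OpenShrike: it fails closed, so only exit code 0 passes and a scanner that crashed or is missing is reported separately from failing checks. It assumes shrike scan accepts --output json and writes the report to stdout; SHRIKE_BIN, scan_verdict and run_gate are names made up for this example.

```shell
#!/bin/sh
# Added example (not OpenShrike's own script): fail-closed CI gate built on the
# documented exit codes 0 / 2 / 1.
# Assumption: `shrike scan --output json` writes its report to stdout.
# SHRIKE_BIN, scan_verdict and run_gate are hypothetical names for this example.

SHRIKE_BIN="${SHRIKE_BIN:-shrike}"

# Map a shrike exit code to a verdict. Anything other than 0 or 2 is a tool
# failure (including 126/127 for a missing binary or 128+N for a signal),
# never a pass.
scan_verdict() {
  case "$1" in
    0) echo "pass" ;;
    2) echo "findings" ;;
    1) echo "tool-error" ;;
    *) echo "unexpected-exit-$1" ;;
  esac
}

# run_gate TARGET REPORT_FILE
# Scans the current branch against TARGET, stores the JSON report in
# REPORT_FILE, prints the verdict, and returns 0 only for a clean scan.
run_gate() {
  gate_target="$1"
  gate_report="$2"
  gate_rc=0
  "$SHRIKE_BIN" scan --scope branch --target "$gate_target" --output json \
    >"$gate_report" || gate_rc=$?
  gate_verdict=$(scan_verdict "$gate_rc")
  echo "$gate_verdict"
  case "$gate_verdict" in
    pass)     return 0 ;;
    findings) return 2 ;;  # checks failed: block the merge, keep the report
    *)        return 1 ;;  # scanner did not complete: not a passing review
  esac
}

# Typical CI usage (keep the report as a build artifact either way):
#   run_gate main shrike-report.json || exit $?
```

Keeping exit 1 distinct from exit 2 lets the pipeline alert on a broken scanner instead of either passing silently or blaming the change under review.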
npm run dev -- scan --policy csharp-baseline --path .
npm run build
npm run typecheck
npm test
The ./shrike launcher uses tsx src/cli.ts when available and falls back to
dist/cli.js.
Create a local framework bundle:
scripts/publish.sh
Install from the published framework bundle:
scripts/install-local.sh --source .artifacts/publish/framework

