Yana AI Guide
Everything you need to install, configure, and run Yana AI.
Installation
Three components, install what you need:
# Claude Code plugin
npm install yana-ai
npx yana-ai-install # wire hooks into .claude/ (required)
# Rust runtime (scan, hunt, watch, ci, map…)
cargo install yana-rt
# Python CLI (legacy commands)
pip install yana-ainpx yana-ai-install once after npm install — it wires the PreToolUse / PostToolUse hooks into your .claude/settings.json. From npm v12 (July 2026) install scripts no longer run automatically, so this step is required — the postinstall fallback only fires on npm ≤ 11.First Scan
Scan your project for agent security risks in 30 seconds:
cd your-project
yana-rt scan .
# JSON output
yana-rt scan . --json
# Only show critical/high findings
yana-rt scan . --fail-on high
# Scan only changed files since main
yana-rt scan . --diff origin/mainScanner checks: hardcoded secrets, SSRF vectors, path traversal, supply chain, prompt injection, tool poisoning, and 40+ other categories.
Gate System
Yana AI intercepts every Claude tool call through a layered gate pipeline:
| Gate | Layer | Blocks |
|---|---|---|
| L0 | Audit chain | Log tampering, replay attacks |
| L1 | Anti-evasion | base64 decode→exec, pipe-to-shell, eval |
| L2 | Sanitize | Subshell injection, LD_PRELOAD, env hijack |
| L2.5 | Overlay sandbox | Write to core/ without signature |
| L3 | Runtime isolation | Docker/nsjail sandbox escape |
| L4 | Supply chain | Unvetted package installs |
| L5 | UI quality | Arbitrary hex colors, missing dark mode |
npx yana-ai-install.yana-rt scan
Full security audit of your .claude/ setup and source files.
yana-rt scan . # full scan
yana-rt scan . --only secrets # secrets only
yana-rt scan . --markdown out.md # write report
yana-rt scan . --sarif out.sarif # SARIF for GitHubyana-rt hunt
Active scanner — goes deeper into code vulnerabilities and supply chain.
yana-rt hunt run . # full hunt
yana-rt hunt secrets . # secrets only
yana-rt hunt deps . # dependency audityana-rt ci
CI/CD workflow security check — unpinned actions, missing permissions, secret exposure.
yana-rt ci check .github/workflows/
yana-rt ci check .github/workflows/deploy.ymlyana-rt watch
Live file watcher — prints changes to skills, agents, rules as they happen.
yana-rt watch start # watch default dirs
yana-rt watch start --dirs core/skills,src # custom dirs
yana-rt watch start --interval 5 # poll every 5syana-rt init
Auto-setup Yana AI in any project — creates hooks, config, and settings skeleton in one command.
yana-rt init run . # setup current directory
yana-rt init run ~/my-app # setup another project
yana-rt init dry . # preview without writing filesCreates: .claude/settings.json, .claude/hooks/pre-tool-use.sh, .yana-ai/config.toml. Skips files that already exist.
All Commands
| Command | Description |
|---|---|
| init | Auto-setup Yana AI in any project — hooks, config, settings |
| scan | Security audit of agent setup + source |
| hunt | Active code vulnerability scanner |
| ci | CI/CD workflow health check |
| map | Agent blast radius — what AI can reach |
| fix | Auto-apply safe fixes for known finding IDs |
| score | Audit score with deduction breakdown |
| doctor | Environment and dependency health |
| watch | Live file monitor for skills/agents/rules |
| graph | Knowledge graph — build/search/diff |
| vault | Vietnamese-first knowledge vault |
| bus | Agent message bus — emit/read/reply |
| memory | L3 shared memory across sessions |
| task | Task lifecycle with evidence |
| cost | Token usage and spend tracking |
Using Skills
Skills are slash commands for Claude Code. With yana-ai installed, 3,457 skills are available.
# In Claude Code chat:
/security-review # OWASP review of current diff
/tdd-cycle # Red → Green → Refactor loop
/debug # Systematic debugging
/code-review # Code quality review
/wrap-up # End-of-session summaryBrowse all skills at skills.html or search at search.html.
Agent Teams
95 specialized agents auto-routed by /agent-router. Key agents:
| Agent | When used |
|---|---|
| planner | Before any 3+ file feature |
| code-reviewer | After writing code |
| security-reviewer | Before merge on sensitive code |
| tdd-guide | Test-driven development workflow |
| database-reviewer | Schema changes, migrations |
| build-error-resolver | When build fails |