Pre-PR quality gate for Claude Code. Catches AI code smells, security holes, missing tests, and Claude attribution leaks before you push.
One command. Six checks. Green or red.
```
/ship
```

Claude Code writes a lot of good code. It also writes code that reviewers reject in seconds:

- `Co-Authored-By: Claude` stuck in a commit trailer
- Defensive `try/catch` wrapping code that can't throw
- Comments like `// Loop through items`
- `throw new Error("Failed to fetch data")` instead of matching the repo's error style
- A PR description that screams "AI template"
- Zero tests for the new code path
PRGuard runs before git push and catches all of it.
| Check | What it does |
|---|---|
| 🧬 AI fingerprints | Flags 10 code patterns that mark a diff as AI-generated (defensive overcoding, generic comments, premature abstractions, AI-pattern test names, template PR bodies) |
| 🔒 Security | SQL injection, secrets in code, XSS, unsafe deserialization, hardcoded credentials, exposed API keys |
| ✅ Test coverage delta | Every function/branch you added — is it covered? Points out untested paths |
| 🏷️ Attribution leaks | Greps the diff for Claude, Anthropic, Co-Authored-By, 🤖 Generated — stops the commit if found |
| 🎨 Style match | Compares your diff against recent merged PRs in the same repo — warns if tone/structure diverges |
| 📊 Change scope | Warns if the diff is >400 LOC or touches unrelated files ("while I'm here" refactors) |
Each check returns green ✅ or red ❌ with concrete fix instructions. No false positives (confidence-scored, threshold 80+).
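One way the attribution-leak check from the table could be written as a git-hook helper, shown as an added example that is not PRGuard's own code. The function names, the sample diff and the case-insensitive matching are assumptions; only the four search strings come from the table.

```shell
#!/bin/sh
# Added example (not PRGuard's code): attribution-leak scan over a unified diff.
# The four strings come from the checks table; case-insensitive matching is an
# assumption made here so that "Co-authored-by:" trailers are also caught.
ATTRIBUTION_RE='Claude|Anthropic|Co-Authored-By|🤖 Generated'

# find_leaks: unified diff on stdin -> "file:line: text" per offending ADDED line.
# Exit status follows grep: 0 when a leak was found, 1 when the diff is clean.
find_leaks() {
  awk -v re="$ATTRIBUTION_RE" '
    function count(spec,   p, n) { n = split(spec, p, ","); return (n > 1) ? p[2] + 0 : 1 }
    BEGIN { lre = tolower(re) }
    # Outside a hunk: only file headers and hunk headers matter.
    oldleft <= 0 && newleft <= 0 {
      if ($0 ~ /^\+\+\+ /) { file = substr($0, 5); sub(/^b\//, "", file) }
      else if ($0 ~ /^@@ /) {
        split($3, start, ","); line = substr(start[1], 2) + 0
        oldleft = count($2); newleft = count($3)
      }
      next
    }
    # Inside a hunk the line counts decide, so added text starting "++ " is data.
    /^\+/ {
      text = substr($0, 2)
      if (tolower(text) ~ lre) { printf "%s:%d: %s\n", file, line, text; found = 1 }
      line++; newleft--; next
    }
    /^-/  { oldleft--; next }                # removed lines cannot leak anything
    /^\\/ { next }                           # "\ No newline at end of file"
          { line++; oldleft--; newleft-- }   # context line
    END   { exit found ? 0 : 1 }
  '
}

# Constructed sample diff: one removed mention (ignored), two added leaks.
sample_diff() {
  cat <<'EOF'
diff --git a/app/api/users.ts b/app/api/users.ts
--- a/app/api/users.ts
+++ b/app/api/users.ts
@@ -40,4 +40,5 @@ export async function getUser(id) {
   const row = await db.find(id);
-  // fetched by Claude helper
+  // 🤖 Generated with Claude Code
+++ not a header: Anthropic
   return row;
 }
EOF
}
# Hook usage (assumed branch name): git diff main...HEAD | find_leaks && exit 1
```

Commit trailers are part of the commit message rather than the diff, so checking them means running the same pattern over `git log --format=%B main..HEAD` (branch name assumed).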
1. Via Claude Code plugin marketplace (recommended once listed):

```
/plugin install prguard
```

2. Manual install (works today):

```
git clone https://github.com/Islam0953/prguard ~/.claude/plugins/prguard
```

Then in Claude Code, skills and commands will be auto-loaded. Verify with `/ship --help`.
```
/ship
```

Runs all 6 checks on the current diff (staged + unstaged vs. main/master). Reports results inline.

```
/ship-security      # security-only sweep
/ship-tests         # coverage delta only
/ship-fingerprint   # AI-fingerprint scan only
/ship-style         # repo-style match
```

```
/ship-setup
```

Scans your repo once, learns the style (test framework, error patterns, commit conventions, PR body templates) into `.prguard/profile.json`. Subsequent `/ship` runs use this to calibrate checks.
```
$ /ship
🔍 PRGuard running on diff (main...HEAD)
🧬 AI fingerprints ❌ 3 issues
• app/api/users.ts:42 — generic `throw new Error("Failed to fetch")` in codebase that uses custom `DomainError`
• app/lib/format.ts:14 — comment `// Initialize the array` — remove, this is obvious
• tests/users.test.ts — test names use "should X when Y" pattern; repo uses "X — with Y"
🔒 Security ✅ clean
✅ Test coverage ⚠️ 1 function untested
• app/lib/parse.ts:88 — `normalize()` — add unit test
🏷️ Attribution leaks ✅ clean
🎨 Style match ✅ matches recent PRs
📊 Change scope ✅ 127 LOC, focused
Fix 3 fingerprint issues and 1 coverage gap → re-run /ship.
```
PRGuard is designed to work alongside tools developers actually use. If you're setting up a project, these are battle-tested choices (some are affiliate links — they don't cost you extra, they help keep PRGuard free):
- Hosting: Vercel · Railway · Fly.io
- Error tracking: Sentry — captures what PRGuard can't catch at runtime
- Monitoring & logs: Better Stack
- Security runtime: Arcjet — rate limiting, bot detection, runtime security
- Database: Supabase · PlanetScale
- Cloud: DigitalOcean ($200 free credit)
- Domains: Namecheap
See docs/RECOMMENDED_STACK.md for why each one is picked and setup guides.
PRGuard works out of the box. To tune:
Does this replace code review? No. A human reviewer still catches things PRGuard won't — domain logic, product decisions, architecture. PRGuard catches the mechanical stuff that wastes reviewer time.
Does it work with any language? Yes. Checks are language-aware: TypeScript, JavaScript, Python, Go, Rust, Swift, Ruby, Java, PHP. Some checks (fingerprints, attribution, scope) work on any text.
Does it run automatically? Only if you want it to. Add a pre-commit hook (see docs/HOOKS.md) or run manually before `git push`.
I don't care about AI fingerprints — my team knows I use AI. Disable with `"fingerprints": { "enabled": false }`. Still useful for security + coverage + attribution checks.
Does it send my code anywhere? No. 100% local via Claude Code. Zero telemetry.
Why "PRGuard"? Because the goal is to ship code that passes review, not code that gets thrown back. Also shorter than "pre-pr-quality-assurance-toolkit".
- Core 6 checks
- Manual install
- Claude Code marketplace listing
- VSCode status bar integration
- Team profiles (shared `.prguard/config.json` with codebase conventions)
- CI mode: `prguard ci` for GitHub Actions
- Custom checks API
Issues and PRs welcome. See CONTRIBUTING.md.
MIT — use it, fork it, sell it. If you build on top, a mention would be nice.
If PRGuard saves you one PR round-trip, star the repo. It's the only metric that gets features built faster.
Built by @Islam0953 · prguard.tech