YAMTAM ENGINE Guide
Personal Agent OS for Claude Code — security gates, 2,353 skills, Rust runtime.
Installation
Three components, install what you need:
# Claude Code plugin (hooks, skills, agents wired automatically)
npm install yamtam-engine
npx yamtam-install # wire hooks into .claude/
# Rust runtime (scan, hunt, watch, ci, map…)
cargo install yamtam-rt
# Python CLI (legacy commands)
pip install yamtam-enginenpx yamtam-install once after npm install — it wires the PreToolUse / PostToolUse hooks into your .claude/settings.json.First Scan
Scan your project for agent security risks in 30 seconds:
cd your-project
yamtam-rt scan .
# JSON output
yamtam-rt scan . --json
# Only show critical/high findings
yamtam-rt scan . --fail-on high
# Scan only changed files since main
yamtam-rt scan . --diff origin/mainScanner checks: hardcoded secrets, SSRF vectors, path traversal, supply chain, prompt injection, tool poisoning, and 40+ other categories.
Gate System
YAMTAM intercepts every Claude tool call through a layered gate pipeline:
| Gate | Layer | Blocks |
|---|---|---|
| L0 | Audit chain | Log tampering, replay attacks |
| L1 | Anti-evasion | base64 decode→exec, pipe-to-shell, eval |
| L2 | Sanitize | Subshell injection, LD_PRELOAD, env hijack |
| L2.5 | Overlay sandbox | Write to core/ without signature |
| L3 | Runtime isolation | Docker/nsjail sandbox escape |
| L4 | Supply chain | Unvetted package installs |
| L5 | UI quality | Arbitrary hex colors, missing dark mode |
npx yamtam-install.yamtam-rt scan
Full security audit of your .claude/ setup and source files.
yamtam-rt scan . # full scan
yamtam-rt scan . --only secrets # secrets only
yamtam-rt scan . --markdown out.md # write report
yamtam-rt scan . --sarif out.sarif # SARIF for GitHubyamtam-rt hunt
Active scanner — goes deeper into code vulnerabilities and supply chain.
yamtam-rt hunt run . # full hunt
yamtam-rt hunt secrets . # secrets only
yamtam-rt hunt deps . # dependency audityamtam-rt ci
CI/CD workflow security check — unpinned actions, missing permissions, secret exposure.
yamtam-rt ci check .github/workflows/
yamtam-rt ci check .github/workflows/deploy.ymlyamtam-rt watch
Live file watcher — prints changes to skills, agents, rules as they happen.
yamtam-rt watch start # watch default dirs
yamtam-rt watch start --dirs core/skills,src # custom dirs
yamtam-rt watch start --interval 5 # poll every 5syamtam-rt init
Auto-setup YAMTAM in any project — creates hooks, config, and settings skeleton in one command.
yamtam-rt init run . # setup current directory
yamtam-rt init run ~/my-app # setup another project
yamtam-rt init dry . # preview without writing filesCreates: .claude/settings.json, .claude/hooks/pre-tool-use.sh, .yamtam/config.toml. Skips files that already exist.
All Commands
| Command | Description |
|---|---|
| init | Auto-setup YAMTAM in any project — hooks, config, settings |
| scan | Security audit of agent setup + source |
| hunt | Active code vulnerability scanner |
| ci | CI/CD workflow health check |
| map | Agent blast radius — what AI can reach |
| fix | Auto-apply safe fixes for known finding IDs |
| score | Audit score with deduction breakdown |
| doctor | Environment and dependency health |
| watch | Live file monitor for skills/agents/rules |
| graph | Knowledge graph — build/search/diff |
| vault | Vietnamese-first knowledge vault |
| bus | Agent message bus — emit/read/reply |
| memory | L3 shared memory across sessions |
| task | Task lifecycle with evidence |
| cost | Token usage and spend tracking |
Using Skills
Skills are slash commands for Claude Code. With yamtam-engine installed, 2,353 skills are available.
# In Claude Code chat:
/security-review # OWASP review of current diff
/tdd-cycle # Red → Green → Refactor loop
/debug # Systematic debugging
/code-review # Code quality review
/wrap-up # End-of-session summaryBrowse all skills at skills.html or search at search.html.
Agent Teams
93 specialized agents auto-routed by /agent-router. Key agents:
| Agent | When used |
|---|---|
| planner | Before any 3+ file feature |
| code-reviewer | After writing code |
| security-reviewer | Before merge on sensitive code |
| tdd-guide | Test-driven development workflow |
| database-reviewer | Schema changes, migrations |
| build-error-resolver | When build fails |