Security & Privacy
Caliper is a CLI tool that runs in your local environment. Here's exactly what stays local, what leaves your machine, and when.
What runs locally
These operations never make network calls:
- Convention checks (caliper check) — compiled grep patterns, AST analysis, and file structure checks run entirely in your shell. No code is transmitted. No API key required.
- Config scaffolding (caliper init) — reads your project structure and writes .caliper/ files locally. If ANTHROPIC_API_KEY is set, init also runs caliper refresh to compile your CLAUDE.md into checks (this calls the Anthropic API — see below). Without an API key, init still works but skips convention compilation.
- State management — pipeline state, trace files, and review history are stored in /tmp/caliper/ on your machine.
What calls the Anthropic API
These operations send code to Anthropic's API for AI analysis:
| Operation | What is sent | When |
|---|---|---|
| caliper refresh | CLAUDE.md file contents | One-time setup (rerun when conventions change) |
| caliper review | Staged diff + function context around changes | Each local AI review |
| caliper <pr> | PR diff + function context + file metadata | Each PR review |
What is NOT sent: Your full codebase, git history, environment variables, secrets, or .env files. Only the diff and surrounding function context for changed files are transmitted.
Anthropic's data retention policy applies. API inputs are not used to train models.
What calls the GitHub API
These operations use the GitHub API via the gh CLI:
| Operation | API calls |
|---|---|
| caliper <pr> | Fetch PR metadata, diff, and existing comments |
| Posting findings | Create review comments on the PR |
| --ci mode | Delete stale comments from previous runs |
The gh CLI uses your existing GitHub authentication. Caliper does not store or manage GitHub tokens directly.
Credentials
| Credential | Used by | Storage |
|---|---|---|
| ANTHROPIC_API_KEY | AI review + convention compilation | Your shell environment — never written to config files |
| gh auth | PR fetching + comment posting | Managed by GitHub CLI (gh auth login) |
Caliper never writes credentials to .caliper/ config files, state files, or trace logs.
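If you want to confirm that claim in your own environment rather than take it on trust, the following added script (not part of Caliper) scans the config and state locations named on this page for key material. It assumes Anthropic API keys carry the `sk-ant-` prefix and that `grep -r` is available; directory paths can be overridden by passing them as arguments.

```shell
#!/bin/sh
# Added example, not Caliper's own code: look for Anthropic key material in
# Caliper's config (.caliper/) and state (/tmp/caliper/) directories.
# Assumption: Anthropic keys start with "sk-ant-". The exact value exported
# as ANTHROPIC_API_KEY (if any) is also searched for, so keys that use a
# different format are still caught.
#
# Returns 0 when nothing key-shaped is found, 1 when something is (and
# prints the offending file names).
scan_for_leaked_keys() {
  _leak_found=0
  for dir in "$@"; do
    [ -d "$dir" ] || continue
    # Pattern 1: anything shaped like an Anthropic key (skip binaries, -I).
    if grep -rIl -- 'sk-ant-' "$dir" 2>/dev/null; then
      _leak_found=1
    fi
    # Pattern 2: the literal key currently in this shell's environment.
    if [ -n "${ANTHROPIC_API_KEY:-}" ] \
       && grep -rIlF -- "$ANTHROPIC_API_KEY" "$dir" 2>/dev/null; then
      _leak_found=1
    fi
  done
  return $_leak_found
}

# Default to the locations documented on this page when no args are given.
if [ $# -eq 0 ]; then set -- .caliper /tmp/caliper; fi
if scan_for_leaked_keys "$@"; then
  echo "no key material found in: $*"
else
  echo "WARNING: key material found in Caliper config/state files (see above)"
fi
```

Run it after a review or a refresh, and again in CI where trace logs may be uploaded as artifacts.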
Air-gapped / offline mode
If you cannot send code to external APIs, you can still use convention enforcement:
- Run caliper refresh once in an environment where the API key is available
- Commit the generated .caliper/checks.js to your repo
- Run caliper check anywhere — it executes the compiled checks with zero network calls
This gives you deterministic convention enforcement on every agent turn with no external dependencies at runtime.
Licensing
Caliper is proprietary software — see the LICENSE file in the repository root. The @caliperai/caliper npm package is publicly available on npm.
Data flow summary
```text
Your repo
│
├─ caliper check   → Local only (grep/AST)
│
├─ caliper refresh → CLAUDE.md contents → Anthropic API
│                   → .caliper/checks.js written locally
│
├─ caliper review  → Staged diff → Anthropic API
│                   → Findings displayed in terminal
│
└─ caliper <pr>    → PR diff → Anthropic API
                    → PR metadata ← GitHub API
                    → Review comments → GitHub API
```