Wahid Khan

7d ago

Hey, I'm Wahid, I built trawld.

The short version: I was doing a routine security review at work, caught an anomaly that traced back to a transitive dependency nobody had audited. Not the package we installed. Something three layers deep. Went looking for a tool that just watched silently and flagged it. Didn't find one. Built trawld instead.

It's fully open source. One install, watches every project on your machine, no config needed.

Wahid Khan

6d ago

trawld - catch vulnerable dependencies before they catch you

Most dependency scanners run in CI. trawld runs on the machine. Install the agent once globally and it watches every project you have, npm and pip, cross-references against the OSV database, and streams findings to a live dashboard across all your machines. No config, no pipeline setup. It also queues remediation commands through the agent's heartbeat loop so fixes reach machines without needing persistent server connections. Built for developers who vibe-code fast and forget to audit.
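The core of what the post describes is cross-referencing installed packages, transitive ones included, against OSV advisories. The following is an added example written for this page, not trawld's own code and not how trawld is implemented: it walks an npm lockfile (every `node_modules/...` entry, so the three-layers-deep case from the first post is covered) and a pinned `requirements.txt`, matches the result against advisories in OSV's `affected` / `ranges` / `events` shape, and builds the request body that OSV's `POST /v1/querybatch` endpoint accepts. The lockfile, requirements and advisories are constructed samples with placeholder IDs, the version comparison is a simplified numeric one rather than full semver/PEP 440, and nothing is sent over the network, so it runs offline.

```python
"""Added example (not trawld's code): match a project's direct and transitive
dependencies against OSV-format advisories, entirely offline."""
import json
import re

# Constructed sample: npm lockfileVersion 3, with one transitive dependency
# (deep-util is only reachable through left-thing, not listed in package.json).
PACKAGE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"left-thing": "^1.0.0"}},
        "node_modules/left-thing": {"version": "1.2.0"},
        "node_modules/left-thing/node_modules/deep-util": {"version": "0.4.1"},
    },
})

# Constructed sample requirements file; only exact pins can be matched.
REQUIREMENTS_TXT = """\
requests==2.25.0
flask>=2.0  # unpinned: skipped, no single version to check
"""

# Constructed advisories in OSV's affected/ranges/events shape.
# IDs and summaries are placeholders, not real vulnerabilities.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "summary": "constructed: deep-util issue",
     "affected": [{"package": {"ecosystem": "npm", "name": "deep-util"},
                   "ranges": [{"type": "ECOSYSTEM",
                               "events": [{"introduced": "0"}, {"fixed": "0.5.0"}]}]}]},
    {"id": "EXAMPLE-0002", "summary": "constructed: requests issue",
     "affected": [{"package": {"ecosystem": "PyPI", "name": "requests"},
                   "ranges": [{"type": "ECOSYSTEM",
                               "events": [{"introduced": "2.0.0"}, {"fixed": "2.26.0"}]}]}]},
]


def parse_package_lock(text):
    """Return (ecosystem, name, version) for every installed npm package,
    transitive ones included, from a lockfileVersion 2/3 'packages' map."""
    data = json.loads(text)
    pkgs = []
    for path, meta in data.get("packages", {}).items():
        if not path:
            continue  # "" is the root project itself
        name = path.rsplit("node_modules/", 1)[-1]  # keeps scoped names like @scope/pkg
        pkgs.append(("npm", name, meta["version"]))
    return pkgs


def parse_requirements(text):
    """Return (ecosystem, name, version) for exact '==' pins in a requirements file."""
    pkgs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"^([A-Za-z0-9_.\-]+)==([0-9][0-9A-Za-z.\-]*)$", line)
        if m:
            pkgs.append(("PyPI", m.group(1).lower(), m.group(2)))
    return pkgs


def _vkey(version):
    """Simplified version key: dotted integers only (assumption, not full semver)."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def version_affected(version, events):
    """Walk OSV events in order; 'introduced' opens a range, 'fixed' closes it."""
    v, affected = _vkey(version), False
    for ev in events:
        if "introduced" in ev and _vkey(ev["introduced"]) <= v:
            affected = True
        if "fixed" in ev and _vkey(ev["fixed"]) <= v:
            affected = False
    return affected


def find_vulnerable(packages, advisories):
    """Cross-reference packages against advisories; return one finding per match."""
    findings = []
    for eco, name, version in packages:
        for adv in advisories:
            for aff in adv["affected"]:
                pkg = aff["package"]
                if pkg["ecosystem"] != eco or pkg["name"].lower() != name.lower():
                    continue
                for rng in aff.get("ranges", []):
                    if rng["type"] == "ECOSYSTEM" and version_affected(version, rng["events"]):
                        findings.append({"ecosystem": eco, "package": name,
                                         "version": version, "id": adv["id"]})
    return findings


def osv_batch_payload(packages):
    """Body for POST https://api.osv.dev/v1/querybatch; built here, not sent."""
    return {"queries": [{"package": {"name": n, "ecosystem": e}, "version": v}
                        for e, n, v in packages]}


def scan():
    pkgs = parse_package_lock(PACKAGE_LOCK) + parse_requirements(REQUIREMENTS_TXT)
    return find_vulnerable(pkgs, ADVISORIES)


if __name__ == "__main__":
    for f in scan():
        print(f"{f['ecosystem']}/{f['package']}@{f['version']}: {f['id']}")
```

Two findings come out: the transitive `deep-util@0.4.1` and the pinned `requests==2.25.0`; `left-thing` has no matching advisory and the unpinned `flask` line is skipped rather than guessed at. A real scanner would send `osv_batch_payload(pkgs)` to OSV instead of matching locally and would use the ecosystem's own version ordering.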