Software creation jumped 10–100x. Library discovery didn't.

Starlog is the capability index your AI agent is missing — it shows Claude Code, Cursor, Copilot, and Codex which proven libraries already solve the task, so they stop hand-rolling custom code or guessing from stale training data.

$ npm install -g starloghq
The Problem

Your agent can't find the library. So it ships you the maintenance burden.

AI coding agents can't see what already exists, so they default to custom code. Every reinvented wheel is technical debt you didn't choose — unreviewed, unmaintained, and yours to own.

Without Starlog

You ask “add authentication” — your agent hand-rolls it:

150-line custom JWT handler

Hardcoded bcrypt rounds

No session management

No MFA, no OAuth, no breach recovery

Technical debt you now own, review, and maintain.

With Starlog

Your agent reaches for what already exists:

Clerk / Auth0 / Supabase Auth

A few lines of integration code

Built on SOC 2–compliant infrastructure

MFA, OAuth, breach recovery included

Maintained, reviewed, and battle-tested by someone else.

83% [1]

of the time, agents pick different libraries for an identical project-setup task

60% [2]

of capability categories, agents default to custom over existing libraries (12 of 20)

49% [3]

of AI-imported dependencies carry known vulnerabilities

96% [4]

of open-source CVEs hit dependencies outside the 20 most-used — the obscure long tail agents reach for

Stop building custom. Install Starlog

[1] Twist et al. — “LLMs Love Python” (arXiv:2503.17181, King’s College London) — 32–39 unique libraries, 83% inconsistency across 8 models.

[2] amplifying.ai — “What Claude Code Actually Chooses” (2,430 recommendations, 20 categories).

[3] Endor Labs — “State of Dependency Management 2025”. See also Socket.dev on slopsquatting — AI-hallucinated packages weaponized as supply-chain attacks.

[4] Chainguard — “The State of Trusted Open Source” (Mar 2026).

Vet before you install

Same package. One agent reads the receipts. And catches the compromise.

Before your agent installs a dependency, Starlog puts a sourced, dated fact record in front of it — CVEs, license, maintenance, supply-chain incidents, and your org's own policy. Here it flags the ua-parser-js takeover and the xz backdoor, clears a clean package, and enforces an internal deny rule.

[Terminal recording, "STARLOG — FACTS": starlog facts vets four packages — the ua-parser-js supply-chain takeover, the xz-utils backdoor (CVE-2024-3094), a clean SAFE verdict for chalk, and an org-private DENY policy on an internal package]
The Fix

What becomes scarce is not code. It's knowing what's already been built.

01

Capability Manifests

Not documentation. Not READMEs. Structured, machine-readable descriptions of what each indexed library actually solves — which stacks they fit, when to skip them, and what hosted alternatives cost less than building custom.

02

Capability-Aware Search

Your agent asks ‘I need auth for a Next.js SaaS’ and gets ranked results with integration effort, health signals, and a concrete comparison: ‘Clerk eliminates 2–4 weeks of auth infrastructure work.’

03

One-Command Setup

npx starloghq init. MCP server configured. PostToolUse hook installed. Your agent starts using Starlog for dependency decisions — in our benchmark it called the tool on every one.

25 libraries across 7 capability categories

Need a capability, not a named package? Starlog ranks the proven libraries that already solve it — so your agent reaches for one instead of hand-rolling.

Proof

240 runs. 4 vendors. Facts an agent can't recall.

The same blind spot that makes an agent hand-roll auth makes it pick the wrong package. Here's that second failure, measured.

78%

correct decisions with facts (from 20%)

In our own benchmark — synthetic packages, a best-case ceiling, not a deployment estimate.

Opus 4.8, GPT-5.5, Gemini 3 Pro, DeepSeek V4 Pro
Get Started

Three steps. Under a minute. Every agent.

Next time your agent needs auth, it'll reach for Clerk — not hand-roll a JWT parser. Keyword ranking works offline out of the box; no key, no account.

1

Install

npm install -g starloghq
starlog init

Requires Node 20+. Wires the MCP server, the install hook, and per-agent instruction files. Just trying it? npx starloghq init works too — but install globally for a permanent setup (npx paths are temporary and get cleared).

2

Restart your agent

Claude Code, Cursor, Copilot, and Codex pick up the new MCP server and instructions on restart.

3

Verify

starlog doctor

Shows the active ranking mode and flags anything missing — corpus, MCP server, hook, and agent configs in one pass.

See it work

starlog search "auth for Next.js" --top-k 3

A ranked answer with a "vs custom" rationale — in your terminal now, not next time.

Coverage & ranking: keyword search runs offline on the 25-library core — no key, no account, and the ranking is identical with or without one. The key is for vetting, not search: it unlocks hosted org-private facts — your internal packages, license rules, and policy — via starlog init --api-key <key>.

Scope: the starlog_search tool runs in Claude Code; Cursor, Copilot, and Codex get instruction files. The starlog CLI works in any terminal.

Update: npm i -g starloghq@latest