Yash's Site

eyre

Delete supply chain risk

yash101

Published 5/10/2026

Updated 5/19/2026

What is Eyre?

Eyre is a realtime policy and governance layer for software dependencies. We sit between your code, package ecosystems, and dependency scanning tools, and let you control what enters your codebase.

We are NOT a package scanner. Plenty of other startups are trying to solve that problem. Instead, we are the orchestration mesh that gathers and collates information about packages.

Finally, our JIT policy engine decides, at wire speed, whether a package is allowed at the time it is pulled.

Why this Matters?

[Image: 2026 supply chain attacks. Image generated by ChatGPT with explicitly-defined data.]

Modern software moves too quickly for static governance. We’ve seen multiple supply chain attacks per month just in 2026, and these risks are accelerating and worsening. In fact, while developing Eyre, we were nearly impacted by the TanStack attack in May 2026.

Developers regularly introduce hundreds to thousands of transitive dependencies into production systems, often with little visibility into:

  • package age
  • maintainer trust
  • install scripts
  • dependency explosion
  • known vulnerabilities
  • organizational policy compliance

Existing tooling often focuses on scanning and reporting after the fact. Eyre focuses on gating what enters in the first place, and biasing software to use higher quality dependencies.

We bring policy and dependency chain analysis closer to the engineers who intimately understand their application, what it does, and its risk posture.

[Image generated by ChatGPT.]

Who is this for?

Initially, Eyre is focused on:

  • startups: high dependency churn, fast dev cycles, no dedicated AppSec team
  • platform & infrastructure: engineering groups needing inline control over deps without destroying local build times
  • security-conscious orgs: engineering teams who cannot compromise on software supply chain integrity

Long-term:

  • Scale-up enterprises: orgs requiring complex, multi-tenant policy federation and deep visibility across code registries.
  • Distributed conglomerates: multi-product parent companies managing divergent operational risk profiles across distinct business units.

Founder’s Note: I [Yash] engineered Eyre specifically to solve the structural architectural friction I faced with dependencies and compliance at both SpaceX and American Express. It is built for teams that demand maximum security without sacrificing execution speed.

Our Monetization Thesis

Our goal is to make this product free for the most vulnerable organizations. We provide a full, generous, free tier for small companies because free does not have to mean compromised.

Eyre commercializes transparently when an organization’s size, organizational hierarchy, and compliance burdens demand multi-tenant governance.

We monetize the administrative overhead of scaling infrastructure, not the basic security primitives:

  • Federated Policy Routing: dynamically evaluating context-specific, nested JIT policy trees across separate corporate subsidiaries or newly acquired business units.
  • Unified Audit + Telemetry: aggregating high-throughput decision logging and deep runtime telemetry streams into a centralized pane for global security operations compliance.

And most importantly, we aim to do this all without performance degradation.

Building Trust Through Sovereignty

We give you a blank canvas to build highly complex, deeply customized organization-specific policies. Our JIT policy engine makes this possible without significant performance impact.

Our core philosophy is simple: We don’t lock you in, but we let you lock yourself in.

  • Zero Infrastructure Capture: The Eyre package gateway core is completely open*.
  • Install & Delete fast: set it up in an hour, onboard an app or two, and delete it in an hour if you decide not to go with our product.
  • High Logic Stickiness: As your team uses Eyre, it naturally becomes deeply integrated into your SDLC / SCLC (supply chain lifecycle).

You are never trapped by a rigid vendor roadmap. You are protected by the customized, high-performance security runtime that you designed yourself.

*License undecided. Goal is to allow internal use and modification while restricting redistribution, commercial resale, and competing hosted offerings.

How it Works

Package Entry

When a package is introduced into Eyre, integrated scanners and analysis tools evaluate:

  • package metadata
  • dependency structure
  • install scripts
  • known vulnerabilities
  • organizational policy requirements

The resulting analysis data is stored and associated with the package.

Package Fetch

Developers configure package managers such as npm, pip, Cargo, and others to fetch dependencies through Eyre.

When a dependency is requested:

  • Eyre retrieves the relevant package intelligence
  • evaluates organizational policies
  • computes a realtime decision to allow or reject the package

The goal is to keep dependency governance inline with existing developer workflows while minimizing operational friction.
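As an added illustration of the Package Entry and Package Fetch steps above (example code written for this page, not Eyre's own, whose implementation is not public), a minimal allow/reject decision over the intelligence fields the page lists. The policy thresholds, package records and advisory id are all constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed policy an org might define; every threshold here is illustrative.
POLICY = {
    "min_age_days": 7,              # reject freshly published versions
    "min_maintainer_trust": 0.5,    # 0..1 score from whatever scanner feeds the gateway
    "allow_install_scripts": False,
    "max_transitive_deps": 200,
    "block_severities": {"critical", "high"},
}

@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)  # empty when allowed; kept for audit logs

def evaluate(pkg: dict, policy: dict, now: datetime) -> Decision:
    """Evaluate one package's stored intelligence record against the policy."""
    reasons = []
    age_days = (now - pkg["published_at"]).days
    if age_days < policy["min_age_days"]:
        reasons.append(f"published {age_days}d ago, minimum is {policy['min_age_days']}d")
    if pkg["maintainer_trust"] < policy["min_maintainer_trust"]:
        reasons.append(f"maintainer trust {pkg['maintainer_trust']:.2f} below threshold")
    if pkg["has_install_scripts"] and not policy["allow_install_scripts"]:
        reasons.append("declares install scripts")
    if pkg["transitive_deps"] > policy["max_transitive_deps"]:
        reasons.append(f"{pkg['transitive_deps']} transitive deps exceeds limit")
    for v in pkg["vulns"]:
        if v["severity"] in policy["block_severities"]:
            reasons.append(f"{v['severity']} vulnerability {v['id']}")
    return Decision(allow=not reasons, reasons=reasons)

# Constructed intelligence records (Package Entry output); names and id are placeholders.
NOW = datetime(2026, 5, 19, tzinfo=timezone.utc)
SAMPLES = {
    "stable-lib": {"published_at": datetime(2024, 1, 10, tzinfo=timezone.utc),
                   "maintainer_trust": 0.9, "has_install_scripts": False,
                   "transitive_deps": 12, "vulns": []},
    "fresh-lib": {"published_at": datetime(2026, 5, 18, tzinfo=timezone.utc),
                  "maintainer_trust": 0.2, "has_install_scripts": True,
                  "transitive_deps": 340,
                  "vulns": [{"id": "EXAMPLE-0001", "severity": "critical"}]},
}

def gate(name: str) -> Decision:
    """What the gateway would answer when a package manager requests `name` (Package Fetch)."""
    return evaluate(SAMPLES[name], POLICY, NOW)
```

Calling `gate("fresh-lib")` rejects with all five reasons listed, which is the record a gateway would emit to its decision log; `gate("stable-lib")` allows with none.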

Deployment

We’re still evaluating the deployment options for Eyre. We’re trying to support multiple deployment methods:

  • Eyre cloud / first party cloud offering
  • On premise
  • Third party cloud / resellers / integrators

Our v0/v0.1 prototype will be on-prem only, though.

If you’re interested in infrastructure, platform engineering, or software supply chain security, we’d love to chat.

Current status

Eyre is currently in active development. Defined below is our critical path to v0.

v0: prove architecture

  • UI/UX - ~2 weeks
  • Control plane - ~2 weeks
  • Package gateway - ~1 week (built, not yet tested)
  • Prototype policy engine, JITing, unoptimized, unhardened - ~4 weeks
  • Barebones basic package static analyzer (just enough to show the architecture works) - ~2 weeks

v0.1: make it fast, safe & robust

  • Hardened, optimized and accelerated JITing policy engine
  • OSS license decision for the package gateway
  • Potential partnership with another startup building a dependency scanner

Partner With Us

We’re looking for companies we can work with as design partners to validate our hypotheses and calibrate our product to solve real pain points.

Funding

Eyre is currently founder-funded and in active development.

We’re focused on building the product and working with early design partners. That said, we’re always happy to connect with people in the space.

If you’re interested in more information, please reach out to Yash <[email protected]>