DEV Community: maruakshay

A Free Claude Code Alternative That Runs 100% on Your Machine

maruakshay — Fri, 15 May 2026 19:10:45 +0000

TL;DR: miii-cli is an open source terminal AI coding assistant powered by local models. No API keys. No cloud. No subscription. One command to install.

AI coding tools are getting expensive.

Claude Code, OpenCode, Kilo — genuinely useful, real cost. $20/month base, API usage on top, and every keystroke, every file, every snippet of a codebase going through someone else's servers.

miii-cli was built to fix that.

Same terminal-native workflow. Same agentic file editing and shell execution. Runs entirely on local hardware via Ollama. Free forever.

What miii actually does

miii is a terminal AI assistant that:

Reads, writes, edits, and runs — the model calls tools autonomously, chaining up to 6 hops deep without manual intervention
Injects files via @filename — type @ anywhere to fuzzy-search and pull any file into context instantly
Remembers sessions — conversations persist across launches, stored at ~/.config/miii/sessions/
Supports custom skills — create custom / commands in Markdown or TypeScript
Works with any OpenAI-compatible API — Ollama, LM Studio, vLLM, Groq, Together, or any self-hosted server

npm install -g miii-cli
miii

That's the entire install. Ollama running, a model pulled, and you're in.

The pain point it solves

Here's the honest comparison:

Feature	miii	Claude Code	OpenCode	Kilo	OpenAI Codex
Local / offline	✅ Ollama	❌	partial	partial	❌
Air-gapped	✅	❌	❌	❌	❌
$0 / month	✅	❌	❌	❌	❌
Switch model live	✅	❌	❌	partial	❌
File checkpoints	✅	❌	❌	❌	❌
MCP client	✅	✅	✅	✅	❌
Skills / npm	✅	plugins	❌	❌	❌

Every other tool in this space requires a cloud account, an API key, or a monthly bill. miii doesn't ask for any of it.

Who it's built for

Privacy-first teams. Healthcare, fintech, defense — code never leaves the machine. Nothing sent to Anthropic, OpenAI, or anyone. Not even metadata.

Cost-sensitive developers. For solo devs or small teams, $20/month + API costs is real money. Ollama is free. miii is free. The only cost is electricity.

Model explorers. Compare Llama 3.3, Qwen2.5-Coder, and Mistral on the same codebase — switch mid-session with /models. No tool-switching, no context loss.

Air-gapped orgs. For environments that literally cannot use cloud AI due to compliance requirements, miii with Ollama is the only full-featured coding CLI that works with zero internet.

How the file context system works

The @ system makes injecting project context frictionless:

❯ review the auth logic in @src/auth/middleware.ts
❯ refactor @src/utils/parser.ts to handle edge cases
❯ does @src/models/user.ts match the schema in @db/migrations/001.sql

Type @ and a fuzzy picker opens over project files. Select what's needed, it gets injected into context. node_modules, dist, .git, lock files, and binaries are automatically excluded.

The model gets full read access to the selected files and can call read_file, edit_file, run_command, and more — autonomously, or with explicit approval gates enabled.

Skills: custom `/` commands

The skills system is the extensibility layer that sets miii apart.

Drop a Markdown file in ~/.config/miii/skills/:

---
name: review
description: review current changes for bugs and improvements
---

Review the code I'm about to share. Look for bugs, edge cases, and improvements.
Be direct and specific. No generic advice.

/review is now a first-class command in every session. TypeScript skill files with an execute function support programmatic behavior — running scripts, fetching context, piping data in.

Community-built skill packs are installable via npm. There's already an AI security skills package covering threat modeling and vulnerability analysis.

Sessions are first-class

Every conversation is saved and resumed automatically.

miii                          # resumes "default" session
miii --session feature-auth   # resumes or creates "feature-auth"
miii -s work -m llama3.2      # short flags, specific model

Switch between projects, come back days later, pick up exactly where things left off. The context is there. The history is there.

Security in 0.1.5

Security is taken seriously — this tool runs shell commands.

Path traversal protection — all file operations restricted to current working directory via guardPath()
Command timeout — run_command enforces a 30-second execution timeout
Config allowlisting — config loading whitelists allowed keys; session data validated before use
Sanitized session names — alphanumeric + hyphens only
Permission gates — writes, shell commands, and tool calls require explicit approval before running The model can only touch what's inside cwd. It can't escape.

The broader miii ecosystem

miii-cli is the terminal core. The project ships two more tools alongside it:

miii web app — browser-based chat UI that connects to local Ollama. No account. No telemetry. No cloud relay. Claude-like UX, locally powered.
mii-ai-security — skill package for security-focused workflows: threat modeling, code review, vulnerability analysis. All three work together. All three are free. Full docs at miii.in.

Get started in 3 steps

1. Install Ollama and pull a model

# Install from ollama.com, then:
ollama pull llama3.2

2. Install miii-cli

npm install -g miii-cli

3. Run it

miii

A model picker opens. Select a model. Start coding.

What's next

MCP server support is live — connect any MCP-compatible tool, database, or API
File checkpoints (state saved before every edit, one command to revert) are shipping
Community skill packs are growing Contributions are welcome — check CONTRIBUTING.md for issues, PRs, and skill pack guidelines.

Links:

I Built a Claude Code-Level Coding Assistant That Runs Entirely on Your Machine

maruakshay — Thu, 07 May 2026 12:11:12 +0000

No cloud. No API keys. No data leaving your machine.

Claude Code is great. But every keystroke, every file, every snippet of your codebase hits Anthropic's servers.

For a lot of developers — those working with client codebases, sensitive projects, or under strict company data policies — that's a deal-breaker.

So I built miii-cli. A terminal-native AI coding assistant powered by local models via Ollama (or any OpenAI-compatible API). Same agentic workflow as Claude Code. Zero cloud.

What it does

miii isn't just a chatbot in your terminal. It's a full agentic loop:

Reads and writes files — edits, creates, overwrites, deletes
Runs shell commands — tests its own output, verifies changes
Chains up to 6 tool calls deep — reads, edits, runs, verifies autonomously
Reads full project context — type @filename to instantly inject any file
Persists session memory — conversations survive across terminal launches
Supports custom slash commands — extend it with your own Markdown or TypeScript skill files It plans the task, executes it, checks the result, and iterates. You don't babysit it.

Why I built this

I couldn't find a local CLI AI tool that actually worked well.

The ones that existed were either too clunky to set up, required cloud APIs, or had terminal output that was genuinely painful to read — weird formatting, broken renders, text that ran together.

I wanted something that felt as clean as Claude Code but ran entirely on local models.

So I built miii.

Install

npm install -g miii-cli

Requirements: Node.js 18+ and Ollama (or any OpenAI-compatible API like LM Studio, vLLM, Groq, Together)

Quick start

# Make sure Ollama is running
ollama serve

# Start miii
miii

On launch, miii opens a model picker. Select your model. Start coding.

miii                          # default session
miii --model codellama        # specific model
miii --session myproject      # named session
miii -s work -m llama3.2      # short flags

File context with `@`

One of my favourite features. Type @ anywhere in your message to fuzzy-search and inject project files into context instantly:

❯ review the auth logic in @src/auth/middleware.ts
❯ refactor @src/utils/parser.ts to handle edge cases

Auto-excluded: node_modules, dist, .git, lock files, binaries, images.

Built-in tools (what the model can call on its own)

Tool	What it does
`read_file`	Read any file
`list_files`	List directory contents
`edit_file`	Create or overwrite a file
`create_folder`	Create a directory
`move_file`	Move or rename
`delete_file`	Delete a file
`run_command`	Run a shell command in cwd

The model chains these automatically — no prompting needed.

Sessions

Every conversation is saved and resumed automatically.

miii                          # resumes "default" session
miii --session feature-auth   # resumes or creates "feature-auth"

Sessions stored at ~/.config/miii/sessions/.

Skills — custom slash commands

Create a Markdown file in ~/.config/miii/skills/:

---
name: review
description: review current changes for bugs and improvements
---

Review the code I'm about to share. Look for bugs, edge cases, and improvements.
Be direct and specific. No markdown.

Then use it:

/review

Skills can also be TypeScript files with an execute function for programmatic behaviour.

Configuration

Works with Ollama by default. Switch to any OpenAI-compatible provider:

Ollama (default):

{
  "model": "llama3.2",
  "provider": "ollama",
  "baseUrl": "http://localhost:11434"
}

OpenAI-compatible (LM Studio, Groq, vLLM, Together, etc.):

{
  "model": "gpt-4o",
  "provider": "openai",
  "baseUrl": "https://api.openai.com/v1"
}

Config loads from .miii.json in your current directory, or ~/.config/miii/config.json.

Security

miii 0.1.5 addresses the following out of the box:

Path traversal — all file operations restricted to cwd via guardPath()
@filename references validated against cwd before reading
run_command enforces a 30-second execution timeout
Config loading whitelists allowed keys; session data validated as array

- File paths in context XML attributes properly escaped

What's next

This is early days. I'm working on:

Better model compatibility testing (Qwen2.5-Coder, DeepSeek-Coder)
Improved context window management for large codebases

- More built-in skills out of the box

18 Ways Your LLM App Can Be Hacked (And How to Fix Them)

maruakshay — Wed, 29 Apr 2026 05:47:15 +0000

You spent weeks building your LLM-powered app. You tested the happy path. Users love it.

But did you ask: what happens when someone tries to break it?

Most teams don't. And that's a problem — because LLM apps have a completely new attack surface that traditional security tools don't cover.

Here are 18 real ways attackers go after LLM systems right now.

Prompt Attacks

1. Direct Prompt Injection
User types instructions that override your system prompt. "Ignore previous instructions and..." — classic. Still works on most apps.

2. Indirect Prompt Injection
Malicious instructions hidden inside documents, emails, or web pages your LLM reads. The user never types anything. The attack comes from your data.

3. Jailbreaking
Role-playing, fictional framing, or encoded text used to bypass your safety guardrails. "Pretend you're DAN..."

4. Prompt Leaking
Attacker tricks the model into revealing your system prompt. Your carefully crafted instructions — exposed.

5. Few-Shot Injection
Attacker poisons the examples inside your prompt to shift model behavior across the entire session.

Memory & Context Attacks

6. Memory Poisoning
In apps with persistent memory, attacker plants false beliefs early. The model carries them forward forever.

7. Context Window Stuffing
Flood the context with noise to push your system instructions out. Model forgets who it's supposed to be.

8. Session Hijacking
Steal or reuse another user's conversation context. Read their history. Impersonate them.

9. Cross-Session Leakage
In multi-tenant setups, one user's data bleeds into another's context. Happens more than people admit.

RAG & Tool Attacks

10. RAG Poisoning
Inject malicious documents into your vector store. When retrieved, they manipulate the model's response.

11. Embedding Inversion
Reconstruct original text from vector embeddings. Your "anonymized" data — reconstructed.

12. Tool Abuse
LLM has access to tools (search, code exec, APIs). Attacker crafts inputs that make the model call tools it shouldn't.

13. SQL / Command Injection via LLM
Model generates queries or shell commands from user input. Classic injection — new delivery method.

Agentic & Supply Chain Attacks

14. Agent Hijacking
In multi-agent systems, one compromised agent issues malicious instructions to others. Trust boundary collapse.

15. Privilege Escalation
Agent starts with limited permissions. Attacker chains tool calls to gain broader system access step by step.

16. Model Supply Chain Attack
You download a fine-tuned model or adapter. It has backdoors baked in. You ship it to production.

17. Plugin / MCP Poisoning
Third-party plugins or MCP servers your LLM connects to are compromised. Your app becomes the delivery mechanism.

Output Attacks

18. Insecure Output Handling
LLM output rendered directly in UI without sanitization. Attacker uses the model to generate XSS payloads, malicious links, or social engineering content.

So What Do You Do?

Security for LLM apps isn't one tool. It's a mindset applied at every layer — prompts, memory, RAG, tools, agents, and output.

I built miii-security: a set of 18 SKILL.md packs that cover every category above. Each skill gives your AI system the context to review, audit, and harden LLM applications — mapped to OWASP and MITRE frameworks.

No 50-page whitepapers. No expensive consultants. Just:

npm i miii-security

Fetch a skill → apply its checks → ship safer.

👉 github.com/maruakshay/mii-ai-security
👉 npmjs.com/package/miii-security

If you're building with LangChain, LlamaIndex, OpenAI APIs, or any agentic framework — this is for you. Star the repo, open issues, tell me what I missed.

DEV Community: maruakshay

A Free Claude Code Alternative That Runs 100% on Your Machine

What miii actually does

The pain point it solves

Who it's built for

How the file context system works

Skills: custom / commands

Sessions are first-class

Security in 0.1.5

The broader miii ecosystem

Get started in 3 steps

What's next

I Built a Claude Code-Level Coding Assistant That Runs Entirely on Your Machine

What it does

Why I built this

Install

Quick start

File context with @

Built-in tools (what the model can call on its own)

Sessions

Skills — custom slash commands

Configuration

Security

- File paths in context XML attributes properly escaped

What's next

- More built-in skills out of the box

Links

18 Ways Your LLM App Can Be Hacked (And How to Fix Them)

Prompt Attacks

Memory & Context Attacks

RAG & Tool Attacks

Agentic & Supply Chain Attacks

Output Attacks

So What Do You Do?

Skills: custom `/` commands

File context with `@`