Repository Auditing and Security
AI-Cached Metadata and Classification
The scan identifies several categories of findings:
- Oversized files: code files exceeding a defined line ceiling.
The freshness command lets engineers inspect the state of the cache, reporting which records are stale, new, or removed relative to the current repository tree.
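The freshness check described above, as an added example that is not the project's own code: it keys each cached record on a content hash (an assumption; the page does not say what the real cache stores) and classifies every path as fresh, stale, new, or removed by comparing the cache against the current tree. The sample cache and tree are constructed inline.

```python
import hashlib
import tempfile
from dataclasses import dataclass, field
from pathlib import Path


def content_hash(data: bytes) -> str:
    """SHA-256 of the file bytes. Hashing content rather than mtime means a
    touched-but-unchanged file stays fresh and an edited file is always stale."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class FreshnessReport:
    fresh: list[str] = field(default_factory=list)    # cache matches the tree
    stale: list[str] = field(default_factory=list)    # file changed since it was cached
    new: list[str] = field(default_factory=list)      # in the tree, never cached
    removed: list[str] = field(default_factory=list)  # cached, no longer in the tree


def classify_cache(cache: dict[str, str], tree: dict[str, bytes]) -> FreshnessReport:
    """Compare cached records (path -> content hash) with the current tree (path -> bytes)."""
    report = FreshnessReport()
    for path in sorted(set(cache) | set(tree)):
        if path not in tree:
            report.removed.append(path)
        elif path not in cache:
            report.new.append(path)
        elif cache[path] != content_hash(tree[path]):
            report.stale.append(path)
        else:
            report.fresh.append(path)
    return report


def build_tree(root: Path) -> dict[str, bytes]:
    """Snapshot a checkout as relative POSIX paths -> bytes (directories like .git skipped)."""
    tree: dict[str, bytes] = {}
    for p in root.rglob("*"):
        if p.is_file() and ".git" not in p.parts:
            tree[p.relative_to(root).as_posix()] = p.read_bytes()
    return tree


# Constructed sample data: one unchanged file, one edited file, one never-cached
# file, and one cached record whose file has been deleted from the tree.
SAMPLE_TREE = {
    "src/app.py": b"print('hi')\n",
    "src/util.py": b"def f(): return 1\n",
    "README.md": b"# demo\n",
}
SAMPLE_CACHE = {
    "src/app.py": content_hash(b"print('hi')\n"),
    "src/util.py": content_hash(b"def f(): return 0\n"),   # cached before the edit
    "old/legacy.py": "0" * 64,                              # file no longer exists
}


def demo_report() -> FreshnessReport:
    return classify_cache(SAMPLE_CACHE, SAMPLE_TREE)


def demo_from_disk() -> FreshnessReport:
    """Same classification, but building the tree from a real (temporary) checkout."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for rel, data in SAMPLE_TREE.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        return classify_cache(SAMPLE_CACHE, build_tree(root))


if __name__ == "__main__":
    r = demo_report()
    print(f"fresh={r.fresh} stale={r.stale} new={r.new} removed={r.removed}")
```

Stale and removed records are the ones that matter for safety: a cleanup decision made from a stale record describes a file that no longer looks like that, so a real pipeline should refuse to act on findings whose cache entry is not fresh.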
LLM Validation and Baseline Management
To prevent false positives, particularly for destructive actions, the pipeline uses Codex as the sole external judge. The validate command sends candidate findings to Codex for judgment. Engineers can restrict validation to delete candidates with --deletes-only, which reduces noise from the high-volume, false-positive-prone “clean” findings. By default, flagged content is normalized before being sent to Codex; the --allow-raw flag permits sending raw content instead, and is explicitly marked as dangerous.
The validation process includes a “sweep” phase in which Codex evaluates the entire repository context to identify missed cleanup opportunities or false deletions. The results are saved to the audit database, updating the status of each finding and recording the sweep metadata. The status command provides a summary of the audit, including cache hit rates, backend availability, and the distribution of findings by action type.
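An added example of the validate step's input gating, not the project's own code: it applies the --deletes-only filter and builds the batch that would be handed to the external judge. The page does not say what “normalized” means, so the normalization here (redacting secret-looking assignments and capping snippet length) is an assumption chosen to show why sending raw content to an external model is flagged as dangerous. The findings are constructed samples.

```python
import re
from dataclasses import dataclass

# Assumed normalization rule: mask values assigned to secret-looking names.
SECRET_ASSIGN_RE = re.compile(
    r'(?i)([a-z_]*(?:password|passwd|secret|token|api_?key))(\s*[:=]\s*)(["\']?)([^"\'\s]+)\3'
)
MAX_SNIPPET = 2000  # assumed cap on what is sent per finding


@dataclass
class Finding:
    path: str
    action: str   # e.g. "delete" or "clean"
    reason: str
    content: str  # flagged file content


def normalize(content: str) -> str:
    """Redact secret-like values and truncate before the content leaves the repo."""
    redacted = SECRET_ASSIGN_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}<REDACTED>", content)
    if len(redacted) > MAX_SNIPPET:
        dropped = len(redacted) - MAX_SNIPPET
        redacted = redacted[:MAX_SNIPPET] + f"\n... [truncated {dropped} chars]"
    return redacted


def prepare_judge_batch(findings: list[Finding], deletes_only: bool = False,
                        allow_raw: bool = False) -> list[dict]:
    """Select the findings to send and shape each into a judge request.

    deletes_only mirrors --deletes-only; allow_raw mirrors --allow-raw and is
    recorded on every payload so the audit trail shows raw content was exported."""
    selected = [f for f in findings if not deletes_only or f.action == "delete"]
    return [
        {
            "path": f.path,
            "action": f.action,
            "reason": f.reason,
            "content": f.content if allow_raw else normalize(f.content),
            "raw": allow_raw,
        }
        for f in selected
    ]


# Constructed findings: a delete candidate containing a credential, and a noisy
# "clean" candidate of the kind --deletes-only is meant to drop.
SAMPLE_FINDINGS = [
    Finding("config/settings.py", "delete", "module has no importers",
            'DB_PASSWORD = "hunter2"\nDEBUG = True\n'),
    Finding("src/util.py", "clean", "trailing whitespace",
            "def f():   \n    return 1\n"),
]


if __name__ == "__main__":
    for payload in prepare_judge_batch(SAMPLE_FINDINGS, deletes_only=True):
        print(payload["path"], "->", payload["content"].splitlines()[0])
```

With the defaults the judge sees `DB_PASSWORD = <REDACTED>`; only an explicit --allow-raw equivalent ships the literal value, and the `raw` field makes that choice visible when the results are written back to the audit database.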
Security Scanning and Gate Management
Safe Cleanup and Application
The apply command executes cleanup operations (deletion or cleaning) only after human approval and verification. It operates in a disposable worktree so that the main repository tree is not modified until the operation has been verified. The --execute flag triggers the actual application; the default behavior is a dry run. The --required-only flag restricts verification to the precommit checks.