
Repository Auditing and Security

The scan identifies several categories of findings:

  • Oversized files: Code files exceeding a defined line ceiling.

The freshness command lets engineers inspect the state of the cache, reporting which records are stale, new, or removed relative to the current repository tree. A stale or removed record means a cached finding no longer describes the file as it stands, so the check belongs before any validation or apply step.
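The classification the freshness command reports can be reproduced with a small cache-versus-tree comparison. The following is an added example, not the project's own code; it assumes the cache keys each record by repository-relative path and stores a SHA-256 digest of the file contents, and the sample cache and tree are constructed inline so it runs offline.

```python
"""Freshness check for an audit cache: classify cached records against the
current repository tree as stale, new, removed, or fresh.

Added example, not the project's own code.  The record format
(relative path -> sha256 hex digest of contents) is an assumption.
"""
from __future__ import annotations

import hashlib
import os
from dataclasses import dataclass, field


@dataclass
class FreshnessReport:
    stale: list[str] = field(default_factory=list)    # in both, content changed
    new: list[str] = field(default_factory=list)      # in tree, not in cache
    removed: list[str] = field(default_factory=list)  # in cache, not in tree
    fresh: list[str] = field(default_factory=list)    # in both, unchanged

    def is_current(self) -> bool:
        """True when every cached record still matches the tree exactly."""
        return not (self.stale or self.new or self.removed)


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_tree(root: str, skip_dirs: frozenset[str] = frozenset({".git"})) -> dict[str, str]:
    """Walk `root` and return {relative posix path: sha256 of contents}."""
    tree: dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d not in skip_dirs)
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                tree[rel] = sha256_bytes(fh.read())
    return tree


def classify(cache: dict[str, str], tree: dict[str, str]) -> FreshnessReport:
    """Compare a cache snapshot with the current tree, path by path."""
    report = FreshnessReport()
    for path in sorted(set(cache) | set(tree)):
        in_cache, in_tree = path in cache, path in tree
        if in_cache and not in_tree:
            report.removed.append(path)
        elif in_tree and not in_cache:
            report.new.append(path)
        elif cache[path] != tree[path]:
            report.stale.append(path)
        else:
            report.fresh.append(path)
    return report


# Constructed sample: a cache taken earlier, and the tree as it stands now.
SAMPLE_CACHE = {
    "src/app.py": sha256_bytes(b"print('v1')\n"),
    "src/old_helper.py": sha256_bytes(b"def unused(): pass\n"),
    "README.md": sha256_bytes(b"# demo\n"),
}
SAMPLE_TREE = {
    "src/app.py": sha256_bytes(b"print('v2')\n"),   # edited    -> stale
    "src/new_module.py": sha256_bytes(b"x = 1\n"),  # added     -> new
    "README.md": sha256_bytes(b"# demo\n"),         # unchanged -> fresh
    # src/old_helper.py was deleted                 -> removed
}


def demo() -> FreshnessReport:
    return classify(SAMPLE_CACHE, SAMPLE_TREE)


if __name__ == "__main__":
    r = demo()
    for label, paths in (("stale", r.stale), ("new", r.new), ("removed", r.removed)):
        for p in paths:
            print(f"{label:8s}{p}")
```

Against a real checkout, `classify(load_cache(), hash_tree("."))` gives the same report; `hash_tree` skips `.git` so that object-store churn does not register as churn in the audited files.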


To prevent false positives, particularly for destructive actions, the pipeline uses Codex as the sole external judge. The validate command sends candidate findings to Codex for judgment. Engineers can restrict validation to delete candidates with --deletes-only, which cuts the noise from high-volume, false-positive-prone “clean” findings. By default, flagged content is normalized before it is sent to Codex; the --allow-raw flag sends the raw content instead and is explicitly marked as dangerous, since it ships unprocessed repository content to an external service.
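The two switches in the validate step, the delete-only filter and the normalized-versus-raw payload, can be shown side by side. The following is an added example, not the project's own code, and the page does not describe what its normalization actually does: the redaction patterns, the size cap, the `Finding` fields and the request shape below are all assumptions chosen to illustrate why sending raw content to an external judge is the dangerous option. The sample findings are constructed.

```python
"""Build judge requests for the validate step: optionally restrict to delete
candidates and, unless raw mode is requested, normalize flagged content
before it leaves the repository.

Added example, not the project's own code.  Redaction rules, size cap,
finding fields and request shape are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Credential-shaped strings that have no bearing on "is this dead code?" and
# should not be shipped to an external judge.  Coarse on purpose: a dead-code
# judgment survives over-redaction, while a leaked key does not come back.
SECRET_PATTERNS = [
    re.compile(r"AKIA[0-9A-Z]{16}"),                                   # AWS access key id
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S),
    re.compile(r"(?i)([a-z_]*(?:key|secret|token|password))(\s*[:=]\s*)\S+"),  # key=value
]
MAX_CHARS = 4000  # assumed cap on content sent per finding


@dataclass
class Finding:
    path: str
    action: str   # "delete" or "clean"
    content: str  # the flagged content


def normalize(content: str) -> str:
    """Redact credential-shaped strings, drop control characters, cap length."""
    out = content
    for pat in SECRET_PATTERNS:
        if pat.groups:  # key=value form: keep the key name, drop the value
            out = pat.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", out)
        else:
            out = pat.sub("[REDACTED]", out)
    out = "".join(ch for ch in out if ch.isprintable() or ch in "\n\t")
    if len(out) > MAX_CHARS:
        out = out[:MAX_CHARS] + f"\n...[truncated {len(out) - MAX_CHARS} chars]"
    return out


def build_judge_requests(findings: list[Finding], *, deletes_only: bool = False,
                         allow_raw: bool = False) -> list[dict[str, object]]:
    """Select findings for validation and shape what the external judge sees.

    deletes_only mirrors --deletes-only; allow_raw mirrors --allow-raw and
    bypasses normalize(), so each request records whether it is raw.
    """
    requests: list[dict[str, object]] = []
    for f in findings:
        if deletes_only and f.action != "delete":
            continue
        body = f.content if allow_raw else normalize(f.content)
        requests.append({"path": f.path, "action": f.action,
                         "content": body, "raw": allow_raw})
    return requests


# Constructed sample findings; the credential values are made up.
SAMPLE_FINDINGS = [
    Finding("src/legacy/export.py", "delete",
            "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMIK7MDENGbPxRfiCYEXAMPLEKEY\n"
            "def export(): ...\n"),
    Finding("src/util.py", "clean", "import os  # unused\nimport sys\n"),
    Finding("config/keys.py", "delete", "API_KEY = 'AKIA000000000EXAMPLE'\n"),
]


if __name__ == "__main__":
    for req in build_judge_requests(SAMPLE_FINDINGS, deletes_only=True):
        print(req["path"], "raw" if req["raw"] else "normalized")
        print(req["content"])
```

Run with `allow_raw=True` the first request carries the secret verbatim, which is the exposure the dangerous marking on --allow-raw is warning about; with the default, the judge still sees enough structure to decide whether `export.py` is dead.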

The validation process also includes a “sweep” phase in which Codex evaluates the whole repository context to catch missed cleanup opportunities and false deletions. Results are written to the audit database, which updates the status of each finding and records the sweep metadata. The status command summarizes the audit: cache hit rates, backend availability, and the distribution of findings by action type.

The apply command performs cleanup operations (deletion or cleaning) only after human approval and verification. It works in a disposable worktree, so the main repository tree is not modified until the operation has been verified. By default apply is a dry-run; the --execute flag performs the actual changes. The --required-only flag restricts verification to the precommit checks.
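The gating described for apply, dry-run unless asked to execute, changes staged in a disposable tree and verified there, and the main tree touched only after verification passes, is shown below as an added example that is not the project's own code. The page's tool uses a git worktree; this example copies the tree into a temporary directory instead so it runs without git, and the operation format, the `verify_parses` stand-in for the precommit checks, and the sample tree are assumptions constructed for the demonstration.

```python
"""Apply step: plan cleanup operations, stage them in a disposable copy of
the tree, verify there, and modify the real tree only when execute=True and
verification passed.

Added example, not the project's own code.  A temp-dir copy stands in for
the tool's git worktree; operations and the verify hook are assumptions.
"""
from __future__ import annotations

import ast
import shutil
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Callable


@dataclass
class Operation:
    path: str
    action: str                      # "delete" or "clean"
    new_content: str | None = None   # for "clean": replacement file text


@dataclass
class ApplyResult:
    executed: bool
    verified: bool
    planned: list[str] = field(default_factory=list)
    log: list[str] = field(default_factory=list)


def _perform(root: Path, ops: list[Operation], log: list[str]) -> None:
    """Carry out the operations inside `root`, refusing paths that escape it."""
    base = root.resolve()
    for op in ops:
        target = (root / op.path).resolve()
        if base not in target.parents:
            raise ValueError(f"refusing path outside tree: {op.path}")
        if op.action == "delete":
            target.unlink()
            log.append(f"deleted {op.path}")
        elif op.action == "clean":
            target.write_text(op.new_content or "")
            log.append(f"cleaned {op.path}")
        else:
            raise ValueError(f"unknown action {op.action!r}")


def apply(root: Path, ops: list[Operation], verify: Callable[[Path], bool],
          *, execute: bool = False) -> ApplyResult:
    """Dry-run by default; with execute=True stage, verify, then apply."""
    result = ApplyResult(executed=False, verified=False,
                         planned=[f"{o.action} {o.path}" for o in ops])
    if not execute:
        result.log.append("dry-run: no changes made")
        return result
    with tempfile.TemporaryDirectory() as tmp:
        staging = Path(tmp) / "worktree"          # disposable copy of the tree
        shutil.copytree(root, staging)
        _perform(staging, ops, result.log)
        result.verified = verify(staging)
        if not result.verified:
            result.log.append("verification failed in staging; main tree untouched")
            return result
    _perform(root, ops, result.log)               # only after staging passed
    result.executed = True
    return result


def verify_parses(tree: Path) -> bool:
    """Stand-in for the precommit checks: every .py in the tree must parse."""
    for py in tree.rglob("*.py"):
        try:
            ast.parse(py.read_text())
        except SyntaxError:
            return False
    return True


def make_sample_tree(root: Path) -> None:
    """Constructed repository: one live module, one dead one."""
    (root / "src").mkdir(parents=True)
    (root / "src" / "app.py").write_text("import os\nimport sys\nprint(sys.argv)\n")
    (root / "src" / "dead.py").write_text("def unused():\n    return 1\n")


def demo(execute: bool, break_it: bool) -> tuple[ApplyResult, list[str]]:
    """Run apply on a fresh sample tree; return the result and surviving files."""
    good = "import sys\nprint(sys.argv)\n"
    bad = "import sys\nprint(sys.argv\n"   # unbalanced paren: verification must fail
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "repo"
        make_sample_tree(root)
        ops = [Operation("src/dead.py", "delete"),
               Operation("src/app.py", "clean", bad if break_it else good)]
        result = apply(root, ops, verify_parses, execute=execute)
        remaining = sorted(p.relative_to(root).as_posix() for p in root.rglob("*.py"))
    return result, remaining
```

The path check in `_perform` matters because the plan comes from an earlier, possibly stale, scan: a record such as `../other-repo/x.py` must never be acted on, in staging or in the real tree.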