Complete reference for the audit pipeline. Start with the
main README for the quickstart; this directory is the deep
reference.
| Doc | What's inside |
|---|---|
| Architecture | The pipeline graph, data flow, and the loop logic |
| Stages | All 8 stages — inputs, outputs, schemas, models, prompts |
| CLI reference | Every command and flag: auth-check, run, status, report |
| Configuration | config/stages.yaml, environment variables, loop counts |
| Authentication | Subscription OAuth, gateways (OpenRouter), API key, scrubbing |
| Live-target reproduction | Pointing agents at a running deployment |
| Scope notes | Excluding intentional-by-design surfaces |
| State & artifacts | The SQLite schema, results/ JSONL, work/ scratch dirs |
| Programmatic API | Using the library from your own TypeScript |
| Troubleshooting | Quota, schema failures, resume, cost control |
audit runs many narrow agents instead of one big one. Recon maps the repo
and emits tightly-scoped Hunt tasks (one attack class each). Hunters look for
exactly their assigned bug and try to prove it. A different model then tries
to disprove each finding (Validate). Survivors are clustered by root cause
(Dedupe) and put through the gate that matters most — can an attacker actually
reach this sink? (Trace). Reachable bugs seed new hunts for the same pattern
elsewhere (Feedback), and only confirmed-and-reachable findings make the final
Report. Every agent output is validated against a JSON Schema, every run is
checkpointed in SQLite, and the whole thing is billed to your Claude
subscription.