Six stages. One quiet hour.
Everything below the form happens automatically between your $10 payment and the email landing in your inbox. You don’t need to keep a tab open. If anything fails, the charge is refunded.
- 01 Clone
Shallow git clone into a tmpfs scratch directory under a sandboxed unprivileged user. The process can't write outside that scratch, can't gain capabilities, can't open raw sockets, and can't execute /tmp.
audit-pipeline/src/clone.js · single shallow clone, depth=1
- 02 Filter
Drop vendor, build artifacts, lockfiles, minified assets, generated code, binary content, and anything over the per-file size cap. Hard caps applied: 200 MB clone, 5,000 files post-filter, 150k LOC post-filter.
audit-pipeline/src/filter.js · 60+ exclusion patterns
- 03 Triage
Claude Haiku reads the file tree and ranks every remaining file by importance — entry points, public APIs, security-sensitive surfaces. A heuristic fallback handles rate-limit errors so triage never blocks the run.
audit-pipeline/src/triage.js
- 04 Skim
Claude Sonnet reads the ranked files within a ~150k token budget and produces structured findings, an executive grade, top risks, top actions, and an architecture sketch. JSON-mode output.
audit-pipeline/src/skim-pass.js
- 05 Ground
Every finding ships with a file:line citation. We open the cited file and verify the citation resolves. Findings whose citations don't ground are dropped — hallucinated bugs never make it to your report.
audit-pipeline/src/grounding.js
- 06 Render
Self-contained HTML report. Last-line-of-defense secret scrubber masks AWS / GitHub / Stripe / OpenAI / Anthropic keys etc. before render. The clone is wiped, an HMAC-SHA256 deletion receipt is signed, and both the report and the receipt are emailed.
audit-pipeline/src/render.js · audit-pipeline/src/scrubber.js
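
The Ground stage can be sketched as follows. This is an added example, not the contents of the service's grounding.js. The function names, the `{ id, citation }` finding shape and the containment check (model-written paths are treated as untrusted and must stay inside the clone root) are assumptions.

```javascript
// Added example: ground LLM findings against the cloned tree (hypothetical helper names).
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Parse "path/to/file.js:42" into { file, line }; returns null on malformed input.
function parseCitation(citation) {
  const m = /^(.+):(\d+)$/.exec(String(citation));
  if (!m) return null;
  const line = Number(m[2]);
  return line >= 1 ? { file: m[1], line } : null;
}

// A citation grounds only if it names a regular file inside root and the line exists.
function citationGrounds(root, citation) {
  const parsed = parseCitation(citation);
  if (!parsed) return false;
  let realRoot, realFile;
  try {
    realRoot = fs.realpathSync(root);
    realFile = fs.realpathSync(path.resolve(realRoot, parsed.file));
  } catch {
    return false; // cited file does not exist
  }
  // Model output is untrusted: reject ../ traversal and symlinks that leave the clone.
  if (!realFile.startsWith(realRoot + path.sep)) return false;
  if (!fs.statSync(realFile).isFile()) return false;
  const lines = fs.readFileSync(realFile, 'utf8').split('\n');
  if (lines.length > 1 && lines[lines.length - 1] === '') lines.pop(); // trailing newline
  return parsed.line <= lines.length;
}

const groundFindings = (root, findings) =>
  findings.filter((f) => citationGrounds(root, f.citation));

// Constructed sample: a one-file "clone" and four findings, only one of which grounds.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'ground-'));
  fs.mkdirSync(path.join(root, 'src'));
  fs.writeFileSync(path.join(root, 'src', 'auth.js'), 'a\nb\nc\n');
  const findings = [
    { id: 'F1', citation: 'src/auth.js:2' },      // resolves
    { id: 'F2', citation: 'src/auth.js:40' },     // line past end of file
    { id: 'F3', citation: 'src/session.js:1' },   // file does not exist
    { id: 'F4', citation: '../../etc/passwd:1' }, // resolves outside the clone root
  ];
  const kept = groundFindings(root, findings).map((f) => f.id);
  fs.rmSync(root, { recursive: true, force: true });
  return kept;
}
```
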
One repo. One email. Ten dollars.
Curious what comes back? See a sample report or run one against a repo you already know.