Auto Code Inspector: Python-first code audit and structure inspection
Project description
ACI
Auto Code Inspector.
ACI (Auto Code Inspector) is a Python-first code audit and structure inspection tool.
Install from PyPI with pip install ac-inspector; run scans with the aci CLI.
pip install ac-inspector
aci scan --target .
What is this
ACI is a Python code inspection tool focused on cross-file structure:
- Native static detectors — 17 detectors covering god classes, spaghetti code, duplicate code, scattered constants, interface drift, resource leaks, exception swallowing, and more (full list in
docs/CI_REFERENCE.md) - External analyzer lane — integrates ruff, pyflakes, mypy, pytest, semgrep, eslint, tsc, shellcheck, and sqlfluff when installed and applicable
- Cataloged opt-in security analyzers — tracks
codeql,gitleaks,osv-scanner, andtrivyas availability-only lanes until a consuming repository wires them locally - Optional domain packs — add project-specific vocabulary and exclusion rules without touching core
ACI provides a normalized finding format, configurable severity gate, suppression/baseline/waiver contract, SARIF and annotation output, and a machine-readable report schema.
Exhaustive scans can now be projected into first-class report views by
scope_class and owner_lane, so runtime, tests, fixtures, docs, and support
shelves can be triaged without post-processing.
The common shelf now also ships a bounded scale-check surface plus continuous
CI verification on Linux, Windows, and macOS.
Product-boundary claim for this common shelf: ACI is a Python-first
native audit tool with polyglot text-scan and external-analyzer evidence lanes,
not a language-general native structural auditor. See
shared/core/aci-product-boundary-and-coverage-policy.md.
The scan CLI supports four scope presets:
source-only- default; excludes common non-runtime shelves such asdocs/,examples/,fixtures/, and scratch/output shelvesdogfood- focuses on common source + test shelves for self-auditself-audit- dedicated ACI self-audit surface for runtime code, tests, maintainer probes, and roadmap evidencefull-repo- scans the full tree, but blocker decisions stay limited toruntime-sourcefindings
What this is not
- Not a single-project-only repository
- Not the project-local runtime gate itself
- Not the final owner of DB writeback or operator workflow
Components
| Component | Role |
|---|---|
shared/core/ |
generic inspection catalog and tool contract |
shared/python/ |
loader, finding helper, signal/profile/wording helper |
domains/ |
optional domain packs |
shared/runtime/ |
quickstart and runtime binding guidance |
shared/report/ |
report contract and public samples |
Language Support
ACI is Python-first. Be aware of the scope before adopting:
| Lane | Languages | Notes |
|---|---|---|
| Native static detectors | Python | All 17 native CI-ID detectors parse Python (AST). This is the only language with full native coverage. |
| Language-agnostic text scans | supported text/code files | A few detectors are text-based rather than Python-AST-based: plaintext-secret and insecure-HTTP (CI-14), and TODO/FIXME/HACK markers (CI-03). Supported suffixes include .py, .js, .jsx, .ts, .tsx, .go, .rs, .java, .cs, .kt, .kts, .sh, .bash, .sql, .tf, .hcl, .md, .txt, .toml, .yml, .yaml, and .json, plus Dockerfile / Containerfile. |
| External analyzers (opt-in) | Python, JS/TS, Shell, SQL, polyglot source | ruff / pyflakes / mypy / pytest (Python); semgrep (bundled baseline polyglot rules); eslint, tsc (JS/TS); shellcheck (Shell); sqlfluff (SQL). full, build-preflight, and build-review automatically run the analyzers that match files/config found in the target; quick-gate keeps the lighter Python pair (ruff, pyflakes). TypeScript type checking via tsc requires a tsconfig.json in the target root. |
Non-Python codebases do not get the Python-native structure detectors. They can still use the supported text scans plus any applicable external analyzers.
Product Boundary
The completed common-shelf product claim is intentionally bounded:
- Python gets the full native structural lane
- non-Python files get text scans plus applicable external analyzers
CI-08,CI-11, andCI-24remain human-judgment-only- deep security analyzers such as
codeql,gitleaks,osv-scanner, andtrivystay opt-in/cataloged until the common shelf owns execution-ready adapters CI-19is only substantively complete when a downstream domain pack provides its vocabulary and tests- CI-14 supply-chain drift currently covers only
requirements*.txt,package.json,Dockerfile/Containerfile, and GitHub workflowuses:refs
This boundary is defined canonically in shared/core/aci-product-boundary-and-coverage-policy.md.
Relationship to ruff and other single-file linters
ACI complements a fast single-file linter like ruff; it is not a replacement.
- ACI's unique value is cross-file and structural analysis a single-file linter cannot do: duplicate / near-duplicate code across files (CI-05), low-cohesion god classes via LCOM (CI-04), constants/numbers scattered across files (CI-20, CI-06), interface/contract drift (CI-23), and the dataflow/cross-file parts of CI-14/CI-22/CI-25.
- For single-file lint signals, prefer ruff — it already covers broad-except
(CI-21 ≈ ruff BLE), TODO markers (CI-03 ≈ TD/FIX), too-many-arguments
(CI-18 ≈ PLR0913),
globalmutation (CI-26 ≈ PLW0603), and most complexity (CI-02 ≈ C901). When ACI's external lane runs ruff, ACI automatically drops the duplicate native finding so you are not double-reported.
Recommended setup: run ruff for fast single-file lint, and ACI for the cross-file / structural layer on top.
3-Minute Evaluation
To scan a project right away, follow docs/QUICKSTART.md.
For a first look on GitHub, start here:
docs/QUICKSTART.mddocs/CI_REFERENCE.mdshared/core/aci-product-boundary-and-coverage-policy.mddocs/USER_EVALUATION_INDEX.mddocs/ACI_SHELF_CLASSIFICATION.md
Minimum smoke check:
python shared/python/aci_cli.py smoke
Public sample reports are in shared/report/examples/.
Triage guide is in shared/report/README.md and shared/report/aci-generic-report-contract.md.
Maintainer mode selection is in docs/MAINTAINER_SCAN_MODE_RUNBOOK.md.
Advisory-only non-runtime triage flow is in docs/NON_RUNTIME_TRIAGE_WORKFLOW.md.
Contributor hook and verification workflow is in docs/CONTRIBUTOR_WORKFLOW.md.
Generic baseline/suppression/waiver contract is in shared/core/aci-baseline-suppression-waiver-contract.md.
Analyzer catalog bounded contract is in shared/core/aci-analyzer-registry-contract.md.
Profile catalog bounded contract is in shared/core/aci-profile-execution-contract.md.
Downstream adoption bounded contract is in shared/core/aci-downstream-adoption-contract.md.
Analyzer execution bounded contract is in shared/core/aci-analyzer-execution-contract.md.
Setup
1. Try the common shelf first
python shared/python/aci_cli.py smoke
python shared/python/aci_cli.py show-analyzer-catalog
python shared/python/aci_cli.py show-profile-catalog
python shared/python/aci_cli.py show-analyzer-availability
python shared/python/aci_cli.py show-profile-execution-plan
Maintainers who want the continuously verified Python analyzer set should install:
python -m pip install -r requirements-dev-analyzers.txt
python shared/python/aci_cli.py emit-github-summary --report report.json
python shared/python/aci_cli.py installed-package-check
python shared/python/aci_cli.py self-audit-check
This smoke check verifies only:
aci core only(domain packs are optional — load with--domain <id>)- normalized finding emission
For full install verification (automation-smoke, fixture-check, installed-package-check), see shared/runtime/aci-ci-and-automation-contract.md.
For the dedicated ACI self-audit surface, see shared/runtime/aci-self-audit-contract.md.
For scale budgets and multi-OS verification, see shared/runtime/aci-scale-and-platform-contract.md.
2. Next reading
-
docs/CONFIGURATION.md -
docs/USER_EVALUATION_INDEX.md -
shared/runtime/aci-cli-and-config-contract.md -
shared/runtime/aci-ci-and-automation-contract.md -
shared/runtime/aci-fixture-suite-contract.md -
shared/runtime/aci-installed-package-verification-contract.md -
shared/core/aci-analyzer-registry-contract.md -
shared/core/aci-profile-execution-contract.md -
shared/core/aci-analyzer-execution-contract.md -
docs/ACI_DOWNSTREAM_ADOPTION_PACKET.md
Shelves
shared/python/: shared code for generic signals, profiles, and wording; paths, side-program terms, and surfaces are placeholders to be substituted per project- domain pack selector helper:
shared/python/aci_domain_loader.py - external analyzer catalog:
shared/python/aci_analyzers.py - profile catalog:
shared/python/aci_profile_catalog.py
- domain pack selector helper:
shared/core/: domain-independent core inspection catalog and contractsdomains/: location for optional domain packsshared/runtime/: responsible shelf for project-local runtime binding; also holds runtime/operator-facing boundary constantsshared/report/: responsible shelf for owner-facing report contracts
Public File Structure
The only surfaces a user needs to be aware of initially:
README.mdshared/core/shared/python/shared/runtime/shared/report/domains/
Generic vs. Non-Generic Boundary
- generic
ACIcanonical shelf:shared/core/shared/python/shared/runtime/shared/report/
- non-generic:
domains/<domain>/(domain pack body and bridge documents)
- classification list:
docs/ACI_SHELF_CLASSIFICATION.md
Optional Domain Packs
aci core only- generic core only
aci + <domain>- optional domain-specific vocabulary and bridge docs; added in the same pack shape
Entry point for domain packs is domains/README.md.
Standalone Repo View
- current physical home is this repository root
- public-facing commands and file paths in this shelf are written repo-relative
- keep
README.md,shared/, anddomains/at the repo root
Packaging and Install Proof
Package metadata and packaged CLI entrypoint: pyproject.toml.
Installed-package proof surface: shared/runtime/aci-installed-package-verification-contract.md.
Editable install proof surface: shared/runtime/aci-editable-install-proof-contract.md.
Built wheel proof surface: shared/runtime/aci-built-wheel-install-proof-contract.md.
Source distribution proof surface: shared/runtime/aci-source-distribution-proof-contract.md.
Usage
- substitute placeholders in the generic code with project-specific paths, scopes, and surfaces to create a runtime copy
- bring in templates from
shared/runtime/templates/andshared/report/templates/ - replace only the project-specific paths, scopes, surfaces, and result writeback targets
- verify expected behavior against samples in
shared/report/examples/
Downstream Adoption
Carry/customize boundary for downstream maintainers: docs/ACI_DOWNSTREAM_ADOPTION_PACKET.md.
Repository Community Files
SUPPORT.md.github/ISSUE_TEMPLATE/.github/PULL_REQUEST_TEMPLATE.md.github/CODEOWNERS
Rules for the Generic Shelf
- Do not assume specific project import paths
- Do not hardcode specific project or tool names in signal rules
- Do not place operational artifacts such as current registers, operator manuals, or validation results
What Not to Write
- project-specific current registers
- project-specific operator manuals
- project-specific validation records
Return Point
- To return to the entry point of this shelf:
README.md - When reading as a standalone repo, start from this
README.md
Domain Pack Bridge Documents
Bridge documents under domains/<domain>/ are not part of the generic ACI canonical shelf.
They contain domain-specific vocabulary and integration rules and are maintained by the domain pack owner.
See domains/README.md for the list of available domain packs.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file ac_inspector-0.1.8.tar.gz.
File metadata
- Download URL: ac_inspector-0.1.8.tar.gz
- Upload date:
- Size: 92.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
fb02c081a2061a5014147858d8a6c3b8e0e30b0911e972aefb60f9d17ac65f52
|
|
| MD5 |
d918272ecc019c6b2ebf9c59e3df0324
|
|
| BLAKE2b-256 |
128564134eea82080e6642c93e3066e36d6d459aaaa08b4ecdf653816fd67f8e
|
Provenance
The following attestation bundles were made for ac_inspector-0.1.8.tar.gz:
Publisher:
ci.yml on maruwork/aci
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
ac_inspector-0.1.8.tar.gz -
Subject digest:
fb02c081a2061a5014147858d8a6c3b8e0e30b0911e972aefb60f9d17ac65f52 - Sigstore transparency entry: 1856711694
- Sigstore integration time:
-
Permalink:
maruwork/aci@1bfd8fb6617943dcf2082b23521ece04d043166c -
Branch / Tag:
refs/tags/v0.1.8 - Owner: https://github.com/maruwork
-
Access:
private
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
ci.yml@1bfd8fb6617943dcf2082b23521ece04d043166c -
Trigger Event:
push
-
Statement type:
File details
Details for the file ac_inspector-0.1.8-py3-none-any.whl.
File metadata
- Download URL: ac_inspector-0.1.8-py3-none-any.whl
- Upload date:
- Size: 122.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
934e3c7a4f323511f7df1cb4beab4721bb8d783cc568df1a8ab4dd18b399bcb7
|
|
| MD5 |
70aa3f78d806f222534fc83d223f318b
|
|
| BLAKE2b-256 |
b229f276165765ba0b10947125151c2104e4f9c4397ebb1614f582f754c8dbdc
|
Provenance
The following attestation bundles were made for ac_inspector-0.1.8-py3-none-any.whl:
Publisher:
ci.yml on maruwork/aci
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
ac_inspector-0.1.8-py3-none-any.whl -
Subject digest:
934e3c7a4f323511f7df1cb4beab4721bb8d783cc568df1a8ab4dd18b399bcb7 - Sigstore transparency entry: 1856711828
- Sigstore integration time:
-
Permalink:
maruwork/aci@1bfd8fb6617943dcf2082b23521ece04d043166c -
Branch / Tag:
refs/tags/v0.1.8 - Owner: https://github.com/maruwork
-
Access:
private
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
ci.yml@1bfd8fb6617943dcf2082b23521ece04d043166c -
Trigger Event:
push
-
Statement type: