Maintainability gate and AI remediation prompt generator for CI.
Project description
Maintainability Agent
A deterministic CI gate + bounded remediation prompt generator for repos that use AI coding agents (Claude, Codex, Cursor, Copilot, Windsurf, …).
Why this exists
AI-written code fails in recognizable ways: speculative refactors, duplicated helpers, broad rewrites for narrow bugs, stale comments that sound confident, tests that assert implementation details instead of behavior, architecture drift across modules. SonarQube / CodeClimate / Qlty / ESLint / Ruff / Radon all catch some of this. None of them ship a bounded prompt back to the agent that says "fix only these specific findings, do not refactor outside this scope."
That's the point of this tool:
- Run a deterministic local audit — file size, function size, approximate cyclomatic complexity, duplication, configurable risk patterns, ISO/IEC 25010-inspired 0–5 score.
- Emit Markdown, JSON, SARIF, a PR comment, and a baseline for incremental adoption.
- Generate an AI remediation prompt scoped to the actual findings — bounded, with explicit "don't rewrite the codebase" rules.
- Hand that prompt to your agent. Get a small, reviewable fix instead of a 600-line speculative cleanup PR.
The remediation prompt is the differentiator. Every other tool in this space stops at "here's a list of findings."
Who it's for
- Teams running AI agents in the dev loop who are tired of unbounded agent rewrites and want a CI gate that actively constrains follow-up scope.
- Repos that want a maintainability gate without paying for SonarQube / CodeClimate / Qlty or sending code to a third party.
- Solo devs who want a single-binary deterministic audit they can pin in a Makefile, a pre-commit, or a local CI script.
Design principles
- Deterministic first, AI optional. The audit never calls an LLM by default. The remediation prompt is a generated artifact that you choose to hand to an agent.
- Bounded scope. The remediation prompt explicitly tells the agent to fix the listed findings only — not to embark on architecture cleanup.
- No vendor lock-in. All outputs (Markdown, JSON, SARIF, PR comment) are plain files. Pair this tool with mature analyzers (ESLint, Ruff, Radon, Semgrep, SonarQube, Qlty/Code Climate) — don't replace them.
- Pass-the-cost-of-disclosure. A finding that's "just a warning" never blocks CI alone. Hard gates are configurable + opt-in.
See docs/philosophy.md for the longer version.
Self-Audit
This repo eats its own dogfood — the tool is run against this codebase as part of CI, and the latest report is checked in at docs/self-audit.md:
| Metric | Value |
|---|---|
| Overall score | 5.0 / 5 (A+) |
| File warnings | 0 |
| Function warnings | 0 |
| Duplicate blocks | 0 |
| Risk findings | 0 |
| Hard gate failures | 0 |
All five ISO/IEC 25010 categories (modularity, reusability, analyzability, modifiability, testability) score 5.0. Regenerate with maintainability-agent --config maintainability-agent.json --output docs/self-audit.md (see the file's preamble for the path-sanitization step).
Install
Run directly from source:
python3 -m maintainability_audit \
--root . \
--config maintainability-agent.json \
--output maintainability-report.md
Or install editable during development:
python3 -m pip install -e .
maintainability-audit --root . --config maintainability-agent.json
maintainability-agent --root . --config maintainability-agent.json
Quick Start
Copy the example config to your repo root as maintainability-agent.json:
cp maintainability-audit.example.json maintainability-agent.json
Run:
maintainability-agent \
--config maintainability-agent.json \
--format markdown \
--output maintainability-report.md
Fail CI on hard gates:
maintainability-agent \
--config maintainability-agent.json \
--fail-on-gate \
--output maintainability-report.md \
--prompt-output maintainability-remediation-prompt.md \
--comment-output maintainability-pr-comment.md
What It Analyzes
The deterministic scanner reads code from your repo (no LLM calls) and produces signals on:
- largest files (warn / fail thresholds configurable per-repo)
- approximate function/class size
- approximate cyclomatic complexity
- duplicate blocks (≥ N consecutive non-trivial lines, configurable)
- configurable risk patterns (regex matchers — TODO/FIXME,
eval(,exec(, custom) - expected files present (README, LICENSE, etc. — opt-in hard gate)
- expected test/lint commands declared in the config (opt-in hard gate)
- worktree-clean state at audit time (opt-in hard gate)
- ISO/IEC 25010-inspired 0–5 score per category + overall letter grade
The analyzer is intentionally conservative and dependency-free. Mature repos should pair this with native tools (ESLint, Ruff, Radon, Semgrep, SonarQube, Qlty / Code Climate) — not replace them. SARIF input from those tools can be folded into this tool's report via --sarif-input.
What It Produces
Each run can emit any combination of:
maintainability-report.md— the full Markdown report with summary, score, hotspots, duplicates, risk findings, external (SARIF) findings.maintainability-remediation-prompt.md— bounded AI prompt scoped to the run's findings.maintainability-pr-comment.md— short body suitable for agh pr commentpost.maintainability.sarif— SARIF 2.1.0 output for GitHub Code Scanning ingestion.maintainability-baseline.json— fingerprints of current findings, for--fail-on-newincremental adoption.- Per-tool agent instruction files (
AGENTS.md,CLAUDE.md,.cursor/rules/maintainability.mdc,.github/copilot-instructions.md,.windsurf/rules/maintainability.md,AI-MAINTAINABILITY.md) via--init-agent-standards.
AI Remediation Prompt
The runner can generate a bounded prompt for a human developer to give to Claude, Codex, or another coding assistant:
maintainability-agent \
--config maintainability-agent.json \
--output maintainability-report.md \
--prompt-output maintainability-remediation-prompt.md
The prompt is designed for AI-written or AI-assisted code reviews. It tells the assistant to:
- fix only the highest-value maintainability issues
- keep the patch small and reviewable
- preserve existing architecture and behavior
- add tests where behavior changes
- report false positives instead of rewriting blindly
This makes the CI artifact actionable without letting the audit turn into an unbounded refactor request.
PR and Baseline Workflows
PR-only audits, baseline grandfathering, AI-agent instruction generation, and reusable agent-standard file generation are covered in PR and Baseline Workflows.
Running Tests
# Sandbox-friendly invocation (works with PYTEST_DISABLE_PLUGIN_AUTOLOAD=1):
PYTHONPATH=src python3 -m pytest
# With coverage gate (matches CI):
PYTHONPATH=src python3 -m pytest \
--cov=maintainability_audit --cov-fail-under=92
# With ruff lint + pip-audit (matches CI):
python3 -m pip install -e ".[dev]"
ruff check src tests
pip-audit
PYTHONPATH=src python3 -m pytest --cov=maintainability_audit --cov-fail-under=92
Coverage is intentionally NOT in [tool.pytest.ini_options].addopts so the
sandbox-friendly invocation (PYTEST_DISABLE_PLUGIN_AUTOLOAD=1) doesn't choke
on --cov flags it can't load. Pass coverage flags explicitly when you want
the gate.
Scoring Standard
The audit model is based on ISO/IEC 25010 maintainability:
- modularity
- reusability
- analyzability
- modifiability
- testability
See docs/standard.md.
Documentation
- CLI reference
- Config schema
- Philosophy
- Analyzer adapters
- External quality tools
- IDE and agent integration
- PR and baseline workflows
- Roadmap
GitHub Action
This repo includes action.yml, so it can be used as a composite action after publishing:
- uses: marshallguillory86/maintainability-agent@v0.1.0
with:
config: maintainability-agent.json
changed-only: main...HEAD
GitHub Actions
After publishing, copy .github/workflows/maintainability.yml into the target repo or adapt it for your local CI.
IDE and Agent Integration
See docs/ide-agent-integration.md for VS Code tasks and integration notes for Copilot, Cursor, Codex, Claude Code, Windsurf, generic agents, local CI, and GitHub Actions.
Local CI
For repos that do not use GitHub Actions, use:
examples/local-ci.sh
The local CI script enforces test coverage at >=92% and writes coverage.xml for SonarQube Cloud, Qlty, Codacy, or any other tool that can ingest Python coverage.
Get in Touch
- Bug reports / feature requests / general questions — open a GitHub Issue.
- Discussion / ideas — use the Discussions tab (enable in repo settings if not visible yet).
- Security vulnerabilities — see
SECURITY.mdand use the private security advisory flow. Do not post vulnerabilities in public issues.
License
MIT
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file maintainability_agent-0.1.0.tar.gz.
File metadata
- Download URL: maintainability_agent-0.1.0.tar.gz
- Upload date:
- Size: 23.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.2
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
86d8db7c37cd778412fae44ce88efd828674802feaf31433bb95230c70de4850
|
|
| MD5 |
f38d9cf6f7af1a9e578e315ab977b74a
|
|
| BLAKE2b-256 |
c2fa0a2e20b7e453cad1f328b6e6a291344414d2d652ebcd3ebc68c5fb7b63bc
|
File details
Details for the file maintainability_agent-0.1.0-py3-none-any.whl.
File metadata
- Download URL: maintainability_agent-0.1.0-py3-none-any.whl
- Upload date:
- Size: 22.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.2
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
9640ceb421e1756e8a51421d4030cda70258a545efc5dc89c510eb877937e89e
|
|
| MD5 |
e3fb41e1a4a5a5f4d90cd10963564cc5
|
|
| BLAKE2b-256 |
5bc7e4520c58df20f6b42b51d4b7efff12574b2d05293d2d7c67442cab63dc1f
|
