AI Hygiene Report — scan a project for plan rot, dep CVEs, and ungrounded reasoning in your AI sessions.
Project description
nucleus-scan
One-screen AI Hygiene Report for your repo. Surfaces plan rot, dep CVEs, and ungrounded reasoning in under 30 seconds.
Install / Run
uvx nucleus-scan # scan cwd
uvx nucleus-scan /path/to/repo
uvx nucleus-scan --json # machine-readable
uvx nucleus-scan --fail-under 70 # CI gate
uvx --with pip-audit nucleus-scan # enable the CVE engine
The CVE engine shells out to pip-audit. If you don't pass it via --with,
the engine reports N/A and its weight redistributes across the other
two — the rest of the report is unaffected. You can also install the
bundled extra: pip install 'nucleus-scan[cve]'.
What it checks
| Engine | Weight | Signal |
|---|---|---|
| plan_rot | 40% | plans under plans/, .claude/plans/ missing ## Verification or with drifted referenced files |
| cve | 40% | pip-audit -r requirements.txt — project-scoped, not global |
| intel | 20% | ungrounded corrections mined from ~/.claude/projects/<repo>/*.jsonl |
An engine that doesn't apply (no requirements.txt, no plans dir, no Claude
Code sessions) is reported as N/A and its weight redistributes across the
remaining engines. If all three are N/A, the score is "Insufficient signal"
rather than a misleading 100/100.
Exit codes
0— success (or score ≥--fail-under)1— score below--fail-under N2— guard violation (refused to scan$HOMEor/, or bad path)
CI integration
pre-commit
# .pre-commit-config.yaml
repos:
- repo: https://github.com/eidetic-works/nucleus-scan
rev: v0.1.2
hooks:
- id: nucleus-scan
nucleus-scan must be on PATH (install via pipx install nucleus-scan or
uv tool install nucleus-scan). The hook runs nucleus-scan --fail-under 70
against the repo; tune by editing entry in your local config.
GitHub Actions
Copy nucleus-scan/.github/workflows/nucleus-scan.yml into your repo at
.github/workflows/nucleus-scan.yml. It runs uvx --with pip-audit nucleus-scan --fail-under 70 on every PR and push to main. Override the
threshold via repo variable NUCLEUS_SCAN_FAIL_UNDER.
Status
v0.1.2 — adds pre-commit + GitHub Actions templates. Requires pip-audit
on PATH (or uvx --with pip-audit) for the CVE engine.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file nucleus_scan-0.1.3.tar.gz.
File metadata
- Download URL: nucleus_scan-0.1.3.tar.gz
- Upload date:
- Size: 18.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.9.6
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
d781d5666a7c55aa52e7bf6b43282f9a681fd7e5f86d2e6b48fec8ca42fa30ef
|
|
| MD5 |
d5af832a404d9b33ec8c5e7b8f7dec1a
|
|
| BLAKE2b-256 |
d5c259389521343d97376ac8ae5d3ba6423cd44daeed710766514cc9cc7c1531
|
File details
Details for the file nucleus_scan-0.1.3-py3-none-any.whl.
File metadata
- Download URL: nucleus_scan-0.1.3-py3-none-any.whl
- Upload date:
- Size: 16.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.9.6
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
791e7b50dd2d9d6a9e49d3c4395375b245569fe0327bb217eefe07f6ffbd1c2e
|
|
| MD5 |
c49d68755c67aa72b14b0901ed0e53ef
|
|
| BLAKE2b-256 |
8b5bef7acdc3388cb782b01be382c3941aae96048f3886e5a6d273ce009cfca4
|
