This document describes how another AI agent should use aigiscode against a repository.
The short version:
- use it as a local evaluation engine
- consume JSON output
- tune policy in small steps
- verify samples before trusting counts
Install:
uv pip install -e .Optional backends:
export OPENAI_API_KEY=...
export ANTHROPIC_API_KEY=...aigiscode analyze /repoIf the repo was already indexed and only policy changed:
aigiscode report /repoPrimary machine interface:
/repo/.aigiscode/aigiscode-report.json
Each run also archives a timestamped copy under:
/repo/.aigiscode/reports/
If a repository wants agent outputs under a conventional reports path, invoke
commands with --output-dir /repo/reports/aigiscode.
An agent should prefer the JSON report over Markdown for:
- category counts
- per-finding sampling
- downstream planning
- plugin-provided derived metrics under
extensions
Important graph fields:
strong_circular_dependenciesfor architectural cycle triagecircular_dependenciesfor broader runtime/load contextorphan_filesfor higher-signal likely dead filesruntime_entry_candidatesfor loader/front-controller reviewregisteredges in the underlying graph when callback/class-string registration is part of runtime reachability
Important built-in extension:
extensions.contract_inventoryrouteshooksregistered_keyssymbolic_literalsenv_keysconfig_keys
Do not modify policy from totals alone.
Sample:
- structural findings
- dead-code findings
- hardwiring findings
Then classify:
- true positive
- false positive
- uncertain
The intended role of the agent is final-stage review, not first-pass detection. Static analysis produces candidate findings; Codex should confirm, reject, or downgrade them based on code context and contract evidence.
Current validation lesson:
- do not trust a raw hardwiring queue just because the total count went down
- prefer categories that reviewers already consider stronger (
hardcoded_ip_url,hardcoded_entity, and selectedenv_outside_config) - treat
repeated_literalas exploratory unless sampled precision is proven on that repo
If false positives repeat, add:
.aigiscode/policy.json--policy-file--plugin-module
Prefer the smallest change that explains the false-positive pattern.
Common examples:
graph.orphan_entry_patternsgraph.layer_violation_excludesdead_code.abandoned_entry_patternsdead_code.abandoned_dynamic_reference_patternsdead_code.abandoned_languageshardwiring.entity_context_require_regexeshardwiring.entity_context_allow_regexeshardwiring.repeated_literal_skip_regexeshardwiring.magic_string_skip_path_patternshardwiring.magic_string_signal_context_regexeshardwiring.magic_string_noise_context_regexeshardwiring.js_env_allow_names
Re-run report or analyze and compare:
- counts
- strong-vs-total cycle spread
- confidence distribution (
high|medium|low) for hardwiring - sampled precision
- whether any structural metric regressed
- whether
unsupported_source_filesmakes the run partial rather than full-coverage - whether
summary.detector_coverageshows detector-level partial coverage even when indexing coverage is full - whether a clean
--resetrun is needed because parser/indexer behavior changed since the last index
Triage order:
- review
highconfidence findings first - then sample
mediumconfidence findings - treat
lowconfidence findings as exploratory unless repeated business impact is proven - if reviewer sampling shows the
highbucket is still noisy, do not let AI auto-adjudicate the raw queue; narrow categories first
Once policy is reasonable:
aigiscode tune /repo -i 2Treat tune output as a candidate, not automatic truth.
Start minimal:
aigiscode analyze /repo -P genericThen layer project knowledge:
- add built-in plugins if they fit
- add a small
policy.json - add a Python plugin module if behavior depends on repo structure
Example plugin module:
def build_policy_patch(project_path, selected_plugins):
return {
"graph": {
"js_import_aliases": {
"@/": "src/"
},
"orphan_entry_patterns": ["src/bootstrap/**/*.ts"]
},
"dead_code": {
"abandoned_entry_patterns": ["/src/bootstrap/"],
"abandoned_dynamic_reference_patterns": ["src/bootstrap/**/*.ts"],
"abandoned_languages": ["php"]
},
"hardwiring": {
"entity_context_require_regexes": [
"\\b(?:input|query)\\(\\s*['\\\"]entityTypes?['\\\"]\\s*,"
],
"repeated_literal_skip_regexes": [
"^\\s*--[a-z0-9-]+(?:=.*)?\\s*$"
],
"magic_string_signal_context_regexes": [
"\\$(?:mode|status|scope|provider|backend|algorithm|phase|event)\\b"
],
"magic_string_noise_context_regexes": [
"\\[(?:'|\\\")(?:options|relation|type|storage|panel|key)(?:'|\\\")\\]"
],
"js_env_allow_names": ["DEV", "PROD", "MODE"]
}
}If policy is not enough, the same plugin module can also expose:
refine_contract_lookup(...)refine_hardwiring_findings(...)refine_graph_result(...)refine_dead_code_result(...)refine_hardwiring_result(...)build_report_extensions(...)
- Do not accept lower counts without sampling the new findings.
- Do not widen suppressions until the pattern is clear.
- Do not treat AI review as a substitute for reading the referenced code.
- Do not patch
aigiscodecore when policy can express the rule.
- use
reportfor fast re-evaluation after policy changes - use
analyzewhen index or AI review must be refreshed - store project-local policy in
.aigiscode/policy.json - keep plugin modules repository-specific
- treat
summary.detector_coverageas a hard warning before trusting detector totals on a newly supported language - treat
runtime_entry_candidatesas a policy/plugin opportunity, not immediate dead code - inspect
extensions.contract_inventorybefore widening hardwiring suppressions; many “magic strings” are really declared contracts - declared contracts are now already used to suppress generic repeated-literal noise, so inspect what remains before adding more skip rules
- built-in inventory is now runtime-focused and skips test/fixture files, so it is safer to use as evidence for production code analysis
Patch the analyzer itself only when:
- the finding is wrong across multiple codebases
- the bug is in generic parsing or detector logic
- policy cannot represent the distinction cleanly