audit is a command-line agent that looks for security bugs in a code repository by running Claude through an eight-stage pipeline. Instead of asking one large model to find everything, the project breaks the work into many small, focused agents that ask narrow questions, then has a second agent on a different model try to disprove the first one. Findings only pass the gate if the agent can show that an attacker-controlled input actually reaches the suspect code path. The pipeline is a from-scratch reimplementation of an architecture Cloudflare described in a blog post called Project Glasswing.

The eight stages are: Recon to map the repo and spawn hunt tasks, Hunt to attack one bug class at a time and build proofs of concept, Validate to adversarially re-read with a different model, Gapfill to re-queue thin areas, Dedupe to cluster findings by root cause, Trace to prove reachability, Feedback to spawn new hunts from confirmed bugs, and Report to emit a schema-validated final document.

The project is MIT licensed and is built on the official Claude Code Agent SDK. By default it bills against the user's existing Claude Pro or Max subscription through the same OAuth login the regular Claude CLI uses, so no separate API key is needed.

The README spends some space on cost control: you can cap concurrency, cap initial hunt fanout, and set a dollar budget that the runner enforces between and within stages. A typical codebase produces 15 to 50 hunt tasks and 25 or more findings to validate, so the controls matter.

There is an optional mode where the agents reproduce findings against a live deployment of the target instead of a local proof of concept, with network access restricted to that one host. Other supported setups include routing through OpenRouter or a custom Anthropic-compatible gateway, and per-stage model overrides in a YAML config. By default the Recon, Validate, and Trace stages use Opus 4.7, while Hunt, Gapfill, Dedupe, Feedback, and Report use Sonnet 4.6.
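To make the cost-control model concrete, here is an added illustration (not audit's own code) of a runner that enforces a hunt-fanout cap and a dollar budget both between stages (a stage that cannot afford a single task is skipped) and within a stage (a task that would overrun the budget is refused). The stage names come from the page; the per-stage costs, the bug-class names and the class `Runner` are constructed assumptions, and the concurrency cap is not modelled.

```python
from dataclasses import dataclass, field

# The eight stages named on the page, in pipeline order.
STAGES = ["recon", "hunt", "validate", "gapfill",
          "dedupe", "trace", "feedback", "report"]

# Stages that fan out to one unit of work per hunt task (assumption);
# the others run once per pipeline.
PER_TASK_STAGES = {"hunt", "validate", "trace"}


@dataclass
class Runner:  # hypothetical, not the project's API
    budget_usd: float          # hard dollar cap
    max_hunt_fanout: int       # cap on hunt tasks spawned by recon
    spent_usd: float = 0.0
    log: list = field(default_factory=list)

    def _charge(self, stage: str, cost: float) -> bool:
        """Within-stage check: refuse a task that would overrun the budget."""
        if self.spent_usd + cost > self.budget_usd:
            self.log.append(f"{stage}: budget exhausted, task skipped")
            return False
        self.spent_usd += cost
        return True

    def run(self, hunt_tasks: list, task_costs: dict) -> dict:
        """Return the number of completed units per stage."""
        tasks = hunt_tasks[: self.max_hunt_fanout]  # fanout cap
        completed = {}
        for stage in STAGES:
            # Between-stage check: skip a stage that cannot afford one unit.
            if self.spent_usd + task_costs[stage] > self.budget_usd:
                self.log.append(f"{stage}: skipped, budget exhausted")
                completed[stage] = 0
                continue
            units = tasks if stage in PER_TASK_STAGES else [stage]
            done = 0
            for _ in units:
                if not self._charge(stage, task_costs[stage]):
                    break
                done += 1
            completed[stage] = done
        return completed


def demo():
    """Constructed sample: 4 candidate bug classes, fanout capped at 3, $10 budget."""
    costs = {"recon": 1.0, "hunt": 2.0, "validate": 1.5, "gapfill": 0.5,
             "dedupe": 0.5, "trace": 1.0, "feedback": 0.5, "report": 0.5}
    runner = Runner(budget_usd=10.0, max_hunt_fanout=3)
    completed = runner.run(["sqli", "ssrf", "path-traversal", "deser"], costs)
    return runner, completed
```

In the sample run the budget is spent exactly at the second Validate task, so the third is refused within the stage and every later stage is skipped at the between-stage check.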
Generated 2026-05-21 · Model: sonnet-4-6 · Verify against the repo before relying on details.