v1.58.0
Minor Changes
-
ee46d89: New routed workflow #10 codebase-health (backed by health-retest): a project health check-up on demand, at the same tier as pentest and design-test. Say "check my project's health" and paqad scans for six kinds of junk — dead code, unused packages, outdated or risky packages, leaked secrets, stale docs, and copy-paste AI slop — and lands every finding in one report with proof (real tool output, never an AI opinion), a plain-words reason it matters, and what to do about it.
Detection is a single deterministic verb,
paqad-ai health run, that costs zero model tokens: it reuses the code-knowledge index (dead code, unused deps), the 9-ecosystem dependency inventory, OSV/native-audit vulnerability data, registry deprecation metadata, and the chunk-similarity index, shelling out toosv-scanner,gitleaks,jscpd, andknipwhen they are on PATH and degrading gracefully (labelled fallbacks orblocked_checks) when they are not. Findings carry stable content-addressedHL-ids, split honestly into a "Proven" section (deterministic) and a "Needs judgment" section (ai-judged, confidence-scored), and never expose secret bytes — only a file:line + rule + fingerprint.Finding fingerprints use SHA-256 (a stable content-addressed dedup key, not a security primitive; secret bytes never reach it). All scanners are invoked from Node, so the workflow is cross-platform (Windows included). A baseline ratchet marks findings
new-since-baselinevspre-existingso a legacy project isn't drowned,--offlineskips the network categories, andpaqad-ai health retestre-runs the evidence and reclassifies each findingfixed | still-open | needs-manual-verificationby its stable id. The workflow is classifier-routed (health phrasings route to codebase-health; pentest phrasings still route to pentest), surfaces in the dashboard, and its run summaries flow to the SIEM export.