Skip to content

semanticRig/cszone38

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
.github/workflows
.github/workflows
 
 
assets
assets
 
 
bin
bin
 
 
corpus
corpus
 
 
scripts
scripts
 
 
src
src
 
 
test
test
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
package-lock.json
package-lock.json
 
 
package.json
package.json
 
 

Repository files navigation

cszone38

version license node csharp files offline

Three-axis static analysis for C# codebases.
Below IC 0.038, nothing is innocent. Not even C#.

What It Is

cszone38 scans .cs, .csx, and .razor files and scores every file and the whole project across three independent axes:

Axis Name What it catches
A Slop Structural over-engineering, AI-style verbosity, low-signal patterns
B Security Hardcoded credentials, suspicious strings, exposure risk
C Quality Debug residue, weak error handling, maintenance debt

Point it at a project. It tells you what deserves attention.

Why 0.038

The name comes from the Index of Coincidence — a classic cryptanalysis measurement.

Human language is uneven. Letters cluster. Patterns repeat. Natural text drifts toward an IC around 0.065. Random-looking credential material drifts toward 0.038.

That lower number is the boundary this tool guards. When a string crosses into that zone, it stops behaving like ordinary source text and starts behaving like something mathematically foreign.

The Math

cszone38 is a user tool, but its story is math, not magic.

Signal 1 — Shannon Entropy

H(X) = -∑ p(xᵢ) · log₂ p(xᵢ)

Measures how evenly characters are distributed. Low entropy means predictable text. High entropy means the string looks random. Real credentials push upward here.

Signal 2 — Index of Coincidence

IC = ∑ nᵢ(nᵢ - 1) / N(N - 1)

Measures repetition patterns. Human language repeats familiar symbols. Secrets flatten toward uniformity. The closer something gets to 0.038, the less it behaves like ordinary code.

Signal 3 — Normalized Compression Distance

NCD(x, y) = ( C(xy) - min(C(x), C(y)) ) / max(C(x), C(y))

Measures how structurally strange a value is compared with the code around it. A normal config label often resembles its file. A leaked credential usually does not.

cszone38 does not rely on one fragile clue. Three independent mathematical signals triangulate the truth.

Quick Start

npx cszone38 .
npx cszone38 ./src --verbose
npx cszone38 ./Auth.cs --no-slop --json
npm install -g cszone38
cszone38 .

Thresholds and Exit Codes

Exit code 0 means every axis passed. Exit code 1 means at least one axis crossed its threshold.

Axis Default threshold
A — Slop ≤ 50
B — Security ≤ 25
C — Quality ≤ 100

Command Reference

Pick the right command

Goal Command
First pass on any repo npx cszone38 .
Understand why files were flagged npx cszone38 . --verbose
Security only, pre-release npx cszone38 . --axis=B --verbose
Scan a single file npx cszone38 ./Auth.cs
Review only changed files npx cszone38 . --since=origin/main --json
Investigate one flagged line npx cszone38 ./Auth.cs --explain=84
Machine-readable output for CI npx cszone38 . --json
Skip slop for speed npx cszone38 ./Auth.cs --no-slop
Clean obvious noise then rescan npx cszone38 . --fix --verbose
Check deep mode readiness cszone38 doctor
Enable optional deep analysis cszone38 setup deep then cszone38 . --deep
Verify live credentials you own cszone38 . --verify --allow-network

Flags

Everyday

-v, --verbose — Shows detailed output for flagged files. Use it when the default summary tells you a file was flagged but not enough about why.

-a, --all — Shows every file, not only the flagged ones. Use it when you want the complete scan ledger.

-f, --file=NAME — Filters output to one file name. Useful in large repos.

Focus and Filtering

-A, --axis=A,B,C — Limits the scan to selected axes.

npx cszone38 . --axis=B
npx cszone38 . --axis=A,C

-s, --show=SECTION — Shows one output section: hits, secrets, review, exposure, or breakdown.

npx cszone38 . --axis=B --show=secrets

-S, --since=REF — Scans only files changed since a git ref. Best for pull-request workflows.

npx cszone38 . --since=origin/main
npx cszone38 . --since=HEAD~1

Output

-j, --json — Machine-readable JSON. Use for CI, scripting, or custom dashboards.

-o, --open — Opens the interactive hit navigator. Lets you step through findings instead of scrolling a wall of text.

--explain=LINE — Explains the nearest signal around a specific line. Single-file mode only.

npx cszone38 ./Auth.cs --explain=84

-t, --threshold=A:N — Overrides an axis threshold.

npx cszone38 . --threshold=B:10
npx cszone38 . --threshold=A:40,C:30

Cleanup and Speed

--fix — Applies small local cleanup fixes before the scan. Useful before a commit.

--no-slop — Skips Axis A for faster Axis B + C feedback.

Optional Deep Analysis

doctor — Shows whether the normal scan is ready and whether optional deep mode is available.

setup deep — Prepares optional local deep-analysis mode.

Current public deep-bundle release support is Linux x64 only. macOS and Windows bundles are planned later.

To enable deep mode on Linux x64:

  1. Download cszone38-deep-linux-x64.tar.gz from the matching GitHub Release.
  2. Extract the archive.
  3. Run cszone38 setup deep --bundle=/path/to/cszone38-deep-linux-x64.
  4. Run cszone38 doctor and then cszone38 . --deep.

Windows via WSL2 — If you are on Windows, you can still use --deep through WSL2 by running cszone38 inside a Linux distro such as Ubuntu. This is Linux support inside WSL, not native Windows deep support.

In an elevated PowerShell window:

wsl --install -d Ubuntu

After restart, open Ubuntu and run:

npm install -g cszone38
cszone38 doctor
cszone38 setup deep --bundle=/path/to/cszone38-deep-linux-x64
cszone38 . --deep

Run these commands inside WSL, not in native PowerShell or cmd.exe. For best performance, keep the repository inside the WSL filesystem rather than under /mnt/c/....

--deep — Adds an optional deeper local pass. Requires setup deep first. Falls back to normal results if unavailable.

--solution=PATH — Tells deep mode which .sln, .slnx, or .csproj to use when a repo has multiple options.

Optional Live Verification

Warning: --verify --allow-network may contact real providers. Use only on credentials you own.

cszone38 . --verify --allow-network

Common Workflows

First pass, safest command:

npx cszone38 .

Security focus before a release:

npx cszone38 . --axis=B --verbose

Pull-request / branch review:

npx cszone38 . --since=origin/main --json

Quick single-file check while coding:

npx cszone38 ./AuthService.cs --no-slop

Clean noise then rescan:

npx cszone38 . --fix --verbose

Enable the optional deep pass:

cszone38 setup deep --bundle=/path/to/cszone38-deep-linux-x64
cszone38 doctor
cszone38 . --deep

CI

name: cszone38

on: [pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - run: npx cszone38 . --since=origin/main --json

Library Usage

const { run, renderJson, exitCode } = require('cszone38');

const result   = run('./src');
const json     = renderJson(result.report);
const code     = exitCode(result.report.projectSummary.axes);

Privacy and Network Behavior

The default scan path is entirely local. No telemetry. No network calls.

--deep is optional and still local. --verify is the only mode that may use the network, and only when you explicitly add --allow-network.

The safe default is the normal math-based scan.

Requirements

  • Node.js 18 or later
  • macOS, Linux, or Windows
  • .cs, .csx, or .razor source files

License

Business Source License 1.1 — see LICENSE.

About

Three-axis static analysis for C# codebases.

Resources

Readme

License

View license
Activity

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases 1

cszone38 v0.1.0 Latest
May 3, 2026

Packages

 
 
 

Contributors

Languages