TheAuditor in the agent stack
TheAuditor is the ground-truth layer for AI coding agents — here's how it fits with the rest of the ecosystem.
AI coding agents hallucinate for a boring reason: they read a few files and infer the rest. TheAuditor removes the guessing. It indexes your whole codebase into queryable, deterministic facts, so an agent asks a question and gets an answer grounded in your actual code — not a plausible-sounding invention.
That same deep understanding powers two disciplines at once: code intelligence for agents, and polyglot security analysis for you. One platform, ground truth for both.
The four it works with
- Warden turns that ground truth into safe action — it’s the agent that edits and runs, with TheAuditor’s facts already in context.
- Arbiter orchestrates analysis and runs across providers.
- Curator is the natural complement: facts about your code, paired with memory about you.
- BenchProctor is the independent yardstick that proves SAST findings hold up.
What TheAuditor brings
Deterministic, database-first context — call graphs, cross-language data flows, blast radius — served to agents over MCP. Polyglot SAST across 12 languages, including the infrastructure layer most tools stop short of (Terraform/HCL, AWS CDK, GitHub Actions). Taint analysis across seven languages catches the real vulnerability classes — SQL injection, command injection, XSS, SSRF, XXE, path traversal. Findings get higher confidence when multiple independent signals converge, and the results stand up to public corpora: 100% true-positive / 0% false-positive on OWASP Java, OWASP Python, and Juice Shop. Detection is framework-aware across 21 frameworks, not import-name guessing.
We don’t ship risk scores or subjective ratings. We provide facts.
Where it stands
TheAuditor is pre-launch — the binary is being packaged and cleared against the OWASP corpora. Get launch updates, or read why agents should query a database instead of reading files and how it pairs with Warden.