enioxt

Posted on Feb 23

I Built 23 AI Agents That Audit Any Codebase in 3 Minutes — For Free

#ai #blockchain #opensource #webdev

What if you could run 23 diagnostic agents on any TypeScript codebase and get a full health report in under 3 minutes — for $0?

I built EGOS, a zero-dependency agent platform that does exactly that. Then I ran it on 5 of the most popular open-source TypeScript projects in the world.

The results surprised me.

Why Another Agent Framework?

Every agent framework (LangChain, CrewAI, AutoGen) starts with: "Here's an LLM, give it tools, let it figure things out."

EGOS starts differently: "Here are the RULES that govern this codebase. Agents enforce them."

	Traditional Frameworks	EGOS
Core primitive	Prompt + LLM + Tools	Rules + Registry + Runner
Agent identity	System prompt (ephemeral)	`.guarani/IDENTITY.md` (persistent)
Dependencies	50-200+ packages	Zero (pure TS + Bun)
Cost to run	$0.01-$1.00/run	$0 (most agents are static analysis)
Install size	100-200MB	~50KB of agent code

The biological metaphor isn't just marketing — it's the architecture:

.guarani/ = DNA — identity, values, immutable principles
.windsurfrules = Epigenetics — context-specific activation rules
Agents = Cells — each specialized for one function
Registry = Nervous system — coordination, discovery
Runner = Metabolism — execution, cost tracking

The Agents

23 registered agents organized in a 5-layer testing architecture:

Layer	Agents	What They Do	Cost
Static Analysis	SSOT Auditor, Security Scanner, Dead Code, Dep Auditor	Find structural problems without running code	$0
Contract Testing	Contract Tester	Verify API routes return correct status codes and schemas	$0
Integration Testing	Integration Tester	Test Supabase RLS policies, SQL injection, XSS	$0
Regression	Regression Watcher	Compare test results over time, detect flaky tests	$0
AI Verification	AI Verifier	Adversarial testing, factual accuracy, safety checks	~$0.01

Plus specialized agents: Rho Calculator (team health), Auth Checker (permission drift), Showcase Writer (case study generator), and an Orchestrator that runs them all.

The Experiment: 5 Famous Repos

For each repository, the SSOT Auditor performed:

AST Extraction — Parse all .ts/.tsx files
Fingerprinting — Generate normalized structural fingerprints for every type
Clustering — Group identical names, compare shapes (EXACT, RELAXED, DIVERGENT)
Drift Classification — Analyze field differences, optionality changes, naming conventions
Codemod Generation — Generate safe, executable fix plans

1. Cal.com — The Open-Source Calendly

Stars: ~32K | Files scanned: 6,660

1,236 actionable declarations across 1,266 clusters
105 cross-package high-risk clusters (419 declarations)
86 codemod plans generated (84 safe to apply instantly)
Top offender: FormValues — defined 35 times across web and features packages

Cal.com's massive monorepo scale has led to significant type duplication. The auditor generated 86 immediate fix plans that could consolidate 198 duplicate actions into canonical imports.

2. NestJS — Progressive Node.js Framework

Stars: ~70K | Files scanned: 1,939

467 actionable declarations across 444 clusters
44 cross-package high-risk clusters (284 declarations)
28 codemod plans (all safe to apply)
Top offender: Type — defined 11 times across common, core, and microservices

Even highly structured frameworks have cross-package drift. The auditor correctly identified 28 consolidation opportunities without breaking the framework's strict architectural boundaries.

3. tRPC — End-to-End Typesafe APIs

Stars: ~35K | Files scanned: 643

165 actionable declarations across 71 clusters
3 cross-package high-risk clusters (41 declarations)
23 codemod plans (all safe)
Top offender: AnyRouter — defined 14 times

A library dedicated to type safety still experiences internal type fragmentation. The examples directory was the worst offender — each example re-defines core types instead of importing.

4. Supabase JS Client

Stars: ~13K | Files scanned: 359

89 actionable declarations across 243 clusters
1 cross-package high-risk cluster
32 codemod plans (all safe)

Despite being a focused client library, internal duplication exists. Fetch defined multiple times across different modules.

5. Excalidraw — Virtual Whiteboard

Stars: ~85K | Files scanned: 750

35 actionable declarations across 128 clusters
4 cross-package clusters
Only 2 codemod plans

Excalidraw is exceptionally clean. Only 2 fix plans were generated, indicating very strong central type management. This is the gold standard.

The Scoreboard

Repo	Files	Actionable Drift	Codemods	Verdict
Cal.com	6,660	1,236	86	Needs governance layer
NestJS	1,939	467	28	Healthy with some drift
tRPC	643	165	23	Examples pollute types
Supabase JS	359	89	32	Minor internal duplication
Excalidraw	750	35	2	Gold standard

Why This Matters

The "Silent Killer" of Monorepos

Duplicate types (interface User defined 5 times differently) break the Single Source of Truth principle. When the database schema changes, developers must hunt down all 5 variants. Miss one → runtime bug.

Automated Remediation, Not Just Complaints

The SSOT Auditor doesn't just find problems — it generates executable AST codemods. In Cal.com, it produced 84 safe-to-apply changes that a developer could execute with a single command.

Bounded Context Awareness

Not all duplicates are bugs. The auditor uses a DDD (Domain-Driven Design) classifier to distinguish between:

Drift Evolution → needs merge (same intent, diverged over time)
Bounded Context Collision → needs rename (AuthUser vs GamificationUser)

How to Try It

# Clone EGOS
git clone https://github.com/enioxt/egos-lab.git
cd egos-lab && bun install

# List all 23 agents
bun agent:list

# Run SSOT Auditor on YOUR repo
bun agent:run ssot_auditor --dry

# Run ALL agents (full diagnostic)
bun agent:all --exec

# Or use the web UI — paste any GitHub URL
# https://egos.ia.br

No API keys needed for static analysis agents. The web UI at egos.ia.br lets you paste any public GitHub repo URL and get a full report.

What We Learned Building This

1. Zero dependencies = maximum portability

No framework overhead means: runs anywhere (CI/CD, local, cloud, Railway), no version conflicts, easy to fork, fast startup (~100ms).

2. Pre-commit hooks are the enforcement layer

We added SSOT governance to our pre-commit:

Scans for new duplicate types (blocking)
Detects select('*') in API routes (warning)
Flags exposed secrets via entropy analysis (blocking)
Validates agent registry integrity (blocking)

3. Rules are more valuable than agents

The agents are just enforcers. The real product is the rules — shareable, composable, community-improvable governance configs in .guarani/ and .windsurfrules.

4. Small, focused agents beat general-purpose ones

Each EGOS agent does ONE thing, in <50ms, produces structured output, costs $0. A general-purpose agent tries everything and does nothing well.

The Diagnostic Kit (5 checks, 3 minutes, $0)

Diagnostic	Time	Cost	What You Learn
SSOT Audit	<1 min	$0	Duplicated data, type drift
Security Scan	<30s	$0	Exposed secrets, PII risks
Rho Score	<10s	$0	Team health, bus factor
Auth Audit	<1 min	$0	Role/permission inconsistencies
Dead Code	<30s	$0	Orphan exports, empty files

Run all 5 with: bun agent:all --exec

What's Next

Self-Service Audit Hub — paste any repo URL at egos.ia.br, get a full report (live now, free tier available)
Rule Marketplace — share .guarani/ configs between projects
npx create-egos-kit — one command to add agents to any project
More case studies — accepting audit requests!

Want a Free Audit?

We're offering free SSOT audits for open-source projects:

Open an issue at github.com/enioxt/egos-lab with your repo URL
We'll run the full 23-agent suite
You get a detailed report with actionable fixes

Or just try it yourself — clone, install, run. Three commands. Three minutes. Zero cost.

Star the repo: github.com/enioxt/egos-lab

Good first issues: #6, #7, #8

Live demo: egos.ia.br

"Small, focused, auditable, democratic. Rules as DNA. Agents as cells. Community as evolution."

DEV Community