The Janitor Stop the Slop
Version updated for https://github.com/GhrammR/the-janitor to version v7.4.0.
- This action is used across all versions by ? repositories.
Action Type
This is a Composite action.
Go to the GitHub Marketplace to find the latest changes.
Action Summary
The Janitor is a GitHub Action that functions as a structural firewall for AI-generated code, analyzing pull requests to enforce code quality and integrity before merging. It automates the detection of AI-generated vulnerabilities, zombie dependencies, and structural issues, addressing gaps left by traditional linters and static analysis tools. Key capabilities include entropy-based detection of repetitive AI-generated code, cryptographic integrity tracking, and efficient performance with zero-copy execution on local hardware.
Release notes
The Janitor: Structural Firewall for AI-Generated Code
v7.4.0 — Rust-Native. Zero-Copy. Pro-Entropic Resilience at the Gate.
🎥 Watch the 60-Second Terminal Demo →
Sonar finds style violations. The Janitor enforces structural integrity.
82% of open Godot Engine pull requests contain no issue link. 20% introduce language antipatterns. Zero comment scanners caught it. The Janitor did — across 50 live PRs, in under 90 seconds.
The Problem
The Veracode 2025 State of Software Security report established the baseline: AI-assisted code contains 36% more high-severity vulnerabilities than human-written equivalents. Your linter passes Copilot output. Your SAST tool uploads it to a cloud pipeline. By the time the report arrives, the PR is merged.
The threat model has changed. Your enforcement layer has not.
Zero-Friction GitHub Integration
Janitor Sentinel automatically downgrades vetoes when it detects safe patterns (e.g., Dependabot).
The Enforcement Layer
The Janitor is not a linter. It is a structural firewall that runs on your hardware, on every pull request — before the merge button is available.
Pro-Entropic Resilience
The v7.4.0 NCD Entropy Gate compresses every patch blob via zstd and measures compressed_len / raw_len. AI-generated boilerplate is self-similar: it compresses below ratio 0.15. Any blob crossing that threshold triggers HighGenerativeVerbosity (+50 points) before tree-sitter parses a single node.
Two complementary shields eliminate false positives on legitimate non-application content:
- Null-Vector Collision Shield — IaC bypass (
.nix,.lock,.json,.toml,.yaml,.yml,.csv) + 256-byte size guard +DOMAIN_VENDOREDrouter. CVE vendor patches touchingthirdparty/score zero by construction. No legitimate infrastructure change can produce a spurious non-zero score. - Net-Negative Exemption — All score multipliers act exclusively on newly introduced symbols and patterns. Deletion-dominant patches — boilerplate purges, dead API removal, deprecated-code cleanup — mathematically cannot trigger any scoring signal. Score=0 is a proof, not a heuristic.
Zero-Copy Execution
Every analysis executes via memory-mapped file access. Source code is never copied to heap, never serialized, never transmitted. No network call is made during the dead-symbol pipeline.
Benchmark: 3.5 million lines of Godot Engine — 33 seconds, 58 MB peak RAM. On a standard CI runner. Zero panics.
Zombie Dependency Detection
AI generators hallucinate package imports. The Janitor scans package.json, Cargo.toml, requirements.txt, spin.toml, and wrangler.toml against the live symbol reference graph. A package that appears in your manifest but never appears in a reachable import path is a zombie dependency — flagged before merge.
Cryptographic Integrity Bonds
When a pull request clears the slop gate, Janitor Sentinel — our GitHub App — automatically issues a CycloneDX v1.5 CBOM (Cryptography Bill of Materials) for the merge event. The CBOM records every cryptographic operation performed during the scan: the ML-DSA-65 (NIST FIPS 204) attestation signature, the BLAKE3 structural hashes, and the per-symbol audit entries covering {timestamp}{file_path}{sha256_pre_cleanup}. No token flag. No manual step. The proof is issued by the SaaS on a clean merge — a chain of custody for every line of code removed from production.
PR Gate: Live Results
PRs analyzed (Godot Engine, Feb 2026) : 50
Unlinked PRs : 41 (82%)
Antipatterns flagged : 10
AI comment violations : 0
Highest slop score : 70 (PR #116833)
How It Works
- Scan — Static reference graph + 6-stage heuristic pipeline identifies every dead symbol.
- Simulate — Shadow Tree overlays links to dead files. Your test suite runs against simulated deletion.
- Remove — Tests pass? Byte-precise surgical removal, bottom-to-top. Tests fail? Full rollback, zero corruption.
Quick Start
# Detect dead code (free)
janitor scan ./src
# Find duplicate functions (free)
janitor dedup ./src
# PR enforcement gate — score a diff (free)
janitor bounce ./src --patch diff.patch
# Shadow-simulate + remove dead code (free)
janitor clean ./src --force-purge
Language Support
| Language | Dead Functions | Dead Classes | Dead Files | Duplicate Logic |
|---|---|---|---|---|
| Python | ✓ | ✓ | ✓ | ✓ |
| Rust | ✓ | ✓ | ✓ | ✓ |
| JavaScript / TypeScript | ✓ | ✓ | ✓ | ✓ |
| C++ | ✓ | ✓ | ✓ | ✓ |
| Go | ✓ | ✓ | ✓ | ✓ |
| C# / Java | ✓ | ✓ | ✓ | ✓ |
Runtime Architecture
| Subsystem | Technology | Property |
|---|---|---|
| AST Engine | Tree-sitter (12 grammars) | O(n) CST construction; byte-range precision per token |
| Reference Graph | Petgraph directed digraph | Topological dead-symbol filter; in-degree = 0 → candidate |
| Pattern Matching | Aho-Corasick (single automaton per group) | O(n+m) multi-pattern scan; zero allocation in hot path |
| Registry Persistence | rkyv + memmap2 | mmap-direct deserialization; no heap allocation for reads |
| Structural Hashing | BLAKE3 (alpha-normalized AST) | Logic-clone detection across identifier rename boundaries |
| Fuzzy Dedup | AstSimHasher (SimHash over CST tokens) | Classified as Refactor, Zombie, or NewCode |
| NCD Entropy Gate | zstd level-3 compression ratio | O(N) boilerplate detector; fires before AST parse; ratio < 0.15 → HighGenerativeVerbosity |
| PR Quality Gate | MinHash LSH (64 hashes, 8-band index) | Lock-free ArcSwap index; sub-linear collision detection |
| Deletion Engine | Bottom-to-top byte-range splice | UTF-8 char-boundary hardened; zero re-parse overhead |
| Simulation Layer | Symlink overlay (Shadow Tree) | Zero additional disk usage; tests run against simulated state |
| Audit Attestation | ML-DSA-65 (NIST FIPS 204) | CycloneDX v1.5 CBOMs issued by Janitor Sentinel on clean merge |
Pricing
The enforcement is free. The attestation is the product.
| Tier | Cost | What You Get |
|---|---|---|
| Free | $0 | Unlimited scan, clean, dedup, bounce, dashboard, report. No signed logs. |
| Team | $499/yr | All free features + ML-DSA-65 Integrity Bonds + CycloneDX v1.5 CBOMs + CI/CD Compliance Attestation + Janitor Sentinel GitHub App. Up to 25 seats. |
| Industrial | Custom | On-Premises Token Server + Keypair Rotation Protocol + SOC 2 Audit Support + Enterprise SLA. Unlimited seats. |
Activate Attestation → thejanitor.lemonsqueezy.com
CI Integration
# PR slop gate — runs on every pull request (free)
- id: janitor
uses: GhrammR/the-janitor@v6
with:
token: ${{ secrets.GITHUB_TOKEN }}
# Outputs available downstream:
# steps.janitor.outputs.slop_score
# steps.janitor.outputs.antipatterns
Commands
# Structural dead symbol audit
janitor scan <path> [--library] [--format json]
# PR enforcement gate
janitor bounce <path> --patch <file> --pr-number <n> --author <handle> --pr-body "$BODY"
# Zombie dependency detection (output includes zombie_deps)
janitor scan <path> --format json
# Structural clone detection
janitor dedup <path>
# Shadow-simulate → test → remove dead code
janitor clean <path> --force-purge
# Historical slop / clone / zombie intelligence report
janitor report [--repo <path>] [--top <n>] [--format markdown|json]
# Long-lived daemon (Unix socket, Physarum backpressure)
janitor serve [--socket <path>] [--registry <file>]
# Ratatui TUI dashboard
janitor dashboard <path>
Installation
From source (Rust 1.82+, just required):
git clone https://github.com/GhrammR/the-janitor
cd the-janitor
just build
# Binary: target/release/janitor
Pre-built binary:
# Download from Releases, then:
chmod +x janitor && sudo mv janitor /usr/local/bin/
The Proof
3.5 million lines. 33 seconds. 58 megabytes. Zero panics.
License
Business Source License 1.1 (BUSL-1.1) — Source Available. Converts to MIT on 2030-02-15.
Scan, cleanup, dedup, bounce, and dashboard are permanently free. Integrity attestation is issued by Janitor Sentinel (Team tier).