The Janitor Stop the Slop

March 22, 2026

Version updated for https://github.com/GhrammR/the-janitor to version v7.8.6.

This action is used across all versions by ? repositories.

Action Type

This is a Composite action.

Go to the GitHub Marketplace to find the latest changes.

Action Summary

The Janitor is a GitHub Action designed as a structural firewall that enforces code integrity by detecting AI-generated vulnerabilities, structural issues, and zombie dependencies in pull requests before they are merged. It automates the identification and categorization of risks (e.g., security antipatterns, dead code, or dependency mismanagement) while generating actionable financial and structural impact reports. With zero-copy execution, real-time dashboards, and entropy-based AI detection, it provides robust protection and analysis for maintaining software quality in AI-driven development workflows.

Release notes

The Janitor: Structural Firewall for AI-Generated Code

v7.8.6 — Rust-Native. Zero-Copy. Pro-Entropic Resilience at the Gate.

🎥 Watch the 60-Second Terminal Demo →

Sonar finds style violations. The Janitor enforces structural integrity.

82% of open Godot Engine pull requests contain no issue link. 20% introduce language antipatterns. Zero comment scanners caught it. The Janitor did — across 50 live PRs, in under 90 seconds.

The Problem

The Veracode 2025 State of Software Security report established the baseline: AI-assisted code contains 36% more high-severity vulnerabilities than human-written equivalents. Your linter passes Copilot output. Your SAST tool uploads it to a cloud pipeline. By the time the report arrives, the PR is merged.

The threat model has changed. Your enforcement layer has not.

Zero-Friction GitHub Integration

Janitor Sentinel Demo

Janitor Sentinel automatically downgrades vetoes when it detects safe patterns (e.g., Dependabot).

The Enforcement Layer

The Janitor is not a linter. It is a structural firewall that runs on your hardware, on every pull request — before the merge button is available.

Actuarial Risk Matrix

The Janitor doesn’t just find vulnerabilities — it generates a financial ledger. Every intercepted threat is categorized and billed:

Critical Threat (security antipattern or Swarm collision): $150/incident — CI pipeline poisoned, supply-chain injection vector, or coordinated Agentic Swarm clone.
Necrotic GC (dead-code ghost, bot-closeable): $20/PR — automated garbage collection, no human triage required.
Total Economic Impact = sum of all categorical billings across the audit window.

Audited 33,000 PRs across 22 enterprise repositories on an 8 GB laptop. The ledger is machine-generated, per-PR, and appended to .janitor/bounce_log.ndjson atomically on every merge event.

Integrity Dashboard (WOPR)

janitor dashboard <repo>

Visualize C/C++ compile-time blast radius and track structural Swarm clones in real-time. The WOPR (War Operations Plan Response) dashboard renders the top-10 #include dependency silos ranked by transitive reach — the files whose modification ripples furthest through the compile graph. Built from in-memory libgit2 tree walks; no filesystem checkout required.

Pro-Entropic Resilience

The v7.8.6 NCD Entropy Gate compresses every patch blob via zstd and measures compressed_len / raw_len. AI-generated boilerplate is self-similar: it compresses below ratio 0.15. Any blob crossing that threshold triggers HighGenerativeVerbosity (+50 points) before tree-sitter parses a single node.

Two complementary shields eliminate false positives on legitimate non-application content:

Null-Vector Collision Shield — IaC bypass (.nix, .lock, .json, .toml, .yaml, .yml, .csv) + 256-byte size guard + DOMAIN_VENDORED router. CVE vendor patches touching thirdparty/ score zero by construction. No legitimate infrastructure change can produce a spurious non-zero score.
Net-Negative Exemption — All score multipliers act exclusively on newly introduced symbols and patterns. Deletion-dominant patches — boilerplate purges, dead API removal, deprecated-code cleanup — mathematically cannot trigger any scoring signal. Score=0 is a proof, not a heuristic.

Zero-Copy Execution

Every analysis executes via memory-mapped file access. Source code is never copied to heap, never serialized, never transmitted. No network call is made during the dead-symbol pipeline.

Benchmark: 3.5 million lines of Godot Engine — 33 seconds, 58 MB peak RAM. On a standard CI runner. Zero panics.

Zombie Dependency Detection

AI generators hallucinate package imports. The Janitor scans package.json, Cargo.toml, requirements.txt, spin.toml, and wrangler.toml against the live symbol reference graph. A package that appears in your manifest but never appears in a reachable import path is a zombie dependency — flagged before merge.

Cryptographic Integrity Bonds

When a pull request clears the slop gate, Janitor Sentinel — our GitHub App — automatically issues a CycloneDX v1.5 CBOM (Cryptography Bill of Materials) for the merge event. The CBOM records every cryptographic operation performed during the scan: the ML-DSA-65 (NIST FIPS 204) attestation signature, the BLAKE3 structural hashes, and the per-symbol audit entries covering {timestamp}{file_path}{sha256_pre_cleanup}. No token flag. No manual step. The proof is issued by the SaaS on a clean merge — a chain of custody for every line of code removed from production.

PR Gate: Live Results

Repos audited         : 22 enterprise repositories (godot, nixpkgs, vscode,
                        k8s, pytorch, kafka, rust-lang/rust, tauri, redis,
                        next.js, home-assistant, ansible, workers-sdk,
                        langchain, deno, rails, laravel, apple/swift,
                        aspnetcore, okhttp, terraform, neovim)
PRs analyzed          : 33,000+  (live production PRs — no synthetic benchmarks)
Hardware              : 8 GB laptop
Engine panics         : 0
OOM events            : 0

Godot Engine alone (50 PRs, Feb 2026): 82% unlinked, 20% antipatterns. Zero false positives.

How It Works

Scan — Static reference graph + 6-stage heuristic pipeline identifies every dead symbol.
Simulate — Shadow Tree overlays links to dead files. Your test suite runs against simulated deletion.
Remove — Tests pass? Byte-precise surgical removal, bottom-to-top. Tests fail? Full rollback, zero corruption.

Quick Start

# Detect dead code (free)
janitor scan ./src

# Find duplicate functions (free)
janitor dedup ./src

# PR enforcement gate — score a diff (free)
janitor bounce ./src --patch diff.patch

# Shadow-simulate + remove dead code (free)
janitor clean ./src --force-purge

Language Support

Language	Dead Functions	Dead Classes	Dead Files	Duplicate Logic
Python	✓	✓	✓	✓
Rust	✓	✓	✓	✓
JavaScript / TypeScript	✓	✓	✓	✓
C++	✓	✓	✓	✓
Go	✓	✓	✓	✓
C# / Java	✓	✓	✓	✓

Runtime Architecture

Subsystem	Technology	Property
AST Engine	Tree-sitter (12 grammars)	O(n) CST construction; byte-range precision per token
Reference Graph	Petgraph directed digraph	Topological dead-symbol filter; in-degree = 0 → candidate
Pattern Matching	Aho-Corasick (single automaton per group)	O(n+m) multi-pattern scan; zero allocation in hot path
Registry Persistence	rkyv + memmap2	mmap-direct deserialization; no heap allocation for reads
Structural Hashing	BLAKE3 (alpha-normalized AST)	Logic-clone detection across identifier rename boundaries
Fuzzy Dedup	AstSimHasher (SimHash over CST tokens)	Classified as `Refactor`, `Zombie`, or `NewCode`
NCD Entropy Gate	zstd level-3 compression ratio	O(N) boilerplate detector; fires before AST parse; ratio < 0.15 → `HighGenerativeVerbosity`
PR Quality Gate	MinHash LSH (64 hashes, 8-band index)	Lock-free ArcSwap index; sub-linear collision detection
Deletion Engine	Bottom-to-top byte-range splice	UTF-8 char-boundary hardened; zero re-parse overhead
Simulation Layer	Symlink overlay (Shadow Tree)	Zero additional disk usage; tests run against simulated state
Audit Attestation	ML-DSA-65 (NIST FIPS 204)	CycloneDX v1.5 CBOMs issued by Janitor Sentinel on clean merge

Pricing

The enforcement is free. The attestation is the product.

Tier	Cost	What You Get
Free	$0	Unlimited scan, clean, dedup, bounce, dashboard, report. No signed logs.
Team	$499/yr	All free features + ML-DSA-65 Integrity Bonds + CycloneDX v1.5 CBOMs + CI/CD Compliance Attestation + Janitor Sentinel GitHub App. Up to 25 seats.
Industrial	Custom	On-Premises Token Server + Keypair Rotation Protocol + SOC 2 Audit Support + Enterprise SLA. Unlimited seats.

Activate Attestation → thejanitor.lemonsqueezy.com

CI Integration

# PR slop gate — runs on every pull request (free)
- id: janitor
  uses: GhrammR/the-janitor@v6
  with:
    token: ${{ secrets.GITHUB_TOKEN }}

# Outputs available downstream:
# steps.janitor.outputs.slop_score
# steps.janitor.outputs.antipatterns

Commands

# Structural dead symbol audit
janitor scan <path> [--library] [--format json]

# PR enforcement gate
janitor bounce <path> --patch <file> --pr-number <n> --author <handle> --pr-body "$BODY"

# Zombie dependency detection (output includes zombie_deps)
janitor scan <path> --format json

# Structural clone detection
janitor dedup <path>

# Shadow-simulate → test → remove dead code
janitor clean <path> --force-purge

# Historical slop / clone / zombie intelligence report
janitor report [--repo <path>] [--top <n>] [--format markdown|json]

# Long-lived daemon (Unix socket, Physarum backpressure)
janitor serve [--socket <path>] [--registry <file>]

# Ratatui TUI dashboard
janitor dashboard <path>

Installation

From source (Rust 1.82+, just required):

git clone https://github.com/GhrammR/the-janitor
cd the-janitor
just build
# Binary: target/release/janitor

Pre-built binary:

# Download from Releases, then:
chmod +x janitor && sudo mv janitor /usr/local/bin/

The Proof

3.5 million lines. 33 seconds. 58 megabytes. Zero panics.
Read the Godot Engine Autopsy →

License

Business Source License 1.1 (BUSL-1.1) — Source Available. Converts to MIT on 2030-02-15.

Scan, cleanup, dedup, bounce, and dashboard are permanently free. Integrity attestation is issued by Janitor Sentinel (Team tier).