The Janitor Stop the Slop
Version updated for https://github.com/GhrammR/the-janitor to version v7.9.3.
Action Type
This is a Composite action.
Go to the GitHub Marketplace to find the latest changes.
Action Summary
The Janitor is a GitHub Action designed to enforce structural integrity in AI-generated code by acting as a “structural firewall.” It automates the detection and prevention of vulnerabilities, language antipatterns, and dead code in pull requests, ensuring code quality before merges occur. Key features include real-time risk categorization, financial impact auditing, compile-time dependency analysis, and entropy-based anomaly detection, all executed locally or through a secure cloud model.
Release notes
The Janitor: Structural Firewall for AI-Generated Code
v7.9.3 — Rust-Native. Zero-Copy. Pro-Entropic Resilience at the Gate.
Sonar finds style violations. The Janitor enforces structural integrity.
82% of open Godot Engine pull requests contain no issue link. 20% introduce language antipatterns. Zero comment scanners caught it. The Janitor did — across 50 live PRs, in under 90 seconds.
The Problem
The Veracode 2025 State of Software Security report established the baseline: AI-assisted code contains 36% more high-severity vulnerabilities than human-written equivalents. Your linter passes Copilot output. Your SAST tool uploads it to a cloud pipeline. By the time the report arrives, the PR is merged.
The threat model has changed. Your enforcement layer has not.
Zero-Friction GitHub Integration

Janitor Sentinel automatically downgrades vetoes when it detects safe patterns (e.g., Dependabot).
The Enforcement Layer
The Janitor is not a linter. It is a structural firewall that runs on your hardware, on every pull request — before the merge button is available.
Actuarial Risk Matrix
The Janitor doesn’t just find vulnerabilities — it generates a financial ledger. Every intercepted threat is categorized and billed:
- Critical Threat (security antipattern or Swarm collision): $150/incident — CI pipeline poisoned, supply-chain injection vector, or coordinated Agentic Swarm clone.
- Necrotic GC (dead-code ghost, bot-closeable): $20/PR — automated garbage collection, no human triage required.
- Total Economic Impact = sum of all categorical billings across the audit window.
Audited 33,000 PRs across 22 enterprise repositories on an 8 GB laptop. The ledger is machine-generated, per-PR, and appended to .janitor/bounce_log.ndjson atomically on every merge event.
Integrity Dashboard (WOPR)
janitor dashboard <repo>
Visualize C/C++ compile-time blast radius and track structural Swarm clones in real-time. The WOPR (War Operations Plan Response) dashboard renders the top-10 #include dependency silos ranked by transitive reach — the files whose modification ripples furthest through the compile graph. Built from in-memory libgit2 tree walks; no filesystem checkout required.
Pro-Entropic Resilience
The v7.9.3 NCD Entropy Gate compresses every patch blob via zstd and measures compressed_len / raw_len. AI-generated boilerplate is self-similar: it compresses below ratio 0.15. Any blob whose ratio falls below that threshold triggers antipattern:ncd_anomaly (+10 points) before tree-sitter parses a single node. (Despite the name, the gate as described is a single-blob compression ratio, not a pairwise normalized compression distance.)
Two complementary shields eliminate false positives on legitimate non-application content:
- Null-Vector Collision Shield — IaC bypass (.nix, .lock, .json, .toml, .yaml, .yml, .csv) + 256-byte size guard + DOMAIN_VENDORED router. CVE vendor patches touching thirdparty/ score zero by construction. No legitimate infrastructure change can produce a spurious non-zero score.
- Net-Negative Exemption — All score multipliers act exclusively on newly introduced symbols and patterns. Pure deletions — boilerplate purges, dead API removal, deprecated-code cleanup — cannot trigger any scoring signal, and in a deletion-dominant patch only the lines it adds are ever scored. Score=0 is a proof, not a heuristic.
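The gate and both shields, as an added example in Python that is not The Janitor's own code: it scores only the '+' lines of a unified diff (so a pure deletion is exempt by construction), applies the extension bypass, the vendored-path router and the 256-byte guard before compressing anything, and only then measures the ratio. zstd is not in the Python standard library, so zlib level 6 stands in for zstd level 3 (an assumption; ratios differ somewhat between the codecs). The 0.15 threshold, the +10 points and the thirdparty/ prefix come from the page; the sample patches are constructed.

```python
"""Added example, not The Janitor's code: a minimal model of the NCD entropy
gate plus the two shields as the page lists them. zlib level 6 stands in for
zstd level 3 (assumption)."""
import zlib
from posixpath import splitext

NCD_RATIO_THRESHOLD = 0.15        # page: ratio < 0.15 fires
NCD_ANOMALY_POINTS = 10           # page: +10 points
SIZE_GUARD_BYTES = 256            # page: 256-byte size guard
IAC_EXTENSIONS = {".nix", ".lock", ".json", ".toml", ".yaml", ".yml", ".csv"}
VENDORED_PREFIXES = ("thirdparty/",)   # page names thirdparty/; the router's full list is not on the page


def added_bytes(patch: str) -> bytes:
    """Only newly introduced text is scored: the '+' lines of a unified diff,
    with the '+++' file header excluded. A pure deletion yields b''."""
    added = [l[1:] for l in patch.splitlines()
             if l.startswith("+") and not l.startswith("+++")]
    return ("\n".join(added) + "\n").encode() if added else b""


def compression_ratio(blob: bytes, level: int = 6) -> float:
    """compressed_len / raw_len. Empty input is defined as incompressible (1.0)."""
    return len(zlib.compress(blob, level)) / len(blob) if blob else 1.0


def entropy_gate(path: str, patch: str) -> dict:
    """Score one file of a PR. Shields run first, so exempt content never
    reaches the compressor ('score zero by construction')."""
    if splitext(path)[1] in IAC_EXTENSIONS:
        return {"score": 0, "tags": [], "reason": "iac_bypass"}
    if path.startswith(VENDORED_PREFIXES):
        return {"score": 0, "tags": [], "reason": "domain_vendored"}
    added = added_bytes(patch)
    if not added:                      # net-negative exemption: nothing new to multiply
        return {"score": 0, "tags": [], "reason": "net_negative"}
    if len(added) < SIZE_GUARD_BYTES:  # tiny blobs give meaningless ratios
        return {"score": 0, "tags": [], "reason": "size_guard"}
    ratio = compression_ratio(added)
    if ratio < NCD_RATIO_THRESHOLD:
        return {"score": NCD_ANOMALY_POINTS, "tags": ["antipattern:ncd_anomaly"],
                "reason": f"ratio={ratio:.3f}"}
    return {"score": 0, "tags": [], "reason": f"ratio={ratio:.3f}"}


def unified_diff(path: str, added=(), removed=()) -> str:
    """Build a minimal one-hunk unified diff (constructed sample input)."""
    head = f"--- a/{path}\n+++ b/{path}\n@@ -1,{len(removed)} +1,{len(added)} @@\n"
    return head + "".join(f"-{l}\n" for l in removed) + "".join(f"+{l}\n" for l in added)


# Constructed samples: 80 near-identical generated handlers vs. one hand-written function.
STUB = '''def handler_{n:02d}(request):
    """Auto-generated handler for endpoint {n:02d}."""
    payload = request.get_json(silent=True) or {{}}
    if not isinstance(payload, dict):
        return {{"error": "invalid payload"}}, 400
    return {{"ok": True, "endpoint": {n}}}, 200
'''
BOILERPLATE = [line for n in range(80) for line in STUB.format(n=n).splitlines()]
HUMAN = [
    "def rotate_session(store, session_id, now):",
    "    record = store.get(session_id)",
    "    if record is None or record.expires_at <= now:",
    "        raise PermissionError('session expired or unknown')",
    "    fresh_id = secrets.token_urlsafe(32)",
    "    store.put(fresh_id, record._replace(expires_at=now + SESSION_TTL))",
    "    store.delete(session_id)  # the old id must never validate again",
    "    audit.log('session.rotate', old=session_id, new=fresh_id, at=now)",
    "    return fresh_id",
]

if __name__ == "__main__":
    for path, patch in [
        ("api/routes.py", unified_diff("api/routes.py", added=BOILERPLATE)),
        ("auth/session.py", unified_diff("auth/session.py", added=HUMAN)),
        ("Cargo.lock", unified_diff("Cargo.lock", added=BOILERPLATE)),
        ("legacy/old.py", unified_diff("legacy/old.py", removed=HUMAN)),
    ]:
        print(path, entropy_gate(path, patch))
```

The ordering is the point: the extension and path checks run before any bytes are read, so a lockfile or vendored CVE patch can never produce a ratio at all, and the added-lines-only view is what makes the net-negative exemption hold without a special case.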
Zero-Copy Execution
Every analysis executes via memory-mapped file access. No network call is made during the dead-symbol pipeline.
Two deployment models — choose based on your security requirements:
| Model | Where analysis runs | Source code leaves your environment? |
|---|---|---|
| CLI + GitHub Action (action.yml) | Your GitHub Actions runner | Never — all analysis is local |
| Janitor Sentinel (GitHub App) | Janitor’s Fly.io infrastructure | Yes — repo is cloned serverside |
The CLI and GitHub Action models provide full zero-upload guarantees. Janitor Sentinel is the managed deployment — source code is analysed on Janitor infrastructure and never retained beyond the duration of the scan.
Benchmark: 3.5 million lines of Godot Engine — 33 seconds, 58 MB peak RAM. On a standard CI runner. Zero panics.
Zombie Dependency Detection
AI generators hallucinate package imports. The Janitor scans package.json, Cargo.toml, requirements.txt, spin.toml, and wrangler.toml against the live symbol reference graph. A package that appears in your manifest but never appears in a reachable import path is a zombie dependency — flagged before merge.
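Zombie detection in the shape described above, as an added Python example that is not The Janitor's own code: manifest entries from requirements.txt and package.json are compared against the import names actually reached from source. The one part a naive scan gets wrong is that distribution names and import names differ (PyYAML is imported as yaml), so the example carries a small override table; that table, the sample manifests and the sample sources are all constructed, and the Janitor's own mapping is not on the page.

```python
"""Added example, not The Janitor's code: zombie-dependency detection for
requirements.txt and package.json. IMPORT_NAME_OVERRIDES is an assumption."""
import ast
import json
import re

# Constructed sample inputs (not from any real repository).
REQUIREMENTS_TXT = """\
requests==2.32.3
PyYAML>=6.0
colorama==0.4.6   # listed, never imported
# cryptography  (commented out, must not count)
"""
PACKAGE_JSON = json.dumps({"dependencies": {"express": "^4.19.2", "left-pad": "^1.3.0"}})
PY_SOURCES = {"app/main.py": "import requests\nimport yaml\n\ndef load(url):\n"
                             "    return yaml.safe_load(requests.get(url, timeout=5).text)\n"}
JS_SOURCES = {"server.js": "const express = require('express');\n"
                           "import { readFileSync } from 'node:fs';\n"
                           "import cfg from './config.js';\n"}

# Where the PyPI name and the import name differ (assumption, not the project's table).
IMPORT_NAME_OVERRIDES = {"pyyaml": "yaml", "beautifulsoup4": "bs4", "pillow": "pil"}


def python_manifest_deps(text: str) -> set:
    """Names from requirements.txt: lower-cased, '-' folded to '_' so they can match import names."""
    deps = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):      # blank, comment, or pip option
            continue
        name = re.split(r"[<>=!~\[;\s]", line, maxsplit=1)[0]
        deps.add(name.lower().replace("-", "_"))
    return deps


def js_manifest_deps(text: str) -> set:
    """Dependency names from package.json (dependencies and devDependencies)."""
    data = json.loads(text)
    return set(data.get("dependencies", {})) | set(data.get("devDependencies", {}))


def python_imports(sources: dict) -> set:
    """Top-level module names reached by any absolute import (relative imports are in-tree)."""
    names = set()
    for src in sources.values():
        for node in ast.walk(ast.parse(src)):
            if isinstance(node, ast.Import):
                names.update(a.name.split(".")[0] for a in node.names)
            elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
                names.add(node.module.split(".")[0])
    return {n.lower() for n in names}


def js_imports(sources: dict) -> set:
    """Package names from require()/import-from specifiers; relative and node: specifiers
    are skipped, scoped packages keep their '@scope/name' prefix."""
    spec_re = re.compile(r"""(?:require\(\s*|\bfrom\s+)['"]([^'"]+)['"]""")
    names = set()
    for src in sources.values():
        for spec in spec_re.findall(src):
            if spec.startswith((".", "/", "node:")):
                continue
            parts = spec.split("/")
            names.add("/".join(parts[:2]) if spec.startswith("@") else parts[0])
    return names


def zombie_deps(manifest_deps: set, imported: set, overrides=None) -> list:
    """Manifest entries with no reachable import; overrides map dist name -> import name."""
    overrides = overrides or {}
    return sorted(d for d in manifest_deps if overrides.get(d, d) not in imported)


if __name__ == "__main__":
    py = zombie_deps(python_manifest_deps(REQUIREMENTS_TXT), python_imports(PY_SOURCES),
                     IMPORT_NAME_OVERRIDES)
    js = zombie_deps(js_manifest_deps(PACKAGE_JSON), js_imports(JS_SOURCES))
    print("python zombies:", py, "| js zombies:", js)
```

Run without the override table and PyYAML is reported as a zombie alongside colorama, which is the false positive a reviewer would waste time on. The same blind spot applies to dynamic loading (importlib.import_module, __import__, require(variable)) and to packages used only through console-script entry points or plugin registries: those are zombies to the graph but not to the program, so treat the list as candidates to confirm, not as a deletion queue.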
Cryptographic Integrity Bonds
When a pull request clears the slop gate, Janitor Sentinel — our GitHub App — automatically issues a CycloneDX v1.5 CBOM (Cryptography Bill of Materials) for the merge event. The CBOM records every cryptographic operation performed during the scan: the ML-DSA-65 (NIST FIPS 204) attestation signature, the BLAKE3 structural hashes, and the per-symbol audit entries covering {timestamp}{file_path}{sha256_pre_cleanup}. No token flag. No manual step. The proof is issued by the SaaS on a clean merge — a chain of custody for every line of code removed from production.
PR Gate: Live Results
Repos audited : 22 enterprise repositories (godot, nixpkgs, vscode,
k8s, pytorch, kafka, rust-lang/rust, tauri, redis,
next.js, home-assistant, ansible, workers-sdk,
langchain, deno, rails, laravel, apple/swift,
aspnetcore, okhttp, terraform, neovim)
PRs analyzed : 33,000+ (live production PRs — no synthetic benchmarks)
Hardware : 8 GB laptop
Engine panics : 0
OOM events : 0
Godot Engine alone (50 PRs, Feb 2026): 82% unlinked, 20% antipatterns. Zero false positives.
How It Works
- Scan — Static reference graph + 6-stage heuristic pipeline identifies every dead symbol.
- Simulate — Shadow Tree overlays links to dead files. Your test suite runs against simulated deletion.
- Remove — Tests pass? Byte-precise surgical removal, bottom-to-top. Tests fail? Full rollback, zero corruption.
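The Scan step on Python ASTs, as an added example that is not The Janitor's own code: a reference graph is built from function bodies, and every symbol not reachable from the roots (module-level code plus declared entry points) is a dead candidate. Reachability generalises the "in-degree = 0" filter from the architecture table: two dead functions that only call each other have in-degree 1 yet are still unreachable, and the example catches them. It also shows the failure mode a practitioner must guard against before letting anything auto-delete: a function dispatched by name through getattr or a hook registry has no static reference, so candidates whose names also occur as string literals are demoted to review instead of removal. The sample tree, the entry-point set and the string-literal heuristic are assumptions for the demo.

```python
"""Added example, not The Janitor's code: the 'Scan' step on Python ASTs.
ENTRY_POINTS and the string-literal demotion heuristic are assumptions."""
import ast
from collections import defaultdict, deque

# Constructed sample tree (not from any real repository).
SOURCES = {
    "app/auth.py": '''
def hash_password(pw, salt):
    return _pbkdf2(pw, salt)

def _pbkdf2(pw, salt):
    return pw + salt

def legacy_md5_password(pw):   # nothing references this any more
    return pw

def on_login(user):            # only reached by name through a framework hook
    return user
''',
    "app/main.py": '''
from app.auth import hash_password
import app.auth

HOOKS = {"login": "on_login"}  # dynamic dispatch a static graph cannot see

def main():
    print(hash_password("x", "y"))
    getattr(app.auth, HOOKS["login"])("alice")
''',
}
ENTRY_POINTS = {"main"}   # roots nothing in the tree calls (assumption: CLI entry)


def _defined_functions(sources):
    return {n.name for src in sources.values()
            for n in ast.walk(ast.parse(src)) if isinstance(n, ast.FunctionDef)}


def _refs(node, defined):
    """Defined symbols referenced anywhere under node, by bare name or attribute."""
    out = set()
    for sub in ast.walk(node):
        if isinstance(sub, ast.Name) and sub.id in defined:
            out.add(sub.id)
        elif isinstance(sub, ast.Attribute) and sub.attr in defined:
            out.add(sub.attr)
    return out


def _string_refs(sources, defined):
    """Defined names that appear as string literals: getattr/registry lookups."""
    return {n.value for src in sources.values() for n in ast.walk(ast.parse(src))
            if isinstance(n, ast.Constant) and isinstance(n.value, str) and n.value in defined}


def reference_graph(sources):
    """Edges referrer -> {referenced}. Module-level code is a root because it runs on
    import; nested functions are folded into their enclosing top-level function."""
    defined = _defined_functions(sources)
    edges, roots = defaultdict(set), set()
    for path, src in sources.items():
        for node in ast.parse(src).body:
            if isinstance(node, ast.FunctionDef):
                edges[node.name] |= _refs(node, defined)
            else:
                root = f"<module:{path}>"
                roots.add(root)
                edges[root] |= _refs(node, defined)
    return defined, edges, roots


def dead_symbols(sources, entry_points):
    """Return (safe_to_remove, needs_review): unreachable symbols, split by whether
    their name also occurs as a string literal somewhere in the tree."""
    defined, edges, roots = reference_graph(sources)
    seen = set(entry_points & defined)
    queue = deque(roots | seen)
    while queue:
        for nxt in edges.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    unreached = defined - seen
    dynamic = _string_refs(sources, defined)
    return sorted(unreached - dynamic), sorted(unreached & dynamic)


if __name__ == "__main__":
    print(dead_symbols(SOURCES, ENTRY_POINTS))   # (['legacy_md5_password'], ['on_login'])
```

Removing on_login would pass a test suite that never exercises the login hook and still break production, which is exactly why the Simulate step exists; the string-literal demotion is the cheap static check that keeps such a symbol out of the deletion queue before any tests run.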
Quick Start
# Detect dead code (free)
janitor scan ./src
# Find duplicate functions (free)
janitor dedup ./src
# PR enforcement gate — score a diff (free)
janitor bounce ./src --patch diff.patch
# Shadow-simulate + remove dead code (free)
janitor clean ./src --force-purge
Language Support
| Language | Dead Functions | Dead Classes | Dead Files | Duplicate Logic |
|---|---|---|---|---|
| Python | ✓ | ✓ | ✓ | ✓ |
| Rust | ✓ | ✓ | ✓ | ✓ |
| JavaScript / TypeScript | ✓ | ✓ | ✓ | ✓ |
| C++ | ✓ | ✓ | ✓ | ✓ |
| Go | ✓ | ✓ | ✓ | ✓ |
| C# / Java | ✓ | ✓ | ✓ | ✓ |
Runtime Architecture
| Subsystem | Technology | Property |
|---|---|---|
| AST Engine | Tree-sitter (12 grammars) | O(n) CST construction; byte-range precision per token |
| Reference Graph | Petgraph directed digraph | Topological dead-symbol filter; in-degree = 0 → candidate |
| Pattern Matching | Aho-Corasick (single automaton per group) | O(n+m) multi-pattern scan; zero allocation in hot path |
| Registry Persistence | rkyv + memmap2 | mmap-direct deserialization; no heap allocation for reads |
| Structural Hashing | BLAKE3 (alpha-normalized AST) | Logic-clone detection across identifier rename boundaries |
| Fuzzy Dedup | AstSimHasher (SimHash over CST tokens) | Classified as Refactor, Zombie, or NewCode |
| NCD Entropy Gate | zstd level-3 compression ratio | O(N) boilerplate detector; fires before AST parse; ratio < 0.15 → antipattern:ncd_anomaly (+10 pts) |
| PR Quality Gate | MinHash LSH (64 hashes, 8-band index) | Lock-free ArcSwap index; sub-linear collision detection |
| Deletion Engine | Bottom-to-top byte-range splice | UTF-8 char-boundary hardened; zero re-parse overhead |
| Simulation Layer | Symlink overlay (Shadow Tree) | Zero additional disk usage; tests run against simulated state |
| Audit Attestation | ML-DSA-65 (NIST FIPS 204) | CycloneDX v1.5 CBOMs issued by Janitor Sentinel on clean merge |
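The symlink-overlay idea behind the Simulation Layer, reduced to its essentials as an added Python example that is not The Janitor's own code: the real tree is never touched, dead files are simply absent from the overlay, and the test command run inside the overlay decides whether the deletion is safe (a failing run means "roll back", which here is just discarding the temporary directory). The package layout and test command are constructed for the demo; the one caveat worth keeping in mind is that symlinks write through, so a test that writes to a linked file mutates the real tree.

```python
"""Added example, not The Janitor's code: a Shadow Tree built from absolute
symlinks, with dead files omitted, and a test run against it. Paths and the
test command are constructed for the demo."""
import os
import subprocess
import sys
import tempfile
from pathlib import Path


def build_shadow_tree(src_root: Path, dead_files: set, shadow_root: Path) -> list:
    """Mirror src_root into shadow_root as symlinks, omitting dead_files.
    Targets are absolute so the overlay is valid from any working directory."""
    linked = []
    for path in sorted(p for p in src_root.rglob("*") if p.is_file()):
        rel = path.relative_to(src_root).as_posix()
        if rel in dead_files or rel.startswith(".git/"):
            continue
        target = shadow_root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        os.symlink(path.resolve(), target)
        linked.append(rel)
    return linked


def simulate_deletion(src_root: Path, dead_files: set, test_cmd: list) -> bool:
    """Run test_cmd with the overlay as cwd; True means the deletion is safe to apply.
    Caveat: symlinks write through, so files a test writes to should be copied, not linked."""
    with tempfile.TemporaryDirectory(prefix="shadow-") as tmp:
        shadow = Path(tmp) / "tree"
        shadow.mkdir()
        build_shadow_tree(src_root, dead_files, shadow)
        proc = subprocess.run(test_cmd, cwd=shadow, capture_output=True, text=True)
        return proc.returncode == 0   # non-zero exit -> keep the file, discard the overlay


def demo() -> tuple:
    """Constructed package: live.py is imported by the test, dead.py is not.
    Returns (dead_removal_ok, live_removal_ok, real_tree_intact)."""
    with tempfile.TemporaryDirectory(prefix="src-") as tmp:
        root = Path(tmp)
        (root / "pkg").mkdir()
        (root / "pkg" / "__init__.py").write_text("")
        (root / "pkg" / "live.py").write_text("def f():\n    return 1\n")
        (root / "pkg" / "dead.py").write_text("def g():\n    return 2\n")
        # python -c puts the working directory first on sys.path, so imports hit the overlay.
        test = [sys.executable, "-c", "import pkg.live; assert pkg.live.f() == 1"]
        ok_dead = simulate_deletion(root, {"pkg/dead.py"}, test)   # True: nothing needed it
        ok_live = simulate_deletion(root, {"pkg/live.py"}, test)   # False: ImportError
        intact = (root / "pkg" / "live.py").exists() and (root / "pkg" / "dead.py").exists()
        return ok_dead, ok_live, intact


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

The second simulation is the rollback path: the test fails inside the overlay, simulate_deletion returns False, and the real file was never at risk because only the overlay knew about the deletion.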
Pricing
The enforcement is free. The attestation is the product.
| Tier | Cost | What You Get |
|---|---|---|
| Free | $0 | Unlimited scan, clean, dedup, bounce, dashboard, report. No signed logs. |
| Team | $499/yr | All free features + ML-DSA-65 Integrity Bonds + CycloneDX v1.5 CBOMs + CI/CD Compliance Attestation + Janitor Sentinel GitHub App. Up to 25 seats. |
| Industrial | Custom | On-Premises Token Server + Keypair Rotation Protocol + SOC 2 Audit Support + Enterprise SLA. Unlimited seats. |
Activate Attestation → thejanitor.lemonsqueezy.com
CI Integration
# PR slop gate — runs on every pull request (free)
on:
  pull_request:
jobs:
  slop-gate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # assumed: the action analyses the checked-out tree locally
      - id: janitor
        uses: GhrammR/the-janitor@v6   # pin to the release tag or commit SHA you have reviewed
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      # Outputs available downstream:
      # steps.janitor.outputs.slop_score
      # steps.janitor.outputs.antipatterns
Commands
# Structural dead symbol audit
janitor scan <path> [--library] [--format json]
# PR enforcement gate
janitor bounce <path> --patch <file> --pr-number <n> --author <handle> --pr-body "$BODY"
# Zombie dependency detection (output includes zombie_deps)
janitor scan <path> --format json
# Structural clone detection
janitor dedup <path>
# Shadow-simulate → test → remove dead code
janitor clean <path> --force-purge
# Historical slop / clone / zombie intelligence report
janitor report [--repo <path>] [--top <n>] [--format markdown|json]
# Long-lived daemon (Unix socket, Physarum backpressure)
janitor serve [--socket <path>] [--registry <file>]
# Ratatui TUI dashboard
janitor dashboard <path>
Installation
From source (Rust 1.82+ and the just command runner required):
git clone https://github.com/GhrammR/the-janitor
cd the-janitor
just build
# Binary: target/release/janitor
Pre-built binary:
# Download from Releases, then:
chmod +x janitor && sudo mv janitor /usr/local/bin/
The Proof
3.5 million lines. 33 seconds. 58 megabytes. Zero panics.
License
Business Source License 1.1 (BUSL-1.1) — Source Available. Converts to MIT on 2030-02-15.
Scan, cleanup, dedup, bounce, and dashboard are permanently free. Integrity attestation is issued by Janitor Sentinel (Team tier).