Buyer FAQ — honest answers, no hype

Common Questions & Objections

Everything you might be wondering before buying, answered factually. If your question is not here, the product may not be for you — and that is fine.


"I can just review AI diffs myself."

You can. Many developers do. The question is attention and consistency. A senior reviewer checking 40 AI-agent PRs a month may spend 5–10 minutes on each just scanning for risky patterns. This tool automates that pattern scan in under 1 second and flags the specific risk categories so you can prioritize which diffs need the deepest human attention.

It does not replace your review. It triages it.

"We already use CodeRabbit / SonarQube / Copilot Review."

Those tools do different things. CodeRabbit and Copilot Review focus on code suggestions and style. SonarQube scans for known vulnerabilities and code smells. None of them specifically flag AI-agent risk patterns — dependency additions without owner review, source changes without test changes, secret-like literals in diffs, or generated-file rewrites that bury important changes.

This tool fills the gap between general code quality and AI-agent change risk triage. You can run it alongside any of those tools.

"It's just pattern matching — not real analysis."

Correct. It is pattern matching, not deep semantic analysis. It will produce false positives (test fixtures triggering "secret" flags, hand-maintained files whose names match generated-file patterns triggering "generated" flags). The value is not perfection, it is consistency. A human reviewer may be tired, rushed, or unfamiliar with the codebase. The tool always checks the same patterns and always produces a score.

Use it as a signal, not ground truth.

"I don't trust tools that claim to find secrets."

Good instinct. This tool does not claim to find real secrets. It flags patterns that look like secrets in diffs — strings matching api_key=, token=, password=, etc. A flagged line might be a test fixture. The recommendation is always: remove the literal, use environment variables, and rotate if there is any chance the value is real.
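To make the "pattern matching, not analysis" point concrete, here is a small triage scanner in the style the answers above describe (dependency-file changes, source changes without test changes, secret-like literals, generated-file rewrites, auth and config paths). It is an added example written for this page using only the standard library; it is not the product's code. The filename patterns, weights, the threshold at which a score becomes "high", and the sample diff (with an invented key value) are all assumptions made here.

```python
"""Unified-diff risk triage of the kind the FAQ describes.

Added example using only the Python standard library. It is NOT the
product's code: the filename patterns, category weights, HIGH threshold
and the sample diff are all assumptions made for this illustration.
"""
import json
import re
import sys

# Assumed filename patterns per risk category; extend them for your repo.
DEPENDENCY_FILES = re.compile(
    r"(^|/)(requirements[^/]*\.txt|pyproject\.toml|package\.json|go\.mod|Cargo\.toml)$")
TEST_FILES = re.compile(
    r"(^|/)(tests?/|test_[^/]*\.py$|[^/]*_test\.(py|go)$|[^/]*\.test\.[jt]s$)")
GENERATED_FILES = re.compile(
    r"(\.lock|\.min\.js|_pb2\.py|package-lock\.json)$|(^|/)(dist|build)/")
AUTH_PATHS = re.compile(r"(^|/)(auth|login|session|permission|rbac)", re.I)
CONFIG_FILES = re.compile(r"(^|/)(\.env[^/]*|settings\.py|[^/]+\.(ya?ml|toml|ini))$")
SOURCE_FILES = re.compile(r"\.(py|js|ts|go|rs|java|rb)$")
# Secret-like literal: credential-ish key, separator, then a value long enough
# to look like a real token rather than a short placeholder such as "changeme".
SECRET_LITERAL = re.compile(
    r"\b(api[_-]?key|token|password|secret)\b\s*[=:]\s*['\"]?([A-Za-z0-9_\-/+=]{12,})", re.I)
GENERATED_REWRITE_LINES = 20   # assumed: this many changed lines counts as a rewrite
WEIGHTS = {"dependency_change": 2, "source_without_tests": 2, "secret_like_literal": 4,
           "generated_rewrite": 2, "auth_path": 3, "config_change": 1}
HIGH_THRESHOLD = 5             # assumed score at which the level becomes "high"


def parse_unified_diff(text):
    """Return {path: {"added": [lines], "removed": count}} for each file touched."""
    files, current, lines = {}, None, text.splitlines()
    for i, line in enumerate(lines):
        # A "+++ b/path" header right after a "--- " header starts a new file;
        # "+++ /dev/null" is a deletion, whose lines are not scanned.
        if line.startswith("+++ ") and i and lines[i - 1].startswith("--- "):
            target = line[4:].split("\t")[0]
            current = None if target == "/dev/null" else re.sub(r"^b/", "", target)
            if current:
                files[current] = {"added": [], "removed": 0}
        elif current and line.startswith("+"):
            files[current]["added"].append(line[1:])
        elif current and line.startswith("-") and not line.startswith("--- "):
            files[current]["removed"] += 1
    return files


def audit(diff_text):
    """Run the pattern checks over a diff and return a scored report."""
    files = parse_unified_diff(diff_text)
    findings = []                                   # (category, detail) pairs
    for path, info in files.items():
        if DEPENDENCY_FILES.search(path):
            findings.append(("dependency_change", path))
        elif CONFIG_FILES.search(path):
            findings.append(("config_change", path))
        if AUTH_PATHS.search(path):
            findings.append(("auth_path", path))
        changed = len(info["added"]) + info["removed"]
        if GENERATED_FILES.search(path) and changed >= GENERATED_REWRITE_LINES:
            findings.append(("generated_rewrite", path))
        for added in info["added"]:
            m = SECRET_LITERAL.search(added)
            if m:   # report the key name only; never echo the candidate value
                findings.append(("secret_like_literal", f"{path}: {m.group(1)}"))
    source = [p for p in files if SOURCE_FILES.search(p) and not TEST_FILES.search(p)]
    if source and not any(TEST_FILES.search(p) for p in files):
        findings.append(("source_without_tests", ", ".join(source)))
    score = sum(WEIGHTS[c] for c, _ in findings)
    level = "high" if score >= HIGH_THRESHOLD else "medium" if score else "low"
    return {"score": score, "level": level, "findings": findings, "files": sorted(files)}


def exit_code(report):
    """CI gate in the style the FAQ describes: non-zero only for high risk."""
    return 1 if report["level"] == "high" else 0


# Constructed sample diff; every path and value here is invented.
SAMPLE_DIFF = "\n".join([
    "--- a/requirements.txt", "+++ b/requirements.txt", "@@ -1,2 +1,3 @@",
    " flask==3.0.0", "+left-pad-py==0.0.1", " requests==2.31.0",
    "--- a/app/auth/login.py", "+++ b/app/auth/login.py", "@@ -1,3 +1,3 @@",
    " import os", '-API_KEY = os.environ["API_KEY"]',
    '+API_KEY = "sk_example_0123456789abcdef"  # invented, not a real key',
    " def login(user): ...",
    "--- a/package-lock.json", "+++ b/package-lock.json", "@@ -1,3 +1,28 @@",
] + [f'+  "dep-{n}": "1.0.{n}",' for n in range(25)])

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DIFF
    result = audit(text)
    print(json.dumps(result, indent=2))
    sys.exit(exit_code(result))
```

Run it with no arguments to score the built-in sample (five categories fire, the level is "high", and the process exits 1), or pass a saved `git diff` output as the first argument. Note the two design choices that matter for triage rather than truth-finding: the secret check reports only the key name, never the candidate value, so a real credential is not copied into CI logs; and a test fixture such as `TOKEN = "fixture-token-0000000000"` is still flagged, which is exactly the false positive the answer above warns about and why the output is a signal to prioritise review, not a verdict.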

"It's too simple — I need something more powerful."

The simplicity is the point. It runs in under 1 second, uses only the Python standard library, and requires no API keys or cloud upload. For teams that need deeper static analysis, SAST, or SCA, those tools exist and should be used alongside this. This tool is a fast triage layer, not a replacement for a security pipeline.

"Why pay when I could write this myself?"

You absolutely could write a similar tool — the core logic is not complex. What you get for $5 (Basic) or $19 (Pro) is: ready-to-run code with 11 passing tests, a CI integration template, HTTP API mode, batch audit, team notification templates, an agency checklist, onboarding docs, and a commercial license so you can use it in client work without building from scratch.

The value is in the packaging, testing, documentation, and legal clarity — not a secret algorithm.

"Manual delivery means I have to wait?"

Yes, in the current MVP, delivery is manual after PayPal purchase. The product is a ZIP file with source, tests, and docs. Delivery typically happens within a few hours. If you need instant access, contact us and we will prioritize. Automated delivery is planned once PayPal Business/webhook setup is verified.

"What if it doesn't work for me?"

Contact us within 14 days for a full refund. No questions asked. The tool is honest about what it does and does not do. If your use case falls outside the six risk categories it checks, or if you need deeper analysis, the refund policy covers you.

"Is my code/data safe?"

The CLI and HTTP API run entirely on your machine. No code, diff, or result is ever sent to an external server. The serve mode binds to localhost (127.0.0.1) only. There are no API keys, no telemetry, no phone-home, and no cloud dependency. You can verify this by reading the source: it is plain Python, standard library only.

Extended FAQ

Can I use this in CI/CD?
Yes. The CLI returns exit code 1 when risk is high. Use it in GitHub Actions, GitLab CI, or any pipeline that can run a Python script. A workflow template is included.
Can I use this as a pre-commit hook?
Yes, in the Pro Pack. A pre-commit hook template runs the audit on staged changes before commit.
Does it support languages other than Python?
The diff analysis works on any unified diff — Python, JavaScript, Go, Rust, etc. The risk patterns (dependency files, auth paths, config files, secrets) are language-agnostic. Some default filename patterns are Python/JS-focused, but you can extend them.
What Python version do I need?
Python 3.10 or later. No external dependencies.
Can I run it on multiple repos?
Yes, in the Pro Pack. The batch audit mode takes a list of repo paths and produces per-repo risk reports.
How does the HTTP API mode work?
Run python agent_change_risk_auditor.py serve --port 8080. It starts a local server on http://127.0.0.1:8080. Send POST /audit with a diff body to get a JSON risk report. GET /audit/schema returns the result schema. GET /health returns service status.
Does it integrate with Slack or Teams?
Yes, in the Pro Pack. A notification template posts risk summaries to Slack or Teams channels via webhook.
Is there a free version?
There is no free tier. The landing page includes a free 6-point checklist you can use without buying anything. The paid product adds automation, CI integration, batch audit, API mode, and commercial licensing.
What license does it use?
Both Basic and Pro Pack include a commercial-use license summary. You can use the tool in commercial projects, including client work at agencies.
Who is this NOT for?
Teams that need enterprise SAST/SCA (use SonarQube, Snyk, etc.), anyone who wants deep semantic code understanding (this is pattern matching), or anyone who needs cloud-hosted analysis (this is local-only).

Still have questions?

Check the product page for features, sample report for example output, or ROI calculator to estimate value for your team.

Manual delivery MVP via PayPal hosted checkout. 14-day refund policy.