Graph-aware compliance audit

Compliance watch
for your codebase.

PACE reads your code, scans every function for compliance violations, verifies fixes on an isolated branch, and produces audit-ready evidence — all from the CLI.

$ pip install pace-agents
pace / three commands

Scan
$ pace scan
[CRITICAL][PHI-001]: PHI in logs
  --> patient.py:log_visit
[HIGH    ][SEC-003]: hardcoded secret
  --> config/db.py:connect
Scan complete — 2 findings

Fix
$ pace fix
[fix] PHI-001 (log_visit) ...
  [fixed] 1 attempt
  Branch: fix/phi-001-4a1f
[fix] SEC-003 (connect) ...
  [fixed] 2 attempts
  Branch: fix/sec-003-8b2c
Fix complete — 2 fixed, 0 blocked.

Report
$ pace report
Report written — 2 finding(s)
  fixed: 2
  .pace/report-20240115T143022.md
  .pace/report-20240115T143022.json
  .pace/report-20240115T143022.html

What PACE does

Most compliance tools stop at policies or generic linting. PACE works at the code level and closes the loop from finding to fix to auditor-ready proof.

Scan the graph

Reads your codeindex graph to trace call paths, data flows, and imports. Every function is checked against your compliance ruleset — HIPAA, SOC 2, and more.

Verify fixes

Generate patches, apply them to a feature branch, rerun your existing test suite, and re-check findings. A fix only counts when it passes all three gates.

Produce evidence

Generate timestamped markdown, JSON, and HTML artifacts. Each finding maps to its control reference — ready to hand to an auditor without manual formatting.

CI gate: pace scan --diff HEAD~1 — scans only changed files and exits non-zero when new violations are introduced. Drop it into any pipeline.

Four agents. One loop.

PACE is an acronym. Each letter is a specialist agent with a distinct role in the fix loop — the same separation of concerns you'd want from a human security review.

P
Planner
Prioritize & group

Reads the full audit journal and ranks findings by severity. Groups related violations that share a root cause so fixes compound instead of collide.

A
Author
Propose the patch

Writes a concrete diff for each finding group using the fix strategy hint and full cross-function audit context. Revises on failure with structured feedback from the Evaluator.

C
Coder
Apply & test

Applies the patch to a feature branch and runs the project's existing test suite. Returns pass/fail output. Does not judge correctness — that's the Evaluator's job.

E
Evaluator
Accept or reject

Re-scans the patched branch. Accepts only if tests pass, the original finding is gone, and no new violations were introduced. Rejects with context — the Author retries up to the configured cap.

Loop: Planner → Author → Coder → Evaluator — on reject, cycles back to Author with failure context. After the retry cap, the finding is flagged needs-human-review and the loop moves on.
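To make the acceptance rules concrete, here is an added Python sketch of the Evaluator's three gates and the retry cap. It is not the pace-agents code: the scanner, test run and Author are replaced by constructed data (the Candidate records, the X-000 finding id and the retry_cap semantics are assumptions made for the illustration).

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Candidate:
    """One patch attempt on the fix branch. Constructed stand-in for a real diff:
    the Coder's test verdict and the finding ids the Evaluator's re-scan reports."""
    tests_pass: bool
    findings_after: set[str]

def evaluate(target: str, baseline: set[str], cand: Candidate) -> tuple[bool, str]:
    """Apply the three gates in order; the first failed gate becomes the feedback."""
    if not cand.tests_pass:
        return False, "gate 1: test suite failed"
    if target in cand.findings_after:
        return False, f"gate 2: {target} still present after patch"
    introduced = cand.findings_after - baseline
    if introduced:
        return False, f"gate 3: new violations introduced: {sorted(introduced)}"
    return True, "accepted"

def fix_loop(target: str, baseline: set[str], attempts: list[Candidate],
             retry_cap: int = 3) -> dict:
    """Author -> Coder -> Evaluator cycle. `attempts` is the sequence of patches
    the (simulated) Author would produce, one per round, each after feedback.
    Assumption: retry_cap bounds the total number of rounds for one finding."""
    feedback: list[str] = []
    for n, cand in enumerate(attempts[:retry_cap], start=1):
        ok, why = evaluate(target, baseline, cand)
        if ok:
            return {"status": "fixed", "attempts": n, "feedback": feedback}
        feedback.append(why)  # structured context handed back to the Author
    return {"status": "needs-human-review",
            "attempts": min(len(attempts), retry_cap), "feedback": feedback}

# Constructed scenario matching the scan output above: two baseline findings.
BASELINE = {"PHI-001", "SEC-003"}
PHI_ATTEMPTS = [
    Candidate(True, {"SEC-003", "X-000"}),  # PHI-001 gone, but X-000 (constructed id) appears
    Candidate(False, {"SEC-003"}),          # clean re-scan, but the test suite now fails
    Candidate(True, {"SEC-003"}),           # passes all three gates
]

if __name__ == "__main__":
    print(fix_loop("PHI-001", BASELINE, PHI_ATTEMPTS))
```

The first attempt is rejected even though the original finding is gone, because gate 3 refuses a patch that introduces a new violation; only the third attempt is accepted.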

Why a skeptical engineering lead should trust it

PACE is designed to be inspectable, conservative, and useful under real audit pressure.

You can review the diff, see the test result, and trace every finding to a specific control and evidence artifact. The code graph comes from codeindex — a deterministic, local index with no inference. Nothing about the workflow depends on blind trust.

  • Local-first — no data leaves your machine to find violations.
  • Graph-powered scanning via codeindex: real call paths, not heuristics.
  • Verified patches: tests must pass before a fix is accepted.
  • Stable finding identity across refactors and releases.
  • Evidence reports written for auditors, not just engineers.

PACE watches the code.

Find the violation. Verify the fix. Hand over the proof.