ENGINEERING · MAY 20, 2026 · 8 MIN READ

Inside the audit: six agent groups and a deterministic scanner

How Hyrax reads every file in a repository — combining six specialized agent groups with a deterministic scanner so nothing depends on a single model's mood.


Coverage is the first thing a code audit gets wrong. A tool that samples files, or stops at a token budget, produces findings that are technically real and practically useless — because the issue that bites is rarely in the sampled slice. The audit reads every file in the repository. Coverage is a property of the system, not a setting someone forgot to raise.

Why one model is not enough

A single model asked to "find problems" produces a single model's idea of a problem, flattened into one undifferentiated pass. Security issues, dead code, performance traps, and missing tests are different questions that reward different attention. Asking them all at once means each gets answered poorly.

So the audit splits the work across six specialized agent groups. Each group carries its own context and looks for a distinct class of issue. The groups run against the same fully-read tree, and their findings stay labeled by origin rather than merging into a generic list.

A deterministic scanner runs alongside

Not every issue should depend on a model. Some are mechanical: a hardcoded secret, an unsafe call, a dependency with a known advisory. For those, a deterministic scanner reads the same files and reports the same findings every time it runs. Determinism matters because a security check that returns different results on identical input is not a check — it is a guess.

| Layer                 | Strength          | Catches                                         |
|-----------------------|-------------------|-------------------------------------------------|
| Agent groups          | Judgment, context | Design issues, subtle defects, missing coverage |
| Deterministic scanner | Repeatability     | Secrets, unsafe calls, known advisories         |

The two layers cover each other. The scanner never misses the mechanical issues the agents might reason their way past, and the agents see the structural issues a pattern matcher cannot describe.
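As an added illustration (not Hyrax's own code), here is a minimal Python sketch of the two-layer model described above: a deterministic scanner reads every file of a constructed in-memory repository and applies fixed pattern rules, so two runs over the same tree yield a byte-identical result set, and its findings are then merged with constructed agent-group findings into one severity-ranked list in which every finding keeps its origin label. The rule patterns, severities, group names and sample files are assumptions.

```python
import hashlib
import re
from dataclasses import dataclass
# Constructed in-memory repository (path -> contents); sample data, not a real project.
REPO = {
    "app/config.py": 'DB_URL = "postgres://svc:hunter2@db/prod"\n'
                     'AWS_SECRET_ACCESS_KEY = "not-a-real-key-example"\n',
    "app/render.py": "import pickle\n\ndef load(blob):\n    return pickle.loads(blob)\n",
    "app/util.py": "def add(a, b):\n    return a + b\n",
}
# Deterministic rules (assumed): (rule id, pattern, severity). Pure pattern matches, so
# identical input always produces identical findings.
RULES = [
    ("hardcoded-secret", re.compile(r'(?i)(secret|password|api_key)\w*\s*=\s*"[^"]+"'), "high"),
    ("credential-in-url", re.compile(r"://[^/\s:]+:[^@\s]+@"), "high"),
    ("unsafe-deserialize", re.compile(r"\bpickle\.loads?\("), "medium"),
]
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

@dataclass(frozen=True, order=True)
class Finding:
    path: str
    line: int
    rule: str
    severity: str
    origin: str  # "scanner" or the agent group that raised it; never dropped on merge

def scan(repo):
    """Read every file and apply every rule to every line (full coverage, no sampling)."""
    findings = []
    for path in sorted(repo):  # sorted so output cannot depend on dict insertion order
        for lineno, line in enumerate(repo[path].splitlines(), start=1):
            for rule, pattern, severity in RULES:
                if pattern.search(line):
                    findings.append(Finding(path, lineno, rule, severity, "scanner"))
    return sorted(findings)

def fingerprint(findings):
    """Stable digest of a result set; two runs over the same tree must agree."""
    return hashlib.sha256(repr(findings).encode()).hexdigest()

# Constructed stand-ins for what the judgment layer (agent groups) would raise.
AGENT_FINDINGS = [
    Finding("app/util.py", 1, "missing-tests", "low", "test-coverage-group"),
    Finding("app/render.py", 3, "untrusted-input-boundary", "medium", "security-group"),
]

def rank(*layers):
    """Merge all layers into one severity-ranked list; each finding keeps its origin label."""
    merged = [f for layer in layers for f in layer]
    return sorted(merged, key=lambda f: (SEVERITY_RANK[f.severity], f.path, f.line, f.rule))
```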

Findings are not only failures

An audit that reports only severe defects trains people to ignore it between fires. The audit also surfaces easy wins and code-quality observations — the small, safe improvements that compound. A finding carries its severity honestly, so a reviewer can sort by what actually threatens the system rather than wading through noise pitched at one volume.

Every model call runs on Amazon Bedrock. Repository content is never used to train a model.

What the audit hands back

The result is a labeled, severity-ranked set of findings backed by full coverage: every file read, mechanical issues caught deterministically, and judgment issues raised by the group equipped to recognize them. That set is what the fix pipeline draws from when it decides what to remediate — which is a separate problem, and the subject of its own writeup.


Sources

  1. Hyrax documentation — audit and scan
  2. Amazon Bedrock