Score a public repo
Paste a GitHub URL. Score over the last 100 commits, out of 100. Higher is cleaner.
Receipts — slop that shipped to production
Public incidents. Click any card for the full scan.
LiteLLM 1.86.2
May 2026. Cache merge appended duplicate data[*].index. ETL crashed downstream.
OpenCode v1.15.13
Jun 2026. Refactor dropped mandatory args. Sub-agents NULL'd telemetry for days.
rsync 3.4.3
May 2026. Backups silently broke. 36 AI commits between 3.4.1 → emergency 3.4.4.
Faker.js
2026. Locale "optimisation" broke seed determinism. CI unpredictable.
How it works
1. Stage a diff
Pre-commit hook runs slop poke --staged automatically. No new workflow.
2. Sub-10ms verdict
Server returns hits + a unified-diff patch. Safe deletes auto-applied. Semantic hits become // TODO(slop) comments.
3. Learn as you go
Every slop learn "…" tunes your catalog. False positives quiet down. Missed slop gets caught next commit.
Pricing
Guard
Pre-commit slop review that learns your style.
- Sub-10ms verdict on every staged diff
- All detectors · 30+ languages
- Adaptive learning per user
- Team-scoped catalog after 30 days
- 30-day money-back · cancel anytime
Install, run slop poke. First metered call returns
a Stripe URL keyed to your SSH key. No signup.
Autopilot
Bi-weekly PRs from your team's catalog.
- Everything in Guard
- Bi-weekly PRs to your default branch
- Trained on 30 days of your Guard history
- Expert senior developer in the loop
- You review + merge · never a direct push
- Per-repo calibration
Guard subscribers get first access.
SSO · on-prem · confidential-compute (TEE)? See Enterprise →
FAQ
What does AI slop cost — and what does sloppoke measure?
See the Receipts section above for the top incidents (LiteLLM / OpenCode / rsync / Faker.js + the industry signal). One extra entry that fits less neatly into a card:
- C23 / glibc compile-fix wave (early 2026) — LLM "shortest semantic path" patches across legacy C utilities to clear glibc 2.43 errors. Aggressive const-casts + macro masking → modern GCC/Clang optimise unreachable branches → segfaults, silent memory leaks, buffer holes in decade-stable code. (Generic-git scan support inbound: sourceware.org/git/glibc.git and other non-GitHub hosts.)
What sloppoke measures:
- Slop density per repo over time (gate merges on a target).
- Hits blocked × 1 hr 56 min × your eng rate = hours/dollars saved.
- Determinism — same diff → same finding, audit-ready.
- Per-category TP / FP, tracked each catalog release.
- Verdict p95 <10 ms (elapsed_ms in every response).
Does sloppoke measure runtime performance or guarantee correctness?
No. Different tool category. Runtime perf → profilers (perf, flamegraphs) + load tests (k6, wrk, Locust). Correctness → types, tests, formal verification. Density of LLM residue in source is what sloppoke measures — a statistical correlation with the failure modes the FAQ above documents, not a proof of correctness or speed.
Adjacent failure mode it does catch indirectly: "shortest semantic path" compile-fix patches (see the C23 / glibc bullet above) leave the code compiling but push GCC/Clang into UB. The markers fire because the patches drop language-level guarantees, not because we instrument the runtime.
Wait, is this frontend vibecoded?
Yes — landing, copy, pixel widgets, all agent-sketched. The catalog is not: deterministic ML + ruleset from 15+ yrs regulated engineering. Vibe the visible layer; stay deterministic where it counts.
How do you characterize slop?
Three flavours: wordy nothing (comments
restating code, vacant names), defensive theatre
(guards for impossible cases, empty catches),
unfinished work shipped (placeholders,
untested branches, AI trailers in commits).
Catalog isn't published and isn't static — every
slop learn tunes yours.
Why no GitHub app or PR bot?
PR bots fire after the slop is in git history. slop
poke runs on the staged diff before commit. No
force-push cleanup. CI still covered:
slop poke --range $BASE..$HEAD drops into any
pipeline as a one-liner, exits non-zero on SLOP. No
GitHub-App scope on your repo.
Why SSH keys instead of an email signup?
Reuse what already works. Requests signed by
ssh-keygen -Y sign; fingerprint = account.
Nothing to provision, no email breach target, no marketing
list. Same key in CI: drop in a secret, done.
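The signing scheme described above, sketched with stock OpenSSH as an added example (not sloppoke's client code or wire format): a diff is signed with ssh-keygen -Y sign and checked with ssh-keygen -Y verify against an allowed_signers entry keyed by the key's fingerprint. The namespace diff-review-demo, the throwaway key and the sample diff are assumptions made for the demo.

```shell
#!/usr/bin/env bash
# Added example. Key, diff and namespace are constructed for the demo.
set -u
WORK=$(mktemp -d)
NS="diff-review-demo"   # hypothetical namespace, not taken from the page

# Throwaway client key; a real client would reuse an existing SSH key.
ssh-keygen -q -t ed25519 -N '' -C demo -f "$WORK/id"

# Constructed unified diff standing in for the request body.
cat > "$WORK/req.diff" <<'EOF'
--- a/app.py
+++ b/app.py
@@ -1 +1 @@
-print("hi")
+print("hello")
EOF

# "fingerprint = account": SHA256 fingerprint of the public key.
fingerprint() { ssh-keygen -lf "$1" | awk '{print $2}'; }

# Client: detached signature over the diff, bound to the namespace.
sign_request() {
  ssh-keygen -Y sign -f "$WORK/id" -n "$NS" < "$1" > "$1.sig" 2>/dev/null
}

# Server: allowed_signers maps the fingerprint (used as principal) to the key
# and pins the namespace, so a signature made for another purpose is rejected.
FP=$(fingerprint "$WORK/id.pub")
printf '%s namespaces="%s" %s\n' "$FP" "$NS" \
  "$(cut -d' ' -f1,2 "$WORK/id.pub")" > "$WORK/allowed_signers"

verify_request() {  # $1 = data, $2 = signature, $3 = namespace (optional)
  ssh-keygen -Y verify -f "$WORK/allowed_signers" -I "$FP" \
    -n "${3:-$NS}" -s "$2" < "$1" >/dev/null 2>&1
}

sign_request "$WORK/req.diff"
sed 's/hello/changed/' "$WORK/req.diff" > "$WORK/tampered.diff"
verify_request "$WORK/req.diff" "$WORK/req.diff.sig" && echo "original: accepted"
verify_request "$WORK/tampered.diff" "$WORK/req.diff.sig" || echo "tampered: rejected"
verify_request "$WORK/req.diff" "$WORK/req.diff.sig" other-ns || echo "wrong namespace: rejected"
```

The signature covers the diff bytes and the namespace, so a server that verifies this way rejects both a modified body and a signature replayed from a different context.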
What does slop actually see about my code?
Unified diff. Nothing else. No origin URL, no SHA, no OAuth token, no clone. Server processes the patch in memory, returns verdict + apply-patch, persists only learning weights. Diff bytes do contain your literal lines — treat sending them like any code-review tool.
What languages are supported?
Surface detection on every language. Deep analysis lights up first for Rust, TS/JS, Python, Go. More land continuously server-side — no CLI reinstall.
What if I disagree with a finding?
slop learn "false positive on … because …".
Quiets next scan for your account + project. We keep the
calibration weights, not the raw text.
Can sloppoke run inside a Trusted Execution Environment?
Yes, Enterprise. Server runs in AMD SEV-SNP confidential VM; we can't read your diffs even with root on the host. Remote attestation proves the running binary matches our published hash; session key sealed to that measurement. EU residency default; Intel TDX / AWS Nitro on request. Trust the math.
Can I run it on-prem or self-hosted?
Enterprise. Private-corpus calibration, SSO, SLA, audit trail, server image inside your perimeter. engineering@peeramid.xyz.
Does the CLI work without the cloud API?
Today: no. Thin client → catalog match runs server-side. On-prem / TEE available under Enterprise. Patches kept 24 h for the learning loop on our own model fleet (no third-party LLM APIs); only anonymised patterns survive after. EU residency, per-account purge on request.