Automated CPG Pipeline for Safe AI Coding
Claude generated 47 files and 1,900 lines of code—including refactoring and migration—in just 38 minutes. AI speed outpaces human review capacity, leading to technical debt accumulation without automated safeguards.
The CPG pipeline solves this: it analyzes every commit, provides code graph context before generation, and evaluates risks in PRs. This transforms reckless AI coding into a controlled process.
Core Challenges of Reckless AI Coding
Unverified AI generation leads to recurring issues:
- Logic duplication instead of shared modules, increasing code volume and branching.
- Invisible call graphs: editing one file impacts dozens of dependencies.
- Documentation drift: mismatches between text and code numbers—found in 14 cases during audit.
CPG Pipeline Architecture
The pipeline leverages Claude Code hooks across five stages:
- Session Start: Project snapshot—method count, file count, average cyclomatic complexity.
- Prompt Processing: Context extraction per class (location, method complexity, incoming/outgoing calls).
- Pre-Edit Warnings: High complexity, TODOs in file, public endpoints.
- Post-Commit Analysis: Quality and change radius assessment.
- Session End: Post-analysis of complexity and volume changes.
Commit Analysis Details: commit_analysis.py
The key hook commit_analysis.py runs after git commit:
- Checks CPG freshness via commit hash vs HEAD.
- Incremental update:
gocpg update. - Quality analysis: cyclomatic complexity, TODO/FIXME, debug code, deprecated methods.
- Impact analysis: calling methods, access interfaces.
Model receives report: "4 files changed, 12 methods affected, complexity rose from 8 to 12, 8 callers at risk".
Benefits of Pre-Generation Context
CPG context before prompts changes model behavior. Without it—blind edits. With it: awareness of complexity (8), calls (8 direct), TODOs, interfaces (CLI, not REST).
This reduces compatibility risks and boosts generation accuracy.
Git Hooks for Graph Freshness
CPG degrades with every commit. Hooks post-commit, post-merge, post-checkout run gocpg update asynchronously:
- Full parse: 85 seconds.
- Incremental for 2 files: 2–5 seconds.
- For 10–20 files: 5–12 seconds.
Developer doesn’t wait—the graph updates in the background.
Integration in CI/CD
In CI: build GoCPG, restore cache, sync from base branch, publish to PR comment + SARIF annotations.
Reviewer sees:
- Number of changed files and graph nodes.
- Cache hits.
- Risks and security findings.
Claims_validator.py for Documentation Integrity
Validator scans markdown for numeric claims (e.g., "95 handlers"), cross-references with SQL queries against CPG. Detects discrepancies in seconds.
Case Study: Validating User Stories
Task: Verify coverage of 83 stories across 5 interfaces (CLI, REST, TUI, MCP, ACP).
AI generated StoryValidationRunner (450 lines, 39 tests—all green).
First run: 0 coverage due to bugs (Windows/Unix path handling, interactive vs batch mode).
After fixes: 46 full, 32 partial, 2 not found, 3 not applicable.
Next: false positives from regex (first path segment, missing stop words). Accuracy improved; "full coverage" metric dropped from 49 to 46—a sign of better precision.
Unit tests missed real graph issues.
Advanced Checks in Code Review
Pipeline expanded to 13 checks:
- Warnings for public methods (CLI/REST/MCP).
- Registration of new handlers.
- Cross-module dependencies.
- Git diff analysis.
- Dedicated Go CPG.
- Test validation for new files.
- Transitive call analysis.
- Story coverage delta.
Quality History Stored in DuckDB
Snapshots post-analysis: methods, complexity, TODOs, dead code. Weekly: +46 methods, stable complexity, heavy methods ↓.
Key Takeaways
- Pre-generation CPG context reduces errors before AI writes.
- Incremental graph updates take seconds.
- Automated PR reports focus reviews on risks.
- Doc number validation prevents factual drift.
- DuckDB quality metrics reveal project trends.
— Editorial Team
No comments yet.