How it works
Threat model first, then read the code
Assay's edge is ordering: it builds a threat model before it reads a line of source, so the investigation is hypothesis-driven instead of pattern-matching. Every finding is backed by a verbatim quote, and a post-validator drops anything the model can't prove.
The 5-stage methodology
- Triage — map the artifact: entry points, declared permissions, files worth reading.
- Claim extraction — what does it claim to do?
- Threat model — given the claims, where could it go wrong? (done before reading source code)
- Investigation — read code, gather evidence for each threat, one sub-agent per threat.
- Synthesis — a
safe / caution / unsafe verdict + audit.md with verbatim file:line citations.
Cite or drop. The post-validator physically re-reads every cited file after synthesis; if a quoted snippet isn't there, the evidence is dropped, and a finding with no surviving evidence is dropped entirely. Confabulated findings — the model "remembering" code that isn't in the artifact — are the failure mode this exists to kill.
Two scan modes, one verdict format
- MCP mode (default) —
assay serve spawns claude -p with the Assay MCP server wired in. Your Claude Code session walks the methodology by calling assay_* tools (list_files, read_file, grep, record_finding, finalize_scan…). Uses your subscription; no rate-limit walls.
- Legacy in-process mode (
--scan-mode legacy) — a Go orchestrator calls the Anthropic API directly with automatic 429 retry + backoff. For users without Claude Code, and for CI.
Both produce the same audit.json + audit.md on disk. assay serve --scan-mode fake replays recorded fixtures for demos and offline development — no LLM call.
Threat coverage
Assay reasons about threat classes specific to the AI dev stack, not generic CVEs. Highlights:
- Prompt injection via tool descriptions and responses
- MCP tool poisoning — a server that passes review, then mutates a tool description to smuggle instructions to the agent
- Capability vs. claim mismatch — does the code do more than the README says?
- Credential exfiltration — reads of
~/.aws/credentials, ~/.ssh/, .env
- Hook abuse — shell commands attached to every Claude Code event
- Supply-chain attacks via updates and dependencies
The full catalog lives in docs/threat-model-2026.md and the design in ARCHITECTURE.md.
Out of scope in v0
- Dynamic execution / sandboxing (Assay reads code; it doesn't run it)
- Adversarial prompt-injection fuzzing
- claude.ai connector scanning (closed-source — metadata review only)
- Cross-client adapters (Cursor, Cline, Continue) beyond Claude Code