A map of your codebase
Skein reads your codebase and builds a deterministic map of its real behavior: which routes reach which data, services, and secrets, and how. Then AI explains the map in plain terms, citing every line.
No commits to your repo · Public and private repos · Code stays in an ephemeral sandbox
The map
Skein resolves your code into a graph of nodes and edges. Entry points on the left; the data, services, and secrets they reach on the right; the call path in between. Same code in, same graph out, byte for byte.
Read directly from a real codebase. No model produced this graph; it is computed.
Skein splits the two jobs most tools blur together: establishing the truth, and explaining it.
01 — Determinism
Skein resolves symbols and call paths into one graph of real behavior. Same commit in, same graph out, byte for byte. It learns the helpers your team wraps around databases, queues, and HTTP, and follows them through the call graph. No model decides what your code does.
02 — Honesty
The graph is the only thing the AI may talk about. Every sentence must cite a real line from it. If a claim can't be grounded, it refuses out loud instead of guessing. We re-check every citation after generation, so a hallucinated file or line never reaches you.
Once the map exists, each question is a deterministic query with a plain-language answer. Security is one of them, not the whole product.
explain
What an endpoint actually touches: stores, services, secrets, gated or not.
data-map
For any table or service, every entry point that reaches it, and through what path.
change-radar
Not the diff: the behavior. New data reached, a path added, a gate removed.
leak
Public routes that reach a secret with no auth gate anywhere on the path.
Real runs
POST /api/checkout reaches
→ users read
→ Stripe API send
→ env.STRIPE_KEY read
gate: requireAuth
In plain terms
Checkout reads the user record, calls Stripe, and uses the Stripe secret key. checkout.ts:24
The route is behind the requireAuth gate. checkout.ts:21
"I can't say whether the Stripe call is correct; the map only shows that it happens."
It restates what the map shows, cites each line, and refuses to judge what it can't see.
base → head
GET /api/reports
now also reaches
→ customers read
new edge in head, absent in base
In plain terms
This change makes GET /api/reports read the customers table for the first time. reports.ts:40
In the base branch this route did not touch customer data at all. reports.ts:40
The diff just added a function call. Skein reports the consequence: a reporting route now reads customer data it never touched before.
GET /api/config reaches
→ env.SENDGRID_KEY read
gate: none
entry routes/config.ts:12
secret lib/mailer.ts:6
In plain terms
The public route GET /api/config reaches the SendGrid secret key with no auth gate on the path. config.ts:12
The secret is read inside the mailer the route calls into. mailer.ts:6
"I can't recommend a fix; the analysis didn't establish one."
Security is just one question for the map. Same shape: a finding, every claim cited, an honest refusal.
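The four queries above are all the same operation over the same graph: walk from an entry point to the stores, services and secrets it reaches, carry along the auth gates seen on the way, and compare two such walks for a change. The following Python model is an added illustration of that idea, not Skein's code; the edge format, the "kind:name" node ids, and the locations the page does not cite (checkout.ts:22, reports.ts:30, reports.ts:35, the orders store) are constructed assumptions, while the routes, gates, secrets and cited lines mirror the three runs shown above.

```python
# Constructed example of behavior-map queries; not Skein's code.
# An edge is (src, action, dst, loc): src/dst are "kind:name" ids, loc is a "file:line" citation.
# Actions: "calls" (fn -> fn), "read"/"send" (fn -> store/service/secret), "gate" (fn -> gate).


class BehaviorMap:
    def __init__(self, edges):
        # Sorting makes traversal order a pure function of the edge set: same edges in, same answers out.
        self.edges = sorted(set(edges))
        self.out = {}
        for src, action, dst, loc in self.edges:
            self.out.setdefault(src, []).append((action, dst, loc))

    def entries(self):
        return sorted(n for n in self.out if n.startswith("route:"))

    def gates_of(self, node):
        return frozenset(dst for action, dst, _ in self.out.get(node, []) if action == "gate")

    def reaches(self, entry):
        """Every store/service/secret reachable from entry: (target, action, path, loc, gates_on_path)."""
        found = []

        def walk(node, path, gates):
            for action, dst, loc in self.out.get(node, []):
                if action == "gate":
                    continue  # gates are attached to nodes, not walked
                if action == "calls":
                    if dst not in path:  # cycle guard
                        walk(dst, path + (dst,), gates | self.gates_of(dst))
                else:
                    found.append((dst, action, path, loc, tuple(sorted(gates))))

        walk(entry, (entry,), self.gates_of(entry))
        return sorted(found)


def leak(bmap):
    """Routes that reach a secret with no auth gate anywhere on the path."""
    findings = []
    for entry in bmap.entries():
        for target, action, path, loc, gates in bmap.reaches(entry):
            if target.startswith("secret:") and not gates:
                findings.append((entry, target, loc, " -> ".join(path)))
    return findings


def change_radar(base, head):
    """Behavior diff rather than text diff: targets newly reached per route, and gates that disappeared."""
    report = []
    for entry in head.entries():
        base_hits = base.reaches(entry)
        gated = {(t, a) for t, a, _, _, g in base_hits if g}
        ungated = {(t, a) for t, a, _, _, g in base_hits if not g}
        for target, action, _path, loc, gates in head.reaches(entry):
            key = (target, action)
            if key not in gated and key not in ungated:
                report.append(("new edge in head, absent in base", entry, f"{target} {action}", loc))
            elif key in gated and key not in ungated and not gates:
                report.append(("gate removed", entry, f"{target} {action}", loc))
    return report


def describe(bmap, entry):
    """Plain-text rendering of reaches(), one cited line per target, plus the gate on the route itself."""
    name = lambda n: n.split(":", 1)[1]
    lines = [f"{name(entry)} reaches"]
    for target, action, _path, loc, _gates in bmap.reaches(entry):
        lines.append(f"  -> {name(target)} {action}  ({loc})")
    gates = sorted(name(g) for g in bmap.gates_of(entry))
    lines.append("  gate: " + (", ".join(gates) or "none"))
    return lines


# Constructed sample edges mirroring the three runs on the page (uncited locations are made up).
BASE = BehaviorMap([
    ("route:POST /api/checkout", "gate", "gate:requireAuth", "checkout.ts:21"),
    ("route:POST /api/checkout", "calls", "fn:checkout", "checkout.ts:22"),
    ("fn:checkout", "read", "store:users", "checkout.ts:24"),
    ("fn:checkout", "send", "service:Stripe API", "checkout.ts:24"),
    ("fn:checkout", "read", "secret:env.STRIPE_KEY", "checkout.ts:24"),
    ("route:GET /api/config", "calls", "fn:sendMail", "routes/config.ts:12"),
    ("fn:sendMail", "read", "secret:env.SENDGRID_KEY", "lib/mailer.ts:6"),
    ("route:GET /api/reports", "calls", "fn:buildReport", "reports.ts:30"),
    ("fn:buildReport", "read", "store:orders", "reports.ts:35"),
])
# The head branch adds one function call that reads the customers table.
HEAD = BehaviorMap(BASE.edges + [("fn:buildReport", "read", "store:customers", "reports.ts:40")])

if __name__ == "__main__":
    for entry in BASE.entries():
        print("\n".join(describe(BASE, entry)))
    print("leak:", leak(BASE))
    print("change-radar:", change_radar(BASE, HEAD))
```

The leak query is a property of the path, not of the route: a gate on the route node or on any function the route calls into counts, which is why `reaches` accumulates gates as it descends. Removing the `gate` edge from the checkout route in a head branch would surface as three "gate removed" entries from `change_radar` and a new `leak` finding for env.STRIPE_KEY, with no change to the diff's text beyond one deleted line.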
01
Add the GitHub App to a repo, public or private. No config, no commits to your code.
02
On each PR, Skein clones into an ephemeral sandbox, builds the behavior map, and diffs it against base.
03
A plain-language note on the PR: what the behavior now is, every claim cited, an honest refusal where it can't prove more.
Real codebases wrap their own helpers around everything. Skein learns yours, keeps that knowledge version controlled, and follows them through the call graph. A guessing tool re-guesses on every run. Skein gives the same map twice.
Skein is opening up soon. Join the waitlist and we'll map your repo.