Complete feature list

This is the full menu. Most users only interact with FIND + FIX in the first month and discover the rest as they go.

What makes AgentNoah different

There are lots of AI coding tools. Here's where AgentNoah is uniquely positioned:

| From this tool | You get | AgentNoah adds |
|---|---|---|
| Cursor / Claude Code | Code generation | A senior engineer's review process around every change |
| Snyk / SonarQube | Security scanning | The actual fix, plus context about why it matters |
| GitHub Copilot | Inline code suggestions | Memory of your past bugs so the same mistake doesn't happen twice |
| Linters (ESLint, Prettier) | Code style rules | Multi-model AI consensus on real bugs, not just style |
| Code review services | Human reviewers (slow, expensive) | Always-on review for $39/month |

The big idea: AgentNoah turns your existing AI subscription into a senior-engineer-level safety net for everything you ship. You already pay for the AI. We make it 10× more useful.

Code-quality intelligence

3-loop audit pipeline

Security scout + performance scout + reconciler + frontier reviewer. Multi-model consensus instead of single-prompt guessing.

8-layer static analysis

Runs alongside the AI audit on every full audit.

  • L1: AI 3-loop (the core)
  • L2: Deploy audit — checks your live URL responds correctly + has security headers
  • L3: API audit — 18 endpoint security checks across 7 groups (auth, token lifecycle, public data, rate limit, CORS, etc.)
  • L4: Cloud infrastructure — 14 GCP checks (Cloud Run, Cloud SQL, GCS, Secret Manager, SSL) + 11 AWS checks (ECS, Lambda, RDS, S3, SSL)
  • L5: Frontend audit — accessibility (a11y), SEO, performance hints
  • L6: Dependency CVE scanning via OSV.dev — catches known-vulnerable packages
  • L7: Secrets scanning — 63 patterns across 34 providers (AWS, OpenAI, Stripe, etc.)
  • L8: Container audit — 6 Dockerfile checks + OWASP A02 misconfig sweep

Multi-language support

Deep daemon-side analysis: Python (AST-level), JavaScript / TypeScript (regex + AST), React, Dart/Flutter. Other languages (Go, Ruby, Java, Rust) get basic structural analysis via the generic enrichment path. The BYOL audit pipeline works on any language via your IDE LLM — that's how our OWASP BenchmarkJava measurements (4 LLMs, Youden 0.60–1.000) were possible.

Cross-audit memory

Every finding is fingerprinted + stored. Future audits remember bugs you've fixed (won't re-flag), bugs you've dismissed (won't re-suggest), and recurring patterns across files (3+ instances → flagged as systemic).

Pattern detection

When the same bug class appears 3+ times in your codebase, AgentNoah surfaces it as a 'pattern' so you can refactor once instead of fixing N times.

Health score

A single 0-100 number per repo, broken down by category (security / performance / quality / logic). Lives on the dashboard + your IDE can query it.

Explain engine

Every finding has a 'translate to plain English' function. Useful when reviewing fixes with non-technical stakeholders.

Severity tiers (P0–P3)

P0 critical (drop everything), P1 high (this week), P2 medium (this sprint), P3 cleanup (when you have time). REPLACE starts conservative — P3 auto-merge on day 1; higher tiers (P2, P1) unlock as trust compounds. See the Trust compounding entry below for thresholds. P0 always alerts a human (never auto-fixed).

Reasoning + memory improvement (gets smarter over time)

Workspace memory

AgentNoah builds a per-repo memory document describing your architecture, business context, and conventions. Used by every audit + BUILD prompt so the AI understands YOUR codebase, not generic code.

Pgvector semantic search

Past recommendations are embedded into a vector database. When a new audit runs, AgentNoah pulls the 5 most-similar past recs as context — so the AI extends your existing engineering decisions instead of contradicting them.

Trust compounding (REPLACE)

Starts conservative and unlocks higher severity tiers as trust compounds. P0 (critical security) is always alerted to a human, never auto-fixed. P3 auto-merges after ≥1 prior clean merge. P2 unlocks at 5 merges + 7 days. P1 unlocks at 20 merges + 30 days + ≥80% merge-success rate.

Known-fixed bug awareness

When REPLACE or BUILD generate code, they're explicitly told what bugs you've previously fixed. Prevents reintroducing patterns you already wrote off.

AI Context settings

You can give AgentNoah free-form notes about your project (e.g., 'we're a fintech startup, treat any PII handling as P0'). The audit pipeline injects this into every prompt.

Workflow integration

GitHub OAuth sign-in

No usernames, no passwords. Sign in with the GitHub account that owns the repo.

Automatic webhook setup

When you connect a repo, AgentNoah registers GitHub webhooks for you. No manual webhook config.

PR auto-review

Every PR opened on a connected repo gets audited automatically (diff-scoped via your IDE's MCP connection). $0 LLM cost to AgentNoah — your IDE's AI runs the review. Findings appear as a PR comment with severity badges.

PR labels

AgentNoah adds an `agentnoah: clean` or `agentnoah: N findings` label to every PR so your team can filter at a glance.

Per-repo auto-merge policy

Choose `strict` (review-only), `progressive` (auto-merge clean fixes), or `manual` (no auto-fix dispatch). Default `progressive`.

Scheduled audits

Paused for now. Will return as an opt-in feature where AgentNoah nudges your IDE to run a full audit on a schedule.

Developer experience

5 IDE integrations via MCP

Claude Code, Claude Desktop, Cursor, VS Code with GitHub Copilot, plus any IDE via stdio-bridge. See the Install page for snippets.

Findings dashboard

At agentnoah.dev/dashboard/findings — severity filtering, category filtering, file search.

One-click 'Fix in your IDE'

From the findings page, click 'Fix in your IDE' — a modal opens with a pre-built fix prompt. Paste into your IDE's AI (Claude Code / Cursor / Copilot). The IDE LLM uses AgentNoah MCP to write the fix and open a PR on your repo. You review and merge.

'Copy as Prompt' button

Every finding has a copy-paste prompt for your IDE's AI to fix it manually if you prefer to drive.

Dismiss / Reopen

Mark a finding as false-positive (dismissed) or re-flag it later (reopen).

Cost transparency

REPLACE add-on shows per-fix cost before opening the PR. No surprise bills.

Self-service API key rotation

If your MCP config leaks, rotate the key from the dashboard in 30 seconds. Old key revoked instantly.

Email notifications

Weekly digest of findings + immediate alerts for P0 issues.

What kinds of apps can AgentNoah build?

Pretty much anything you'd build with a modern AI coding tool, just with much more discipline:

  • Web apps (React, Next.js, Vue, plain HTML)
  • APIs and backends (Python FastAPI, Django, Node.js, Express)
  • Mobile apps (React Native, Flutter)
  • Scripts and automation (Python utilities, bash, GitHub Actions)
  • AI-powered apps (your own chatbots, agents, RAG systems)
  • Data pipelines (ETL, scrapers, data cleaners)
  • CLI tools
  • Browser extensions
  • Documentation sites

What AgentNoah is NOT good at (yet):

  • × Building things from scratch with no description ("just make me a TikTok competitor" won't work)
  • × Very large refactors that span dozens of files (split into smaller features)
  • × Anything that requires hardware access (IoT, embedded systems)
  • × Game engines or 3D rendering

The best fit: small-to-medium features on an existing codebase (50-2000 lines of code). Adding an API endpoint. Adding a new dashboard page. Adding a payment integration. Building a microservice.

Honest limits

  • AgentNoah is a developer tool. You need to read code to interpret findings.
  • BUILD is great at single-feature requests. Multi-feature "build me an app" requests work best when split into 5-10 small features.
  • Audit coverage of compiled languages (Go, Rust, C++, Swift) is supported via the generic enrichment path — not as deep as Python/JS yet.

Ready to install?

The next page has copy-paste config snippets for all 5 supported IDEs.
