What's new in Repotoire 0.7.0
TL;DR
- New `claude-hook` subcommand: a Claude Code pre-commit quality gate
- Hand-rolled CSR graph replaces petgraph (and ureq, lasso, ratatui, nalgebra — all gone)
- `repotoire diff` now does hunk-level attribution, with rename handling
- Confidence-scored findings + a new FP/TP feedback loop that learns your codebase's style
A quality gate for Claude Code
AI-generated code is fast. It's also, structurally, frequently worse — GitClear's 2024 analysis of 153 million lines of changed code found that AI-assisted codebases show a 4× increase in code duplication compared to pre-AI baselines.
Repotoire 0.7.0 ships claude-hook: install once, and every commit Claude Code makes is gated against your project's severity threshold.
```text
❯ git commit -m "fix race in worker pool"
⊘ Repotoire blocked this commit
  1 high-severity finding introduced:
    • [taint] cleartext-credentials  src/auth.rs:42
  Score: 88 → 81 (-7)
```
What makes this different from a generic pre-commit hook: it's the same engine as analyze, with hunk attribution so it only blocks on findings the AI introduced — not pre-existing tech debt.
Read the integration page → · claude-hook docs →
Owning the stack: hand-rolled internals
0.7.0 replaces five major dependencies with hand-rolled equivalents:
| Was | Now | Why |
| --- | --- | --- |
| petgraph | hand-rolled CSR layout | Cache locality, BFS vertex reordering at freeze, pre-computed graph primitives at O(1) |
| lasso | append-only Vec<String> chunks + RwLock | Stable &str references; fewer transitive deps |
| ureq | hand-rolled HTTP/1.1 over rustls | Tighter control over connection reuse and timeouts |
| ratatui + crossterm | hand-rolled mini TUI framework | The TUI surface is small enough not to pay the dependency cost |
| nalgebra | dense matrix + Householder QR | The only matmul we need is for L3 quantized embeddings |
| tracing-subscriber | hand-rolled stderr subscriber | Single-binary log routing, no formatter zoo |
| bincode 1.3 | bitcode 0.6 | Smaller cache files |
This isn't NIH for its own sake. It's a deliberate choice to keep the binary small (single artifact, no Docker, no Redis), eliminate transitive-CVE surface, and let us specialize algorithms — Tarjan SCC, dominator trees, Louvain — without fighting a library's abstractions. We still depend on rayon, tree-sitter, clap, git2, and a handful of others where the dependency clearly earns its keep. Ownership is a tool, not a religion.
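As an added illustration of the first row of the table (a CSR adjacency layout with BFS vertex reordering at freeze time and O(1) degree lookups), here is a small self-contained Rust version. It is example code written for this page, not Repotoire's implementation; the type and function names (`GraphBuilder`, `CsrGraph`, `freeze`, `csr_from_edges`) are assumptions, and the sample graph in `main` is constructed.

```rust
// Added example: a minimal compressed-sparse-row (CSR) graph whose vertices are
// renumbered in BFS order when the builder is frozen. Hypothetical code
// illustrating the idea in the table above; not Repotoire's own implementation.
use std::collections::VecDeque;

/// Edge-list builder; mutation stops at `freeze`, which produces the CSR layout.
pub struct GraphBuilder {
    n: usize,
    edges: Vec<(u32, u32)>,
}

/// Frozen CSR graph. Successors of vertex v (in the reordered id space) are
/// `targets[offsets[v]..offsets[v+1]]`; the two maps translate between the
/// original ids and the BFS-reordered ids.
pub struct CsrGraph {
    pub offsets: Vec<u32>,
    pub targets: Vec<u32>,
    pub old_to_new: Vec<u32>,
    pub new_to_old: Vec<u32>,
}

/// Counting sort of edges by source vertex: the standard CSR construction.
fn csr_from_edges(n: usize, edges: &[(u32, u32)]) -> (Vec<u32>, Vec<u32>) {
    let mut offsets = vec![0u32; n + 1];
    for &(s, _) in edges {
        offsets[s as usize + 1] += 1;
    }
    for i in 0..n {
        offsets[i + 1] += offsets[i];
    }
    let mut cursor = offsets.clone();
    let mut targets = vec![0u32; edges.len()];
    for &(s, d) in edges {
        targets[cursor[s as usize] as usize] = d;
        cursor[s as usize] += 1;
    }
    (offsets, targets)
}

impl GraphBuilder {
    pub fn new(n: usize) -> Self {
        GraphBuilder { n, edges: Vec::new() }
    }

    pub fn add_edge(&mut self, src: u32, dst: u32) {
        self.edges.push((src, dst));
    }

    /// Freeze: build a scratch CSR over original ids, BFS from `root` to get a
    /// visitation order, then rebuild the CSR with vertices renumbered in that
    /// order so that vertices traversed together sit next to each other in memory.
    pub fn freeze(self, root: u32) -> CsrGraph {
        let n = self.n;
        let (off, tgt) = csr_from_edges(n, &self.edges);
        let mut new_to_old: Vec<u32> = Vec::with_capacity(n);
        let mut seen = vec![false; n];
        let mut queue = VecDeque::new();
        // Start at `root`; the trailing sweep picks up vertices unreachable from it.
        for start in std::iter::once(root).chain(0..n as u32) {
            if seen[start as usize] {
                continue;
            }
            seen[start as usize] = true;
            queue.push_back(start);
            while let Some(v) = queue.pop_front() {
                new_to_old.push(v);
                let (lo, hi) = (off[v as usize] as usize, off[v as usize + 1] as usize);
                for &w in &tgt[lo..hi] {
                    if !seen[w as usize] {
                        seen[w as usize] = true;
                        queue.push_back(w);
                    }
                }
            }
        }
        let mut old_to_new = vec![0u32; n];
        for (new, &old) in new_to_old.iter().enumerate() {
            old_to_new[old as usize] = new as u32;
        }
        let renamed: Vec<(u32, u32)> = self
            .edges
            .iter()
            .map(|&(s, d)| (old_to_new[s as usize], old_to_new[d as usize]))
            .collect();
        let (offsets, targets) = csr_from_edges(n, &renamed);
        CsrGraph { offsets, targets, old_to_new, new_to_old }
    }
}

impl CsrGraph {
    /// Out-degree is a subtraction of two adjacent offsets: O(1), no side table.
    pub fn out_degree(&self, v: u32) -> usize {
        (self.offsets[v as usize + 1] - self.offsets[v as usize]) as usize
    }

    /// Successors of `v` (reordered ids) as one contiguous slice.
    pub fn successors(&self, v: u32) -> &[u32] {
        let (lo, hi) = (self.offsets[v as usize] as usize, self.offsets[v as usize + 1] as usize);
        &self.targets[lo..hi]
    }
}

fn main() {
    // Constructed sample: a chain 0 -> 3 -> 1 -> 4 plus an edge 2 -> 0.
    let mut b = GraphBuilder::new(5);
    for &(s, d) in &[(0u32, 3u32), (3, 1), (1, 4), (2, 0)] {
        b.add_edge(s, d);
    }
    let g = b.freeze(0);
    println!("bfs order (new -> old): {:?}", g.new_to_old);
    println!("offsets {:?} targets {:?}", g.offsets, g.targets);
}
```

Two things are visible in the output that a library graph hides: after freezing, the chain's vertices occupy consecutive ids, so a traversal walks `targets` nearly sequentially, and out-degree costs a single subtraction because the offsets array already encodes it.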
repotoire diff is now precise
Before 0.7.0, diff would surface every finding in any file you'd touched. In 0.7.0, it parses git diff -U0 and attributes findings to specific hunks — so if you fixed a typo in src/auth.rs:200 and the file also has a 6-month-old SQL injection in :42, the diff only flags what's in your hunks. Renames are handled. --all brings back the old behavior when you want it.
Why this matters: it's what makes claude-hook non-annoying. A pre-commit hook that complains about unrelated code is a pre-commit hook everyone disables.
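To make the hunk-attribution idea concrete, here is an added example (written for this page, not Repotoire's code) that parses the hunk headers of `git diff -U0`, records the added-line ranges per new-side path and the `rename from`/`rename to` pairs, and then keeps only the findings whose line falls inside one of those ranges, with an `all` switch that restores file-level behaviour. The `Finding`/`Hunks` types, the function names and the sample diff and findings are all constructed for the illustration.

```rust
// Added example: hunk-level attribution over `git diff -U0` output. This is a
// hypothetical illustration of the behaviour described above, not Repotoire's code.
use std::collections::HashMap;

/// A finding as an analyzer reports it: post-change path, 1-based line, rule id.
#[derive(Debug, Clone, PartialEq)]
pub struct Finding {
    pub path: String,
    pub line: u32,
    pub rule: String,
}

/// Added-line ranges (inclusive) per new-side path, plus an old -> new rename map.
/// Every touched file gets a `ranges` entry, even if it only lost lines.
#[derive(Debug, Default)]
pub struct Hunks {
    pub ranges: HashMap<String, Vec<(u32, u32)>>,
    pub renames: HashMap<String, String>,
}

/// Parse `rename from/to`, `+++ b/<path>` and `@@ -a,b +c,d @@` lines of a -U0 diff.
/// Only the "+" side matters: a finding lives at a line in the new file.
pub fn parse_u0_diff(diff: &str) -> Hunks {
    let mut hunks = Hunks::default();
    let mut current: Option<String> = None;
    let mut rename_from: Option<String> = None;
    for line in diff.lines() {
        if let Some(p) = line.strip_prefix("rename from ") {
            rename_from = Some(p.to_string());
        } else if let Some(p) = line.strip_prefix("rename to ") {
            if let Some(from) = rename_from.take() {
                hunks.renames.insert(from, p.to_string());
            }
        } else if let Some(p) = line.strip_prefix("+++ ") {
            // `+++ /dev/null` means a deleted file: nothing exists on the new side.
            current = p.strip_prefix("b/").map(str::to_string);
            if let Some(path) = &current {
                hunks.ranges.entry(path.clone()).or_default();
            }
        } else if let Some(rest) = line.strip_prefix("@@ ") {
            // rest looks like "-12,0 +13,4 @@ fn foo()"; take the "+13,4" token.
            let plus = rest.split_whitespace().nth(1).unwrap_or("");
            let spec = plus.trim_start_matches('+');
            let (start, count): (u32, u32) = match spec.split_once(',') {
                Some((s, c)) => (s.parse().unwrap_or(0), c.parse().unwrap_or(0)),
                None => (spec.parse().unwrap_or(0), 1), // "+200" means exactly one line
            };
            if count == 0 {
                continue; // pure deletion: no new-side lines to attribute
            }
            if let Some(path) = &current {
                hunks.ranges.entry(path.clone()).or_default().push((start, start + count - 1));
            }
        }
    }
    hunks
}

/// Resolve a finding's path through the rename map (a stale report under the
/// old name still attributes to the new file).
fn resolved_path<'a>(hunks: &'a Hunks, f: &'a Finding) -> &'a str {
    hunks.renames.get(&f.path).map(String::as_str).unwrap_or(&f.path)
}

/// True if the finding's line falls inside an added-line range of its file.
pub fn introduced_in_diff(hunks: &Hunks, f: &Finding) -> bool {
    let path = resolved_path(hunks, f);
    hunks.ranges.get(path).map_or(false, |rs| rs.iter().any(|&(s, e)| f.line >= s && f.line <= e))
}

/// Keep findings the hunks introduced; `all` restores the old per-file behaviour.
pub fn attribute<'a>(hunks: &Hunks, findings: &'a [Finding], all: bool) -> Vec<&'a Finding> {
    findings
        .iter()
        .filter(|f| if all { hunks.ranges.contains_key(resolved_path(hunks, f)) } else { introduced_in_diff(hunks, f) })
        .collect()
}

/// Constructed sample diff (not real project history): a one-line typo fix in
/// src/auth.rs, then a rename with a three-line addition and a pure deletion.
pub const SAMPLE_DIFF: &str = "\
diff --git a/src/auth.rs b/src/auth.rs
--- a/src/auth.rs
+++ b/src/auth.rs
@@ -200 +200 @@ fn check_token()
-    // recieve the token
+    // receive the token
diff --git a/src/old_pool.rs b/src/worker_pool.rs
similarity index 90%
rename from src/old_pool.rs
rename to src/worker_pool.rs
--- a/src/old_pool.rs
+++ b/src/worker_pool.rs
@@ -40,0 +41,3 @@ impl Pool {
+    let guard = self.lock.lock().unwrap();
+    guard.push(job);
+    drop(guard);
@@ -77,2 +80,0 @@ impl Pool {
-    // stale comment
-    // stale comment
";

/// Constructed findings; rule ids are illustrative, not Repotoire's detector names.
pub fn sample_findings() -> Vec<Finding> {
    let f = |path: &str, line: u32, rule: &str| Finding { path: path.into(), line, rule: rule.into() };
    vec![
        f("src/auth.rs", 200, "style/typo-in-comment"),
        f("src/auth.rs", 42, "taint/sql-injection"), // six months old, outside any hunk
        f("src/worker_pool.rs", 42, "concurrency/lock-held-across-push"),
        f("src/old_pool.rs", 43, "concurrency/reported-under-old-name"),
        f("src/worker_pool.rs", 81, "style/unused-import"), // only deletions near here
        f("src/main.rs", 1, "style/untouched-file"),
    ]
}

fn main() {
    let hunks = parse_u0_diff(SAMPLE_DIFF);
    let findings = sample_findings();
    for f in attribute(&hunks, &findings, false) {
        println!("blocking: [{}] {}:{}", f.rule, f.path, f.line);
    }
}
```

With `all = false` the stale `taint/sql-injection` at `src/auth.rs:42` is not reported, even though the file was touched, because line 42 is not inside the single-line hunk at 200; with `all = true` it comes back, which is the old file-level behaviour.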
Findings now have confidence — and they learn
Two new enums on every Finding: Confidence (Low / Medium / High) and Attribution (which hunk and author introduced it). The N+1 detector got per-finding confidence scoring with severity adjustment — a noisy heuristic-match no longer fires at the same severity as a high-confidence one.
And: repotoire feedback <id> --tp|--fp labels findings as true/false positives. Those labels are applied during postprocess on the next analyze. Combined with the auto-saved StyleProfile (calibration runs on the first analyze, no opt-in), the tool starts adapting to your codebase's idioms within the first week.
Smaller things worth knowing
- `repotoire findings --accept` adopts findings into a baseline — useful for adopting Repotoire on legacy codebases without drowning in pre-existing findings
- Python aliased-module import resolution (`import requests as r; r.get(...)`) propagates through the eval/command/pickle/crypto detectors
- `command-injection` now detects shell metacharacters in static-literal commands (`Command::new("sh -c …")`)
- SARIF region clamping for GitHub Code Scanning compatibility
- `--apply` on `repotoire fix` is now non-interactive and bails on non-tty stdin (safe in CI)
What's next
Two non-commitments: the hand-rolled CSR + graph primitives unlock more graph-aware detectors. The feedback loop unlocks per-codebase confidence calibration. claude-hook is the first integration in what will become a small family — Cursor, Codex, Copilot in some order.
Install with cargo binstall repotoire or brew install repotoire. See the changelog for the full list.