| name | pattern-detection |
| description | Detect codebase patterns — commit velocity anomalies, codebase drift, and dependency risks — and persist them as workspace learnings |
| version | 2.0.0 |
| author | kai-agent |
| metadata | {"kai":{"tags":["kai","security","patterns","analysis"]}} |
Pattern Detection
Detect systemic patterns that go beyond individual vulnerabilities. These are structural signals about codebase health, consistency, and risk. They are persisted as workspace learnings (category pattern) so that future cycles — and the Brief page — can reason about them.
Prerequisites
- Kai MCP tools available (connected to Kai backend)
- At least one repository connected to the workspace
kai_workspace_learnings_add available
When to Run
- During daily lifecycle check-ins (after scanning, before proposing actions)
- When a user asks about codebase health or patterns
- After completing a security audit that reveals structural issues
How to persist a pattern
Every detected pattern becomes one kai_workspace_learnings_add call with:
kai_workspace_learnings_add(
workspaceId="...",
category="pattern",
content="[<type>] <title> — <description>. Signal: <1-5>. Repo: <name>. File: <path or n/a>. Detail: <why it matters>.",
repoId="<repoId>" # optional — link the learning to a specific repo
)
Prefix [<type>] with one of: anomaly, codebase_drift, dependency_risk.
Signal strength is a single digit 1-5 embedded in the content string so the
daily-cycle skill can parse it back. Keep each learning to one concrete
pattern — many small learnings beat one mega-entry.
If signal strength ≥ 4, also call lifecycle_actions_create (see bottom of
this file) to queue an investigation action.
Pattern Types
1. Commit Velocity Anomaly
Detect files with unusually high commit frequency, which often signals rushed fixes, logic drift, or accumulated technical debt in critical paths.
How to detect:
-
For each connected repo, use terminal to run:
git log --format='%H %ai' --since='30 days ago' -- <file>
Focus on high-risk files: auth modules, payment handlers, middleware, config files.
-
Use browse_repository_files to list the repo structure and identify security-critical paths.
-
If a file has more than 15 commits in 30 days, or more than 2x the average commit rate for files in the same directory, flag it.
-
Persist as a learning:
kai_workspace_learnings_add(
workspaceId="...",
category="pattern",
content="[anomaly] High commit velocity on src/auth/middleware.ts — 32 commits in 30 days, 4.2x the directory average. Signal: 4. Repo: kai-backend. File: src/auth/middleware.ts. Detail: high churn on security-critical code signals logic drift, incomplete refactors, or accumulated quick fixes.",
repoId="<repoId>"
)
Signal strength guide:
- 3: 15-25 commits (notable)
- 4: 25-40 commits (concerning — queue investigation)
- 5: 40+ commits (critical — audit immediately)
2. Codebase Drift
Detect inconsistent patterns across files in the same module, which often indicates uncoordinated changes from multiple developers or AI tools.
How to detect:
-
Use read_repository_files to sample 3-5 files in the same module (e.g., all route handlers, all middleware, all service files).
-
Compare patterns for:
- Error handling: try/catch vs middleware vs manual propagation
- Logging: different logger libraries or conventions
- Config access: env vars vs config objects vs hardcoded values
- Auth patterns: different validation approaches
-
If 3+ distinct patterns exist for the same concern in the same module, flag it.
-
Persist as a learning:
kai_workspace_learnings_add(
workspaceId="...",
category="pattern",
content="[codebase_drift] 4 error-handling patterns across src/routes/ — Pattern A (try/catch, 3 files), Pattern B (middleware, 2 files), Pattern C (manual propagation, 1 file), Pattern D (silent swallow, 1 file). Signal: 4. Repo: kai-backend. Detail: evidence of uncoordinated AI-assisted edits; recommend unifying on middleware approach.",
repoId="<repoId>"
)
Signal strength guide:
- 2: 2 patterns (minor inconsistency)
- 3: 3 patterns (drift in progress)
- 4: 4+ patterns (significant drift — queue unification action)
3. Dependency Risk
Assess the dependency surface area and identify supply chain risks.
How to detect:
-
Use read_repository_files to read the package manifest:
- Node.js:
package.json
- Python:
requirements.txt, pyproject.toml, Pipfile
- Go:
go.mod
- Rust:
Cargo.toml
-
Count direct dependencies. If possible, use terminal to count transitive dependencies:
npm ls --all --json 2>/dev/null | jq '.dependencies | length'
pip freeze | wc -l
-
Check for:
- Known vulnerable dependencies (cross-reference with
kai_list_vulnerabilities)
- Missing automated update tools (no Dependabot/Renovate config)
- Pinned versions with no range (indicates manual update only)
-
Persist as a learning:
kai_workspace_learnings_add(
workspaceId="...",
category="pattern",
content="[dependency_risk] 42 direct / 1,284 transitive deps in kai-frontend — 3 known vulnerable (including one critical in next@14.x). Signal: 5. Repo: kai-frontend. Detail: no Dependabot/Renovate config detected; last manual audit 73 days ago.",
repoId="<repoId>"
)
Signal strength guide:
- 2: Large dep tree but no known vulnerabilities
- 3: 1-2 known vulnerable dependencies
- 4: 3+ known vulnerable, no automation
- 5: Critical CVE in direct dependency, no automation
After Detection
For any pattern with signal strength ≥ 4, create a lifecycle action for investigation:
lifecycle_actions_create(
workspaceId="...",
type="investigate",
title="Investigate: <pattern title>",
description="<pattern description>",
priority="high" if signal >= 4 else "medium",
reasoning="Detected by pattern analysis. <brief explanation of why this matters>.",
repoId="<repoId>"
)