Skip to content

Ground truth for your codebase — and your coding agents

Ground truth for your codebase

How true are your docs?

Hekkos extracts what your repos actually contain, scores every doc against it, and opens the fix as a pull request.

Engineers get cited answers grounded in the real code — and your coding agents get the same verified context as tools over MCP.

Why not just let your agent read the code? →
The full product, free — unlimited members, no credit card, no LLM API key to bring.
Connects to GitHub — more sources coming.
hekkosbot commented · edited just now

2 doc claims out of date with the code

  • README.md documents the --retry-limit flag — removed in this diff (cmd/serve/main.go:88) · a1b2c3d4e5f6
  • new route POST /api/v1/exports isn’t documented anywhere yet · 0f1e2d3c4b5a

critical · warning · info

Comment-only — I won’t block your merge. Reply /hekkos ack a1b2c3d4e5f6 or /hekkos ack README.md to accept.

One comment per PR, edited in place — never a comment wall. It disappears when the drift is fixed.

From connected to first fix in three steps

No configuration marathon. Connect a repo and Hekkos does the rest — you review the output, not the setup.

Connect the GitHub App

Least-privilege access to the repos you choose. Installing the GitHub App needs org-owner rights — or sends an approval request to your admin. GitHub is the first connected source today, with more coming. The first scan sets a silent baseline — no wall of day-one noise.

Hekkos maps & scores every doc

It extracts the real surface of your code and gives each repo a Real-State Trust score. You see, at a glance, which docs are lying.

Review the first fix as a PR

Drift is opened as a pull request you review like any other — and the same verified context answers questions in chat and over MCP.

78%Real-State Trustorg-wide avg
2Problem reposerror or held
12Total reposconnected
2Unscanned> 7 days stale
71%Acceptance ratelast 30d
Critical2
hekkos-org/apicritical61%
hekkos-org/paymentscritical44%
Warning1
hekkos-org/workerwarning78%
Clean1
hekkos-org/webclean94%
The Home dashboard — org-wide Real-State Trust and every repo triaged by severity, with its doc coverage. A product preview.

A live map of what your code actually is

Hekkos connects to your sources — today, the GitHub App — and parses every repo into the real surface of your codebase. That map — not the docs, not a model’s recollection — is the ground truth everything else is built on.

Six languages, six domains

Routes, env vars, functions, types, and flags across Go, TypeScript/JavaScript, Python, Rust, Java, and Ruby — plus Terraform, Kubernetes/Compose config, SQL schema, dependencies, and OpenAPI specs. One queryable map per org.

Parsed, not guessed

AST-first extraction with confidence tiers — facts corroborated across independent files rank higher, and low-confidence findings never block a merge or drive a PR. Static analysis of what’s committed; nothing needs to be running.

File-and-line provenance

Every extracted fact knows exactly where it came from. Every answer built on it carries the citation.

Measure every doc against it — then fix them

Stale context doesn’t get flagged for a human to deal with someday. It gets measured, scored, and repaired — as pull requests your team reviews like any other.

Drift, measured

Every doc claim is diffed against the real map. Drift gets a severity, and each repo gets a Real-State Trust score — Coverage × Accuracy. Not "do docs exist?" — "are they true?"

Fixed as PRs — human-safe

Hekkos writes the corrected doc and opens one pull request. Sections you marked manual are preserved byte-for-byte, PR drift reviews are a single self-updating comment (never a comment wall), and the merge gate is opt-in per repo. Dismiss or ack with /hekkos commands.

Noise-proof by design

Docs carry authority tiers — canonical, reference, historical — so an old plan or superseded spec never reads as current-state drift. The first scan sets a silent baseline. What surfaces is worth acting on.

A standards engine underneath

Per-doc-type section schemas — write your own or adopt from the curated catalogue (README, AGENTS.md, CONTRIBUTING, SECURITY, ADRs, templates). Most sections render deterministically from extracted facts; only explicitly "generated" sections ever touch a model. Draft and validate in Doc Studio before anything lands in a repo.

See the repair working

Insights shows acceptance by document type, why suggestions get dismissed, and where Real-State Trust stands — so you can tell whether the loop is actually paying off, not just running.

Cited answers for your team. Tools for your agents.

The point of ground truth is that everything downstream can rely on it — an engineer asking how something works, or a coding agent about to act on it. Included on every plan: each answer, from the web chat or an agent, draws from your org’s monthly allowance.

Ask the real code

Chat grounded in the actual code, not just the docs — every answer cites its sources, shows both sides on a doc-vs-code conflict, and refuses rather than guesses. Paste a ticket or spec to see how it could be built with what you already have.

Tools for your agents

query_knowledge, ask_real_state, get_real_state, list_drift, validate_doc and more — the same org-scoped, permission-checked surface as the web app, as MCP tools for Cursor, Claude Code, or any MCP client.

Agent-written docs that pass review

Agents can fetch your org’s doc standard, scaffold a conformant draft, and validate it — so machine-written docs land right the first time.

How does authentication work in the API?

Auth in hekkos-org/api uses GitHub OAuth, issuing a short-lived JWT as an httpOnly session cookie. Every request re-validates membership against org_members, so a removed member loses access immediately — no stale-token window.

internal/auth/oauth.go internal/auth/middleware.go docs/security.md
Answers are grounded in the real code — every claim cites its source, and it refuses rather than guesses. A product preview.

Why not just let the agent read the code?

Because it reads one repo, on demand, with no memory — it fixes nothing for whoever asks next, and you pay, every time, for context the org already had.

On-demand isn’t continuous

An agent re-derives your codebase from scratch inside every context window — paying full price for context the org already had. Hekkos extracts it once, deterministically, keeps the map current on every merge, and serves it over MCP: the cached answer, reused by every run.

One repo isn’t your org

An agent sees the repo it’s working in. Hekkos holds the cross-repo map — and the org’s doc standard — for everything you ship.

Reading isn’t repairing

An agent that notices a stale README moves on — or worse, is misled by it and ships plausible, wrong code you pay to generate, then review, then rewrite. Hekkos opens the fix as a pull request, so every human and agent after it starts from truth.

Onboarding without the interviews

Every stale runbook turns a new hire’s first weeks into meetings with senior engineers — two salaries paying for one answer, again. With docs held to a standard and verified against the real code, ramping engineers ask Hekkos and get cited answers.

Maintenance that isn’t engineer-hours

Keeping docs current by hand is skilled time spent on chores. Hekkos does the deterministic parts with no model cost at all, and the rest lands as a PR to review — minutes, not afternoons.

It never shows up as a line item — it shows up as tokens spent re-learning your own codebase, plausible-but-wrong code in review, and senior engineers answering the same question twice. Back-of-the-envelope: a 20-engineer org where each person loses just 30 minutes a week to a wrong or missing doc is ~40 engineer-hours a month — a quarter of a salary — before agents multiply how often those docs get read. Your numbers will differ; they’re rarely smaller.

Built for orgs that read the fine print

The short version is below; the full posture — isolation, encryption, retention, testing, and our honest compliance status — is at hekkos.com/security.

Tenant-isolated by design

Every query is scoped to your org and respects per-document access. Your docs are never mixed with anyone else’s — verified by cross-org tests.

Never trained on without consent

Your content stays org-scoped and is never pooled or used for training unless you explicitly consent. Any cross-org export is operator-restricted and audited.

Scrubbed and short-lived

Secrets are redacted from anything Hekkos stores, and stored content expires automatically after 180 days.

Hardened — or fully yours

Encrypted secrets (AES-256-GCM), signature-verified webhooks, an adversarial security audit with fixes verified end-to-end. Or self-host with a local model — air-gap friendly, license verified offline, nothing leaves your infrastructure.

Pricing is coming soon

We’re putting the finishing touches on our plans. In the meantime, tell us what you’re building and we’ll help you get started.

Contact us

Give your team — and your agents — ground truth

Start free — the full product, no credit card.