Documentation Drift Analysis — Microck/jarspect
Task: doc-drift
Repo: Microck/jarspect (Rust — Minecraft mod security scanner)
Analyzed: README.md, AGENTS.md vs src/detectors/*, Cargo.toml, src/main.rs, src/scan.rs
Summary
The README and AGENTS.md are out of sync with the actual codebase in several areas. The most significant drift is the capability detector table: the README documents 8 detectors (DETC-01 through DETC-08) but the codebase now has 11 detector files producing 14 distinct detector IDs.
🔴 HIGH — README Capability Detector Table is Incomplete
Location: README.md, "Capability Detectors" section (lines 93-106)
The README table lists 8 detectors:
| ID | Documented |
|---|---|
| DETC-01 | Process execution |
| DETC-02 | Network I/O |
| DETC-03 | Dynamic class loading |
| DETC-04 | Filesystem/JAR modification |
| DETC-05 | Persistence |
| DETC-06 | Unsafe deserialization |
| DETC-07 | Native/JNI loading |
| DETC-08 | Credential theft |
Missing from README:
| Detector ID | File | What it catches |
|---|---|---|
| DETC-02.DISCORD_WEBHOOK | capability_discord_webhook.rs | Discord webhook URL patterns (exfiltration vector) |
| DETC-03.BASE64_STAGER | capability_base64_stager.rs | Base64-encoded payload staging (fractureiser-style) |
| DETC-02.REMOTE_CODE_FETCH | capability_remote_code_load.rs | Remote code fetching via HTTP |
| DETC-03.REMOTE_CODE_LOAD | capability_remote_code_load.rs | Dynamic loading of remotely fetched code |
| DETC-04.REMOTE_CODE_WRITE | capability_remote_code_load.rs | Writing remotely fetched code to filesystem |
Three detector files are completely absent from the README table, and the capability_remote_code_load.rs file emits 3 separate detector IDs (cross-referencing DETC-02, DETC-03, DETC-04).
Impact: Users reading the README will not know about Discord webhook detection, Base64 stager detection, or the remote code load detector. These are security-critical detectors — their absence from documentation undermines trust and transparency.
🟡 MEDIUM — README "8 capability detectors" References Throughout
Locations:
- README.md line 11: "8 capability detectors"
- README.md line 51: "8 detectors (exec, network, dynamic load, fs/jar modify, persistence, deserialization, native/JNI, credential theft)"
- README.md line 75: "8 capability detectors"
- README.md line 95: "Eight detectors run against an EvidenceIndex"
All references say "8" but the actual count is 11 files / 14 detector IDs. Each instance needs updating.
🟡 MEDIUM — AGENTS.md Missing Detector Info
Location: AGENTS.md
The AGENTS.md describes the detector pattern correctly but doesn't list all detectors. AI coding agents using this file won't know about capability_discord_webhook.rs, capability_base64_stager.rs, or capability_remote_code_load.rs.
Additionally, the detector return type is described as Vec<Indicator> but the actual type is Vec<DetectorFinding> (defined in src/detectors/mod.rs). This could confuse agents trying to write new detectors.
🟢 LOW — README "Rust stable toolchain" May Be Insufficient
Location: README.md line 282 (Quickstart section)
States "Prerequisites: Rust stable toolchain" but Cargo.toml uses edition = "2024", which requires Rust 1.85+ (released Feb 2025). Users with older Rust installations will get compilation errors. The quickstart should specify the minimum Rust version.
🟢 LOW — README Static Override Signals May Be Incomplete
Location: README.md lines 189-194 (Static Override Layer)
Lists these static override triggers:
- Production YARA rule match at high/critical
- DETC-03.BASE64_STAGER at high/critical
- DETC-02.DISCORD_WEBHOOK at high/critical
- NET-DISCORD-WEBHOOK signature match at high/critical
The high_confidence_static_reason() function in src/scan.rs (line 360) is the source of truth. The unit tests (lines 455-537) show that DETC-01.RUNTIME_EXEC, DETC-03.DYNAMIC_LOAD, DETC-02.REMOTE_CODE_FETCH, and DETC-03.REMOTE_CODE_LOAD no longer trigger static override (tests explicitly verify this). This matches the README, confirming the documented behavior is correct. The two new detectors (BASE64_STAGER, DISCORD_WEBHOOK) that do trigger override are also properly documented.
Recommendations
- Update the Capability Detectors table in README.md to include all 14 detector IDs across the 11 detector files
- Update all "8 detectors" references to the actual count
- Fix AGENTS.md return type from Vec<Indicator> to Vec<DetectorFinding>
- Add minimum Rust version to Quickstart (1.85+ for edition 2024)
- Consider adding a DETC-09+ ID scheme for the sub-detectors (DISCORD_WEBHOOK, BASE64_STAGER, REMOTE_CODE_*) to make the numbering clearer in documentation
Created by nightshift — autonomous code quality bot.