Intent Scanner and Fable
Software is generated and changed faster than humans can understand it. The Intent Scanner closes
that gap for a project's intent: it turns a repository's .intent files into one shared semantic
representation , Intent IR , and a set of explainable findings grouped
by risk. Deterministic, no AI, no key required; the whole pipeline runs locally.
intent scan .
intent scan .: 6 finding(s) across 1 mission(s) in 1 file(s)
severity 1 blocker, 0 error, 4 warning, 1 info , Intent IR: 3 nodes
risk themes:
4 Intent risk
1 Implementation risk
1 Security risk (1 blocker)
highest-impact remediation first:
[blocker] IL-SEC-001 (1x) , Remove the secret from the surface, or gate it behind an auth requirement; ...
The pipeline
intent scan is a staged pipeline: discover → parse → normalize into Intent IR → run
deterministic Fable rules → produce findings → group into risk themes → report. Pass --json
for the machine-readable intent-scan-v1 report, or --ir <path> to write the Intent IR the rest
of the ecosystem (Atlas, Repo Mastery, OpenThunder) consumes.
Fable , the rule authority
Findings come from Fable, the versioned, explainable rule authority. Fable is not a new rule engine; it is a rule-metadata layer over IntentLang's shipped diagnostics catalog, adding what a finding needs: a risk category, a detection strategy (deterministic vs inferred), required evidence, remediation, and suppression / risk-acceptance policy. The universal pack covers every catalog rule; technology, domain, and organization packs extend it.
The finding model
Every finding is explainable , never "AI detected a possible issue." Each carries:
| Field | Meaning |
|---|---|
ruleId / ruleVersion |
which Fable rule fired |
category |
one of the canonical risk categories (Intent, Security, Privacy, Reliability, ...) |
detected / why |
what was found and why it matters |
evidence |
the source location(s) the check fired on |
affectedNodes |
the Intent IR nodes involved |
severity / confidence |
how bad, and how sure (deterministic checks are Observed) |
detectionType |
deterministic or inferred |
remediation / suggestedVerification |
how to fix it and how to prove it stays fixed |
humanReviewRequired |
true only when the detection is inferred, not deterministic |
suppressed / riskAccepted |
governance state |
Deterministic findings are trustworthy on their own; inferred findings are flagged for review, so an AI-suggested issue is never presented as a confirmed fact.
Risk themes and remediation order
Findings roll up into risk themes (one per risk category) and a highest-impact remediation sequence , blockers first, then the most common rules , so a team knows what to fix first. The Scanner is the deterministic spine; inferred rules and role-aware explanations layer on top.
Continuous drift , Intent Guardian
The Scanner tells you the risk in a project now. Intent Guardian tells you what a change
did to it. Given a before and after state, intent guardian <before> <after> answers the one
question drift monitoring exists for:
what changed, what intent it affects, what risk it introduced, what must be reverified, and what learning content should be refreshed.
intent guardian old/ new/
intent guardian: NEEDS-ATTENTION (before.intent -> after.intent)
changed +0 / -1 / ~1 nodes
affected CreateInvoice
introduced risk (2):
[warning] guarantee-without-verification , Guarantee "no duplicate invoice" has no verification.
[blocker] IL-SEC-001 , Event "Charged" payload field "token" is a Secret; secrets must not ...
must reverify (2):
Guarantee no duplicate invoice , contract element changed, its verification no longer holds
learning to refresh:
CreateInvoice , a governing intent artifact changed, lessons for it may be stale
It compares the two states by mission identity (not file path, so it survives a rename),
composing the semantic diff with the Scanner: findings present after but
not before are introduced risk; contract elements (guarantees, never-rules, verifications,
decisions) that changed must be reverified; and the missions whose intent changed have lessons
that are now stale. needs-attention fires only when a change introduces blocking risk , an
improvement that merely adds a test is review, not an alarm. --json for the machine report;
exit is non-zero on needs-attention, so it gates a pull request.
Look forward , Intent Simulator
Guardian looks back at a change that happened. Intent Simulator looks forward at one that has
not: intent impact <base> <proposed> estimates what a proposed change would touch before you
build it.
intent impact current/ proposed/
intent impact: REVIEW (base -> proposed)
change touches 2 node(s); ripples to 3 dependent(s)
deterministic impact by type: 1 Mission, 1 Outcome, 1 Metric
risk it would introduce (2):
[warning] guarantee-without-verification , ...
[blocker] IL-SEC-001 , Event "Charged" payload field "token" is a Secret; ...
release risk: 1 blocking finding(s)
The Simulator computes a blast radius , the transitive reach of the change over the intent graph , so you see which missions, outcomes, requirements, components, and tests a change would ripple into. Crucially, it keeps the four kinds of impact the directive requires separate and honest:
- deterministic dependency impact , the blast radius, traced over real relationships;
- rule-derived risk , the findings the proposed state would introduce;
- AI-predicted impact , explicitly
nullin deterministic mode (never fabricated); - unknown impact , changed nodes whose ripple cannot be traced deterministically (non-factual classification, or no relationships), surfaced rather than hidden.
A change that introduces a release blocker or a contradiction is REVIEW (exit non-zero); a purely
additive, safe change is SAFE. Run it in a pull request to see the impact before the merge.
Remember why , Intent Ledger
Scanner, Guardian, and Simulator all reason about intent at a point in time. Intent Ledger keeps the part a project loses as it moves through time: the memory of why. It is an append-only, hash-chained record of a project's meaning and decisions , provenance, assumptions, approvals, rejections, corrections, accepted risks, verifications, and stale lessons.
intent ledger project.ledger.json --subject CreateInvoice
intent ledger project.ledger.json , CreateInvoice (chain VALID)
why built:
- chose an idempotency key to prevent duplicate charges
approved by: pm
corrections (inferred intent fixed): 1
accepted risks: 1
verifications: 2
change history: 6 entries
Every entry hashes over the previous one, so the ledger is tamper-evident: you cannot quietly
rewrite history. intent ledger <file> verifies the whole chain and, if it was altered, locates the
break to the exact entry:
intent ledger project.ledger.json: 6 entries, chain BROKEN at #1 , entry 1 hash does not match its content (tampered)
It answers the questions a project forgets over time , why was this built, who approved it, what
did we assume, which inferred intent did a human correct, which risks did we accept, what proved it,
which lessons went stale. The Ledger is deterministic (the caller supplies timestamps, so the record
is reproducible and testable) and append-only , record returns a new ledger rather than mutating
the old one. --json emits the machine-readable intent-ledger-v1 report; exit is non-zero when the
chain does not verify, so a broken audit trail fails CI.