Project Status & Comparison¶
How lex-align compares¶
Most existing tools catch problems after a PR is open. lex-align is narrower in scope (Python only) but enforces policy before the bytes hit disk, with a closed-enum verdict that AI agents can branch on.
| Feature | Dependabot | Snyk | FOSSA | lex-align |
|---|---|---|---|---|
| CVE checking | ✅ | ✅ | ✅ | ✅ |
| License compliance | ❌ | ✅ | ✅ | ✅ |
| Approved registry enforcement | ❌ | ❌ | ❌ | ✅ |
| Pre-commit interception | ❌ | ⚠️ via plugin1 | ❌ | ✅ |
| AI agent integration | ❌ | ❌ | ❌ | ✅ 2 |
| Language support | 20+ | 10+ | 20+ | Python only |
| Cost | Free 3 | Freemium | Freemium 4 | Free |
| Self-hosted | ⚠️ GitHub Ent.5 | Partial | Partial | ✅ |
The middle rows — approved-registry enforcement, pre-commit interception, and AI-agent integration — are where lex-align differs in kind, not just degree: an approved-registry gate, an edit-time PreToolUse intercept, and an auto-written CLAUDE.md so agents pre-flight every dep without being asked.
Language support is a real limitation. lex-align is Python-only. Organisations running polyglot stacks (Node, Go, Java, Rust, …) will need a separate tool — or multiple tools — for those ecosystems. Dependabot and FOSSA cover 20+ package managers out of the box; Snyk covers 10+. If your codebase is mixed-language, treat the language-support row as the deciding factor before evaluating anything else.
Project status¶
Honest about scope. lex-align does one thing: dependency policy enforcement for Python projects, single-user by default.
| Phase | Status |
|---|---|
| 1. Server core (registry, license, CVE, audit, evaluate) | shipped |
| 2. Thin client (init, check, request-approval, pre-commit, Claude hooks) | shipped |
| 3. Approval workflow UI + reporting endpoints + agent identity | shipped |
| 4. Pluggable org-mode auth | shipped |
| 5. Pluggable approval proposers + hot-reload | shipped |
6. Single-user workflow (quickstart, audit, status, auto-enqueue) | shipped |
Approvals now flow through a pluggable proposer: opens a PR (GitHub backend), commits to a local repo (local-git), writes YAML directly (local-file), or just logs (log-only / evaluation). The server hot-reloads on merge or YAML write — no restarts.
The dashboard's pending queue gained an "implicit candidates" section that surfaces packages your audit log has seen but no one filed an approval request for, with a reason badge per row so you can tell at a glance why something is showing up.
Scope limits to be explicit about:
- Python and
pyproject.tomlonly. Other package ecosystems are not on the roadmap. - The server only talks to PyPI (license metadata) and OSV (CVE feed). The audit log lives on the server's host. Nothing is sent to a third party.
-
Snyk can be wired into pre-commit hooks via the
pre-commitframework (community-maintained hooks exist) or through custom shell wrappers. It is not a first-party, out-of-the-box feature. ↩ -
"AI agent integration" here means a structured, machine-readable verdict (
ALLOWED/PROVISIONALLY_ALLOWED/DENIED) that a coding agent can branch on, plus first-party Claude CodePreToolUsehooks that intercept edits topyproject.tomlbefore bytes hit disk. Other tools have IDE plugins or Copilot integrations, but none expose a closed-enum policy verdict designed for programmatic agent consumption. ↩ -
Dependabot is free within GitHub (github.com or GitHub Enterprise Server). It has no standalone deployment path — if you are not hosting on GitHub, it is not available at any price. ↩
-
FOSSA offers a free tier for open-source projects; paid plans are required for private repositories beyond the free allowance. ↩
-
Dependabot runs inside GitHub's infrastructure. "Self-hosted" is only possible via GitHub Enterprise Server, a paid enterprise product. It cannot be deployed independently of GitHub. ↩