Aveloxis Documentation

Aveloxis is a high-performance open source community health data collection platform written in Go. It collects data from GitHub and GitLab with equal completeness, storing it in a shared PostgreSQL schema for cross-platform analysis. It is designed as a companion to (and eventual replacement for) the Augur collection pipeline.

Key Features

• Full GitHub + GitLab parity — same data types collected from both platforms, including MR discussion review comments

• Staged collection pipeline — JSONB staging decouples API speed from DB write contention at 400K+ repos

• Postgres-backed queue — no Redis, RabbitMQ, or Celery. Multiple instances share the same queue via SKIP LOCKED

• Git commit analysis — bare clones + git log --numstat for per-file commit data, parent tracking, and Facade aggregates

• Contributor resolution — resolves git commit emails to GitHub users via noreply parsing, Commits API, and Search API

• Dependency & complexity analysis — scans 15 ecosystems, calculates libyear across 12 package registries, runs scc for code complexity

• Vulnerability scanning — OSV.dev batch API for CVE/GHSA lookup across all dependencies

• SBOM generation — CycloneDX 1.5 + SPDX 2.3 with license capture from 12 registries

• Interactive visualizations — weekly time-series charts, cross-project comparison with Z-score normalization, dependency license analysis

• REST API — JSON endpoints for stats, time series, licenses, SBOM download, and repo search

• 19 materialized views — 8Knot-compatible analytics views, rebuilt weekly

• Dead repo sidelining — permanently archives 404’d repos while preserving data

• Deterministic contributor IDs — Augur-compatible GithubUUID scheme

Getting Started

• Installation
  • Requirements
  • Install via go install (recommended)
  • Install via go build (local binary)
  • PATH troubleshooting
  • Installing optional tools
  • Verifying installation
  • Updating
  • Next steps
• Configuration
  • Creating the config file
  • Full config reference
  • API key sources
  • API key rotation behavior
  • Clone directory
  • Email (Gmail SMTP, optional)
  • v0.25.x distribution-tracking knobs
  • Next steps
• Quick Start
  • Prerequisites
  • Step 1: Create a config file
  • Step 2: Create the database schema
  • Step 3: Store your API keys
  • Step 4: Add repos to the collection queue
  • Step 5: Start the scheduler
  • Check the monitoring dashboard
  • Verify data in the database
  • What happens next
  • Next steps
• Augur Migration
  • Overview
  • Step 1: Point at the existing Augur database
  • Step 2: Create the Aveloxis schemas
  • Step 3: Import API keys
  • Step 4: Import repos
  • Schema coexistence
  • Contributor ID compatibility
  • Running both systems side-by-side
  • Differences from Augur
  • Cleanup (optional)
  • Next steps

User Guide

• Commands Reference
  • aveloxis serve
  • aveloxis web
  • aveloxis collect
  • aveloxis add-repo
  • aveloxis add-key
  • aveloxis prioritize
  • aveloxis recollect
  • aveloxis migrate
  • aveloxis refresh-views
  • aveloxis install-tools
  • aveloxis start
  • aveloxis stop
  • aveloxis data-test
  • Mailing-list commands
  • aveloxis version
  • Global behavior
• Web GUI
  • Prerequisites
  • Configuration
  • Starting the Web GUI
  • Login Flow
  • Creating Groups
  • Adding Individual Repos to a Group
  • Adding an Entire GitHub Org or GitLab Group
  • Navigation and Breadcrumbs
  • Comparing Repositories
  • Searching and Pagination
  • How Org Tracking Works
  • How Repos Get Queued for Collection
  • Session Management
  • Running Alongside aveloxis serve
  • Security Considerations
• REST API
  • Endpoints
  • CORS
  • Deployment
• Visualizations
  • Design Principles
  • Requirements
  • Repository Detail Page
  • Comparison Page
  • Performance
  • Technical Implementation
• Collection Pipeline
  • Overview
  • Prelim phase
  • Phase 1: Staging (staged pipeline only)
  • Phase 2: Processing (staged pipeline only)
  • Phase 3: Facade (git)
  • Phase 4: Commit author resolution
  • Phase 5: Contributor enrichment and canonical emails
  • Phase 6: Analysis
  • Periodic tasks
  • Next steps
• Monitoring
  • Dashboard
  • REST API endpoints
  • Log output
  • Checking status via psql
  • Next steps
• CI/CD Pipelines
  • Workflows
  • Status Badges
  • Dockerfile
  • Running in Docker
  • Schema change verification
• Schema-change verification with aveloxis data-test
  • When to use it
  • What it actually verifies
  • Prerequisites
  • Running the harness
  • Interpreting the report
  • Phase-by-phase walkthrough
  • Why full collection (--full)
  • Design decisions worth knowing
  • CI integration
  • Limitations
  • Related
• Scaling
  • Worker count recommendations
  • Rate limit math
  • Horizontal scaling
  • Database connection pool
  • Clone directory sizing
  • Queue behavior
  • Sizing summary
  • Next steps
• Troubleshooting
  • Commits not collected, but Issues and Pull Requests are collected
  • Monitor dashboard renders slowly on a large fleet
  • Search keystrokes freeze the dashboard at 100K repos
  • /api/queue endpoint slow or returns huge JSON
  • Token invalidation (401 vs 403)
  • FK constraint violations
  • “No API keys configured” / Startup failure
  • “Commit resolution FAILED”
  • “No data collected”
  • unsupported Unicode escape sequence (SQLSTATE 22P05)
  • “Pull requests / contributors / events: not found” or “forbidden”
  • Gap-filled historical issues/PRs have no comments
  • Gap-fill failure on large repos persists across multiple cycles
  • Metadata shows issues/PRs but gathered count stays at 0
  • Repeated “unexpected status 301” retries on moved/renamed repos
  • HTTP 410 Gone on individual issues / PRs
  • GitLab repo_info.commit_count is 0 but facade found commits
  • Release collection “not found” errors
  • Git clone exit status 128
  • Garbage timestamps (year 0001 BC)
  • Schema version mismatch warning
  • Null byte errors in text fields
  • Restart procedure
  • Checking queue status
  • Checking status of jobs when you think things are stuck
  • Changed days_until_recollect is being ignored
  • Checking collection status
  • Re-running a failed repo
  • GraphQL PR batch errors on large repos
  • Force-recollect a single repository
  • Dead repo sidelining and un-sidelining
  • Gateway errors (502/503/504)
  • Deadlock errors
  • prepared statement "stmtcache_..." does not exist (SQLSTATE 26000)
  • Restart appears to take days before collection resumes
  • All API tokens exhausted within minutes of restart
  • Repeated duplicate key value violates unique constraint "contributors_pkey" in Postgres logs
  • Orphaned postgres backend after aveloxis stop serve
  • Next steps

Architecture

• Architecture Overview
  • System diagram
  • Three schemas
  • Collection flow
  • Key design decisions vs Augur
  • Project structure
  • Scheduler internals
  • Next steps
• Staged Pipeline Architecture
  • Why staging?
  • Staging writer
  • Envelope types
  • Processing order
  • Error isolation
  • Restart and resume
  • Performance characteristics
  • Comparison with the direct pipeline
  • Next steps
• Contributor Resolution
  • What a contributor record represents
  • Where contributor data comes from
  • Contract rules
  • Resolution flow
  • GithubUUID / PlatformUUID
  • Rename handling: which columns track renames, which don’t
  • Data-quality FAQ
  • Diagnostic queries
  • Intentional limitations
  • GitLab vs GitHub: column-by-column parity matrix (v0.20.3)
  • Related code
  • Next steps
• Facade Commits
  • Bare clone vs full clone
  • Git log parsing
  • Per-file commit rows
  • Commit parents
  • Commit messages
  • Affiliation resolution
  • Facade aggregates
  • Resilience
  • Next steps
• Analysis
  • On-demand full clone design
  • Dependency scanning
  • Libyear calculation
  • Code complexity via scc
  • Disk usage summary
  • Error handling
  • Next steps
• ScanCode Worker (v0.21.0+)
  • 1. What scancode does (and doesn’t)
  • 2. Why the worker was decoupled (the 2026-05-14 incident)
  • 3. Architecture
  • 4. Cadence rationale (180 days default)
  • 5. Crash recovery — the four-state table
  • 6. Graceful shutdown
  • 7. Force-rerun cookbook
  • 8. Configuration reference
  • 9. UX: the “last run” signal
  • 10. Observability — what to grep in aveloxis.log
  • 11. Code map
  • 12. Regression guards
• Distribution Worker (v0.24.0+)
  • 1. The question this subsystem answers
  • 2. Why a dedicated worker (the v0.24.0 design call)
  • 3. The five evidence sources
  • 4. The headline analysis query
  • 5. Schema
  • 6. Worker architecture
  • 7. GitHub-only for v1
  • 8. Operator CLI
  • 9. Config knobs
  • 10. What the subsystem does NOT do
  • 11. Cross-references
  • 12. v0.25.x escape hatches (ephemeral)
• Mailing-List Ingestion (v0.25.7+)
  • 1. The question this subsystem answers
  • 2. Why a dedicated worker
  • 3. email_message — the first-class entity
  • 4. The two archive backends
  • 5. Classification
  • 6. Sender and signaled-repo resolution
  • 7. Schema (v0.25.7)
  • 8. Worker architecture
  • 9. Mirror handling
  • 10. Operator CLI
  • 11. Config knobs
  • 11c. Layer 2 projection — mailing-list → canonical entities (Phase 3)
  • 11d. Forge-less PR-equivalents — the special case (Phase C)
  • 12. Verification (Phase 4) and the collection-ordering caveat
  • 13. What the subsystem does NOT do
  • 14. Cross-references
• Materialized Views
  • Refresh schedule
  • Quick reference
  • Bulk counters
  • Catalog and navigation
  • Contributor activity
  • Commits over time
  • Pull requests
  • Issues
  • Files and code
  • Dependencies
  • Monitoring refresh progress
  • Column stability across releases
  • Troubleshooting
  • Cross-references
• Column Name Mapping (Augur to Aveloxis)
  • Design Philosophy
  • Pull Requests
  • Pull Request Meta
  • Pull Request Reviews
  • Pull Request Labels
  • Pull Request Assignees / Reviewers
  • Issues
  • Issue Events
  • Issue Labels / Assignees
  • Messages
  • Repo Info
  • Repo Clones
  • Table Names
  • Schema Names
  • Libyear Compatibility Note
  • Writing Queries
• Platform Abstraction Layer
  • Interface hierarchy
  • HTTP client (HTTPClient)
  • Key pool (KeyPool)
  • Pagination
  • URL parsing (RepoURL)
  • Adding a new platform
  • Design notes
  • GitHub vs GitLab data gaps
• Database Package (internal/db)
  • Package layout
  • Deadlock retry
  • Batch operations
  • Text sanitization
  • Queue system
  • Group ownership verification

Contributing

• Contributing to Aveloxis
  • What Aveloxis is
  • How the codebase is laid out
  • Chapters
  • What to read for a given task
  • The single-most-important rule
• Local development setup
  • Prerequisites
  • 1. Clone and build
  • 2. Run the unit test suite
  • 3. Set up a local PostgreSQL
  • 4. Configure aveloxis.json
  • 5. Run the migration
  • 6. (Optional) Install scc + scorecard
  • 7. (Optional) Add API keys
  • 8. Run the binary
  • 9. Run integration tests
  • 10. Set up your editor
  • Common problems
  • Next steps
• Code conventions
  • SPDX headers (mandatory)
  • Package layout
  • Imports
  • Naming
  • Error handling
  • Logging (slog)
  • Version bumping (mandatory)
  • Commit messages
  • CLAUDE.md is the canonical record
  • Don’t add features beyond what the task requires
  • Don’t write comments that restate the code
  • Don’t write to files in ways that surprise
  • CLI command style
  • What NOT to do
• Testing
  • The three tiers
  • TDD discipline
  • The source-contract pattern
  • The behavioral test pattern
  • The integration test pattern
  • What to test
  • Naming
  • Run patterns
  • What good test failures look like
  • Writing tests for code that depends on time
  • Writing tests for goroutines
  • Writing tests for HTTP clients
  • CI
• Schema migrations
  • The two sources of truth
  • The fail-closed contract (v0.19.4)
  • Adding a column
  • Adding an index
  • Adding a backfill
  • Adding a foreign key
  • Migration ordering
  • Materialized views
  • The aveloxis migrate --skip-views flag
  • Version-bump checklist for a schema-touching change
  • What v0.21.5 made explicit: who can run migrations
  • When NOT to write a migration
• Adding a new platform
  • What “a platform” means in Aveloxis
  • Bugzilla — the worked example
  • API choice: REST vs XML-RPC
  • The end-to-end inventory: what you’ll touch
  • The capability design call
  • Step-by-step walkthrough
  • What you’ll discover during implementation
  • Don’ts
  • A reasonable order of operations
  • Final note
• Adding a REST endpoint
  • Where the API lives
  • Existing endpoints (as of v0.23.5)
  • Walkthrough: add GET /api/v1/repos/{repoID}/contributors
  • Patterns to follow
  • What NOT to do
  • Wiring to the web GUI
• Adding a collection phase
  • The pipeline shape
  • When to add a phase vs extend an existing one
  • Patterns by phase type
  • The staging writer contract
  • Error handling discipline
  • Testing phases
  • Order-of-operations checklist
  • A real example to study
• Adding a visualization
  • How visualizations work today
  • Walkthrough: add a “contributor activity” chart
  • Patterns to follow
  • What NOT to do
  • Testing visualizations
  • Updating the comparison page
  • Documentation

Reference

• Aveloxis Schema Documentation
  • Overview
  • Metadata Columns
  • aveloxis_data Schema
  • aveloxis_ops Schema
  • Indexes