Every scanner I've used treats week one and week fifty the same. Generic rules plateau. The signal that matters — the pattern your team almost merged but caught in review, the dismissed finding, the fix that got reverted — all of it gets thrown away.
I built CodeTitan to keep that signal. Every PR merged, dismissed, or fixed is recorded into a per-repo profile stored in .codetitan/learned-profile.json. The profile is yours. It lives in your repo. You can grep it, fork it. If you leave, you take it with you.
Deterministic rules come first, because when a tool interrupts your PR, you deserve to know why. --no-ai is the default. The AI pass is something you switch on yourself, with your own API key — never something that turns up uninvited.
The goal is a codebase immune system. Something that records context per PR, applies that context to future reviews, and stays out of the way the rest of the time. Whether it outperforms generic scanners over a month is what the beta will measure.