🤖 AI Assistant (`ask`)
Configure and use the ADscan AI assistant with API providers or with ChatGPT Plus/Pro via a Codex subscription.
ADscan includes an AI assistant command: `ask`.
It supports two backend families:
- API providers: `openai`, `anthropic`, `gemini`, `ollama`, `openai_compatible`
- ChatGPT subscription mode: `codex_cli` (ChatGPT Plus/Pro sign-in flow)
Quick Start
```
adscan start

# 1) Configure backend
ask setup
# 2) Validate backend readiness
ask doctor
# 3) Run a prompt
ask "summarize current workspace context"
```

ask Command Reference

| Command | Description |
|---|---|
| `ask help` | Show quick usage |
| `ask setup` | Configure provider/backend |
| `ask status` | Show safe backend config (masked secrets) |
| `ask doctor` | Validate runtime prerequisites |
| `ask login codex` | Start Codex sign-in flow (subscription mode) |
| `ask auth-status codex` | Check Codex auth status |
| `ask logout codex` | Sign out from Codex |
| `ask usage [day | week |
| `ask usage budget [show\|daily USD\|weekly USD\|clear]` | Manage local AI budget thresholds |
| `ask clear` | Clear conversation history |
| `ask "<prompt>"` | Run a single prompt |
| `ask` | Start interactive prompt loop |

API Provider Mode
Use this mode when you want direct API-key based control.
- Run `ask setup`
- Select one of: `openai`, `anthropic`, `gemini`, `ollama`, `openai_compatible`
- Provide model/API key/base URL when prompted
- Run `ask doctor`

Example:

```
ask setup
ask doctor
ask "what domains and credentials are currently loaded?"
```

ChatGPT Plus/Pro Mode (Codex)
Use this mode when you want to authenticate with your ChatGPT subscription instead of setting an API key.
- Run `ask setup`
- Select provider `codex_cli`
- Run `ask login codex`
- Complete sign-in in browser
- Run `ask auth-status codex`
- Run `ask doctor`

Example:

```
ask setup
ask login codex
ask auth-status codex
ask doctor
ask "show me the highest-value next step from current findings"
```

Container Runtime Note
If ADscan runs in Docker mode, Codex CLI must be installed in the ADscan image.
Authentication state is persisted via mounted ADscan directories.
Security Model
The AI assistant is orchestration UX, not arbitrary shell execution.
- AI actions are restricted to allowlisted ADscan CLI commands (`do_*` mapped as command names).
- `system`, `ask`, and CLI control commands are blocked from AI execution.
- Every AI-triggered CLI command requires explicit user confirmation.
- Audit logging captures AI-triggered action attempts and outcomes.
Command Selection Behavior
When AI is allowed to execute a CLI action, ADscan sends a command catalog to the model and expects a structured action payload:
```json
{
  "adscan_action": {
    "command": "start_auth",
    "arguments": "",
    "reason": "Start authenticated scan workflow"
  }
}
```

Current behavior:
- ADscan sends the full allowlisted command catalog (not a small top-N shortlist).
- Command descriptions are derived from CLI command docstrings.
- The model picks one command; ADscan enforces policy and asks for confirmation before execution.
- The selection reason is logged in debug output (not shown in confirmation prompt text).
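
The policy gate described above, sketched in Python as an added example; this is not ADscan's own code. The function names, the `example_enum` allowlist entry and the audit record layout are assumptions made for illustration.

```python
import json

ALLOWLIST = {"start_auth", "example_enum"}  # "example_enum" is a made-up entry
BLOCKED = {"system", "ask"}                 # CLI control commands would be listed here too

def parse_action(model_output):
    """Return (command, arguments, reason) from model text or raise ValueError."""
    try:
        payload = json.loads(model_output)
    except json.JSONDecodeError:
        raise ValueError("output is not valid JSON") from None
    action = payload.get("adscan_action") if isinstance(payload, dict) else None
    if not isinstance(action, dict):
        raise ValueError("missing adscan_action object")
    if set(action) - {"command", "arguments", "reason"}:
        raise ValueError("unexpected keys in adscan_action")
    fields = [action.get(k, "") for k in ("command", "arguments", "reason")]
    if not all(isinstance(v, str) for v in fields):
        raise ValueError("command, arguments and reason must be strings")
    command = fields[0]
    # Blocklist is checked first so a mistaken allowlist entry cannot re-enable it.
    if command in BLOCKED or command not in ALLOWLIST:
        raise ValueError(f"command not permitted: {command!r}")
    return tuple(fields)

def gate(model_output, confirm, audit):
    """Validate, ask the user, record the outcome; return the CLI line or None."""
    try:
        command, arguments, reason = parse_action(model_output)
    except ValueError as exc:
        audit.append({"outcome": "rejected", "detail": str(exc)})
        return None
    line = f"{command} {arguments}".strip()
    # The reason goes to the audit record only, not into the confirmation prompt.
    approved = bool(confirm(f"AI wants to run: {line} [y/N]"))
    audit.append({"outcome": "approved" if approved else "declined",
                  "command": line, "reason": reason})
    return line if approved else None

# Constructed sample model outputs (not captured from ADscan).
SAMPLE_OK = '{"adscan_action": {"command": "start_auth", "arguments": "", "reason": "Start authenticated scan workflow"}}'
SAMPLE_BLOCKED = '{"adscan_action": {"command": "system", "arguments": "id", "reason": "check user"}}'

if __name__ == "__main__":
    log = []
    print(gate(SAMPLE_OK, lambda prompt: True, log))
    print(gate(SAMPLE_BLOCKED, lambda prompt: True, log))
    print(json.dumps(log, indent=2))
```

A rejected payload never reaches the confirmation callback, so the user is only asked about commands that already passed policy.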
Debugging and Cost Visibility
Use verbose/debug logs to inspect prompt-level behavior:
- catalog stats: `total_allowlist`, `sent_to_model`
- selected command + arguments + `reason`
- prompt usage summary:
  - `prompt_chars`
  - `prompt_est_tokens` (estimated)
  - `input_tokens` / `output_tokens` / `total_tokens` (when backend returns usage)
  - `cost_usd` (when provider returns cost, typically API-key backends)
For Codex subscription mode (codex_cli), prompt token counts are shown as estimates; direct per-prompt USD cost is generally not available.
Troubleshooting
`codex` not found in PATH
`ask doctor` may show:

```
CLI executable 'codex' not found in PATH.
```

Action:
- Rebuild/update your ADscan Docker image with Codex CLI installed.

Codex auth check fails
Action:

```
ask login codex
ask auth-status codex
```

Provider requires API key
For `openai`, `anthropic`, or `gemini`, configure API keys via:

```
ask setup
```