QED42 Opens EventHorizon Waitlist After Releasing Open-Source Drupal CLI
Before a Drupal codebase can be audited, some teams face a stricter requirement: client code cannot leave controlled infrastructure. That concern shaped EventHorizon CLI, an open-source static-analysis tool from QED42 that runs locally without AI processing, cloud upload, or telemetry. QED42 has also opened a waitlist for EventHorizon, a broader code-intelligence suite for Drupal built on the same scanning engine.
The two tools serve different parts of the same audit workflow. EventHorizon CLI provides local, terminal-based analysis for teams that need a portable audit artifact. The EventHorizon suite adds a visual platform for exploring architecture, dependencies, complexity, code health, caching, configuration, performance, and security.
Souvik Pal, senior backend engineer at QED42, told The DropTimes that the code he analyses at work is usually enterprise-grade, client-owned, and governed by non-disclosure agreements or data residency clauses. He said a tool that sends source code to an external API can shift an audit from a technical decision into a legal, security, or procurement discussion. For short audit engagements, he said, that process can make the tool unusable before technical review begins.
Souvik described data sovereignty as the premise of EventHorizon CLI, not an added feature. The project repository describes the CLI as running locally, with no uploads, APIs, models, or telemetry. The repository also states that every rule, metric, and report is computed on the user’s machine, making the tool suitable for client code, air-gapped environments, and locked-down continuous integration pipelines.
Asked about the problems that shaped the tool, Souvik said EventHorizon grew out of repeated work with inherited Drupal codebases. He described a performance investigation that took three weeks of team effort on a project in which the codebase met conventional standards and type checks, yet remained slow. That experience shaped the tool’s focus on Drupal-specific production risks such as missing cache metadata and entity loading inside loops.
The current CLI analysis core covers 25 security rules, 20 performance rules, 11 context-aware caching detectors, and code metrics, according to the project repository. The repository lists checks for issues such as insecure unserialize() usage, routes with _access: TRUE, XSS through #markup, SQL injection patterns, entity loads inside loops, missing #cache metadata, and missing cache tags. The project is listed under an MIT licence and includes instructions for running 105 tests.
The reporting model is deliberately plain. Souvik said enterprise-grade scans can surface hundreds or thousands of rows, which teams then need to sort, filter, assign, compare, and move into sprint planning. EventHorizon CLI produces CSV and XLSX reports with standardised columns, including category, severity, file, line, rule, message, tool, and recommendation fields.
Souvik said the spreadsheet format was chosen because audit findings need to move between developers, project managers, and client stakeholders without creating another login or dashboard dependency. The repository states that reports are saved in timestamped directories, so previous runs are not overwritten. That structure allows teams to compare findings across audit runs.
QED42’s waitlist announcement presents the EventHorizon suite as the visual layer built on the same scanning engine. The product site describes interactive maps of modules, services, and hooks, along with circular dependency views, upgrade blast-radius analysis, function-level tracing, code health scoring, and codebase statistics. It positions the suite for agencies inheriting client projects and enterprise teams planning upgrades or managing platform risk.
The suite also changes how AI fits into the EventHorizon story. Souvik described the CLI as requiring no AI at all, while the suite presents AI as optional and controlled by the user’s own Gemini, OpenAI, or Anthropic key. Static analysis remains the baseline, with AI positioned as an optional layer for asking questions grounded in the project.
Souvik said the CLI shipped first because the analysis engine had to exist before a broader product could be built around it. He described two next directions for EventHorizon: community contribution around recurring Drupal audit rules and a team-oriented product built on the same engine. The waitlist announcement makes the second direction public without replacing the first.
Together, the open-source CLI and the suite frame EventHorizon as both a local audit tool and a shared visual system for teams that need to understand inherited Drupal codebases. Its central claim is not that AI can replace review, but that Drupal-specific static analysis can make audit findings visible before teams lose time to manual code archaeology.

