| name | ql-audit |
| description | Tribunal Audit Pass that validates architecture plans against QoreLogic governance standards. Produces AUDIT_REPORT.md with PASS/FAIL verdict, unlocking the implementation gate. Use when: (1) Before /ql-implement, (2) After creating ARCHITECTURE_PLAN.md, (3) When reviewing external plans (RALPLAN-DR, PRDs) for QoreLogic compliance.
|
| user-invocable | true |
| allowed-tools | Read, Glob, Grep, Edit, Write, Bash |
name: ql-audit
description: Tribunal Audit Pass that validates architecture plans against QoreLogic governance standards and Section 4 Simplicity Razor. Produces AUDIT_REPORT.md with PASS/FAIL verdict. Use when validating plans before implementation, reviewing external plans for compliance, or gating the implementation pipeline.
/ql-audit - Tribunal Audit Pass
/ql-audit
AUDIT
Tribunal
.failsafe/governance/AUDIT_REPORT.md
Purpose
Validate architecture plans against QoreLogic governance standards before implementation begins. The Tribunal ensures that blueprints are complete, buildable, and compliant with Section 4 Simplicity Razor constraints. Produces the AUDIT_REPORT.md that gates /ql-implement.
Execution Protocol
Step 1: Identity Activation
You are now operating as The QoreLogic Tribunal.
Your role is to judge whether a blueprint is fit for implementation. You do not build — you gate.
Step 2: Locate Blueprint
Search for the architecture plan in this priority order:
docs/ARCHITECTURE_PLAN.md (canonical QoreLogic location)
.omc/plans/*.md (RALPLAN-DR / external plans)
- User-specified path
Read: docs/ARCHITECTURE_PLAN.md
OR Read: .omc/plans/<plan-name>.md
INTERDICTION: If no plan found:
ABORT
Report: "No architecture plan found. Create docs/ARCHITECTURE_PLAN.md or provide a plan path."
Also attempt to read supporting documents (non-blocking if missing):
Read: docs/CONCEPT.md (optional)
Read: docs/BACKLOG.md (optional)
Step 3: Plan Completeness Audit
Verify the plan contains all required sections. Score each as PRESENT / PARTIAL / MISSING:
| Required Section | What to Check |
|---|
| Requirements Summary | Problem statement, scope boundaries, what is in/out |
| File Tree / Components | Explicit list of files to create/modify with paths |
| Interface Contracts | API endpoints, function signatures, data models |
| Acceptance Criteria | Testable conditions (90%+ must be concrete, not vague) |
| Dependencies | External services, libraries, existing code to integrate |
| Risk Assessment | Identified risks with specific mitigations |
| Verification Steps | How to prove the implementation works |
Scoring:
- 7/7 PRESENT = COMPLETE
- 5-6 PRESENT, rest PARTIAL = ADEQUATE
- Any MISSING = INCOMPLETE (blocks PASS)
Step 4: Section 4 Simplicity Razor Pre-Check
Evaluate whether the plan's proposed architecture can comply with Section 4 constraints:
| Constraint | Limit | Check |
|---|
| Function length | <=40 lines | Are proposed modules small enough to decompose? |
| File length | <=250 lines | Are proposed files scoped tightly enough? |
| Nesting depth | <=3 levels | Are control flows simple enough? |
| No nested ternaries | 0 | N/A at plan level |
| Build path | No orphans | Does every planned file connect to an entry point? |
If a proposed file will clearly exceed 250 lines, flag it and require a split strategy in the plan.
Step 5: Dependency Verification
For each external dependency referenced in the plan:
- Existing code: Verify the referenced file/function/endpoint exists (Glob/Grep)
- External services: Verify the service is documented with host/port/auth
- Libraries: Verify they are in package.json/requirements.txt or the plan includes installation
Flag any phantom dependency — a reference to something that doesn't exist and isn't planned for creation.
Step 6: Risk Grade Assignment
Based on the plan's scope and integration surface, assign a risk grade:
| Grade | Criteria |
|---|
| LOW | Single module, no external deps, <500 LOC |
| MEDIUM | 2-5 modules, 1-3 external deps, 500-2000 LOC |
| HIGH | 5+ modules, 4+ external deps, 2000+ LOC, infra changes |
| CRITICAL | Auth/security, data migration, production infra, multi-machine |
Step 7: Verdict
Apply the decision matrix:
| Completeness | Section 4 | Dependencies | Verdict |
|---|
| COMPLETE | All pass | All verified | PASS |
| ADEQUATE | All pass | All verified | PASS (with advisory notes) |
| ADEQUATE | Warnings | Most verified | CONDITIONAL PASS (list conditions) |
| INCOMPLETE | Any | Any | FAIL |
| Any | Violations | Any | FAIL |
| Any | Any | Phantom deps | FAIL |
Step 8: Write AUDIT_REPORT.md
Create .failsafe/governance/AUDIT_REPORT.md:
# QoreLogic Tribunal Audit Report
**Plan**: <plan name and path>
**Audited**: <ISO 8601 timestamp>
**Tribunal**: QoreLogic Tribunal (ql-audit)
**Risk Grade**: <LOW | MEDIUM | HIGH | CRITICAL>
## Verdict: <PASS | CONDITIONAL PASS | FAIL>
<One-line summary of the verdict rationale>
## Completeness Score
| Section | Status | Notes |
|---------|--------|-------|
| Requirements Summary | <PRESENT/PARTIAL/MISSING> | <notes> |
| File Tree / Components | <PRESENT/PARTIAL/MISSING> | <notes> |
| Interface Contracts | <PRESENT/PARTIAL/MISSING> | <notes> |
| Acceptance Criteria | <PRESENT/PARTIAL/MISSING> | <notes> |
| Dependencies | <PRESENT/PARTIAL/MISSING> | <notes> |
| Risk Assessment | <PRESENT/PARTIAL/MISSING> | <notes> |
| Verification Steps | <PRESENT/PARTIAL/MISSING> | <notes> |
**Score**: <N>/7 PRESENT, <N> PARTIAL, <N> MISSING
**Assessment**: <COMPLETE | ADEQUATE | INCOMPLETE>
## Section 4 Pre-Check
| Constraint | Status | Flagged Items |
|-----------|--------|---------------|
| Function length (<=40) | <PASS/WARNING> | <files that may exceed> |
| File length (<=250) | <PASS/WARNING> | <files that may exceed> |
| Nesting depth (<=3) | <PASS/WARNING> | <areas of concern> |
| Build path (no orphans) | <PASS/WARNING> | <orphan risks> |
## Dependency Audit
| Dependency | Type | Verified | Notes |
|-----------|------|----------|-------|
| <name> | <existing/external/library> | <YES/NO/PARTIAL> | <notes> |
## Conditions (if CONDITIONAL PASS)
- [ ] <condition that must be met before implementation>
## Advisory Notes
- <non-blocking observations and recommendations>
## Gate Status
**Implementation gate**: <UNLOCKED | LOCKED>
**Next step**: <`/ql-implement` | Fix plan and re-audit>
Step 9: Update META_LEDGER
Read: docs/META_LEDGER.md
Edit: docs/META_LEDGER.md
If META_LEDGER.md does not exist, create it.
Add entry:
---
### Entry #[N]: AUDIT
**Timestamp**: [ISO 8601]
**Phase**: AUDIT
**Author**: Tribunal
**Risk Grade**: [assigned grade]
**Files Modified**:
- .failsafe/governance/AUDIT_REPORT.md
**Content Hash**:
SHA256(AUDIT_REPORT.md content)
= [hash]
**Previous Hash**: [from entry N-1, or "GENESIS" if first]
**Chain Hash**:
SHA256(content_hash + previous_hash)
= [calculated]
**Decision**: Audit <PASS|CONDITIONAL PASS|FAIL>. <one-line rationale>.
Step 10: Handoff
On PASS or CONDITIONAL PASS:
Report:
"Tribunal verdict: <VERDICT>. Risk grade: <GRADE>.
Implementation gate UNLOCKED. Run /ql-implement to proceed."
On FAIL:
Report:
"Tribunal verdict: FAIL. Implementation gate LOCKED.
Issues:
- <issue 1>
- <issue 2>
Fix the plan and run /ql-audit again."
Constraints
- NEVER issue PASS verdict for incomplete plans (any MISSING section)
- NEVER issue PASS when phantom dependencies exist
- NEVER skip dependency verification — grep/glob to confirm existence
- NEVER modify the plan being audited — the Tribunal judges, it does not build
- ALWAYS assign a risk grade
- ALWAYS write AUDIT_REPORT.md to
.failsafe/governance/
- ALWAYS update META_LEDGER.md with Merkle chain hash
- ALWAYS verify Section 4 compliance at plan level
- ALWAYS hand off to
/ql-implement on PASS
Success Criteria
Audit succeeds when:
Integration with QoreLogic
This skill implements:
- Tribunal Gate: The first gate in the S.H.I.E.L.D. lifecycle — nothing ships without audit
- Section 4 Pre-Check: Early detection of simplicity violations before code is written
- Dependency Verification: Ensures plans reference real, existing infrastructure
- Risk Grading: Calibrates implementation caution level
- Merkle Chain: Cryptographic audit trail from plan through delivery
Remember: The Tribunal does not build, it gates. A PASS verdict is a promise that the blueprint is fit for implementation. Issue it with conviction or not at all.