| name | scan-and-audit |
| description | Weekly scan and audit orchestrator for Nx platform intelligence. Runs all 12 scan/audit commands plus the monthly digest via parallel subagents, then synthesizes a unified report with delta tracking. Use when user says "run scans", "weekly scan", "scan and audit", "run audits", "weekly report", "what's new this week", or any variation. Also use for "monthly scan" or "full audit".
|
| allowed-tools | ["Read","Write","Edit","Bash","Glob","Grep","WebFetch","WebSearch","Task"] |
Scan & Audit Orchestrator
Run all Nx platform intelligence scans in parallel, then produce a unified
weekly report with delta tracking. Designed to be run at the start of the
week (or day) to give Jack a quick picture of what changed.
Arguments
$ARGUMENTS
- No arguments: run all 13 scans (8 external + 1 CNW template validation +
3 internal audits + monthly digest) for the current week.
monthly only: skip scans, just run the monthly digest.scans only: skip the monthly digest, just run scans/audits.quick: skip slow scans (community, dependencies, supply-chain, api-surface,
capacity, project-health, customer-deps).
Only run web-research scans (competitors, frameworks, runtimes, ai-landscape)
plus cnw-templates (fast, critical).internal: run only the 3 internal management audits (capacity, project-health,
customer-deps). These use Linear MCP — no GitHub cloning needed.briefing: run internal audits + competitors + monthly digest. Produces
the full director-level monthly briefing.- Specific scan names:
competitors, frameworks, runtimes, ai-landscape,
community, dependencies, supply-chain, api-surface, capacity,
project-health, customer-deps, cnw-templates, digest.
lookback=N: override the lookback window to N days (default: 60).
Directory Structure
All orchestrator output goes to .ai/para/areas/scan-audit/.
.ai/para/areas/scan-audit/
├── README.md
├── state.json # Last run metadata + finding counts
├── weekly/
│ ├── 2026-W09.md # Unified weekly report
│ └── ...
└── monthly-digests/ # Monthly digest cross-functional + changelog
└── ...
Scan reports live in scans/ sub-directories (consolidated from former top-level areas):
External scans (in scan-audit/scans/):
scans/supply-chain-security/ — HIGH PRIORITY, WEEKLY CADENCEscans/dependency-health/scans/api-surface-audit/scans/ai-dev-landscape/ (includes archived ai-trends)scans/framework-ecosystem/scans/runtime-tracking/scans/cnw-templates/ — CRITICAL PRIORITY, WEEKLY CADENCE (CNW template health)
Still top-level areas (referenced independently):
.ai/para/areas/competitor-intel/.ai/para/areas/community-sentiment/
Internal audits (Linear MCP, still top-level):
.ai/para/areas/team-capacity/.ai/para/areas/project-health/.ai/para/areas/customer-deps/
Step 0: Setup, State & Auth
0a. Ensure directory structure exists
mkdir -p .ai/para/areas/scan-audit/weekly
mkdir -p .ai/para/areas/scan-audit/monthly-digests
0b. Read previous state
Read .ai/para/areas/scan-audit/state.json if it exists. Structure:
{
"lastRun": "2026-02-20T10:00:00Z",
"lastWeeklyReport": "2026-W08",
"lastMonthlyDigest": "2026-01",
"findings": {
"dependencies": { "critical": 2, "warning": 5 },
"supply-chain": { "status": "clear" },
"api-surface": { "high": 3, "medium": 8 },
"competitors": { "highlights": 4 },
"frameworks": { "compat-risks": 1 },
"runtimes": { "action-items": 0 },
"ai-landscape": { "highlights": 6 },
"community": { "top-pain-points": 5 },
"capacity": { "high-risk-people": 2, "overdue-items": 8 },
"project-health": { "zombies": 2, "overdue-projects": 3 },
"customer-deps": { "churned": 1, "cooling": 0, "concentration-risks": 2 },
"priority-mismatch": { "bump-candidates": 3, "stale-hot": 5 },
"cnw-templates": { "critical": 0, "high": 0, "medium": 1, "low": 0, "templates-tested": 4 }
}
}
This lets us compute deltas ("2 new critical deps since last week").
0c. Compute current week number and lookback window
date '+%Y-W%V'
LOOKBACK_DAYS=60
LOOKBACK_START=$(date -v-${LOOKBACK_DAYS}d '+%Y-%m-%d')
echo "Lookback window: $LOOKBACK_START to today"
The LOOKBACK_START date is passed to every subagent so they scan data
going back 60 days (not just the current calendar month). This ensures
coverage of events that happened in the prior month as well.
0d. GitHub auth (single 1Password approval)
Read the GitHub PAT once and stash it in a temp env file that subagents can
source. This is the one place all GitHub auth happens — every helper call
across orchestrator and subagents reads $GITHUB_TOKEN from this file, so
the user only sees one 1Password prompt for the whole run.
Use the op-request-reason skill convention (writes a PENDING row to
/private/tmp/op_requests.txt so Raycast surfaces it, then flips to
APPROVED/DENIED based on exit code):
SCAN_DATA_DIR="/tmp/scan-data-$(date +%s)"
mkdir -p "$SCAN_DATA_DIR"/{releases,issues,api}
uid="$$-$RANDOM" log=/private/tmp/op_requests.txt
printf 'PENDING\t%s\t%s\t%s\t%s\t%s\n' \
"$uid" "$(date '+%Y-%m-%dT%H:%M:%S%z')" "$PWD" \
'scan-and-audit: reading GitHub PAT for weekly intelligence scans' \
'op read op://Employee/API Keys/github_token' >>"$log"
GITHUB_TOKEN=$(op read 'op://Employee/API Keys/github_token'); rc=$?
tab=$(printf '\t'); tmp=$(mktemp)
[ $rc -eq 0 ] && outcome=APPROVED || outcome=DENIED
sed "s|^PENDING${tab}${uid}${tab}|${outcome}${tab}${uid}${tab}|" "$log" >"$tmp" && mv "$tmp" "$log"
[ $rc -ne 0 ] && { echo "Failed to read GitHub token from 1Password"; exit 1; }
umask 077
cat >"$SCAN_DATA_DIR/gh-env.sh" <<EOF
export GITHUB_TOKEN='$GITHUB_TOKEN'
EOF
export GITHUB_TOKEN
source "$HOME/.claude/skills/scan-and-audit/gh-helpers.sh"
If the op read fails, abort early — every downstream scan needs the token.
0e. Determine what to run
- If
lastMonthlyDigest < current month AND we're past the 25th of the
month, include the monthly digest.
- Otherwise only include it if explicitly requested or if arguments say so.
- All 8 scans run by default unless scoped by arguments.
Step 1: Clone Repos (if needed for audit commands)
Four commands need local repo access: audit-api-surface, audit-dependencies,
audit-supply-chain, and scan-community (for issue data, though community
mostly uses the GitHub REST API via the helpers).
NX_TMP="/tmp/nx-scan-$(date +%s)"
git clone --depth 1 https://github.com/nrwl/nx.git "$NX_TMP" 2>/dev/null
OCEAN_TMP="/tmp/ocean-scan-$(date +%s)"
git clone --depth 1 git@github.com:nrwl/nx-cloud.git "$OCEAN_TMP" 2>/dev/null \
|| echo "OCEAN_CLONE_FAILED"
If ocean clone fails (permissions, SSH keys), note it and continue with
nx-only scans. Never block on ocean access.
Store paths for subagents:
NX_REPO_PATH=$NX_TMPOCEAN_REPO_PATH=$OCEAN_TMP (or empty if failed)
Step 1.5: Pre-fetch GitHub Data
Why: Otherwise each subagent would re-fetch the same data and we'd burn
the rate limit. Instead, run ALL GitHub API calls here in the orchestrator
(single shell, helpers already sourced, token already exported) and cache
results for subagents.
The output JSON files match the legacy gh --json shapes (the helpers in
gh-helpers.sh do the field rename), so existing jq filters in each scan
command keep working unchanged.
Release lists (21 repos)
Fetch releases for every repo any scan command needs. Helpers include body
so subagents don't need separate release-view calls.
for repo in \
vercel/turborepo moonrepo/moon bazelbuild/bazel pantsbuild/pants \
nodejs/node oven-sh/bun denoland/deno \
anthropics/claude-code modelcontextprotocol/specification \
angular/angular facebook/react vercel/next.js remix-run/remix \
nuxt/nuxt vuejs/core vitejs/vite webpack/webpack \
web-infra-dev/rspack rolldown/rolldown evanw/esbuild swc-project/swc; do
slug="${repo//\//-}"
gh_release_list "$repo" 15 \
> "$SCAN_DATA_DIR/releases/$slug.json" 2>/dev/null \
|| echo "[]" > "$SCAN_DATA_DIR/releases/$slug.json"
done
Issue data (nrwl/nx + nrwl/nx-cloud)
gh_issue_list_with_meta nrwl/nx open 200 \
> "$SCAN_DATA_DIR/issues/nrwl-nx-open.json"
gh_issue_list_state nrwl/nx all 200 \
> "$SCAN_DATA_DIR/issues/nrwl-nx-all.json"
gh_issue_list_with_meta nrwl/nx-cloud open 100 \
> "$SCAN_DATA_DIR/issues/nrwl-nx-cloud-open.json" 2>/dev/null \
|| echo "[]" > "$SCAN_DATA_DIR/issues/nrwl-nx-cloud-open.json"
REST API + GraphQL
gh_api 'repos/nrwl/nx/issues?state=open&sort=reactions-%2B1&direction=desc&per_page=50' \
> "$SCAN_DATA_DIR/api/nrwl-nx-top-reactions.json" 2>/dev/null \
|| echo "[]" > "$SCAN_DATA_DIR/api/nrwl-nx-top-reactions.json"
gh_api 'repos/nrwl/nx-cloud/issues?state=open&sort=reactions-%2B1&direction=desc&per_page=20' \
> "$SCAN_DATA_DIR/api/nrwl-nx-cloud-top-reactions.json" 2>/dev/null \
|| echo "[]" > "$SCAN_DATA_DIR/api/nrwl-nx-cloud-top-reactions.json"
gh_api_graphql '
{
repository(owner: "nrwl", name: "nx") {
discussions(first: 30, orderBy: {field: CREATED_AT, direction: DESC}) {
nodes {
title
createdAt
upvoteCount
comments { totalCount }
category { name }
}
}
}
}' > "$SCAN_DATA_DIR/api/nrwl-nx-discussions.json" 2>/dev/null \
|| echo "{}" > "$SCAN_DATA_DIR/api/nrwl-nx-discussions.json"
Priority mismatch detection (medium-priority issues with high engagement)
gh_api 'repos/nrwl/nx/issues?state=open&labels=priority:%20medium&sort=reactions-%2B1&direction=desc&per_page=50' \
> "$SCAN_DATA_DIR/api/nrwl-nx-medium-priority-hot.json" 2>/dev/null \
|| echo "[]" > "$SCAN_DATA_DIR/api/nrwl-nx-medium-priority-hot.json"
gh_api 'repos/nrwl/nx/issues?state=open&sort=reactions-%2B1&direction=desc&per_page=100' \
> "$SCAN_DATA_DIR/api/nrwl-nx-stale-hot.json" 2>/dev/null \
|| echo "[]" > "$SCAN_DATA_DIR/api/nrwl-nx-stale-hot.json"
Search queries
gh_search_repos "ai agent developer tools" 10 stars \
> "$SCAN_DATA_DIR/api/ai-agent-repos.json" 2>/dev/null \
|| echo "[]" > "$SCAN_DATA_DIR/api/ai-agent-repos.json"
Total: ~30 sequential REST calls, single 1Password auth from step 0d,
~60–90 seconds. All output files match the legacy gh --json shape so the
existing jq filters in subagents work unchanged.
Step 2: Launch All Scans in Parallel
Launch each scan as a background Task subagent. Each subagent receives:
- The command file content (its full instructions)
- The repo path(s) to scan
- The current month (YYYY-MM) for report file naming
- The previous report path (if exists) for delta computation
$SCAN_DATA_DIR (so it can read the cached JSON + source gh-env.sh)
Every subagent prepends the following bootstrap to its shell work so the
helpers and token are available:
source "$HOME/.claude/skills/scan-and-audit/gh-helpers.sh"
source "$SCAN_DATA_DIR/gh-env.sh"
Scan Groups
Group A — Repo-dependent audits (need cloned repos):
-
audit-dependencies — Audit dependency health across nx + ocean
- Subagent instruction: "Run the dependency health audit. Scan both
$NX_REPO_PATH/packages/ and $OCEAN_REPO_PATH/ (if available).
Write report to .ai/para/areas/dependency-health/YYYY-MM.md."
-
audit-api-surface — Detect API vs docs drift
- Subagent instruction: "Run the API surface audit on
$NX_REPO_PATH.
Also check ocean's public npm packages if $OCEAN_REPO_PATH is available.
Write report to .ai/para/areas/api-surface-audit/YYYY-MM.md."
-
audit-supply-chain — Supply chain security review
- Subagent instruction: "Run the supply chain audit. Check both
@nx/*
and @nx-cloud/* scoped packages on npm. Use $NX_REPO_PATH for
workflow inspection. Write report to
.ai/para/areas/supply-chain-security/YYYY-MM.md."
-
scan-community — Community sentiment analysis
- Subagent instruction: "Run the community sentiment scan. Cover both
nrwl/nx and nrwl/nx-cloud (if public) GitHub issues and discussions.
Write report to .ai/para/areas/community-sentiment/YYYY-MM.md."
Group A2 — CNW Template Validation (no repo access needed, CRITICAL PRIORITY):
- cnw-templates — Create-Nx-Workspace template health check
-
Subagent instruction: "Validate all nrwl/ CNW (Create Nx Workspace) templates
by scaffolding workspaces and checking for npm audit warnings. This scan
MUST be reported first in the unified report — do not bury it.
IMPORTANT: Use --template=nrwl/*-template, NOT --preset=*-monorepo.
The --template flag uses the actual nrwl template repos which include
additional packages (e.g., @nx/module-federation in react/angular templates)
that --preset does not. Using --preset will produce falsely clean results.
Templates to test:
nrwl/empty-templatenrwl/typescript-templatenrwl/angular-templatenrwl/react-template
For each template, run in a temp directory:
CNW_TMP=$(mktemp -d)
cd $CNW_TMP
npx create-nx-workspace@latest test-$NAME \
--template=nrwl/$NAME-template --nxCloud=skip --no-interactive 2>&1
cd test-$NAME
npm audit --json 2>&1 > audit-$NAME.json
npm audit 2>&1 > audit-$NAME.txt
Parse npm audit output for each template:
- Count vulnerabilities by severity: critical, high, moderate (medium), low
- For each critical or high vulnerability, record: package name, severity,
vulnerability title, path (dependency chain), CVE if available, and
whether it's a direct or transitive dependency
- Note which templates share the same vulnerability (likely same root dep)
Severity classification for the report:
- 🔴 Critical: npm audit critical vulnerabilities — fix ASAP
- 🟠 High: npm audit high vulnerabilities — resolve this week
- 🟡 Medium: npm audit moderate vulnerabilities — note, no immediate action
- ⚪ Low: npm audit low vulnerabilities — note, no immediate action
Also check:
- Does
npx create-nx-workspace itself succeed without errors for each template?
- Are there any deprecation warnings during workspace creation?
- Does
npm install complete cleanly (no peer dep conflicts)?
Write report to .ai/para/areas/scan-audit/scans/cnw-templates/YYYY-MM.md
with format:
# CNW Template Health — YYYY-MM
## Summary
Tested N templates against create-nx-workspace@VERSION.
{overall status: clean / warnings found / action required}
## Results by Template
### nrwl/empty-template
- Creation: ✅/❌
- npm audit: N critical, N high, N moderate, N low
- Vulnerabilities:
- [severity] package-name: description (CVE-XXXX) — direct/transitive
### nrwl/typescript-template
...
### nrwl/angular-template
...
### nrwl/react-template
...
## Cross-Template Analysis
{Which vulnerabilities appear across multiple templates — likely from shared
Nx core dependencies vs template-specific deps}
## Action Items
### Fix ASAP (Critical)
- ...
### Resolve This Week (High)
- ...
### Noted (Medium/Low)
- ...
Clean up temp directories when done:
rm -rf $CNW_TMP
"
Group B — Web research scans (no repo access needed):
- scan-competitors — Competitor changelog analysis
- scan-frameworks — Framework & bundler ecosystem tracking
- scan-runtimes — Node.js & runtime tracking
- scan-ai-landscape — AI dev tools landscape scan
- Subagent instruction: "Run the AI landscape scan. In addition to the
standard coverage (MCP, coding tools, CI/CD, agentic patterns), also
research AI model security threats — specifically, new model
releases (Anthropic, OpenAI, Google, Meta, DeepSeek, xAI, open-weight
models, etc.) whose capabilities materially change the threat model
for orgs like ours. Flag:
- Models advertised or benchmarked as strong at vulnerability
discovery / exploit generation in real codebases (e.g. a hypothetical
'Claude Mythos' release that finds CVEs easily). These shift the
offensive-security balance and matter for our supply-chain posture.
- Models with notable jailbreak / alignment regressions that increase
misuse risk.
- Agentic capabilities that enable autonomous recon, credential
harvesting, or repo exfiltration.
- Prompt-injection / indirect-injection research that affects tools
we ship or embed (nx-mcp, Self-Healing CI, AI code review).
Surface findings under a dedicated 'AI Security Threats' section in
the AI landscape report. If any are High severity, include them in the
weekly TL;DR alongside CNW template and supply-chain findings."
Each writes to its own .ai/para/areas/ directory.
Group C — Internal management audits (Linear MCP, no repo access needed):
- audit-capacity — Team capacity & sequencing risk analysis
- Subagent instruction: "Run the team capacity audit. Use Linear MCP to
pull issue assignments, project leads, and due dates across all active
teams. Analyze the next 4-6 week window for conflicts. Write report
to
.ai/para/areas/team-capacity/YYYY-MM.md."
-
audit-project-health — Long-running project & exit criteria audit
- Subagent instruction: "Run the project health audit. Use Linear MCP to
pull all In Progress projects, check milestone completion, identify
zombies (all milestones done, project still open), flag overdue target
dates and scope creep. Track revenue projects. Write report to
.ai/para/areas/project-health/YYYY-MM.md."
-
audit-customer-deps — Customer dependency concentration mapping
- Subagent instruction: "Run the customer dependency audit. Use Linear MCP
to search for known strategic customers across all teams. Map customer
to feature dependencies, check engagement recency, assess DPE capacity.
Write report to
.ai/para/areas/customer-deps/YYYY-MM.md."
Group D — Monthly digest (only if needed):
- nx-monthly-digest — Cross-functional digest + technical changelog
- Only runs if: current month > lastMonthlyDigest, OR explicitly requested.
- Uses the full
/nx-monthly-digest skill instructions.
- Writes to
.ai/para/areas/scan-audit/monthly-digests/.
Launching
Launch ALL scans simultaneously as background Task subagents. Use
run_in_background: true for all of them. Do NOT wait for one before
starting another.
For each subagent, provide:
- The full command file content (read from
dot_claude/commands/<name>.md)
- Any repo paths
- Current date/month
- The
LOOKBACK_START date (e.g., 2025-12-29 for a 60-day window)
- The
SCAN_DATA_DIR path (e.g., /tmp/scan-data-1772253563) for cached GitHub data
- Path to previous report(s) within the lookback window (for delta comparison)
- The two
source lines from "Step 2" above (helpers + gh-env)
Step 3: Wait for All Scans to Complete
Wait for all background subagents to finish. As each completes, note:
- Success or failure
- Key finding counts (parse from the report it wrote)
- Any errors or access issues
If a scan fails, log the error but don't retry — note it in the report.
Step 4: Read All Reports
After all scans complete, read each report file:
.ai/para/areas/scan-audit/scans/cnw-templates/YYYY-MM.md ← READ FIRST (critical priority)
.ai/para/areas/dependency-health/YYYY-MM.md
.ai/para/areas/api-surface-audit/YYYY-MM.md
.ai/para/areas/supply-chain-security/YYYY-MM.md
.ai/para/areas/community-sentiment/YYYY-MM.md
.ai/para/areas/competitor-intel/YYYY-MM.md
.ai/para/areas/framework-ecosystem/YYYY-MM.md
.ai/para/areas/runtime-tracking/YYYY-MM.md
.ai/para/areas/ai-dev-landscape/YYYY-MM.md
.ai/para/areas/team-capacity/YYYY-MM.md
.ai/para/areas/project-health/YYYY-MM.md
.ai/para/areas/customer-deps/YYYY-MM.md
Extract from each:
- Summary / key findings
- Severity counts (critical, warning, etc.)
- Delta vs. previous report (new items, resolved items)
- Action items
Step 5: Synthesize Unified Weekly Report
Write to .ai/para/areas/scan-audit/weekly/YYYY-WNN.md:
# Nx Platform Intelligence — Week {NN}, {Year}
_Generated: {datetime}_
_Scans run: {list of scans that completed}_
_Scans failed: {list of any that failed, or "None"}_
## TL;DR — What's New Since Last Week
{5-10 bullets, ranked by urgency. CNW template vulnerabilities ALWAYS
go first if any critical/high exist. Each bullet should be actionable
or informative enough to decide whether to dig deeper. Format:}
- **[AREA]** {finding}. {action needed or "FYI only"}.
Example:
- **[CNW Templates]** 2 high vulns in `angular-monorepo` preset via `postcss`. Resolve this week.
- **[AI Threat]** New frontier model claims SOTA on exploit-generation benchmarks — reassess supply-chain posture and secrets exposure.
- **[Security]** New CVE in `minimatch` affects nx@22.5.2. Already patched in 22.5.3. FYI only.
- **[Competitors]** Turborepo shipped remote caching v2 with content-addressable storage. Review implications for Nx Cloud positioning.
- **[Dependencies]** `chalk` hasn't published in 14 months. Now 🟠 Warning. We already migrated to picocolors — can remove.
## Dashboard
| Scan | Status | Findings | Delta |
|------|--------|----------|-------|
| **CNW Templates** | {status emoji} | {N critical, N high, N medium, N low} | {+/-N vs last week} |
| Dependencies | {status emoji} | {N critical, N warning} | {+/-N vs last week} |
| Supply Chain | {status emoji} | {status} | {change} |
| API Surface | {status emoji} | {N high, N medium} | {+/-N} |
| Community | {status emoji} | {N pain points} | {+/-N} |
| Competitors | {status emoji} | {N highlights} | {new items} |
| Frameworks | {status emoji} | {N compat risks} | {+/-N} |
| Runtimes | {status emoji} | {N action items} | {+/-N} |
| AI Landscape | {status emoji} | {N highlights} | {new items} |
| **Internal Audits** | | | |
| Team Capacity | {status emoji} | {N high-risk people} | {+/-N overdue} |
| Project Health | {status emoji} | {N zombies, N overdue} | {change} |
| Customer Deps | {status emoji} | {N concentration risks} | {churned/cooling} |
Status: ✅ = no action needed, ⚠️ = items to review, 🔴 = action required
## Priority Mismatch — Issues That May Need Bumping
Analyze `$SCAN_DATA_DIR/api/nrwl-nx-medium-priority-hot.json` and
`$SCAN_DATA_DIR/api/nrwl-nx-stale-hot.json` to surface:
### Medium Priority with High Engagement
Issues labeled `priority: medium` but with disproportionate community
engagement (reactions or comments). Thresholds:
- **Bump candidate**: 10+ total reactions OR 15+ comments
- **Strong bump candidate**: 20+ reactions OR 25+ comments
For each, list: issue number, title, reaction count, comment count,
age, and a one-line recommendation (bump to high? needs triage?).
### Stale High-Engagement Issues
Open issues older than 6 months with significant engagement (10+
reactions or 15+ comments) regardless of priority label. These are
long-standing pain points the community cares about. Filter
`nrwl-nx-stale-hot.json` by `createdAt` older than 180 days.
For each, list: issue number, title, age, reaction count, comment
count, current priority label, and whether it's been commented on
by maintainers recently.
If either list is empty, say so. Don't invent issues.
## Action Required
{Items from ANY scan that need immediate attention. Group by urgency.
If nothing, say "None this week."}
### This Week
{Must-do items}
### Soon (This Month)
{Should-do items}
### Watching
{Monitor, no action yet}
## Scan Summaries
### CNW Template Health (REPORT FIRST)
{Summary of npm audit results across all 4 presets. Lead with critical/high
findings. List affected presets per vulnerability. Note if any preset failed
to create.}
**Critical (fix ASAP):** {list or "None"}
**High (resolve this week):** {list or "None"}
**Medium/Low (noted):** {list or "None"}
[Full report](.ai/para/areas/scan-audit/scans/cnw-templates/YYYY-MM.md)
### Dependencies
{2-3 sentence summary from dependency-health report. Link to full report.}
[Full report](.ai/para/areas/dependency-health/YYYY-MM.md)
### Supply Chain Security
{2-3 sentence summary.}
[Full report](.ai/para/areas/supply-chain-security/YYYY-MM.md)
### API Surface
{2-3 sentence summary.}
[Full report](.ai/para/areas/api-surface-audit/YYYY-MM.md)
### Community Sentiment
{2-3 sentence summary.}
[Full report](.ai/para/areas/community-sentiment/YYYY-MM.md)
### Competitors
{2-3 sentence summary.}
[Full report](.ai/para/areas/competitor-intel/YYYY-MM.md)
### Frameworks & Bundlers
{2-3 sentence summary.}
[Full report](.ai/para/areas/framework-ecosystem/YYYY-MM.md)
### Runtimes (Node.js, Bun, Deno)
{2-3 sentence summary.}
[Full report](.ai/para/areas/runtime-tracking/YYYY-MM.md)
### AI Dev Tools Landscape
{2-3 sentence summary.}
[Full report](.ai/para/areas/ai-dev-landscape/YYYY-MM.md)
### Team Capacity & Sequencing
{2-3 sentence summary: who's overloaded, what projects are at risk.}
[Full report](.ai/para/areas/team-capacity/YYYY-MM.md)
### Project Health
{2-3 sentence summary: zombie projects, overdue targets, scope creep.}
[Full report](.ai/para/areas/project-health/YYYY-MM.md)
### Customer Dependencies
{2-3 sentence summary: concentration risks, engagement changes, DPE load.}
[Full report](.ai/para/areas/customer-deps/YYYY-MM.md)
## Monthly Digest
{If digest ran this cycle, include TL;DR + link. Otherwise:
"Last digest: {month}. Next scheduled: {month}."}
Step 6: Update State
Write updated .ai/para/areas/scan-audit/state.json with:
- Current run timestamp
- Current week number
- Updated finding counts from each scan
- Monthly digest month (if it ran)
Step 7: Update README
Ensure .ai/para/areas/scan-audit/README.md exists and is current:
# Scan & Audit
Weekly intelligence scans across the Nx platform. Covers dependency health,
supply chain security, API drift, community sentiment, competitor activity,
framework ecosystem, runtime changes, and AI tool landscape.
## How to Run
/scan-and-audit # Full weekly scan (all 9)
/scan-and-audit quick # Web-research scans only (fast, ~5 min)
/scan-and-audit digest # Monthly digest only
/scan-and-audit competitors frameworks # Specific scans
## Latest Reports
### Weekly
- [{latest week}](./weekly/{latest}.md)
### Monthly Digests
- [{latest month}](./monthly-digests/{latest}.md)
## Individual Scan Areas
- [CNW Template Health](./scans/cnw-templates/)
- [Dependency Health](../dependency-health/)
- [Supply Chain Security](../supply-chain-security/)
- [API Surface Audit](../api-surface-audit/)
- [Community Sentiment](../community-sentiment/)
- [Competitor Intel](../competitor-intel/)
- [Framework Ecosystem](../framework-ecosystem/)
- [Runtime Tracking](../runtime-tracking/)
- [AI Dev Landscape](../ai-dev-landscape/)
Step 8: Cleanup
rm -rf "$NX_TMP" "$OCEAN_TMP" "$SCAN_DATA_DIR" 2>/dev/null
unset GITHUB_TOKEN
Step 9: Present Results
IMPORTANT: Present CNW Template Health findings FIRST, before the TL;DR
and Dashboard. If there are any critical or high vulnerabilities, lead with
those — they must not be buried in the full report. Then print the TL;DR
section and Dashboard table.
Tell them where the full report is saved. Offer to:
- Dive deeper into any specific scan
- Re-run a specific scan with different scope
- Create Linear issues for action items
Important Notes
- Parallelism: Launch ALL subagents at once. The skill should take
~10-15 minutes total (bounded by the slowest scan), not 60+ minutes
running sequentially.
- Idempotent: Running twice in the same week updates the existing
weekly report rather than creating a duplicate.
- Graceful degradation: If ocean can't be cloned, if npm is slow, if
the GitHub API rate-limits — note it and continue. Never fail the whole
run because one scan had issues.
- Delta focus: The weekly report should emphasize WHAT CHANGED since
last run. The individual reports have the full picture.
- No invention: Every finding must trace to a source. Don't speculate
about risks that aren't evidenced by the data.
- LIVE DATA OVER TRAINING DATA: This is the #1 quality rule. For
every factual claim (version numbers, release status, issue state,
EOL dates, download counts), verify against a live source BEFORE
writing it. Training data is stale by definition. Use:
npm view <pkg> version for package versions$SCAN_DATA_DIR/releases/*.json for release data (pre-fetched)$SCAN_DATA_DIR/issues/*.json for issue data (pre-fetched)WebFetch for changelogs, blogs, and EOL datesnpm view <pkg> time.modified for last-publish dates
If a live API is unavailable, explicitly mark the claim as
"unverified (from training data)" in the report.
- Verify issue state: Before listing any GitHub issue as an active
pain point or action item, verify it is still OPEN using
gh_issue_view nrwl/nx <N>. Closed issues should be noted as
resolved, not listed as current problems. This applies to ALL scans
that reference GitHub issues (community, dependencies, supply-chain).
- Thoroughness over speed: Use many tokens and subagent passes. It's
better to spend 15 minutes and catch everything than to skim in 5
minutes and miss a CVE or a competitor launch.
