ワンクリックで
arib-ci-audit
CI | Audit, init, or review CI/PR posture — workflows, templates, CODEOWNERS, branch protection
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
メニュー
CI | Audit, init, or review CI/PR posture — workflows, templates, CODEOWNERS, branch protection
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
SOC 職業分類に基づく
Memory | Code-graph subsystem — a native lightweight IMPORT graph (which file imports which, god-node candidates) built with ripgrep/grep, so a large monorepo can be navigated by structure instead of re-grepping every session. build/refresh/query. Honest scope: structural import graph, NOT semantic (no call-graph/type resolution); no Graphify dependency. Loads ON DEMAND only (zero always-on tokens). ADR-034.
Dev | Over-engineering review — reads a diff/module and returns a delete-list of bloat (single-use abstractions, premature generalization, speculative config, dead options) WITHOUT stripping legitimate structure. Advisory: returns recommendations, never auto-deletes. The on-demand companion to the ponytail-lite tripwire hook. Authored natively (no Ponytail dependency). ADR-033.
Wave | Pre-wave requirement lock — Act 1 derives the requirements from the codebase + memory (an honest grill, not guesswork), Act 2 hands the locked plan to an independent model (Codex) to tear apart until sign-off. Produces waves/<id>/PLAN.md + PLAN-REVIEW-LOG.md. Auto-chained idempotently from /arib-wave-start. If Act 2 can't run (no Codex), the wave proceeds but HOLDS MERGE for a human. Absorbs grill-me-codex (ADR-032).
Wave | Start a multi-session delivery wave — branch, plan, parallel architect+planner
Engine | Command the engineering team to deliver a known goal — dispatches the engineer-manager to decompose → dispatch specialists (parallel where safe) → integrate → reconcile (verification-agent) → merge gate. Scales its own reach: runs inline for a bounded goal, escalates to a parallel Workflow for a broad one, and paces under /loop for a multi-turn campaign — only when it needs to. Use when a goal needs a coordinated TEAM, not one specialist. Sibling of /arib-engine: the engine DISCOVERS its own backlog; /arib-build EXECUTES a goal you hand it.
Stack | NestJS architecture & patterns reference — modules/providers/DI, DTO+validation, guards/interceptors/pipes/filters, config, async lifecycle, testing, and the security + performance pitfalls that bite at scale. Use when building or reviewing a NestJS backend. Composes with security-auditor (OWASP), database-guardian (TypeORM/Prisma migrations), and performance (N+1). Authored natively (the ECC graft was unsourceable; this is CCM's own, MIT).
| name | arib-ci-audit |
| argument-hint | [audit | init | review <file> | branch-protection] |
| description | CI | Audit, init, or review CI/PR posture — workflows, templates, CODEOWNERS, branch protection |
Single entry point for the v3.5 CI/PR engineering subsystem. Dispatches
the ci-pr-engineer agent in one of four modes. Output is always a
structured report at io/ledger/ci-pr-<mode>-<date>.md (parallel to
how /arib-deep-audit writes its ledger entry).
The skill is the methodology-side companion to the v3.4 GitHub plumbing (PR template, CODEOWNERS, workflows, dependabot, CONTRIBUTING.md, repo-root SECURITY.md). v3.4 shipped the artifacts; v3.5 makes them maintainable.
audit mode catches drift between what
CONTRIBUTING.md describes and what the workflows actually do.init mode
scaffolds the full set..github/** —
review <file> mode focuses on one file.branch-protection mode confirms
the GitHub web-UI settings match CONTRIBUTING.md §6./arib-deep-audit (documentation completeness)./arib-ci-audit # full audit (default)
/arib-ci-audit init # bootstrap CI/PR for a fresh project
/arib-ci-audit review .github/workflows/hooks.yml # focused review of one file
/arib-ci-audit branch-protection # query GitHub API for live BP state
| Argument | Mode |
|---|---|
(none) or audit | audit |
init | init |
review <path> | review (path must exist or, in init, must not exist yet) |
branch-protection or bp | branch-protection |
| anything else | print usage, exit |
audit:
.github/ exists. If not, switch to init mode and notify
the user.architecture/DECISIONS.md ADR-012 (the binding decision) to
ground findings.init:
.github/ does NOT exist (or contains only obviously
abandoned scaffolding).audit instead.review <file>:
.github/, CONTRIBUTING.md,
SECURITY.md, or a workflow path.branch-protection:
gh CLI is installed: command -v gh.gh auth status returns success. If not, partial-audit and
surface the limitation.Single Task call to ci-pr-engineer with mode and target. The agent
runs the full audit checklist (see agents/ci-pr-engineer.md §2-4)
and returns a structured findings list.
Task(ci-pr-engineer, mode=<mode>, target=<file-or-repo>)
For audit mode on a repo that also has compliance / hooks concerns,
this can run in parallel with other read-only agents per
AGENT_ARCHITECTURE.md. Common parallel-safe batch:
Task(ci-pr-engineer, mode=audit)
Task(security-auditor) # if also auditing application code
Task(accessibility) # if also auditing UI
gh api repos/$(gh repo view --json nameWithOwner -q .nameWithOwner)/branches/main/protection \
--jq '{
approvals: .required_pull_request_reviews.required_approving_review_count,
require_codeowners: .required_pull_request_reviews.require_code_owner_reviews,
dismiss_stale: .required_pull_request_reviews.dismiss_stale_reviews,
required_checks: .required_status_checks.contexts,
strict_checks: .required_status_checks.strict,
linear_history: .required_linear_history.enabled,
enforce_admins: .enforce_admins.enabled
}'
Agent compares against the binding settings in CONTRIBUTING.md §6
and the rule in architecture/CONSTRAINTS.md constraint #10.
Output goes to io/ledger/ci-pr-<mode>-<YYYY-MM-DD>.md.
The report MUST include the same YAML-style header that
/arib-deep-audit writes, so the report is part of the same audit
trail and can be referenced by hash:
# CI/PR Audit Report
- audit-hash: <sha256 of findings, sorted>
- short-hash: <first 8>
- timestamp: <ISO-8601>
- branch: <git current branch>
- head-sha: <git HEAD>
- mode: audit | init | review | branch-protection
- target: <repo or file path>
- verdict: PASS | WARN | BLOCK
- findings-count: <N>
- block-count: <N>
- warn-count: <N>
- info-count: <N>
## Findings
(...)
| Verdict | Trigger | Recommended action |
|---|---|---|
| PASS | No findings or only INFO | Nothing required. Schedule next audit in 90 days. |
| WARN | One or more WARN findings, no BLOCK | Address in a follow-up PR; do not block ship. |
| BLOCK | Any BLOCK finding | Fix before merging the change that triggered the audit. |
For init mode: verdict is always PASS (or skill aborts). The
"action" is the sequenced bootstrap checklist the parent applies.
2026-05-08 | ci-pr-audit | <mode> | <verdict> | <short-hash> | <one-line summary>
This puts CI/PR audits in the same operational ledger as deep audits and wave reports.
User: /arib-ci-audit
Mode: audit
Pre-flight: .github/ exists ✓; ADR-012 read ✓
Dispatch: Task(ci-pr-engineer, mode=audit)
Findings:
- workflows checked: 4 (PASS: 4)
- templates: PASS (PR template + 3 issue templates + config)
- CODEOWNERS: PASS (catch-all + 7 specific paths, all reviewers exist)
- branch protection: not checked (run with `branch-protection` mode)
- governance docs: PASS (CONTRIBUTING + SECURITY + COC + .markdownlint.json)
Verdict: PASS
Wrote: io/ledger/ci-pr-audit-2026-05-08.md
Next step: schedule next audit ~2026-08-08.
User: /arib-ci-audit init (in a project bootstrapped from CCM but
missing the .github/ scaffolding)
Mode: init
Pre-flight: .github/ does not exist ✓
Dispatch: Task(ci-pr-engineer, mode=init)
Returned plan:
Create:
.github/PULL_REQUEST_TEMPLATE.md (from CCM canonical)
.github/ISSUE_TEMPLATE/{bug_report,feature_request,security}.yml
.github/ISSUE_TEMPLATE/config.yml
.github/CODEOWNERS (replace @AribSudia → @<owner>)
.github/dependabot.yml (timezone → <project tz>)
.github/workflows/hooks.yml
.github/workflows/json-validate.yml
.github/workflows/token-budget.yml
.github/workflows/markdown-lint.yml
.markdownlint.json
CONTRIBUTING.md
SECURITY.md
CODE_OF_CONDUCT.md
Then in repo Settings → Branches:
Apply branch protection per CONTRIBUTING.md §6.
Parent session executes the writes through normal Write tool calls
(path-scoping hook validates each).
Verdict: PASS (init scope)
Wrote: io/ledger/ci-pr-init-2026-05-08.md
User: /arib-ci-audit review .github/workflows/token-budget.yml
Mode: review
Pre-flight: file exists ✓
Dispatch: Task(ci-pr-engineer, mode=review,
target=.github/workflows/token-budget.yml)
Findings:
F1 — line 4 — WARN
`paths:` filter is broad; runs on any architecture/** change.
Consider scoping to architecture/{CONSTRAINTS,CONTEXT_MAP}.md and
.claude/rules/** which actually affect token cost.
F2 — line 24 — INFO
Consider concurrency cancellation:
concurrency:
group: token-budget-${{ github.ref }}
cancel-in-progress: true
Verdict: WARN (acceptable for ship; address in follow-up)
Wrote: io/ledger/ci-pr-review-2026-05-08.md
User: /arib-ci-audit branch-protection
Mode: branch-protection
Pre-flight: gh installed ✓; gh authenticated ✓
Live query:
approvals: 1 ✓
require_codeowners: true ✓
dismiss_stale: true ✓
required_checks: ["Hooks regression / test-hooks",
"JSON validation / validate-json",
"Token budget / measure",
"Markdown lint / lint"] ✓
strict_checks: true ✓
linear_history: true ✓
enforce_admins: false ✗
Findings:
F1 — branch-protection — WARN
enforce_admins is false; admin can bypass required checks.
Per ADR-012 + constraint #10, direct push reserved for emergencies.
If you intend to keep this, document in operations/OPERATIONS_LOG.md;
otherwise enable in Settings → Branches.
Verdict: WARN
Wrote: io/ledger/ci-pr-branch-protection-2026-05-08.md
/arib-ci-audit [<mode>]
|
v
[Mode parsed?]
|
+-- no --> print usage; exit
+-- yes --> continue
|
v
Pre-flight per mode
|
+-- audit: .github/ exists?
+-- init: .github/ does NOT exist?
+-- review: file exists?
+-- bp: gh installed + authed?
|
v
Dispatch ci-pr-engineer (single Task)
|
v
Receive findings list
|
v
Compute verdict (PASS / WARN / BLOCK)
|
v
Write io/ledger/ci-pr-<mode>-<date>.md
|
v
Optionally append OPERATIONS_LOG.md line
|
v
Report to user with next-step recommendation
Self-hosted Git platform (GitLab, Gitea): agent skips
GitHub-specific checks (CODEOWNERS, dependabot, branch protection
via gh) and surfaces the platform mismatch as INFO. Workflow
validation still applies if the project uses GitHub Actions.
gh auth has insufficient scope (e.g., missing repo scope
for private repo): partial branch-protection audit; report the
scope gap explicitly. Recommend gh auth refresh -s repo.
Workflow file uses reusable workflow (uses: org/.github/.workflows/foo.yml@main):
agent reports the upstream workflow is out of scope; recommend
pinning the SHA and auditing the upstream separately.
Required-check job name was renamed: agent detects the rename
by diffing against the previous audit ledger entry (if present);
flags as BLOCK because branch protection will silently lose the
required check.
CODEOWNERS lists a removed user: agent flags as BLOCK because reviews will block forever waiting on a non-existent reviewer.
init mode in a repo that already has partial scaffolding:
agent refuses to overwrite. Recommends audit to identify gaps,
then targeted fixes.
gh rate-limited during branch-protection mode: cache the
last successful response (in io/ledger/) and report from cache
with a note about staleness.architecture/DECISIONS.md ADR-012: project hasn't adopted
the binding decision. Treat as init mode, recommend ADR adoption..claude/agents/ci-pr-engineer.md — does the heavy lifting.architecture/DECISIONS.md ADR-012, ADR-013 — binding records.architecture/CONSTRAINTS.md constraint #10 — binding rule.Training/11-CI-PR-MANUAL.md — user-facing manual..claude/rules/ci-pr.md — path-scoped rules..github/ — artifacts under audit.CONTRIBUTING.md, SECURITY.md, CODE_OF_CONDUCT.md — governance docs..claude/skills/arib-deep-audit/SKILL.md — calls this skill as section 9.