원클릭으로
audit
Deep code audit — security, tests, architecture, performance, stack-specific checks
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Deep code audit — security, tests, architecture, performance, stack-specific checks
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
| name | audit |
| description | Deep code audit — security, tests, architecture, performance, stack-specific checks |
| argument-hint | ["--dry-run | --changed | --since <commit/date> | security | tests | architecture | performance | ux | costs | <custom>"] |
Run a structured code audit on this project. Adapts to the detected stack.
Modes:
/audit — full audit, all relevant axes, all files/audit security (or tests, architecture, etc.) — full audit, single axis/audit --changed — incremental: only files changed since the last audit report/audit --since abc123 — incremental: only files changed since the given commit or date/audit --changed security — incremental + single axis/audit --dry-run — full audit, report only, no tickets created/audit --dry-run security — single axis, no ticketsRead CLAUDE.md (project root or .claude/). If none exists:
/audit-conf first to generate one, then re-run /audit."From CLAUDE.md, extract:
Check for previous audit reports:
ls -t audit-reports/*.md 2>/dev/null | head -1Parse arguments and determine mode:
Incremental mode (if --changed or --since in arguments):
--changed: find the date of the last audit report. If none exists, tell the user "No previous audit found — running full audit instead." and fall back to full mode.
Get changed files: git diff --name-only --diff-filter=ACMR $(git log --since="YYYY-MM-DD" --format=%H | tail -1)..HEAD (using the last report date)--since <ref>: get changed files: git diff --name-only --diff-filter=ACMR <ref>..HEAD--changed/--since <ref> are treated as axis filter.Full mode (default):
$ARGUMENTS is provided (and not --changed/--since) → audit ONLY that axisBased on the stack and project structure, select which axes to audit.
Always included (any stack):
/factorize for a deep analysis.Include if detected:
Estimate project size to calibrate agent count:
find src/ lib/ app/ . -maxdepth 3 -name "*.py" -o -name "*.ts" -o -name "*.js" -o -name "*.dart" -o -name "*.go" -o -name "*.rs" | grep -v test | grep -v __pycache__ | grep -v node_modules | wc -lPresent the selected axes to the user:
AUDIT PLAN — [project name]
Stack: [detected stack]
Mode: [full / incremental (X files changed since YYYY-MM-DD)]
Size: [X source files] → [small/medium/large] (or X changed files in incremental)
Axes: [list of selected axes]
Agents: [1-4] review agents
Previous audit: [date of last report, or "none"]
Proceed? [Y/n]
Wait for confirmation before launching agents.
Incremental mode: Skip the Explore agent entirely. The changed files list IS the audit map. Classify each changed file into the relevant axes based on its path and content (quick read of first 20 lines). This saves ~2 minutes on incremental audits.
Full mode: Launch 1 agent (subagent_type: Explore, thoroughness: "very thorough"):
Mission: Map the codebase for the audit. For each selected axis, identify which files are relevant. Produce a structured map:
AUDIT MAP
├── Tests: [list of test files + source files with no test coverage]
├── Security: [auth files, route handlers, config files, env handling]
├── Architecture: [core modules, services, models, entry points]
├── Error handling: [same files as architecture + API clients]
├── Performance: [DB queries, ORM models, async code, batch operations]
├── [other axes]: [relevant files]
This map is the INPUT for the review agents. No file should be audited blindly.
Launch agents in parallel (subagent_type: feature-dev:code-reviewer).
Number of agents determined by project size (Step 2).
Split the axes across agents to minimize file overlap:
| Agent | Axes | Focus |
|---|---|---|
| Reviewer 1 | Security + Error handling | Auth, routes, input handling, config, API clients |
| Reviewer 2 | Tests + Robustness | Test files, source files with gaps, edge cases |
| Reviewer 3 | Architecture + Performance | Core logic, services, models, DB queries |
| Reviewer 4 | Stack-specific (if applicable) | UX, data integrity, API costs, deployment |
Sizing rules:
Each agent receives:
You are auditing [project name] ([stack]).
Your axes: [list].
Files to review: [list from audit map].
For each finding, report:
- **Severity**: CRITICAL / HIGH / MEDIUM / LOW
- **Category**: BUG / SECURITY / ROBUSTNESS / PERFORMANCE / COST / UX / ARCHITECTURE
- **File:line**: exact location
- **Description**: what's wrong (1-2 sentences)
- **Evidence**: the problematic code snippet
- **Suggestion**: how to fix it (1-2 sentences)
CRITICAL/HIGH findings MUST include evidence (code snippet).
Do NOT report style issues or nitpicks — only real problems.
Do NOT report issues that the project's linter/analyzer would already catch.
After all agents return, act as CTO. For each finding:
CRITICAL/HIGH findings:
MEDIUM/LOW findings:
Feature suggestions (things that aren't bugs but could be better):
If --dry-run is set → skip this step entirely. The report is still generated (Step 7) but no tickets are created. The report will show "—" in the Ticket column instead of ticket IDs.
For each confirmed finding:
| Category | Ticket type | Auto-create? |
|---|---|---|
| BUG / SECURITY (CRITICAL/HIGH) | BUG | Yes |
| BUG / SECURITY (MEDIUM/LOW) | BUG | Yes |
| ROBUSTNESS / ARCHITECTURE / PERFORMANCE | IMP | Yes |
| COST / UX | IMP | Yes |
| Feature suggestion | — | No (discussion) |
Respect project conventions:
BACKLOG/ exists → create tickets there (scan existing IDs, anti-conflict)BACKLOG/ → skip ticket creation, just present findings in report/backlog-bug and /backlog-imp patterns for ticket formatGenerate the report and save to audit-reports/YYYY-MM-DD_HH-MM.md.
The filename MUST include the hour and minute (e.g., 2026-03-26_14-30.md).
Use date +%Y-%m-%d_%H-%M to generate it. Never use date-only filenames — multiple audits per day would collide.
# Audit Report — [project name]
**Date:** [full timestamp]
**Stack:** [detected stack]
**Mode:** [full / incremental (X files changed since ref)]
**Scope:** [X source files (full) or X changed files (incremental)]
**Axes audited:** [list]
**Agents used:** [count]
**Duration:** [total time from start to report generation]
## Delta from previous audit
[If a previous report exists in audit-reports/:]
- Previous audit: [date]
- New findings: X (not in previous report)
- Resolved since last audit: X (in previous report, no longer found)
- Recurring: X (still present)
[If no previous report:] "First audit — no comparison available."
## Summary
| Severity | Count |
|----------|-------|
| CRITICAL | X |
| HIGH | X |
| MEDIUM | X |
| LOW | X |
| Category | Count |
|----------|-------|
| BUG | X |
| SECURITY | X |
| ... | X |
## CRITICAL & HIGH findings
### [FINDING-1] [Category] — [short title]
- **Severity:** CRITICAL
- **File:** `path/to/file:line`
- **Ticket:** BUG-XXX (created)
- **Description:** ...
- **Evidence:** ```code snippet```
- **Suggestion:** ...
- **Verified:** ✅ confirmed by CTO review
### [FINDING-2] ...
## MEDIUM & LOW findings
| # | Severity | Category | File | Description | Ticket |
|---|----------|----------|------|-------------|--------|
| 1 | MEDIUM | ... | ... | ... | IMP-XXX |
| 2 | LOW | ... | ... | ... | IMP-XXX |
## Rejected findings (false positives)
| # | Original finding | Rejection reason |
|---|-----------------|-----------------|
| 1 | ... | ... |
## Feature suggestions (for discussion)
- [Suggestion 1 — description + rationale]
- [Suggestion 2]
## Recommended treatment order
1. [TICKET-ID] (SEVERITY) — [why first: impact, quick win, dependency]
2. [TICKET-ID] (SEVERITY) — [reason]
3. ...
Group quick wins (XS complexity) that can be batched together.
## Tickets created
| ID | Type | Title | Severity |
|----|------|-------|----------|
| BUG-XXX | BUG | ... | CRITICAL |
| IMP-XXX | IMP | ... | MEDIUM |
Create the audit-reports/ directory if it doesn't exist.
Also display a summary in the conversation:
AUDIT COMPLETE — [project name]
═══════════════════════════════
Mode: [full / incremental (X changed files)]
Duration: [Xm Xs]
Findings: X critical, X high, X medium, X low
Rejected: X false positives
Tickets: [X BUG, X IMP created | dry-run — no tickets created]
Feature suggestions: X (for discussion)
Delta: [X new / X resolved / X recurring] (or "first audit")
Full report: audit-reports/[filename].md
After saving the report, check that audit-reports/ is in .gitignore.
If not, add it (audit reports contain security findings — never commit them).
Compresser une session de debug en cours et produire un prompt forensique strict (donnees -> hypothese unique -> test decisif -> STOP). A utiliser quand un debug long ou complexe derive vers la speculation, ou quand le contexte de la conv est sature et qu'il faut basculer sur une session vierge sans perdre les eliminations deja faites.
Switch to supervisor/CTO mode — plan, delegate to workers, never write code directly
Auto-bootstrap codebase indexing in any project. Detects the stack, dispatches to the native installer if supported (Dart in v0.1), or generates a stack-appropriate indexer with strict guardrails (official AST parser, format contract, auto-validation, refinement loop) for TypeScript, Python, Go, or Rust.
Switch to expert-comptable / fiscaliste mode — optimisation fiscale FR, structuration de societes, expatriation, patrimoine
Generate API_CONTRACT.md by scanning existing routes and controllers
Check if API_CONTRACT.md is in sync with the actual code