Audit deployed Vercel apps for cost and performance issues using metrics, project config, code scans, and version-aware recommendations.
| name | vercel-optimize |
| description | Audit deployed Vercel apps for cost and performance issues using metrics, project config, code scans, and version-aware recommendations. |
| risk | safe |
| source | https://github.com/vercel-labs/agent-skills |
| date_added | 2026-06-02 |
Run an observability-first Vercel optimization audit. Do not inspect source files until signals.json exists and a deterministic gate points to a route, file, or project setting.
Core doctrine: read references/doctrine.md if any rule is unclear.
scripts/gate-investigations.mjs decides what deserves investigation.references/docs-library.json; invalid or version-mismatched citations are stripped.vercel metrics, vercel usage, vercel contract, and vercel api.vercel login.vercel link. VERCEL_PROJECT_ID can help resolve project config, but vercel metrics still requires directory linkage. The link or environment must include the intended project org/team/user scope so the collector can resolve a CLI-safe --scope and keep vercel metrics, vercel usage, and vercel contract on the same account.Never put auth tokens in shell commands. Do not type VERCEL_TOKEN=..., --token ..., or Authorization: Bearer ... into commands that may be echoed in chat.
The preflight reads package.json and sets expectations before metric fan-out.
| Framework | Status | Notes |
|---|---|---|
| Next.js App Router | supported | strongest route mapping, scanners, playbooks, citations |
| Next.js Pages Router | supported | scoped to Pages Router idioms when detected |
| SvelteKit | supported | route mapping for src/routes files and SvelteKit scanner |
| Nuxt | supported | route mapping plus generic/platform checks; fewer framework-specific recs |
| Astro | limited | route mapping plus generic checks; fewer framework-specific recs |
| Hono / Remix / unknown | blocked by default | continue only if the user accepts a limited platform/code-only audit |
If unsupported, stop and ask before scanning or gating:
This project uses <framework>. Vercel Optimize supports metric-backed code recommendations for Next.js, SvelteKit, and Nuxt. Astro support is limited. For <framework>, I can still run a limited platform/scanner audit, but route-level Vercel metrics may not map back to source files.
Do you want me to continue with the limited audit, or stop here?
If the user continues, rerun collection with --continue-unsupported-framework.
Use a fresh run directory for every audit. Do not reuse briefs, sub-agent outputs, or reports across runs.
RUN_DIR="$(mktemp -d -t vercel-optimize-XXXXXX)"
Run from the linked app directory or pass --cwd where a script supports it. Keep stdout JSON separate from stderr logs. Do not combine streams.
node scripts/collect-signals.mjs [projectId] > "$RUN_DIR/vercel-signals.json" 2> "$RUN_DIR/collect.stderr"
node -e 'JSON.parse(require("fs").readFileSync(process.argv[1], "utf8"))' "$RUN_DIR/vercel-signals.json"
node scripts/scan-codebase.mjs <repo-root> > "$RUN_DIR/codebase.json"
node scripts/merge-signals.mjs "$RUN_DIR/vercel-signals.json" "$RUN_DIR/codebase.json" --out "$RUN_DIR/signals.json"
Collection details, schemas, metric IDs, and degradation behavior live in references/data-collection.md. The metric registry is lib/queries.mjs; keep all queries on the shared 14-day window.
collect-signals.mjs resolves the linked project owner to commandScope.cliScope and verifies that the resolved account can read the resolved project before it checks Observability Plus. Downstream scripts reuse that scope for every Vercel CLI command that accepts --scope. Do not run vercel usage, vercel metrics, or vercel contract manually without the same scope; unscoped usage can report the user's personal organization while route metrics come from the team project.
If project or scope resolution is ambiguous, stop and ask the user which Vercel project and team/personal scope they want audited. Do not infer the intended scope from the current vercel whoami team, and do not proceed with metrics, usage, or contract collection until the link, an exact project match in .vercel/repo.json, or VERCEL_PROJECT_ID + VERCEL_ORG_ID identifies the intended account.
Use this prompt for PROJECT_SCOPE_UNRESOLVED, SCOPE_UNRESOLVED, or PROJECT_SCOPE_MISMATCH:
I can't safely identify the Vercel project and account for this audit yet.
Please confirm the Vercel project name or ID and the team slug/name, or tell me it's under your personal account. Once confirmed, I'll relink or rerun collection against that exact scope before checking metrics.
Check blockers before gating:
jq '{frameworkSupportBlocker, observabilityPlus, observabilityPlusUsable, observabilityPlusBlocker, observabilityPlusBlockerDetail}' "$RUN_DIR/signals.json"
Required actions:
frameworkSupportBlocker === "unsupported_framework": use the unsupported-framework prompt above.PROJECT_SCOPE_UNRESOLVED, SCOPE_UNRESOLVED, or PROJECT_SCOPE_MISMATCH: stop and ask which Vercel project and team/personal scope the user wants audited. For team projects, rerun after vercel link --yes --project <project-name-or-id> --team <team-slug>; for personal projects, rerun after linking under the intended user account or after setting both VERCEL_PROJECT_ID and VERCEL_ORG_ID.observabilityPlusBlocker === null: continue.no_traffic: tell the user route metrics are sparse; continue only if they accept limited output.payment_required or no_oplus_probe: render references/observability-plus.md verbatim and ask.project_disabled: tell the user to enable Observability Plus for the project or accept a limited audit.daily_quota_exceeded: stop and tell the user the Observability query quota is exhausted; retry after the next UTC midnight reset, or ask whether to continue with a limited code-only audit.not_linked: link the app directory, then rerun Step 1. If app path and project are known:vercel link --yes --project <project-name-or-id> --cwd <app-dir>
# add --team <team-id-or-slug> when known
forbidden or project_not_found: fix auth/team scope. Do not pitch Observability Plus.all_failed_other: show the raw error code and ask whether to continue in limited code-only mode.Do not silently fall back to code-only mode. If the user accepts a limited audit, rerun collection with:
node scripts/collect-signals.mjs [projectId] --continue-without-observability > "$RUN_DIR/vercel-signals.json" 2> "$RUN_DIR/collect.stderr"
Then scan and merge again.
node scripts/gate-investigations.mjs "$RUN_DIR/signals.json" > "$RUN_DIR/gate.json"
Output shape:
toLaunch: code-scope candidates to investigate.platform: project/account-scope recommendations.gated: skipped, covered, or disqualified candidates that must still appear in the report.budget: candidate budget and selection mode.Default budget is 6 code-scope candidates with a diversity guardrail. To expand:
node scripts/gate-investigations.mjs "$RUN_DIR/signals.json" --max-candidates 12 > "$RUN_DIR/gate.json"
node scripts/gate-investigations.mjs "$RUN_DIR/signals.json" --max-candidates all > "$RUN_DIR/gate.json"
Generated candidate docs: references/candidates.md.
Before deep-dive, run:
node scripts/budget-summary.mjs "$RUN_DIR/gate.json" --format json > "$RUN_DIR/budget-summary.json"
If shouldAsk is false, continue.
If shouldAsk is true:
exactChatMessage.body exactly as returned. Do not summarize, truncate, reorder, or rewrite it.questionText using questionPayload when the host supports structured questions.--max-candidates <choice>.Never put the long preview inside the question field. The preview and the question are separate surfaces.
node scripts/deep-dive.mjs "$RUN_DIR/signals.json" "$RUN_DIR/gate.json" --cwd <project-dir> > "$RUN_DIR/investigation-evidence.json"
node scripts/reconcile-candidates.mjs "$RUN_DIR/investigation-evidence.json" \
--gate "$RUN_DIR/gate.json" \
--out "$RUN_DIR/reconciled-investigation.json"
--cwd must be the linked project directory so deep-dive.mjs can verify the same project link and reuse signals.json.commandScope.cliScope for any follow-up vercel metrics calls.
Reconciliation deterministically converts disproven candidates into observations before any source investigation:
metric_mismatcherror_stormdeployment_regressionscanner_only_no_metricList the work:
node scripts/prepare-investigation-brief.mjs "$RUN_DIR/signals.json" "$RUN_DIR/reconciled-investigation.json" --list > "$RUN_DIR/briefs-manifest.json"
Generate one brief for every entry in briefs-manifest.json.briefs. The group can be toLaunch or platform; do not generate only toLaunch briefs.
mkdir -p "$RUN_DIR/briefs" "$RUN_DIR/sub-agent-outputs"
node scripts/prepare-investigation-brief.mjs "$RUN_DIR/signals.json" "$RUN_DIR/reconciled-investigation.json" \
--group <brief.group> --index <brief.index> --out "$RUN_DIR/briefs/<brief.group>-<brief.index>.md"
Use briefs-manifest.json.briefs[].label for visible worker names, for example Low cache-hit route on /docs/llm-digest/[...slug], not toLaunch-7.
Fan-out rule:
Sub-agent contract:
If a sub-agent reaches for repo-wide grep, the candidate is malformed; drop or abstain rather than widening scope.
Save each raw investigation result in $RUN_DIR/sub-agent-outputs/, then collect:
node scripts/collect-sub-agent-outputs.mjs \
--manifest "$RUN_DIR/briefs-manifest.json" \
--out "$RUN_DIR/recommendations.json" \
"$RUN_DIR/sub-agent-outputs/"
The collector extracts JSON, prepends pre-resolved records, enforces manifest order, and fails on missing, duplicate, unknown, or mismatched candidateRef values.
node scripts/verify-and-regen.mjs "$RUN_DIR/recommendations.json" \
--signals "$RUN_DIR/signals.json" \
--repo-root <project-dir> \
--out "$RUN_DIR/verify.json"
This script extracts claims, verifies files/citations/version fit, grades quality, applies sanitizers, emits verifiedRecommendations, withheldRecommendations, renderableRecommendations, and creates regenPlan for failed or unsafe recommendations.
Recommendation schema, writing rules, sanitizer order, and grading rules: references/recommendations.md. Verification rules: references/verification.md.
For each regenPlan entry, rerun the same brief with a Previous attempt failed these checks section listing topFailures. Keep the regenerated output only if verification improves without gutting citations.
node scripts/render-report.mjs "$RUN_DIR/verify.json" "$RUN_DIR/gate.json" "$RUN_DIR/signals.json" \
--project <name> \
--out "$RUN_DIR/report.md" \
--message-out "$RUN_DIR/final-message.json"
Use --debug-out "$RUN_DIR/debug.json" only when developing the skill. Customer Markdown and chat output must not expose passRate, quality, sanitizer trails, raw sub-agent names, or other implementation fields.
After rendering, print final-message.json.body verbatim and stop. Do not add highlights, debug notes, raw counts, sub-agent summaries, or extra explanation. Render-time dedupe, platform caps, and hard-safety drops can change the customer-visible count, so never summarize from raw verify.json.
Report structure and impact framing: references/scoring.md.
Every recommendation must:
signals.json or evidence.deepDive.$N savings./.well-known/workflow/v1/*). These are generated orchestration routes for durable step/flow execution and should be hard-gated before investigation.Never recommend "verify X is on" for facts already present in signals.project, including Fluid compute status, memory tier, regions, in-function concurrency, and timeout.
Scanner findings are supplementary. Drop findings annotated COLD-PATH or NO-ROUTE-MAPPING unless the scanner declares metadata.trafficIndependent === true.
Traffic-independent examples: middleware matcher, source maps, React Compiler config, build settings. Route-local cache or data-fetch patterns need route-level traffic evidence.
Scanner docs: references/scanner-patterns.md.
Use:
recommendations readyobservations from investigationinvestigated, no change recommendednot investigated in this runAvoid:
sub-agentabstentionpassRatequality scoregateLLMUse these messages without adding sales copy or process detail.
No traffic in the last 14 days:
This project has no meaningful traffic in the last 14 days, so route-level metrics are sparse. I can still check traffic-independent scanner findings and project settings, but I cannot rank route fixes until traffic accumulates.
Route-level metrics unavailable:
Use the verbatim choice template in references/observability-plus.md. Do not silently fall back to code-only mode; present the two-path choice: enable Observability Plus and rerun the metric-backed audit, or accept a limited code-only run.
Project is not linked:
This worktree is not linked to a Vercel project. Run
vercel link --yes --project <project-name-or-id> --cwd <app-dir>and rerun the audit. If the team is known, add--team <team-id-or-slug>.
Most route-to-file mappings failed:
The route inventory matched fewer than half of the routes we saw in observability. This is common in monorepos with custom routing. I've surfaced what I can match; the rest appear in the "Not investigated in this run" section.
Find and fix WCAG 2.2 accessibility issues. Two modes — report (sweep a codebase or page, produce a prioritized written report, no edits) and fix (audit→edit→verify loop on a target). Prefers direct-CDP live-DOM auditing; falls back to a browser-MCP composition or HTML-string audits.
Diff a live page's accessibility violations against a baseline — by default compares uncommitted changes (stash-based), or pass --branch [<name>] to diff against a branch. Reports only new violations introduced, violations fixed, and pre-existing count. Use `scan` for a full audit with no diffing.
Audit a live page for accessibility issues, locate each WCAG violation precisely, and return a selector-grounded fix worklist without editing.
Use when working with composition-patterns tasks or workflows
Use when working with debugging toolkit smart debug (Alias for debugging-toolkit-smart-debug)
Deploy applications and websites to Vercel. Use when the user requests deployment actions like "deploy my app", "deploy and give me the link", "push this live", or "create a preview deployment".