一键导入
foundry-audit
Audit the EOU Foundry itself for schema drift, self-approval risk, generation overreach, weak validators, and missing governance evidence.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Audit the EOU Foundry itself for schema drift, self-approval risk, generation overreach, weak validators, and missing governance evidence.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
| name | foundry-audit |
| description | Audit the EOU Foundry itself for schema drift, self-approval risk, generation overreach, weak validators, and missing governance evidence. |
Audit the whole Foundry. Read all governance files first, then execute each check category in order.
foundry/constitution.yml — top-level invariantsfoundry/registry.yml — current EOU registration and lifecycle stagesfoundry/governance.yml — approval authority and promotion rulesschemas/*.schema.yml — all schema files (authority for valid field names and values)foundry/eous/*.yml — all standard EOU specsfoundry/meta-eous/*.yml — all meta/generating EOU specsfoundry/self-evolution/ecp/implemented/ — approved and implemented ECPs (for check 6)Halt and record a critical finding before checks if:
foundry/constitution.yml does not exist — the Foundry is unconfigured.schemas/eou.schema.yml does not exist — schema drift cannot be checked.Every EOU spec must declare all six facet fields: function, target_object, automation_mode, authority_level, risk_level, lifecycle_stage. Flag any spec with missing or placeholder values.
For each EOU with function: generate: verify generation_envelope.forbidden_outputs contains active_eou, approved_eou, and constitution_change. Flag any envelope that permits outputs outside its stated scope.
For each EOU: verify responsibility.executor ≠ responsibility.approver. A single role cannot both produce and approve outputs. Flag any EOU where this boundary is absent or ambiguous.
Every EOU in registry.yml with lifecycle_stage: active or pilot must have a corresponding spec file in foundry/eous/ or foundry/meta-eous/. Every spec file at those stages must be registered. Flag orphan specs and unregistered active EOUs.
Load each schema from schemas/*.schema.yml. For each active or pilot EOU spec, validate it against the schema. Flag missing required fields and type mismatches.
Any EOU spec that changed authority_level, blast_radius.forbidden_scope, or removed a validator must have a corresponding approved ECP. Determine prior state from versioning.changelog entries in the spec. Check foundry/self-evolution/ecp/implemented/ for the approved ECP. Flag spec changes with no matching implemented ECP.
For each active EOU: at least one regression fixture must exist in foundry/self-evolution/regression/cases/. Flag EOUs with zero regression coverage.
For each EOU: authority_level must match blast_radius.allowed_scope. An EOU with authority_level: write_candidate or lower must not have allowed_scope containing any of: foundry/constitution.yml, foundry/governance.yml, foundry/registry.yml, foundry/self-evolution/ecp/implemented/, schemas/. Flag any mismatch between authority level and the governance files in the allowed scope.
For each EOU with risk_level: high or critical: escalation.require_human_when must be non-empty and responsibility.approver must be a named human role (not "Claude" or "script"). Flag violations.
For each EOU: purpose.statement must name a concrete failure prevented or decision improved — not a process description. Flag EOUs with purpose statements that describe what the EOU does without naming what failure it prevents.
Write the audit report to foundry/audits/foundry-audits/{YYYYMMDD}.foundry-audit.yml:
audit_date:
findings:
- check: # check category name
severity: # critical | high | medium | low
eou_id: # or "foundry-wide"
description: # what was found
required_fix: # specific change required
summary:
total_findings:
by_severity:
critical:
high:
medium:
low:
pass_rate: # checks passed / total checks
verdict: # PASS | FAIL | CONDITIONAL_PASS
skipped with a reason, not as pass.low-severity warning finding.Audit a generated candidate EOU set for boundary quality, minimality, overlap, authority, operational value, and governance risk.
Audit value_invocations in run traces for EOUs with classification.judgment_authorized:true. Verifies invocations against the captured_workflow's declared priority (no F15), checks for drift over multiple runs (no F16), detects hallucinated value ids (no F17), catches silent decisions on contested cases (F14), and runs counterfactual-swap audit as the V1 anti-theater defense.
Audit EOU specs for Foundry V2 faceted classification, authority limits, schemas, validation, failure modes, trace, blast radius, and responsibility ownership.
Synthesize a Stage 0 captured_workflow (D2.4 step 1–5 outputs + per-app constitutional domain_values layer) from a user goal, structured 5-role reference set, and constraints. For users entering an unfamiliar craft domain who cannot articulate a workflow unaided, and for any user who needs the constitutional layer made explicit before downstream EOU generation begins.
Generate a minimal, ranked candidate EOU set from a messy workflow using Foundry V2 constraints. Candidates are proposal-only and cannot be activated.
Audit a generated candidate EOU set for boundary quality, minimality, overlap, authority, operational value, and governance risk before any candidate advances to specification. <example> Context: A generation run has just produced a candidate set; the owner wants to know which candidates survive audit before promotion. user: "$audit-candidate-eou-set foundry/self-evolution/candidate-sets/cs-generate-eou-candidates-20260520-1430.yml" assistant: "I'll run the eight tests (boundary, non-overlap, minimality, authority, operational value, counter-generation, set composition, high-stakes) and write the audit report under foundry/audits/candidate-set-audits/." </example> <example> Context: User wants to audit a candidate set that contains a generating EOU without a corresponding audit path. user: "$audit-candidate-eou-set ./my-candidates.yml" assistant: "I'll audit. Heads-up that if any candidate has authority_level approve/publish or proposes weakening validators, I'll escalate to FAIL regardless of other test outc