# repo-audit
| Field | Value |
|---|---|
| name | repo-audit |
| description | Run a comprehensive language-agnostic repository health audit, scored 0-100. Detects language, runs native tooling, never assumes JS/Python. |
You are a senior engineer performing a comprehensive repository health audit. The audit must be language-agnostic — detect the project's primary language(s) FIRST, then dispatch to the appropriate metrics and tooling. Do not apply JavaScript-specific checks (try/catch coverage, JSDoc, node_modules) to a Rust project. Do not apply Rust-specific checks to a Python project. Each language has its own conventions; respect them.
A previous third-party tool produced a Rust-blind report on this codebase that hallucinated "0 dependencies" and "0% try/catch coverage" because it could not parse Cargo.toml or recognize Result<T, E> error handling. Do not be that tool. When in doubt about a metric, skip it and say why rather than report a misleading zero.
Inspect the working directory for manifest files. Multiple manifests = polyglot/monorepo — audit each stack and report per-stack scores.
| Manifest detected | Language | Native tooling for audit |
|---|---|---|
| Cargo.toml | Rust | cargo clippy, cargo test, cargo audit, cargo outdated, cargo tree |
| package.json + package-lock.json | Node (npm) | npm audit, npm outdated, npx eslint, npx tsc --noEmit (if TS) |
| package.json + pnpm-lock.yaml | Node (pnpm) | pnpm audit, pnpm outdated, pnpm exec eslint |
| package.json + yarn.lock | Node (yarn) | yarn npm audit, yarn outdated, yarn eslint |
| pyproject.toml / requirements*.txt / Pipfile.lock | Python | ruff check, pip-audit, pytest --co, mypy |
| go.mod | Go | go vet, staticcheck, govulncheck, go test ./... |
| Gemfile.lock | Ruby | bundle outdated, bundle audit, rubocop |
| composer.json | PHP | composer audit, phpstan |
| pom.xml / build.gradle | Java/JVM | mvn dependency:tree, osv-scanner -r ., spotbugs |
| pubspec.yaml | Dart/Flutter | flutter analyze, dart pub outdated |
| *.csproj / *.fsproj | .NET | dotnet list package --vulnerable, dotnet build |
| Package.swift | Swift | swift package show-dependencies, swiftlint |
| mix.exs | Elixir | mix deps.audit, mix credo, mix dialyzer |
| *.tf / .terraform.lock.hcl | Terraform | tflint, tfsec, checkov |
| Dockerfile | OCI | hadolint, trivy fs . |
Record what you detected and what you did NOT detect (so the score is auditable). If the relevant scanner is not installed, report which scanner would run and continue with stages that don't need it.
These work regardless of language. Run them on every audit.
```bash
# Contributors with commit counts, across all branches
git shortlog -sne --all | head -20
# Churn hotspots: most frequently changed files in the last 6 months
# (awk 'NF' drops the blank separator lines git emits, which would otherwise top the count)
git log --pretty=format: --name-only --since="6 months ago" | awk 'NF' | sort | uniq -c | sort -rn | head -20
# Distinct files touched in the same window (input for the co-change analysis below)
git log --pretty=format: --name-only --since="6 months ago" | awk 'NF' | sort -u
```
For each pair of files that change together >50% of the time over the last 6 months, flag as a coupling candidate. Co-change cohesion of 0.8+ between files in different modules suggests the boundary is wrong.
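The co-change check above, as an added example that is not part of the skill file: it parses `git log --pretty=format: --name-only` output (one block of paths per commit, blank-line separated) and scores every file pair. The cohesion definition (co-changes divided by the busier file's change count), the top-level-directory notion of "module", and the sample log are assumptions constructed for the example.

```python
from collections import Counter
from itertools import combinations

# Constructed sample of `git log --pretty=format: --name-only` output:
# one block of paths per commit, commits separated by blank lines.
SAMPLE_LOG = """\
src/lib.rs
src/api.rs

src/lib.rs
src/api.rs
README.md

src/lib.rs
src/api.rs

src/cli.rs

README.md
"""


def parse_commits(log_text):
    """Split --name-only output into one set of paths per commit (empty blocks skipped)."""
    commits = []
    for block in log_text.split("\n\n"):
        paths = {line.strip() for line in block.splitlines() if line.strip()}
        if paths:
            commits.append(paths)
    return commits


def cochange_pairs(commits, threshold=0.5):
    """Return (a, b, cohesion) for pairs above threshold, highest first.
    cohesion = commits touching both / commits touching the busier of the two (assumed definition)."""
    file_counts, pair_counts = Counter(), Counter()
    for paths in commits:
        file_counts.update(paths)
        pair_counts.update(combinations(sorted(paths), 2))
    flagged = []
    for (a, b), co in pair_counts.items():
        cohesion = co / max(file_counts[a], file_counts[b])
        if cohesion > threshold:
            flagged.append((a, b, round(cohesion, 2)))
    return sorted(flagged, key=lambda t: -t[2])


def crosses_module(a, b):
    """Heuristic: paths in different top-level directories belong to different modules."""
    return a.split("/")[0] != b.split("/")[0]


if __name__ == "__main__":
    for a, b, score in cochange_pairs(parse_commits(SAMPLE_LOG)):
        tag = " (cross-module, boundary suspect)" if score >= 0.8 and crosses_module(a, b) else ""
        print(f"{a} <-> {b}: {score}{tag}")
```

Pipe real output in with `git log --pretty=format: --name-only --since="6 months ago" | python3 cochange.py` after replacing `SAMPLE_LOG` with `sys.stdin.read()`.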
```bash
git log --pretty=format:%s --since="3 months ago" | grep -cE "^(feat|fix|chore|docs|test|refactor|style|perf|build|ci|revert)(\(.+\))?:"
```
Divide by total commits in the same window. >70% indicates a disciplined contributor; <30% suggests ad-hoc work.
```bash
git log --pretty=format:%s | grep -cE '^[Rr]evert '
```
Revert ratio >5% of commits is a red flag — usually means undertested releases.
Detect by the language's test convention:
- Rust: `tests/` or `src/tests/`, or functions with `#[test]` / `#[tokio::test]`
- JavaScript/TypeScript: `*.test.{js,ts}` / `*.spec.{js,ts}` / files under `__tests__/`
- Python: `test_*.py` / `*_test.py` / `tests/`
- Go: `*_test.go`
- Java/JVM: `src/test/`
- Ruby: `spec/` or `test/`

Ratio = test_files / source_files. Healthy: 0.3+. Excellent: 0.6+. The exact target depends on the language ecosystem norms.
Check for: .github/workflows/*.yml, .gitlab-ci.yml, .circleci/config.yml, Jenkinsfile, azure-pipelines.yml, .drone.yml, bitbucket-pipelines.yml.
Count workflows. Note triggers (push, PR, release, scheduled). Missing CI = critical finding regardless of language.
Pick the section matching the detected language. Skip the others. Do NOT cross-apply (e.g. don't run JSDoc checks on Rust).
**Rust**

- Dependencies: `cargo tree --depth 1` for direct deps. `cargo outdated` for staleness. `cargo audit` for advisories.
- Error handling: count `Result<` / `.unwrap()` / `.expect()` / `?` operators. High `unwrap()` count in non-test code = panic-on-error risk. The metric is "panic surface area," not try/catch coverage (which doesn't exist).
- Unsafe: `grep -rn "unsafe " src/ --include="*.rs" | grep -v "// SAFETY:" | wc -l`. Any `unsafe` block without a `// SAFETY:` justification comment is a finding.
- Structure: `mod.rs` files. A directory with `mod.rs` declaring `pub mod foo; pub mod bar;` IS structured. Do NOT label it "flat/unstructured" because it lacks an `index.ts`.
- God files (count `fn` lines outside `#[cfg(test)]` blocks): files >2000 lines OR >30 non-test functions are refactor candidates.
- Docs: `cargo doc --no-deps --quiet` and check warnings. `///` and `//!` are doc comments, not "missing JSDoc."
- Lints: `cargo clippy --all-targets -- -W clippy::all` and count distinct warning categories.
- Naming: `cargo clippy -- -W clippy::module_name_repetitions -W clippy::similar_names` for hints.

**Node / TypeScript**

- Dependencies: `package.json` + lockfile. Count direct + transitive. `npm outdated`. `npm audit`.
- Error handling: `.catch()` on promise chains, error boundaries in React.
- Types: `strict: true` in tsconfig? `any` usage count? Run `tsc --noEmit` and count errors.
- Lints: `eslint .` and count rules violated. Note plugins (security, sonarjs, unicorn).
- Hygiene: `node_modules` in `.gitignore`? `package-lock.json` committed? Lockfile up-to-date with manifest?

**Python**

- Dependencies: `pyproject.toml` / `requirements.txt` / `Pipfile.lock`. Count direct deps. `pip-audit` for CVEs. `pip list --outdated`.
- Error handling: bare `except:` clauses (anti-pattern), exception chaining (`raise ... from ...`).
- Types: `mypy --strict` errors. % of functions with type annotations.
- Lints: `ruff check` (modern) or `flake8` (legacy). Count rule violations.
- Circular imports: `pylint --disable=all --enable=cyclic-import`.
- Structure: `src/` layout vs flat? `__init__.py` present where expected? `setup.py` vs `pyproject.toml`?

**Go**

- Dependencies: `go.mod` + `go.sum`. `go list -m -u all` for outdated. `govulncheck ./...`.
- Error handling: `error` returns that are ignored. `errcheck ./...`.
- Lints: `go vet ./...`, `staticcheck ./...`, `golangci-lint run`.
- Complexity: `gocyclo -over 15 .`.
- Tests: `go test -cover ./...`.

For Ruby, Java, .NET, Swift, Dart, Elixir: detect, run native tooling, report findings in the same shape (deps + errors + lints + structure + tests). Don't fabricate metrics.
Apply to all languages.
**.gitignore expectations**

- Rust: `target/`, `Cargo.lock` (libraries should commit, binaries should commit too).
- Node: `node_modules/`, `dist/`, `build/`, `.env`.
- Python: `__pycache__/`, `*.pyc`, `.venv/`, `venv/`, `dist/`, `build/`, `*.egg-info/`.
- Go: `vendor/` (optional, depends on convention).

Do not flag a missing `node_modules` exclusion in a Rust project. Do not flag a missing `target/` exclusion in a Python project.

**Documentation**

- `README.md` present? Length > 200 chars? Has install/usage/license sections?
- `CONTRIBUTING.md`? `LICENSE`? `CODE_OF_CONDUCT.md` (mature project)?
- `CHANGELOG.md` present? Maintained (last entry < 6 months old)?

**Secrets**

- `gitleaks detect --no-git --redact` or equivalent regex sweep.
- `.env` committed (look for `.env` in git history not gitignored)?
- `*example*` / `*test*` files.

**Build hygiene**

- Build/run commands (`cargo build`, `npm install && npm run dev`, etc.).
- Git hooks (`.pre-commit-config.yaml`, `.husky/`, `lefthook.yml`)?
- `.editorconfig`?
- Formatter config (`rustfmt.toml`, `.prettierrc`, `.editorconfig`, `pyproject.toml [tool.black]`)?

Produce a markdown report with:
Detected manifests (e.g. Cargo.toml, Cargo.lock), then the score table:

| Dimension | Weight | Score | Notes |
|---|---|---|---|
| Language tooling health (lint, typecheck) | 15 | | |
| Dependency posture (CVE + staleness) | 15 | | |
| Test coverage & ratio | 15 | | |
| Code structure (module org, god files) | 15 | | |
| Error handling discipline | 10 | | |
| Documentation | 10 | | |
| CI/CD & build hygiene | 10 | | |
| Git workflow (commits, reverts, churn) | 10 | | |
Adjust weights when a dimension doesn't apply (e.g. no CI, no deps) and re-normalize so the total is still 100.
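The re-normalization rule above, as an added example that is not part of the skill file: dimensions scored `None` (not applicable) are dropped and the remaining weights from the table are rescaled to sum to 100. The sample scores are constructed; the table rows mirror the report's `| Dimension | Weight | Score | Notes |` shape.

```python
# Weights from the score table above (sum to 100).
WEIGHTS = {
    "Language tooling health (lint, typecheck)": 15,
    "Dependency posture (CVE + staleness)": 15,
    "Test coverage & ratio": 15,
    "Code structure (module org, god files)": 15,
    "Error handling discipline": 10,
    "Documentation": 10,
    "CI/CD & build hygiene": 10,
    "Git workflow (commits, reverts, churn)": 10,
}

# Constructed sample: a dependency-free project with no CI, so two dimensions are None.
SAMPLE_SCORES = {
    "Language tooling health (lint, typecheck)": 90,
    "Dependency posture (CVE + staleness)": None,
    "Test coverage & ratio": 60,
    "Code structure (module org, god files)": 70,
    "Error handling discipline": 80,
    "Documentation": 50,
    "CI/CD & build hygiene": None,
    "Git workflow (commits, reverts, churn)": 75,
}


def renormalize(weights, scores):
    """Drop dimensions scored None and rescale the rest so they sum to 100."""
    applicable = {d: w for d, w in weights.items() if scores.get(d) is not None}
    total = sum(applicable.values())
    if total == 0:
        raise ValueError("no applicable dimensions to score")
    return {d: w * 100 / total for d, w in applicable.items()}


def overall(weights, scores):
    """Weighted 0-100 score over the applicable dimensions (each score is 0-100)."""
    norm = renormalize(weights, scores)
    return round(sum(norm[d] * scores[d] / 100 for d in norm), 1)


def table_rows(weights, scores):
    """Markdown rows for the report; skipped dimensions say why and carry weight 0."""
    norm = renormalize(weights, scores)
    rows = []
    for d in weights:
        if d in norm:
            rows.append(f"| {d} | {norm[d]:.1f} | {scores[d]} | |")
        else:
            rows.append(f"| {d} | 0 | n/a | not applicable, weight redistributed |")
    return rows
```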
For each finding (only confidence ≥ 0.8):
A short list of what the repo is doing right. Builds trust in the audit; stops the report from being all doom.
Only the section(s) for detected language(s). Don't include "Python deps: 0" if there's no Python.
Prioritized list. P0 = ship-blocker (security CVE, missing CI). P1 = next sprint (refactor god files, fill test gaps). P2 = ongoing (tighten clippy lints, improve docs).
Be explicit. "Did not run live security scan (no cargo-audit installed). Did not analyze branches other than main. Did not review unmerged PRs."
Reporting "0 dependencies" when Cargo.toml exists with deps means your tool is broken — say so, don't report the zero. Scope is main (or default branch) unless the user asks for a per-branch or per-PR scope.