{"skill":{"slug":"agent-skills-audit","displayName":"Audit Code","summary":"Run a two-pass, multidisciplinary code audit led by a tie-breaker lead, combining security, performance, UX, DX, and edge-case analysis into one prioritized report with concrete fixes. Use when the user asks to audit code, perform a deep review, stress-test a codebase, or produce a risk-ranked remediation plan across backend, frontend, APIs, infra scripts, and product flows.","description":"---\nname: audit-code\ndescription: Run a two-pass, multidisciplinary code audit led by a tie-breaker lead, combining security, performance, UX, DX, and edge-case analysis into one prioritized report with concrete fixes. Use when the user asks to audit code, perform a deep review, stress-test a codebase, or produce a risk-ranked remediation plan across backend, frontend, APIs, infra scripts, and product flows.\n---\n\n# Audit Code\n\n## Overview\n\nRun an expert-panel audit with strict sequencing and one unified output document.\nProduce findings first, sorted by severity, with file references, exploit/perf/flow impact, and actionable fixes.\n\nLoad `references/audit-framework.md` before starting the analysis.\n\n## Required Inputs\n\nCollect or infer the following:\n- Audit scope: paths, modules, PR diff, or whole repository.\n- Product context: PRD/spec/user stories, trust boundaries, and critical business flows.\n- Runtime context: deployment model, queue/cron/background jobs, traffic profile, data sensitivity, and abuse assumptions.\n- Constraints: timeline, acceptable risk, and preferred remediation style.\n\nIf product context is missing, state assumptions explicitly and continue.\n\n## Team Roles\n\nUse exactly these roles:\n- Security expert\n- Performance expert\n- UX expert\n- DX expert\n- Edge case master\n- Tie-breaker team lead\n\nThe tie-breaker lead resolves conflicts, prioritizes issues, and produces the final single report.\n\n## Workflow\n\nFollow this sequence every time:\n\n1. Build Context\nRead code + product flows. Identify assets, entry points, high-risk operations, privileged actions, external dependencies, and \"failure hurts\" journeys.\n\n2. Build Invariant Coverage Matrix\nBefore specialist pass 1, map critical invariants to every mutating path (HTTP routes, webhooks, async jobs, scripts):\n- Data-link invariants: multi-table relationships that must remain consistent.\n- Auth lifecycle invariants: disable/revoke semantics for sessions/tokens/API keys.\n- Input/transport invariants: validation, content-type policy, body-size/parse behavior.\n- Shape invariants: trees/graphs must reject cycles where applicable.\nTreat missing parity across equivalent paths as a finding candidate.\n\n3. Pass 1 Specialist Reviews\nRun role-specific analysis in this order:\n- Security\n- Performance\n- UX\n- DX\n- Edge case master\nCapture findings using the schema in `references/audit-framework.md`.\n\n4. Tie-Breaker Reconciliation\nResolve disagreements:\n- Decide whether contested items are true issues.\n- Set severity and confidence.\n- Remove duplicates and merge overlapping findings.\n\n5. Cross-Review Pass 2\nAfter edge-case findings, rerun specialists:\n- Security/Performance/UX/DX reassess prior findings and new edge-triggered scenarios.\n- Edge case master performs a final pass on residual risk after proposed mitigations.\n\n6. Final Report\nPublish one document from the tie-breaker lead with:\n- Findings first (ordered by severity, then blast radius, then exploitability).\n- Open questions/assumptions.\n- Remediation plan with priority, owner type, and verification tests.\n- Short executive summary at the end.\n\n## Quality Bar\n\nEnforce these requirements:\n- Use concrete evidence with file references and line numbers where available.\n- Include reproduction steps for security/performance/edge findings when feasible.\n- Prefer actionable fixes over abstract advice.\n- Separate confirmed defects from speculative risks.\n- Mark confidence for each finding.\n- Run a cross-route consistency sweep: equivalent endpoints/jobs must enforce equivalent invariants.\n- For each High/Critical finding, include at least one focused regression test/check.\n\n## Safety and Policy Guardrails\n\nApply these guardrails while auditing:\n- Do not provide operational abuse instructions or exploit weaponization details.\n- Evaluate manipulative UX patterns as legal/trust/reputation risk, not as recommended growth tactics.\n- Prioritize user safety, system integrity, and maintainable engineering outcomes.\n\n## Output Format\n\nFollow this response structure:\n\n1. Findings\nList only validated issues. Use the finding schema in `references/audit-framework.md`.\n\n2. Open Questions / Assumptions\nState missing context that could change priority or validity.\n\n3. Change Summary\nSummarize high-impact remediation themes in a few lines.\n\n4. Suggested Verification\nList focused tests/checks to confirm each major fix.\n\n## Runtime Heuristics\n\nWhen the target stack is Bun + SQLite, apply the runtime-specific checklist in `references/audit-framework.md` (`Runtime-Specific Heuristics (Bun + SQLite)`) before finalizing findings.\n","tags":{"latest":"0.1.0"},"stats":{"comments":0,"downloads":2164,"installsAllTime":81,"installsCurrent":5,"stars":0,"versions":1},"createdAt":1770643402369,"updatedAt":1778486231449},"latestVersion":{"version":"0.1.0","createdAt":1770643402369,"changelog":"- Initial release of the \"audit-code\" skill for multidisciplinary code auditing.\n- Runs a structured, two-pass expert review covering security, performance, UX, DX, and edge cases, led by a tie-breaker.\n- Produces one unified, prioritized report with actionable fixes and verification steps.\n- Includes required input collection, strict team roles, and a sequenced workflow with cross-discipline reconciliation.\n- Enforces concrete evidence, parity checks across routes, and safety guardrails.\n- Adds stack-specific heuristics for Bun + SQLite environments.","license":null},"metadata":null,"owner":{"handle":"swader","userId":"s176dnz81fnsardqm19jev3dps884pax","displayName":"Swader","image":"https://avatars.githubusercontent.com/u/1430603?v=4"},"moderation":{"isSuspicious":false,"isMalwareBlocked":false,"verdict":"clean","reasonCodes":["review.llm_review"],"summary":"Review: review.llm_review","engineVersion":"v2.4.24","updatedAt":1779962562980}}