From vibeaudit
Write or regenerate AUDIT_REPORT.md from cached findings. Does not re-run analysis — reads from the findings cache.
Slash command
/vibeaudit:audit-report
# Command: /audit:report

## Usage

```
/audit:report
```

---

## Auto-Update

Before anything else, pull the latest plugin code:

```bash
bash "${HOME}/.claude/plugins/vibeaudit/scripts/auto-update.sh"
```

This is silent and non-blocking — if the network is unavailable or the pull fails, the report continues with the current version.

---

## Execution

### Step 1 — Read Cache and State

Read both files:

```bash
cat .claude/vibeaudit/findings-cache.json
cat .claude/vibeaudit/state.json
```

`findings-cache.json` contains all findings from the last audit, keyed by file path.
`state.json` contains audit metadata: date, stack detected, file counts, previous state hash.

If either file is missing, print:

```
No audit data found. Run /audit or /audit:full first to generate findings.
```

Then stop.
Read package.json for the name field. If not found, use the directory name of the current working directory.
Date: You MUST run this command and use its output as the report date:
```bash
date +"%Y-%m-%d"
```
⚠️ Do NOT use the auditedAt field from state.json — that is a UTC cache timestamp, not the report date. Do NOT hardcode any date. Always run the command above and use its output verbatim in both the header line and the footer.
Write the file to the project root using this exact structure:
# vibeAudit — [Project Name]
*[output of `date +"%Y-%m-%d"`] · [Stack: Next.js, Supabase, Stripe] · [N new + M cached files]*
---
## Summary
| | Severity | Count |
|---|------------|------:|
| 🔴 | Critical | N |
| 🟠 | High | N |
| 🟡 | Medium | N |
| 🟢 | Low | N |
| ℹ️ | Info | N |
| | **Total** | **N** |
> ⛔ **N ship-blockers detected.** Do not deploy until all Critical findings are resolved.
[Omit the callout line if Critical count is 0]
---
## 🔴 Critical
### [Short human-readable title — 5–10 words derived from description]
> `[Security]` · `path/to/file.ts:LINE`
[One to two sentences: what is wrong, why it is exploitable, what an attacker can do.]
```ts
// concrete remediation — copy-pasteable
```

[repeat for each Critical finding]

## 🟠 High

### [Short human-readable title]

> `[Category]` · `path/to/file.ts:LINE`

[Description]

```ts
// Fix
```

[repeat; same pattern for 🟡 Medium, 🟢 Low, ℹ️ Info]

[Only include if state.json has a previous_state_hash and the previous cache exists. Omit entirely otherwise.]

path/to/file.ts:LINE — Description

Generated by vibeAudit · [output of `date +"%Y-%m-%d"`]
---
### Grouping Rules
Within each severity section:
1. Group by category: Security first, then Performance, then Quality, then Compliance, then Documentation, then Testing.
2. Within each category, sort by file path alphabetically.
3. Use a `###` heading for each finding with a short human-readable title (5–10 words from the description).
4. The `> \`[Category]\` · \`file:LINE\`` blockquote is the location line — always the first element under the heading.
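
One deterministic way to apply the grouping rules above, added here as an example and not part of the vibeaudit plugin. The cache schema (a path-keyed dict of findings with `severity`, `category`, `line` and `description`) and the function names are assumptions; the page only states that the cache is keyed by file path.

```python
# Added example: deterministic section ordering for AUDIT_REPORT.md.
# ASSUMPTION: cache maps file path -> list of findings with the keys
# "severity", "category", "line", "description" (hypothetical field names).

SEVERITIES = ["Critical", "High", "Medium", "Low", "Info"]
CATEGORIES = ["Security", "Performance", "Quality",
              "Compliance", "Documentation", "Testing"]


def order_findings(cache):
    """Return {severity: [finding, ...]} ordered per the Grouping Rules."""
    flat = [dict(f, path=path) for path, items in cache.items() for f in items]
    for f in flat:
        if f["severity"] not in SEVERITIES or f["category"] not in CATEGORIES:
            # Fail closed: an unknown label must not silently drop a finding.
            raise ValueError(f"unknown severity/category in {f['path']}: {f}")
    sections = {}
    for sev in SEVERITIES:
        rows = [f for f in flat if f["severity"] == sev]
        # Rule 1: category order. Rule 2: file path. Line number is an
        # added tie-break so repeated runs produce identical output.
        rows.sort(key=lambda f: (CATEGORIES.index(f["category"]),
                                 f["path"], f["line"]))
        if rows:  # severities with zero findings get no section
            sections[sev] = rows
    return sections


def location_line(f):
    """Rule 4: the blockquote that comes first under each ### heading."""
    return f"> `[{f['category']}]` · `{f['path']}:{f['line']}`"


# Constructed sample cache (not real audit output).
SAMPLE_CACHE = {
    "src/lib/db.ts": [
        {"severity": "High", "category": "Performance", "line": 88,
         "description": "N+1 query in user activity feed"}],
    "src/app/api/webhook/route.ts": [
        {"severity": "Critical", "category": "Security", "line": 12,
         "description": "Missing Stripe webhook signature verification"},
        {"severity": "High", "category": "Quality", "line": 40,
         "description": "Swallowed error hides payment mutation failures"}],
    "src/auth/jwt.ts": [
        {"severity": "High", "category": "Security", "line": 5,
         "description": "JWT secret hardcoded in source"}],
}
```
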
### Finding Title Derivation
Generate a concise action-phrase title from the description. Examples:
- `Missing Stripe webhook signature verification`
- `N+1 query in user activity feed`
- `Swallowed error hides payment mutation failures`
- `JWT secret hardcoded in source`
Do not use the raw emit string (`🔴 CRITICAL | Security | src/...`) as a title.
### Severity Emojis — Mandatory
Every severity section heading MUST include its emoji prefix exactly as shown:
- `## 🔴 Critical` (not `## Critical`)
- `## 🟠 High` (not `## High`)
- `## 🟡 Medium` (not `## Medium`)
- `## 🟢 Low` (not `## Low`)
- `## ℹ️ Info` (not `## Info`)
The Summary table MUST also include the emoji column. The emojis are part of the format — never omit them.
### Empty Sections
Omit any severity section entirely if it has zero findings. Do not write `## 🟢 Low` with nothing under it.
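
Because the report is written by a model following prose rules, a post-write lint is a useful gate. The check below is an added example, not part of the vibeaudit plugin; `lint_report` is a hypothetical name, and the heading, summary-row and callout shapes it expects are taken from the template on this page.

```python
# Added example: lint a generated AUDIT_REPORT.md against the format rules.
EMOJI = {"Critical": "🔴", "High": "🟠", "Medium": "🟡", "Low": "🟢", "Info": "ℹ️"}


def lint_report(text):
    """Return a list of rule violations; an empty list means the report passes."""
    problems, counts = [], {}
    lines = text.splitlines()
    for line in lines:  # Summary rows look like "| 🔴 | Critical | 2 |"
        cells = []
        if line.startswith("|"):
            cells = [c.strip() for c in line.strip("| ").split("|")]
        name = next((c for c in cells if c in EMOJI), None)
        if name and cells[-1].isdigit():
            counts[name] = int(cells[-1])
            if EMOJI[name] not in cells:
                problems.append(f"summary row for {name} is missing its emoji")
    heads = [i for i, l in enumerate(lines) if l.startswith("## ")]
    for n, i in enumerate(heads):
        title = lines[i][3:].strip()
        name = title.split()[-1] if title else ""
        if name not in EMOJI:
            continue  # "## Summary" and other non-severity headings
        if title != f"{EMOJI[name]} {name}":
            problems.append(f"heading {lines[i]!r} lacks the {EMOJI[name]} prefix")
        end = heads[n + 1] if n + 1 < len(heads) else len(lines)
        found = sum(l.startswith("### ") for l in lines[i + 1:end])
        if found == 0:
            problems.append(f"{name} section is empty and must be omitted")
        elif counts.get(name) != found:
            problems.append(f"{name}: summary says {counts.get(name)}, section has {found}")
    callout = any(l.startswith("> ⛔") for l in lines)
    if callout != (counts.get("Critical", 0) > 0):
        problems.append("ship-blocker callout must appear only when Critical > 0")
    return problems


# Constructed sample reports (not real audit output).
GOOD = """## Summary
| | Severity | Count |
|---|---|---:|
| 🔴 | Critical | 1 |
| 🟢 | Low | 0 |
> ⛔ **1 ship-blockers detected.** Do not deploy until all Critical findings are resolved.
## 🔴 Critical
### JWT secret hardcoded in source
> `[Security]` · `src/auth/jwt.ts:5`
"""
BAD = GOOD.replace("## 🔴 Critical", "## Critical").replace("> ⛔", "> note:") + "## 🟢 Low\n"
```

The count cross-check catches a summary table that disagrees with the sections beneath it, which would otherwise let a Critical finding go uncounted in the ship-blocker line.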
---
## Confirmation
After writing the file, print:
```
AUDIT_REPORT.md written. [N] findings across [severity levels present].
```
npx claudepluginhub shankulkarni/claude-plugin-marketplace --plugin vibeaudit