Stats
Actions
Tags
From vibeos
Full audit cycle that dispatches all 8 audit agents (security, architecture, correctness, test quality, evidence, product drift, red team, contract validator), applies consensus logic, and produces a composite report with actionable findings. Use when the user says "audit the code", "review everything", "check for security issues", "do a full review", or wants a comprehensive multi-perspective code review.
How this skill is triggered — by the user, by Claude, or both
Slash command
/vibeos:auditThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Dispatch all 8 audit agents, merge findings with consensus logic, and produce a composite report.
Dispatch all 8 audit agents, merge findings with consensus logic, and produce a composite report.
Follow the full USER-COMMUNICATION-CONTRACT.md (docs/USER-COMMUNICATION-CONTRACT.md). Key rules:
Skill-specific addenda:
Before starting, verify these exist:
project-definition.jsonIf no source code exists, report "No source code to audit" and stop.
If $ARGUMENTS specifies a single auditor name (security, architecture, correctness, test, evidence, product-drift, red-team, contract), run only that auditor. Otherwise, run all 8.
Read project-definition.json for:
Before dispatching any auditor, choose visibility automatically:
bash scripts/select-audit-visibility-mode.sh "${ARGUMENTS:-}"
Read .vibeos/session-state.json after that command and use:
audit_visibility_modeaudit_dispatch_profileaudit_snapshot_refRules:
audit_dispatch_profile is same-tree, dispatch the *-same-tree.md auditor variants.audit_dispatch_profile is worktree, dispatch the standard isolated-worktree auditors.Dispatch the selected audit agents using the chosen visibility mode. Auditors remain read-only in both modes.
Agent dispatch list:
| Agent | File | Model | Purpose |
|---|---|---|---|
| Security | agents/security-auditor.md | sonnet | OWASP Top 10, secrets, injection, PII |
| Architecture | agents/architecture-auditor.md | sonnet | Layer violations, circular deps, boundaries |
| Correctness | agents/correctness-auditor.md | opus | Logic errors, missing error paths, user impact |
| Test Quality | agents/test-auditor.md | sonnet | Spec-first, assertion quality, mock density |
| Evidence | agents/evidence-auditor.md | sonnet | Documentation completeness, tracking accuracy |
| Product Drift | agents/product-drift-auditor.md | sonnet | Product promise drift, experience drift, stale decisions |
| Plan | agents/plan-auditor.md | opus | WO planning correctness, sequencing, canon alignment |
| Red Team | agents/red-team-auditor.md | opus | Adversarial corruption hunting, cheating detection |
| Contract | agents/contract-validator.md | sonnet | Frontend-backend contract verification (cross-boundary only) |
When audit_dispatch_profile is same-tree, replace each agents/<name>.md with agents/<name>-same-tree.md.
For codebases under 15K lines: dispatch each auditor on the full codebase (current behavior).
For codebases over 15K lines: use module-targeted dispatch:
src/gateway/, src/orchestrator/, frontend/src/)For per-WO audits during build: only audit the files changed by this WO (incremental audit), plus their immediate dependencies. Do not audit the full codebase.
Dispatch agents that can run independently in parallel where possible using the visibility mode selected in Step 2. Pass each agent:
project-definition.json pathAs each agent completes, extract its structured findings. Normalize each finding to this format:
{
"id": "[agent]-[N]",
"agent": "[agent name]",
"category": "[finding category]",
"severity": "[critical|high|medium|low|info]",
"file": "[file path]",
"line": "[line number or range]",
"description": "[what was found]",
"recommendation": "[how to fix]",
"confidence": "[high|medium|low]"
}
If an agent fails to complete or returns unparseable output:
Group findings by location (file + line range overlap) and category similarity:
True Positive (high confidence): 2 or more agents flag the same location or same issue pattern.
Warning (review recommended): Exactly 1 agent flags an issue.
Clean: Location checked by multiple agents with no findings.
Write the report to stdout (displayed to user). Format:
## Composite Audit Report
**Date:** [today]
**Scope:** [directories audited]
**audit_visibility_mode:** [same-tree|snapshot|committed-tree|not-applicable]
**audit_snapshot_ref:** [ref|none]
**Auditors dispatched:** [list of 8 or subset]
**Auditors completed:** [count]/[dispatched]
### Executive Summary
- **True positives (2+ auditors agree):** [count]
- **Warnings (single auditor):** [count]
- **Critical findings:** [count]
- **High findings:** [count]
- **Medium findings:** [count]
- **Low/Info findings:** [count]
### Critical & High Findings (Action Required)
| # | Finding | Severity | Consensus | Agents | File | Recommendation |
|---|---|---|---|---|---|---|
| 1 | [description] | [severity] | [true_positive/warning] | [agent list] | [path:line] | [fix] |
### Medium & Low Findings (Review Recommended)
| # | Finding | Severity | Agent | File | Recommendation |
|---|---|---|---|---|---|
| 1 | [description] | [severity] | [agent] | [path:line] | [fix] |
### Auditor Summary
| Auditor | Status | Findings | Top Issue |
|---|---|---|---|
| Security | [complete/failed] | [count] | [top finding or "clean"] |
| Architecture | [complete/failed] | [count] | [top finding or "clean"] |
| Correctness | [complete/failed] | [count] | [top finding or "clean"] |
| Test Quality | [complete/failed] | [count] | [top finding or "clean"] |
| Evidence | [complete/failed] | [count] | [top finding or "clean"] |
| Product Drift | [complete/failed] | [count] | [top finding or "clean"] |
| Plan | [complete/failed] | [count] | [top finding or "clean"] |
| Red Team | [complete/failed] | [count] | [top finding or "clean"] |
| Contract | [complete/failed/skipped] | [count] | [top finding or "clean"] |
### Overall Assessment
[1-3 sentence plain English assessment of project health]
**Recommendation:** [pass/conditional pass/fail]
- pass: No critical or high findings
- conditional pass: High findings exist but are addressable
- fail: Critical findings that must be fixed before proceeding
If this audit was triggered from /vibeos:build, save the report to .vibeos/audit-reports/[WO-NNN]-[timestamp].md for the build log to reference.
Create the directory if it doesn't exist:
mkdir -p .vibeos/audit-reports
After saving the report, register it so session-end closure gates validate the correct report:
bash scripts/register-audit-report.sh ".vibeos/audit-reports/[WO-NNN]-[timestamp].md"
When $ARGUMENTS specifies a single auditor:
project-definition.jsonnpx claudepluginhub chieflatif/vibeos-plugin --plugin vibeosRuns mechanical checks (build, typecheck, lint, tests, secrets scan) then dispatches specialist reviewers and produces a scored codebase health report. Use for code quality, security, or performance audits.
Iterative multi-agent code audit that detects project shape and risk signals, runs role-scoped reviewers, consolidates findings with a false-positive contract, and fixes critical/high issues in batches until clean.
Runs codebase audits (health, evaluation, documentation) with parallel agents, producing intake docs for a pipeline run.