From devrites
Read-only audit dispatch for the active feature on the requested axis — security (OWASP, trust boundary, secrets), perf (measure-first, N+1, CWV), or simplify (Chesterton's Fence, deletion test). Use when the user says "security review", "is this safe", "is this fast enough", "perf check", "N+1", "simplify this", "Chesterton's Fence". Not for write actions or whole-project audits.
Slash command: `/devrites:devrites-audit <security | perf | simplify>`
Dispatch one read-only review subagent against the active feature's workspace + diff. The subagent runs in **fresh context** (no author anchoring) and returns labeled findings. The caller (`/rite-polish` Phase 1, `/rite-review`, or the user) acts on them — this skill returns the subagent's report verbatim.
This is the inline single-axis pass used during build / polish — one axis at a time, on demand, where a quick read keeps a slice honest. It is intentionally distinct from the seal/review gate, where the reviewer agents fan out in parallel across all relevant axes in their own fresh contexts (see /rite-seal). Same agents, different role: the audit is a cheap mid-flight check; the seal fan-out is the blocking gate. Both reading the same agent disciplines is the point, not a divergence.
Why a subagent rather than inline: an adversarial reviewer with no author context is more likely to find what's wrong. Anthropic bug #49559 leaves `context: fork` silently inline under plugin install, so Task dispatch is the reliable path under both plugin and bash installs.
$ARGUMENTS picks the axis. If the caller did not pass one, infer from intent and confirm with the user before dispatch.
| Axis | Subagent (`.claude/agents/`) | Discipline |
|---|---|---|
| security | devrites-security-auditor | OWASP Top 10; three-tier trust boundary (untrusted → boundary → trusted); secrets handling; dependency risk. A real auth-bypass / data-exposure / injection is Critical → NO-GO at seal. |
| perf | devrites-performance-reviewer | Measure-first: no claim without a number or a specified measurement. N+1s, hot-path work, payload/bundle size, Core Web Vitals risks. Breach of a stated spec.md budget is Important/Critical. |
| simplify | devrites-simplifier-reviewer | Behavior-preserving simplification: guard clauses, Extract Method, simplify conditionals, the deletion-test heuristic, Chesterton's Fence. Findings are Suggestion / Nit / FYI — no behavior change. |
Before dispatching:

1. Read `.devrites/ACTIVE` to resolve the active feature `<slug>`.
2. Confirm `.devrites/work/<slug>/touched-files.md` and `spec.md` exist. If missing → STOP and tell the caller the feature has no recorded diff or spec yet.
3. Use the Task tool to launch the chosen subagent with this prompt shape (axis-specific reads in `Read:`):

```text
Audit the active DevRites feature on the <axis> axis.
Workspace: .devrites/work/<slug>/
Read:
- spec.md (acceptance criteria; for perf: any perf budget; for security: data model + affected areas)
- decisions.md (if present)
- evidence.md (existing measurements, for perf)
- touched-files.md
Run `git diff` and read the listed touched files. Apply your documented
discipline and return labeled findings (Critical / Important / Suggestion /
Nit / FYI) using your documented output format. ONE FINDING PER LINE,
cite file:line.
Feature scope only. No edits. Do not summarize or re-rank — the caller
reconciles.
```
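The three preflight steps and the brief rendering, as an added example (not the devrites plugin's own code). It resolves the slug from `.devrites/ACTIVE`, refuses a path-like slug before it is spliced into `.devrites/work/<slug>/`, stops when `spec.md` or `touched-files.md` is missing, and renders the prompt shape above listing only the reads that actually exist (evidence.md only on the perf axis). The in-memory `files` mapping, `load_tree`, `dispatch_plan`, `preflight_error` and `SAMPLE_FILES` are assumptions made for this example; the real skill runs the same checks through the Claude tool calls.

```python
"""Preflight and brief rendering for one single-axis devrites audit dispatch.

Added example, not the devrites plugin's own code. `files` is an assumed
in-memory mapping {path relative to .devrites/: text} so the logic runs
without a checkout; `load_tree` builds that mapping from a real tree.
"""
from __future__ import annotations

from pathlib import Path

# Axis -> subagent name, as in the table above.
AXES = {
    "security": "devrites-security-auditor",
    "perf": "devrites-performance-reviewer",
    "simplify": "devrites-simplifier-reviewer",
}
REQUIRED = ("spec.md", "touched-files.md")  # absent -> no recorded diff/spec -> STOP
READ_ORDER = ("spec.md", "decisions.md", "evidence.md", "touched-files.md")
# Why each read is listed in the brief; spec.md's note depends on the axis.
READ_NOTES = {
    "spec.md": {
        "security": "acceptance criteria; data model + affected areas",
        "perf": "acceptance criteria; any perf budget",
        "simplify": "acceptance criteria",
    },
    "decisions.md": "if present",
    "evidence.md": "existing measurements",
    "touched-files.md": "",
}

# Constructed sample workspace (assumption): one feature, no decisions.md.
SAMPLE_FILES = {
    "ACTIVE": "login-rate-limit\n",
    "work/login-rate-limit/spec.md": "# Spec\nPerf budget: p95 login < 200ms\n",
    "work/login-rate-limit/touched-files.md": "- src/auth/login.py\n",
    "work/login-rate-limit/evidence.md": "baseline p95 = 180ms\n",
}


class PreflightError(Exception):
    """Raised when the caller should STOP instead of dispatching."""


def load_tree(root: Path) -> dict[str, str]:
    """Build the {relative path: text} mapping from a real .devrites/ directory."""
    base = root / ".devrites"
    return {p.relative_to(base).as_posix(): p.read_text() for p in base.rglob("*") if p.is_file()}


def resolve_slug(files: dict[str, str]) -> str:
    """First line of ACTIVE is the slug; it becomes a path segment, so refuse anything path-like."""
    raw = files.get("ACTIVE", "").strip()
    if not raw:
        raise PreflightError("no active feature: .devrites/ACTIVE is missing or empty")
    slug = raw.splitlines()[0].strip()
    if "/" in slug or "\\" in slug or ".." in slug or slug.startswith("."):
        raise PreflightError(f"refusing path-like slug {slug!r}")
    return slug


def preflight(files: dict[str, str], axis: str) -> tuple[str, str, list[str]]:
    """Return (slug, subagent, reads present) or raise PreflightError."""
    if axis not in AXES:
        raise PreflightError(f"unknown axis {axis!r}; expected one of {sorted(AXES)}")
    slug = resolve_slug(files)
    ws = f"work/{slug}/"
    missing = [name for name in REQUIRED if ws + name not in files]
    if missing:
        raise PreflightError(
            f"feature {slug!r} has no recorded diff or spec yet (missing {', '.join(missing)})"
        )
    wanted = [name for name in READ_ORDER if axis == "perf" or name != "evidence.md"]
    return slug, AXES[axis], [name for name in wanted if ws + name in files]


def build_brief(axis: str, slug: str, reads: list[str]) -> str:
    """Render the prompt shape above, with only the reads that exist."""
    lines = [f"Audit the active DevRites feature on the {axis} axis.", f"Workspace: .devrites/work/{slug}/", "Read:"]
    for name in reads:
        note = READ_NOTES[name]
        note = note[axis] if isinstance(note, dict) else note
        lines.append(f"- {name}" + (f" ({note})" if note else ""))
    lines += [
        "Run `git diff` and read the listed touched files. Apply your documented",
        "discipline and return labeled findings (Critical / Important / Suggestion /",
        "Nit / FYI) using your documented output format. ONE FINDING PER LINE,",
        "cite file:line.",
        "Feature scope only. No edits. Do not summarize or re-rank - the caller",
        "reconciles.",
    ]
    return "\n".join(lines)


def dispatch_plan(files: dict[str, str], axis: str) -> dict[str, str]:
    """What to launch and with which brief, or PreflightError with the STOP message."""
    slug, subagent, reads = preflight(files, axis)
    return {"slug": slug, "subagent": subagent, "brief": build_brief(axis, slug, reads)}


def preflight_error(files: dict[str, str], axis: str) -> str | None:
    """The STOP message the caller would relay, or None when dispatch may proceed."""
    try:
        preflight(files, axis)
    except PreflightError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(dispatch_plan(SAMPLE_FILES, "perf")["brief"])
```

The slug check is the one addition a practitioner should keep even in a prompt-only implementation: `ACTIVE` is a writable file in the repo, and a slug like `../other` would silently point the audit at a different workspace.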
Rules for the dispatch:

- One axis per call. Fanning out across all relevant axes is /rite-seal's job (see `.claude/skills/rite-seal/reference/parallel-dispatch.md`).
- If more than one audit is dispatched, put every Task call in a single message so the runtime parallelizes; each subagent gets only its own brief.
- Pass the subagent's findings report back to the caller verbatim. Do not re-label, re-rank, or summarize. The caller (/rite-polish for simplify, /rite-review for security/perf) decides what to act on within feature scope, and surfaces any Critical to /rite-seal as a NO-GO blocker.
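What the caller does with the verbatim report, as an added example (not the devrites plugin's own code). The report string is passed through untouched; the triage only derives what the caller needs: whether a Critical makes the seal a NO-GO, which lines break the one-finding-per-line / `file:line` contract, which findings fall outside the feature's touched files, and (for simplify) which labels the axis does not allow. The line format `<Label>: <file>:<line> <message>`, the `triage` function and the sample report are assumptions; the real format is whatever the agent file documents.

```python
"""Caller-side triage of a single-axis audit report.

Added example, not the devrites plugin's own code. The report is kept
verbatim; nothing here re-labels or re-ranks. Finding-line format is an
assumption: "<Label>: <file>:<line> <message>".
"""
import re
from collections import Counter

LABELS = ("Critical", "Important", "Suggestion", "Nit", "FYI")
# simplify findings are Suggestion / Nit / FYI only (behavior-preserving).
ALLOWED = {
    "security": set(LABELS),
    "perf": set(LABELS),
    "simplify": {"Suggestion", "Nit", "FYI"},
}
FINDING = re.compile(r"^(Critical|Important|Suggestion|Nit|FYI):\s+(\S+?):(\d+)\s+(.+)$")

# Constructed sample inputs (assumption), not output of a real auditor run.
SAMPLE_TOUCHED = "- src/auth/login.py\n- src/auth/session.py\n"
SAMPLE_REPORT = """\
Critical: src/auth/login.py:42 SQL built by concatenating the username from the request
Important: src/auth/session.py:17 session token written to the INFO log
Nit: src/auth/login.py:9 unused import
Suggestion: src/util/retry.py:3 nested if can collapse into a guard clause
the auditor also noticed the config looks fine
"""


def parse_touched(touched_md: str) -> set[str]:
    """touched-files.md as a set of paths; accepts '- path' bullets or bare lines."""
    paths = set()
    for line in touched_md.splitlines():
        line = line.strip().lstrip("-* ").strip()
        if line and not line.startswith("#"):
            paths.add(line)
    return paths


def triage(report: str, axis: str, touched: set[str], inline_fallback: bool = False) -> dict:
    """Derive NO-GO status and contract violations without touching the report text."""
    findings, malformed, out_of_scope, label_violations = [], [], [], []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = FINDING.match(line)
        if not match:
            malformed.append(line)  # not one labeled finding with file:line
            continue
        label, path, lineno, msg = match.groups()
        finding = {"label": label, "file": path, "line": int(lineno), "msg": msg}
        findings.append(finding)
        if label not in ALLOWED[axis]:
            label_violations.append(finding)  # e.g. a Critical from the simplify reviewer
        if path not in touched:
            out_of_scope.append(finding)  # "Feature scope only" was the brief
    counts = Counter(f["label"] for f in findings)
    return {
        "report": report,                    # verbatim, for the caller to reconcile
        "counts": dict(counts),
        "nogo": counts["Critical"] > 0,      # any Critical -> NO-GO blocker at seal
        "independent": not inline_fallback,  # seal weighs an inline fallback differently
        "malformed": malformed,
        "out_of_scope": out_of_scope,
        "label_violations": label_violations,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT, "security", parse_touched(SAMPLE_TOUCHED))
    print("NO-GO" if result["nogo"] else "GO", result["counts"])
```

Out-of-scope and malformed lines are reported, not dropped: the caller still sees the full text, and an out-of-scope Critical is exactly the kind of thing /rite-plan should hear about even if this feature cannot act on it.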
If the Task tool is unavailable in the current environment, fall back to a read-only inline audit using the discipline documented in the corresponding agent file (.claude/agents/devrites-{security-auditor,performance-reviewer,simplifier-reviewer}.md). Flag clearly that this was an inline fallback, not an independent review. The seal weighs the fallback differently — see rite-seal/reference/risk-and-rollback.md.
Axis-specific caveats:

- perf: no number → no claim. Speculative micro-opts are Suggestion at most.
- simplify: behavior-preserving only. Anything that needs new tests is out of scope here — route to /rite-plan reslice.