By emasoft
Six-phase PR review pipeline and 10-phase codebase audit pipeline for Claude Code. PR review: code correctness swarm, claim verification, skeptical external review, security analysis with deduplication. Includes iterative fix loop for automated resolution. Codebase audit: file inventory, grep triage, parallel discovery swarm, verification, gap-fill, per-domain consolidation, security scan, TODO generation, and optional fix loop with verification.
npx claudepluginhub emasoft/emasoft-plugins --plugin code-auditor-agent
Run a full codebase audit against a reference standard. Discovers all files, triages with grep, audits in parallel batches, verifies findings, fills gaps, consolidates per-domain, and generates actionable TODO files. Optionally applies fixes with verification loop.
Run an incremental audit of only the files changed since a previous audit or commit. Finds changed files via git diff, traces their dependents, and audits only that subset. Merges delta findings with a previous full audit report. NOT a substitute for full audit.
Extracts every factual claim from the PR description and commit message, then verifies each one against the actual code. This agent catches the #1 source of missed bugs: the gap between what the author thinks they did and what the code actually does. Born from a real incident where "fromLabel/toLabel population via registry lookup" was claimed in the PR description but never implemented in convertAMPToMessage().
Per-domain code correctness auditor. Spawned as a SWARM — one instance per file group or domain. Checks type safety, logic bugs, API contracts, test coverage, security, and shell script correctness. This agent is the microscope: excellent at finding per-file bugs but structurally blind to cross-file inconsistencies and PR-level claim mismatches.
Merges multiple audit/verification/gap-fill reports for a single domain into one consolidated report. De-duplicates findings by file+line+violation_type. Separates RECORD_KEEPING items. HARD LIMIT: max 5 input reports per invocation. If more reports exist, the orchestrator must split them into sub-groups.
Deduplicates code review findings from the merged CAA report. Handles same-line-different-bug cases with semantic analysis. Produces final report with accurate counts and verdict.
Per-batch codebase auditor for compliance/decoupling audits. Spawned as a SWARM — one instance per file batch (3-4 files max). Audits files against a reference standard document to find violations such as hardcoded API calls, hardcoded governance rules, direct dependency coupling, and other compliance issues. HARD LIMIT: never processes more than 4 files per invocation.
Applies fixes from TODO files to source code. Processes 3-4 files max per invocation. Uses checkpoint-based recovery to resume after crashes. Re-reads each file after fixing to verify no syntax errors. Makes MINIMAL changes — only what the TODO specifies.
Re-audits fixed files to confirm fixes are correct and no regressions were introduced. Checks each fixed file against the reference standard and the original TODO that prompted the fix. Reports PASS or FAIL with specific remaining issues.
Deep security review agent that analyzes code for vulnerabilities, attack surfaces, injection vectors, secrets exposure, dependency risks, and compliance with latest security practices. Checks against OWASP Top 10, CWE/SANS 25, and recent CVEs. Simulates attacker perspective to identify exploitable paths. This agent is the shield: focused exclusively on security, unlike the correctness agent which treats security as one checklist item among many.
Holistic PR reviewer that reads the entire diff as a hostile external maintainer would. Not checking individual correctness but the big picture: UX concerns, breaking changes, cross-file consistency, missing implementations, design judgment, and documentation accuracy. This is the telescope that sees what the microscope (correctness swarm) misses.
Converts consolidated violation reports into actionable TODO files with dependency ordering, priority classification, and exact change instructions. Each TODO includes file, line range, current code, required change, and verification steps.
Cross-checks audit reports against actual code. Spawned per audit report (ONE report per agent). Verifies that every violation claim is real (file exists, line exists, code matches evidence). Verifies that every "CLEAN" claim is accurate (quick-checks with grep patterns). Detects missed files by diffing the report's file list against the full domain inventory.
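The consolidation and verification steps described above (dedupe by file+line+violation_type while keeping same-line-different-bug findings separate, set RECORD_KEEPING items aside, enforce the hard limit of 5 input reports, and detect missed files by diffing the report file lists against the domain inventory) as a worked example in Python. This is added illustrative code, not the plugin's own implementation; the report/finding dictionary shape and the sample reports are constructed assumptions.

```python
"""Illustrative consolidation of per-batch audit reports.

Not the plugin's code: the report and finding field names
(id, files_audited, findings, file, line, violation_type, record_keeping)
are assumptions chosen for this example.
"""
from collections import OrderedDict

MAX_REPORTS_PER_INVOCATION = 5  # hard limit stated for the consolidator


class TooManyReports(ValueError):
    """The orchestrator must split inputs into sub-groups of at most 5."""


def split_into_subgroups(reports, size=MAX_REPORTS_PER_INVOCATION):
    """Chunk an oversized report list so each consolidation stays under the limit."""
    return [reports[i:i + size] for i in range(0, len(reports), size)]


def consolidate(reports, inventory):
    """Merge reports for one domain into a single deduplicated report.

    Returns a dict with deduplicated findings (each carrying the ids of the
    reports that raised it), RECORD_KEEPING items kept apart from real
    violations, and files present in the inventory but absent from every
    report's audited-file list (the "missed files" check).
    """
    if len(reports) > MAX_REPORTS_PER_INVOCATION:
        raise TooManyReports(f"{len(reports)} reports exceed the limit of "
                             f"{MAX_REPORTS_PER_INVOCATION}; split them first")

    seen = OrderedDict()      # (file, line, violation_type) -> merged finding
    record_keeping = []
    covered_files = set()

    for report in reports:
        covered_files.update(report["files_audited"])
        for finding in report["findings"]:
            if finding.get("record_keeping"):
                record_keeping.append(finding)
                continue
            # Same line but a different violation type is a different bug,
            # so violation_type is part of the key and both findings survive.
            key = (finding["file"], finding["line"], finding["violation_type"])
            if key in seen:
                seen[key]["sources"].append(report["id"])
                continue
            seen[key] = {**finding, "sources": [report["id"]]}

    missed_files = sorted(set(inventory) - covered_files)
    return {
        "findings": list(seen.values()),
        "record_keeping": record_keeping,
        "missed_files": missed_files,
    }


# Constructed sample input: two batch reports for one domain.
SAMPLE_REPORTS = [
    {
        "id": "batch-1",
        "files_audited": ["src/api.py"],
        "findings": [
            {"file": "src/api.py", "line": 42, "violation_type": "HARDCODED_API_CALL",
             "evidence": "requests.get('https://example.invalid/v1')"},
            {"file": "src/api.py", "line": 42, "violation_type": "DIRECT_COUPLING",
             "evidence": "from billing.core import Ledger"},
        ],
    },
    {
        "id": "batch-2",
        "files_audited": ["src/api.py", "src/models.py"],
        "findings": [
            # Duplicate of batch-1's first finding: same file, line and type.
            {"file": "src/api.py", "line": 42, "violation_type": "HARDCODED_API_CALL",
             "evidence": "requests.get('https://example.invalid/v1')"},
            {"file": "src/models.py", "line": 7, "violation_type": "RECORD_KEEPING",
             "record_keeping": True, "note": "file header lacks module docstring"},
        ],
    },
]
SAMPLE_INVENTORY = ["src/api.py", "src/models.py", "src/governance.py"]


def demo():
    """Run the consolidation over the constructed sample."""
    return consolidate(SAMPLE_REPORTS, SAMPLE_INVENTORY)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The merged finding keeps a `sources` list so the verdict counts stay accurate after deduplication, and `missed_files` gives the gap-fill phase its worklist.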
Trigger with /audit-codebase, 'audit the codebase', 'compliance audit', 'codebase audit'. Use when auditing a codebase for compliance violations, generating TODOs, or applying automated fixes.
Trigger with "review and fix the PR", "audit and fix the PR", "pre-merge review and fix". Use when reviewing and fixing PRs with automated iterative resolution.
Trigger with "review the PR", "check the PR", "audit the PR", "pre-merge review". Use when reviewing PRs, auditing code, or running pre-merge quality gates.
Uses power tools
Uses Bash, Write, or Edit tools
Version: 3.4.2 License: MIT Author: Emasoft
Requirements: Claude Code v2.1.94 or later.
Install from the emasoft-plugins marketplace:
/plugin install code-auditor-agent@emasoft-plugins
After installing, run /reload-plugins to activate without restarting.
Choose an installation scope:
| Scope | Command | Use case |
|---|---|---|
| User (default) | /plugin install code-auditor-agent@emasoft-plugins | Personal use across all projects |
| Project | claude plugin install code-auditor-agent@emasoft-plugins --scope project | Shared with team via .claude/settings.json |
| Local | claude plugin install code-auditor-agent@emasoft-plugins --scope local | Project-specific, gitignored |
To uninstall: /plugin uninstall code-auditor-agent@emasoft-plugins. Use --keep-data to preserve persistent audit state in ${CLAUDE_PLUGIN_DATA}.
For local development, launch Claude Code with the plugin directory:
claude --plugin-dir /path/to/code-auditor-agent
Add the marketplace to your project's .claude/settings.json so team members get prompted to install it automatically:
```json
{
  "extraKnownMarketplaces": {
    "emasoft-plugins": {
      "source": {
        "source": "github",
        "repo": "Emasoft/emasoft-plugins"
      }
    }
  },
  "enabledPlugins": {
    "code-auditor-agent@emasoft-plugins": true
  }
}
```
allowed-tools declarations
disallowedTools frontmatter — all 10 read-only agents are blocked from using Edit/NotebookEdit, preventing accidental source code modification
USE_WORKTREES=true for concurrent agent swarms (discouraged: default per-group dispatch already prevents conflicts without worktree overhead)
${CLAUDE_PLUGIN_DATA} for audit state (Fix Dispatch Ledger, agent checkpoints) that survives plugin updates and context compactions
find_symbol, find_referencing_symbols), Grepika (search, refs, outline), and TLDR (structure, search) when available for semantic code navigation instead of raw file reading
These variables are referenced inside the plugin (skills, agents, hooks):
| Variable | Purpose |
|---|---|
| ${CLAUDE_PLUGIN_ROOT} | Absolute path to plugin installation directory. Used to reference bundled scripts and configs. Changes on plugin update. |
| ${CLAUDE_PLUGIN_DATA} | Persistent directory for plugin state (~/.claude/plugins/data/code-auditor-agent/). Survives plugin updates. Used for Fix Dispatch Ledger, agent checkpoints. Deleted on uninstall unless --keep-data is passed. |
| ${CLAUDE_SKILL_DIR} | Absolute path to the current skill's directory. Used in SKILL.md to reference references/ subdirectories. |
| ${CLAUDE_SESSION_ID} | Current Claude Code session ID. Useful for session-scoped report filenames. |
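How the persistent data directory and checkpoint-based recovery fit together, as an added Python example (not the plugin's own code): it resolves the state directory from ${CLAUDE_PLUGIN_DATA} with the documented default as fallback, processes at most 4 TODO files per invocation, and writes a checkpoint after every file so a crashed run resumes where it stopped. The checkpoint file name and the JSON layout are assumptions made for this example.

```python
"""Illustrative checkpoint-based fix applier using the plugin data directory.

Not the plugin's code. Assumed details: the checkpoint file name
"fix-checkpoint.json" and its layout (a JSON list of completed TODO paths).
"""
import json
import os
from pathlib import Path

# Default from the variables table; used only when CLAUDE_PLUGIN_DATA is unset.
DEFAULT_DATA_DIR = Path.home() / ".claude" / "plugins" / "data" / "code-auditor-agent"
CHECKPOINT_NAME = "fix-checkpoint.json"   # hypothetical name for this example
MAX_FILES_PER_INVOCATION = 4              # 3-4 files max, per the fix-applier description


def data_dir(env=None):
    """Resolve the persistent state directory, honouring CLAUDE_PLUGIN_DATA."""
    env = os.environ if env is None else env
    raw = env.get("CLAUDE_PLUGIN_DATA")
    return Path(raw) if raw else DEFAULT_DATA_DIR


def load_checkpoint(path):
    """Return the list of TODO files already applied, or [] if none recorded."""
    if not path.exists():
        return []
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def save_checkpoint(path, done):
    """Write the checkpoint atomically (temp file + rename) so a crash
    mid-write never leaves a truncated, unparsable checkpoint behind."""
    path.parent.mkdir(parents=True, exist_ok=True)
    tmp = path.with_suffix(".tmp")
    with open(tmp, "w", encoding="utf-8") as fh:
        json.dump(done, fh)
    os.replace(tmp, path)


def apply_fixes(todo_files, apply_fn, checkpoint_path, batch_size=MAX_FILES_PER_INVOCATION):
    """Apply up to batch_size pending TODO files, checkpointing after each.

    apply_fn(todo_file) performs the actual edit; if it raises, the
    checkpoint already covers every file completed before it, so the next
    invocation skips those and retries from the failed file.
    Returns (applied_this_run, still_pending).
    """
    done = load_checkpoint(checkpoint_path)
    pending = [f for f in todo_files if f not in done]
    batch = pending[:batch_size]
    applied = []
    for todo_file in batch:
        apply_fn(todo_file)
        done.append(todo_file)
        save_checkpoint(checkpoint_path, done)  # persist progress per file
        applied.append(todo_file)
    return applied, pending[batch_size:]


def simulate_crash_and_resume(workdir):
    """Constructed scenario: first run crashes on the second file, second run resumes."""
    checkpoint = Path(workdir) / CHECKPOINT_NAME
    todos = [f"TODO-{n}.md" for n in range(1, 7)]   # six constructed TODO files
    touched = []

    def crashing_apply(todo_file):
        if todo_file == "TODO-2.md":
            raise RuntimeError("simulated crash")
        touched.append(todo_file)

    try:
        apply_fixes(todos, crashing_apply, checkpoint)
    except RuntimeError:
        pass
    after_crash = load_checkpoint(checkpoint)

    # Resume: TODO-1 is skipped, TODO-2..5 are applied (batch of 4), TODO-6 stays pending.
    applied, remaining = apply_fixes(todos, touched.append, checkpoint)
    return after_crash, applied, remaining


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        print(simulate_crash_and_resume(tmp))
```

Because `save_checkpoint` runs after each file rather than once per batch, a crash loses at most the file in progress, and the atomic rename keeps the checkpoint readable even if the process dies during the write.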