From Codebase Auditor
Methodology for auditing this marketplace against its own F1–F13 failure classes — the deterministic static detectors, the finding line format, and how the review sub-agents add logic/security/invariant findings on top. Use when running /auditor:run or as an auditor sub-agent.
How this skill is triggered — by the user, by Claude, or both
Slash command
/auditor:audit-codebaseThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
The auditor productizes THIS project's own audit (the F1–F13 findings) as **regression
The auditor productizes THIS project's own audit (the F1–F13 findings) as regression detectors: each fires only when a specific, previously-fixed failure class is re-introduced, and stays silent on a clean tree. Two layers:
scripts/lib-audit-checks.sh, pure shell/awk, no python) —
the floor. They scan by ROLE (hook scripts resolved from each plugin's hooks.json, the
sourced shared/lib/common.sh, the manifests, the agent files), never a blanket grep, so
they neither miss a hook nor false-flag the detector library itself.auditor-scout breadth / auditor-critical depth) — judgment on top:
logic, security, and invariant breaks that static analysis cannot see.One finding per line, TAB-separated:
<SEVERITY>\t<detector>\t<file:line-or-path>\t<message>
SEVERITY ∈ HIGH | MEDIUM | LOW | ADVISORY (see the classify-findings skill). verify-audit.sh
tallies HIGH/MEDIUM/LOW (ADVISORY excluded), writes .claude/auditor/FINDINGS.md, and records
bd_status_write auditor audit <state> "" high=$H med=$M low=$L. The pipeline release gate
(verify-release.sh) reads auditor high and requires it to be 0 to release.
HIGH — a gate/module is SILENTLY broken or bypassable (these feed the 0-high gate):
command -v python3 as a presence test, or a raw
python $(…) capture under set -e with no || fallback. The Windows Store stub re-opens fail-open.bd_normalize_path); a ../backslash segment escapes the zone.hooks.json command whose script is missing or not +x (100755);
the hook silently never runs.plugin.json/marketplace.json that doesn't parse, or a marketplace
source dir that doesn't exist.plugins/*/lib/common.sh that differs from the canonical
shared/lib/common.sh (runs stale shared logic).MEDIUM — a real defect that doesn't silently break a gate:
Write|Edit matcher omitting NotebookEdit, or a guard not reading notebook_path.cat without an [ -t 0 ] guard.hooks.json command entry with no timeout.LOW — hygiene:
.sh shipping CRLF (git ls-files --eol = i/crlf), or a
non-hook .sh not tracked 100755. Plus per-file ShellCheck errors when ShellCheck is installed.ADVISORY — informational only, NEVER gates, EXCLUDED from the tally (the "fuzzy" findings whose
static signal is too weak to gate on without false-blocking): README/doc drift (F5), redundant
agent tools:+disallowedTools: (F12), stale explorer index.json paths (F13).
.claude/explorer/MEMORY.md for ground truth, then read the
diff under review (git diff or the base ref the orchestrator passed).path:line. Separate evidence from inference (a hypothesis is labelled, never a HIGH)..claude/auditor/findings/<agent>.tsv in the line format above.Keep findings dense and evidence-first. A HIGH must be a real, defensible regression — the gate trusts it.
npx claudepluginhub hafizmirhamza276-lab/backend-agentic-marketplace --plugin auditorGuides completion of development work by verifying tests, detecting environment, and presenting structured options for merge, PR, or cleanup.
Guides creation and editing of skills using test-driven development with pressure scenarios and subagents to verify agent compliance.
Dispatches multiple subagents concurrently for independent tasks without shared state. Use when facing 2+ unrelated failures or subsystems that can be investigated in parallel.