From session-orchestrator
Audits repository for baseline compliance across 9 categories: configuration, code quality, git hygiene, CI/CD, testing, security, documentation, Clank integration, MCP. Emits Markdown report and JSON sidecar.
npx claudepluginhub kanevry/session-orchestrator --plugin session-orchestrator

This skill uses the workspace's default tool permissions.
Perform a comprehensive audit of the host repository against the ecosystem baseline. Emits a structured Markdown checklist report and a JSON sidecar for trend tracking.
Answer the question: "Does this repo match the ecosystem baseline?" — a compliance-focused, checkable question with a fixed 9-category checklist. Distinct from /discovery (broad quality probes) and /harness-audit (plugin installation health).
Read the project's ## Session Config section in CLAUDE.md (or AGENTS.md for Codex CLI). Store resolved values as $CONFIG.
Command resolution follows skills/quality-gates/SKILL.md priority order:
- .orchestrator/policy/quality-gates.json — canonical policy file (if present).
- test-command / typecheck-command / lint-command — fallback.
- pnpm test --run, tsgo --noEmit, pnpm lint.

If any command is set to the literal string skip, skip that check entirely and mark it skipped.
Check for Clank integration markers:
ls .clank/ 2>/dev/null || ls clank.config.* 2>/dev/null || ls clank.config.json 2>/dev/null
Set $CLANK_DETECTED=true if any marker exists, false otherwise.
Also check Session Config for ecosystem: baseline — if set, treat Clank checks as required rather than optional.
Run all checks in parallel where possible. For each check use the status symbols:
- ✓ — passes
- ✗ — fails (action required)
- ⚠ — warning (review recommended)
- skipped — intentionally skipped

| Check | Method |
|---|---|
| CLAUDE.md exists (50-100 lines, lean) | wc -l CLAUDE.md |
| .claude/rules/ has path-scoped rules | ls .claude/rules/*.md 2>/dev/null |
| .claude/settings.json exists | ls .claude/settings.json |
| .mcp.json exists with servers | ls .mcp.json |
| .gitignore covers .env*, node_modules, build artifacts | `grep -E '.env* |
Commands resolved from Session Config per Phase 1.
| Check | Method |
|---|---|
| ESLint v9 flat config (eslint.config.mjs) | ls eslint.config.mjs 2>/dev/null |
| Prettier config (.prettierrc or prettier.config.*) | ls .prettierrc* prettier.config.* 2>/dev/null |
| TypeScript strict mode ("strict": true in tsconfig.json) | grep '"strict": true' tsconfig.json |
| 0 TypeScript errors | Run {typecheck-command} 2>&1 — pass if exit code 0 |
| No console.log in production code (excluding tests) | `grep -r 'console.log' --include='*.ts' --include='*.mts' --exclude-dir=tests --exclude-dir=node_modules . 2>/dev/null |
| Lint passes | Run {lint-command} 2>&1 — pass if exit code 0 |
| Check | Method |
|---|---|
| Husky + lint-staged configured | ls .husky/ 2>/dev/null && grep 'lint-staged' package.json |
| commitlint (Conventional Commits) | `ls commitlint.config.* 2>/dev/null |
| Gitleaks pre-commit or CI | `ls .gitleaks.toml 2>/dev/null |
| No secrets in git history | `git log --all -p 2>/dev/null |
| Check | Method |
|---|---|
| CI config exists (.gitlab-ci.yml or .github/workflows/) | ls .gitlab-ci.yml 2>/dev/null || ls .github/workflows/*.yml 2>/dev/null |
| Stages include validate → security → test → deploy | Read CI config, check for these stage names |
| Typecheck in CI | `grep -E 'tsgo |
| Tests in CI | `grep -E 'vitest |
| Dependency audit in CI | `grep -E 'audit |
| Check | Method |
|---|---|
| Vitest configured (vitest.config.ts or vitest.config.mjs) | ls vitest.config.* 2>/dev/null |
| Test coverage configured | grep 'coverage' vitest.config.* 2>/dev/null |
| E2E tests (Playwright) for frontend repos | ls playwright.config.* 2>/dev/null — only required if next.config.* or nuxt.config.* exists |
| Test scripts in package.json | grep '"test"' package.json 2>/dev/null |
| Tests pass | Run {test-command} 2>&1 — pass if exit code 0 |
| Check | Method |
|---|---|
| Auth-at-boundary pattern (requireAuth) | grep -r 'requireAuth' --include='*.ts' src/ 2>/dev/null || echo "N/A (no src/)" |
| Zod validation on inputs | grep -rE 'z\.object|z\.string|z\.parse|safeParse' --include='*.ts' src/ 2>/dev/null || echo "N/A" |
| No hardcoded secrets (scan for API key patterns) | grep -rE 'sk-|api_key\s*=\s*"' --include='*.ts' --include='*.mts' --exclude-dir=node_modules . 2>/dev/null — warn if found |
| .env* files not tracked | `git ls-files |
| .env.example documents all secrets | ls .env.example 2>/dev/null |
Note: RLS, rate limiting, and CORS checks are ⚠ review items — they require human judgment and cannot be fully automated. Flag them as ⚠ manual-review-recommended.
| Check | Method |
|---|---|
| README.md exists | ls README.md 2>/dev/null |
| .env.example exists with documented vars | ls .env.example 2>/dev/null |
| Architecture documented in CLAUDE.md | grep -iE 'architecture|structure|stack' CLAUDE.md 2>/dev/null |
If $CLANK_DETECTED=false AND ecosystem: baseline is NOT set in Session Config:
### 8. Clank Integration
Status: skipped — Clank not detected (.clank/ and clank.config.* absent; ecosystem: baseline not set)
Do not mark any Clank check as ✗. Absence of Clank is not a failure outside the baseline ecosystem.
If $CLANK_DETECTED=true OR ecosystem: baseline is set:
| Check | Method |
|---|---|
| GET /health endpoint exists (for services) | grep -r '/health' --include='*.ts' src/ 2>/dev/null |
| CI pipeline sends webhooks to Event Bus | grep -E 'webhook|event.bus|clank' .gitlab-ci.yml .github/workflows/*.yml 2>/dev/null |
| Sentry configured (for user-facing apps) | grep -r 'Sentry' --include='*.ts' --include='*.mts' --exclude-dir=node_modules . 2>/dev/null |
| Conventional Commits enforced (commitlint) | `ls commitlint.config.* 2>/dev/null |
| Check | Method |
|---|---|
| .mcp.json exists | ls .mcp.json 2>/dev/null |
| MCP servers match project type | Read .mcp.json, verify server list is appropriate (e.g., shadcn only for frontend repos, no stale servers) |
| No stale or unused MCP entries | Cross-reference .mcp.json servers against project stack markers |
Emit a structured report in this format:
# Repo Audit Report — <repo-name>
Generated: <ISO timestamp>
Session Config commands: test=`<test-command>` typecheck=`<typecheck-command>` lint=`<lint-command>`
## Summary
| Category | Pass | Fail | Warn | Skipped |
|---|---|---|---|---|
| 1. Configuration | N | N | N | N |
| 2. Code Quality | N | N | N | N |
| 3. Git Hygiene | N | N | N | N |
| 4. CI/CD | N | N | N | N |
| 5. Testing | N | N | N | N |
| 6. Security | N | N | N | N |
| 7. Documentation | N | N | N | N |
| 8. Clank Integration | N | N | N | N |
| 9. MCP Configuration | N | N | N | N |
| **Total** | N | N | N | N |
**Overall:** ✓ PASS / ✗ FAIL / ⚠ WARN
## Detailed Results
### 1. Configuration
- ✓ CLAUDE.md exists (72 lines — within 50-100 range)
- ✗ `.claude/settings.json` missing — create with permissions and hooks
- ⚠ `.mcp.json` missing — add MCP servers appropriate for your stack
...
### 2. Code Quality
...
### 8. Clank Integration
skipped — Clank not detected (.clank/ and clank.config.* absent; ecosystem: baseline not set in Session Config)
...
## Critical Findings
<List only ✗ items — actionable, with fix guidance>
## Action Items
<Numbered list of recommended fixes, ordered by priority>
Write to .orchestrator/metrics/repo-audit-<unix-timestamp>.json:
{
  "schema_version": 1,
  "generated_at": "<ISO timestamp>",
  "repo": "<basename of cwd>",
  "commands": {
    "test": "<resolved test-command>",
    "typecheck": "<resolved typecheck-command>",
    "lint": "<resolved lint-command>"
  },
  "clank_detected": false,
  "ecosystem_baseline": false,
  "categories": {
    "configuration": { "pass": 4, "fail": 1, "warn": 0, "skipped": 0, "checks": [] },
    "code_quality": { "pass": 3, "fail": 1, "warn": 1, "skipped": 0, "checks": [] },
    "git_hygiene": { "pass": 2, "fail": 1, "warn": 0, "skipped": 0, "checks": [] },
    "ci_cd": { "pass": 0, "fail": 5, "warn": 0, "skipped": 0, "checks": [] },
    "testing": { "pass": 4, "fail": 0, "warn": 0, "skipped": 1, "checks": [] },
    "security": { "pass": 3, "fail": 1, "warn": 2, "skipped": 0, "checks": [] },
    "documentation": { "pass": 2, "fail": 0, "warn": 1, "skipped": 0, "checks": [] },
    "clank_integration": { "pass": 0, "fail": 0, "warn": 0, "skipped": 4, "checks": [] },
    "mcp_configuration": { "pass": 1, "fail": 0, "warn": 2, "skipped": 0, "checks": [] }
  },
  "summary": {
    "total_pass": 0,
    "total_fail": 0,
    "total_warn": 0,
    "total_skipped": 0,
    "overall": "pass|fail|warn"
  }
}
Each checks array entry:
{ "id": "config.claude-md-exists", "status": "pass|fail|warn|skipped", "detail": "human-readable result" }
Create .orchestrator/metrics/ if it does not exist:
mkdir -p .orchestrator/metrics
Write using node -e or direct file write — do not require any external dependency.
- ✗ FAIL — any check has status fail
- ⚠ WARN — no fails, but at least one warn
- ✓ PASS — all checks are pass or skipped

skipped when absentpnpm).orchestrator/metrics/repo-audit-<timestamp>.json
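
The verdict precedence, the Clank skip rule and the sidecar layout described above, as an added Node.js example (not code from session-orchestrator) that uses only built-in modules. The function names, the `SAMPLE` data and every check id except `config.claude-md-exists` are assumptions made for illustration.

```javascript
const fs = require("node:fs");
const path = require("node:path");

const CATEGORIES = ["configuration", "code_quality", "git_hygiene", "ci_cd", "testing",
  "security", "documentation", "clank_integration", "mcp_configuration"];

// Outside the baseline ecosystem, missing Clank is not a failure: force every
// Clank check to "skipped" unless Clank was detected or `ecosystem: baseline` is set.
function gateClank(checks, clankDetected, ecosystemBaseline) {
  if (clankDetected || ecosystemBaseline) return checks;
  return checks.map((c) => ({ ...c, status: "skipped", detail: "Clank not detected" }));
}

function buildSidecar({ repo, commands, clankDetected, ecosystemBaseline, results, now = new Date() }) {
  const categories = {};
  const summary = { total_pass: 0, total_fail: 0, total_warn: 0, total_skipped: 0 };
  for (const name of CATEGORIES) {
    let checks = results[name] || [];
    if (name === "clank_integration") checks = gateClank(checks, clankDetected, ecosystemBaseline);
    const counts = { pass: 0, fail: 0, warn: 0, skipped: 0 };
    for (const c of checks) {
      // Reject anything outside the four documented statuses instead of miscounting it.
      if (!Object.hasOwn(counts, c.status)) throw new Error(`unknown status "${c.status}" in ${c.id}`);
      counts[c.status] += 1;
      summary[`total_${c.status}`] += 1;
    }
    categories[name] = { ...counts, checks };
  }
  // Verdict precedence: any fail -> fail; otherwise any warn -> warn; otherwise pass.
  summary.overall = summary.total_fail > 0 ? "fail" : summary.total_warn > 0 ? "warn" : "pass";
  return { schema_version: 1, generated_at: now.toISOString(), repo, commands,
    clank_detected: clankDetected, ecosystem_baseline: ecosystemBaseline, categories, summary };
}

// Creates .orchestrator/metrics/ if needed and writes repo-audit-<unix-timestamp>.json.
function writeSidecar(sidecar, root = process.cwd(), unixTs = Math.floor(Date.now() / 1000)) {
  const dir = path.join(root, ".orchestrator", "metrics");
  fs.mkdirSync(dir, { recursive: true });
  const file = path.join(dir, `repo-audit-${unixTs}.json`);
  fs.writeFileSync(file, JSON.stringify(sidecar, null, 2) + "\n");
  return file;
}

// Constructed sample results (check ids other than config.claude-md-exists are made up).
const SAMPLE = {
  configuration: [{ id: "config.claude-md-exists", status: "pass", detail: "72 lines" }],
  security: [{ id: "security.rls-review", status: "warn", detail: "manual review recommended" }],
  clank_integration: [{ id: "clank.health-endpoint", status: "fail", detail: "no /health route" }],
};
```

With `SAMPLE`, the failing Clank check only affects the verdict when Clank is detected or `ecosystem: baseline` is set; otherwise it is recorded as skipped and the run ends in a warning from the security review item.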