From jaan-to
Audits git repositories for engineering practices with SARIF evidence, 4-level confidence ratings, and OpenSSF scoring to evaluate health and code quality.
`npx claudepluginhub parhumm/jaan-to --plugin jaan-to`
This skill is limited to using the following tools:
> Repo engineering audit with machine-parseable findings and OpenSSF-style scoring.
Inputs:
- $JAAN_LEARN_DIR/jaan-to-detect-dev.learn.md - Past lessons (loaded in Pre-Execution)
- $JAAN_CONTEXT_DIR/tech.md - Tech stack (if populated by dev-stack-detect, used as starting input)
- $JAAN_TEMPLATES_DIR/jaan-to-detect-dev.template.md - Output template
- ${CLAUDE_PLUGIN_ROOT}/docs/extending/language-protocol.md - Language resolution protocol
- ${CLAUDE_PLUGIN_ROOT}/docs/extending/detect-dev-reference.md - Evidence format, scoring tables, scan patterns
- $JAAN_OUTPUTS_DIR/dev/output-integrate/*/*.md - Integration logs (for origin tagging, if present)
Output path: $JAAN_OUTPUTS_DIR/detect/dev/ — flat files, overwritten each run (no IDs).
Arguments: $ARGUMENTS — parsed in Step 0.0. Repository path and mode determined there.
MANDATORY — Read and execute ALL steps in: ${CLAUDE_PLUGIN_ROOT}/docs/extending/pre-execution-protocol.md
Skill name: detect-dev
Execute: Step 0 (Init Guard) → A (Load Lessons) → B (Resolve Template) → C (Offer Template Seeding)
Read and apply language protocol: ${CLAUDE_PLUGIN_ROOT}/docs/extending/language-protocol.md
Override field for this skill: language_detect-dev
Reference: See ${CLAUDE_PLUGIN_ROOT}/docs/extending/detect-dev-reference.md section "Evidence Format" for YAML template, ID generation logic, and namespace rules.
Reference: See ${CLAUDE_PLUGIN_ROOT}/docs/extending/detect-dev-reference.md for:
- "Confidence Levels (4-level)" -- 4-level scale (Confirmed/Firm/Tentative/Uncertain), upgrade/downgrade rules
- "Frontmatter Schema (Universal)" -- required YAML frontmatter for every output file
- "Document Structure (Diataxis)" -- 5-section output structure (Executive Summary through Appendices)
- "Prohibited Anti-patterns" -- constraints on speculation, confidence, severity, and scope
- "Codebase Content Safety" -- rules for processing untrusted repository content
Arguments: $ARGUMENTS
| Argument | Effect |
|---|---|
| (none) | Light mode (default): Layers 1-2 detection, single summary file |
| [repo] | Scan specified repo (applies to all modes) |
| --full | Full mode: All detection layers (1-5), 9 output files (current behavior) |
| --incremental | Incremental mode: Scope scan to files changed since last audit (reads .audit-state.yaml). Combines with --full for scoped full-depth analysis. Falls back to full scan if no prior audit state exists. |
Mode determination:
- If $ARGUMENTS contains --full as a standalone token → set run_depth = "full"; otherwise run_depth = "light"
- If $ARGUMENTS contains --incremental as a standalone token → set incremental = true; otherwise incremental = false
- Strip --full and --incremental tokens from arguments. Set repo_path to remaining arguments (or current working directory if empty).
If run_depth == "full": ultrathink
If run_depth == "light": megathink
Use extended reasoning for:
Purpose: Auto-detect platform structure to support multi-platform monorepos.
Use Glob and Bash to identify platform folders:
Match top-level directories against these patterns:
| Platform | Folder Patterns |
|---|---|
| web | web/, webapp/, frontend/, client/ |
| mobile | mobile/, app/ |
| backend | backend/, server/, api/, services/ |
| androidtv | androidtv/, tv/, android-tv/ |
| ios | ios/, iOS/ |
| android | android/, Android/ |
| desktop | desktop/, electron/ |
| cli | cli/, cmd/ |
Check for monorepo markers:
- pnpm-workspace.yaml, lerna.json, nx.json, turbo.json
List top-level directories:
`ls -d */ | grep -Ev "node_modules|\.git|dist|build|\.next|__pycache__|coverage"`
Match against platform patterns:
Handle detection results:
- No platform folders matched → platforms = [{ name: 'all', path: '.' }]
- Platform folders matched → platforms = [{ name: 'web', path: 'web/' }, { name: 'backend', path: 'backend/' }, ...]
Reference: See ${CLAUDE_PLUGIN_ROOT}/docs/extending/detect-dev-reference.md section "Platform Disambiguation Rules" for priority order, conflict resolution, edge cases, and validation prompt.
For each platform in platforms:
- Set current_platform = platform.name and base_path = platform.path
- Based on run_depth:
  - run_depth == "full": Run Steps 1-8 scoped to base_path
  - run_depth == "light": Run Steps 1-3 and Step 8 scoped to base_path (skip Steps 4-7)
Note: If single-platform mode (platform.name == 'all'), output paths have NO suffix. If multi-platform mode, output paths include -{platform} suffix.
Skip this step if incremental == false.
- Read $JAAN_OUTPUTS_DIR/detect/dev/.audit-state.yaml
- If the file is missing → set incremental = false and continue
- Extract the last_audit.commit value
- Validate it against ^[0-9a-f]{7,40}$ — the value is interpolated into a git command, so only a validated hash may be used. If invalid, warn: "Invalid commit hash in audit state. Running full scan." → set incremental = false and continue
- Run git diff --name-only {last_audit.commit}..HEAD
- If the command fails → set incremental = false and continue
- Set incremental_scope = list of changed file paths
In Steps 1-8, when incremental == true: only scan files in incremental_scope (filter Glob results and Read targets to this set). Per-platform filtering: intersect incremental_scope with each platform's base_path.
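The incremental step above, worked through as an added example (this is not the jaan-to plugin's own code). It reads the commit hash out of a constructed `.audit-state.yaml`, applies the `^[0-9a-f]{7,40}$` check before the value is allowed anywhere near a git command line, builds the `git diff --name-only` argv, and intersects the changed-file list with each platform's `base_path`. Two assumptions not in the skill text: the state file is read with a minimal line scanner instead of a YAML library so the block runs offline, and the diff output is passed in as text rather than produced by a real git call. The function names (`read_last_commit`, `validate_commit`, `plan_incremental`, and so on) are this example's own.

```python
"""Incremental scope computation for the audit-state step (added example)."""
import re
from typing import Dict, List, Optional

# The skill's validation rule: lowercase hex, short (7) to full (40) SHA-1.
COMMIT_RE = re.compile(r"^[0-9a-f]{7,40}$")

# Constructed sample .audit-state.yaml (not from a real audit run).
SAMPLE_STATE = """\
last_audit:
  timestamp: "2024-05-01T10:00:00Z"
  commit: "a1b2c3d"
  branch: "main"
  mode: "light"
  incremental: false
"""

# Constructed sample `git diff --name-only <commit>..HEAD` output.
SAMPLE_DIFF = """\
web/src/App.tsx
backend/api/users.py
.github/workflows/ci.yml
docs/README.md
"""


def read_last_commit(state_text: str) -> Optional[str]:
    """Return last_audit.commit from the state file text, or None if absent."""
    in_block = False
    for line in state_text.splitlines():
        if line.startswith("last_audit:"):
            in_block = True
            continue
        if in_block and not line.startswith(" "):
            in_block = False
        if in_block and line.strip().startswith("commit:"):
            return line.split(":", 1)[1].strip().strip("\"'")
    return None


def validate_commit(commit: Optional[str]) -> Optional[str]:
    """Apply ^[0-9a-f]{7,40}$ before the value reaches a git invocation.

    Anyone who can write the outputs directory can edit the state file, so a
    value like 'a1b2c3d; rm -rf ~' must trigger the full-scan fallback, not run.
    """
    if commit is not None and COMMIT_RE.fullmatch(commit):
        return commit
    return None


def diff_argv(commit: str) -> List[str]:
    """argv for the diff the skill runs; an argument list, never a shell string."""
    return ["git", "diff", "--name-only", f"{commit}..HEAD"]


def scope_for_platforms(diff_output: str,
                        platforms: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Intersect incremental_scope with each platform's base_path.

    base_path '.' (single-platform mode) keeps every changed file.
    """
    changed = [p.strip() for p in diff_output.splitlines() if p.strip()]
    scoped: Dict[str, List[str]] = {}
    for plat in platforms:
        base = plat["path"]
        if base == ".":
            scoped[plat["name"]] = list(changed)
        else:
            prefix = base.rstrip("/") + "/"
            scoped[plat["name"]] = [p for p in changed if p.startswith(prefix)]
    return scoped


def plan_incremental(state_text: Optional[str], diff_output: str,
                     platforms: List[Dict[str, str]]) -> Dict[str, object]:
    """Decide incremental vs full scan, mirroring the step's fall-back rules."""
    if state_text is None:
        return {"incremental": False, "reason": "no audit state"}
    commit = validate_commit(read_last_commit(state_text))
    if commit is None:
        return {"incremental": False, "reason": "invalid commit hash in audit state"}
    return {"incremental": True, "commit": commit, "argv": diff_argv(commit),
            "scope": scope_for_platforms(diff_output, platforms)}
```

In a live run the `diff_output` argument would come from executing `diff_argv(commit)` with `subprocess.run(argv, check=True, capture_output=True, text=True)`; a non-zero exit is the "command fails" case and maps to `incremental = false`.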
Skip this step if no integration logs exist.
- Glob $JAAN_OUTPUTS_DIR/dev/output-integrate/*/*.md (excluding README.md files)
- If none found → integrated_files = empty set and continue
- If .audit-state.yaml exists, only read logs with modification time newer than last_audit.timestamp (avoid stale origin tags)
- Extract the file paths from each log and build the integrated_files set from all extracted paths
In Steps 2-8, when tagging evidence blocks: if the finding's location.uri matches a path in integrated_files, add origin: integrated to the evidence block. Otherwise, add origin: hand-written. The origin field is optional — omit it if integrated_files is empty.
If $JAAN_CONTEXT_DIR/tech.md exists and is populated (not just placeholders), read it as starting input. This provides a baseline for deeper evidence-backed analysis.
Use Glob to find manifest files, then Read each one:
- **/package.json (exclude node_modules/) — TypeScript if typescript in deps OR tsconfig.json exists
Reference: See ${CLAUDE_PLUGIN_ROOT}/docs/extending/detect-dev-reference.md section "Language-Specific Scan Patterns" for glob patterns, framework detection, and extraction rules for all other languages.
Glob: **/docker-compose.yml, **/docker-compose.yaml, **/docker-compose.*.yml
Read and parse service definitions
Detect databases from image names:
- postgres -> PostgreSQL (extract version from tag)
- mysql / mariadb -> MySQL/MariaDB
- mongo -> MongoDB
- redis -> Redis
- rabbitmq -> RabbitMQ
- elasticsearch / opensearch -> Elasticsearch/OpenSearch
- memcached -> Memcached
- minio -> MinIO (S3-compatible storage)
- localstack -> AWS services (local development)
Glob: **/Dockerfile, **/Dockerfile.*
Extract: base image, runtime version
If run_depth == "light": Skip Steps 4-7. Proceed directly to Step 8 (Score & Categorize) using findings from Steps 1-3 only.
CI/CD platform detection:
- .github/workflows/*.yml -> GitHub Actions
- .gitlab-ci.yml -> GitLab CI
- .circleci/config.yml -> CircleCI
- Jenkinsfile -> Jenkins
- .travis.yml -> Travis CI
- bitbucket-pipelines.yml -> Bitbucket Pipelines
- azure-pipelines.yml -> Azure DevOps
For each CI/CD pipeline found, check:
Secrets boundaries:
- `secrets.` in workflow files — detect env vars referencing secrets
Runner trust:
- `runs-on: self-hosted` — flag with security note
Permissions:
- `permissions:` blocks in job specs
- `permissions: write-all` or overly broad permissions
Action pinning:
- Actions referenced at `@main`/`@latest` (risky)
Provenance / Supply chain:
- .cyclonedx.json, *.sbom.json, SBOM presence
Testing:
- jest.config.*, vitest.config.* -> JS test runners
- pytest.ini, conftest.py, pyproject.toml (check [tool.pytest]) -> Python testing
- playwright.config.* -> Playwright E2E
- cypress.json, cypress.config.*, cypress/ -> Cypress E2E
- .storybook/ -> Storybook component testing
Linting and formatting:
- .eslintrc.*, eslint.config.* -> ESLint
- .prettierrc.*, prettier.config.* -> Prettier
- biome.json, biome.jsonc -> Biome
- ruff.toml, pyproject.toml (check [tool.ruff]) -> Ruff
- .flake8, setup.cfg (check [flake8]) -> Flake8
- mypy.ini, pyproject.toml (check [tool.mypy]) -> mypy
- .editorconfig -> EditorConfig
Repository hosting and governance:
- git remote -v -> Extract platform (github.com, gitlab.com, bitbucket.org) and org/repo
- .github/CODEOWNERS -> Code ownership
- .github/PULL_REQUEST_TEMPLATE* -> PR templates
- .gitlab/merge_request_templates/ -> MR templates
- renovate.json, renovate.json5, .renovaterc -> Renovate
- .github/dependabot.yml -> Dependabot
Monorepo tooling:
- pnpm-workspace.yaml -> pnpm workspaces
- lerna.json -> Lerna
- nx.json -> Nx
- turbo.json -> Turborepo
- package.json files at different depths -> generic monorepo
Infrastructure and deployment:
- **/terraform/**/*.tf, **/*.tf -> Terraform (check provider blocks for AWS/GCP/Azure)
- serverless.yml, serverless.ts -> Serverless Framework
- vercel.json, .vercel/ -> Vercel
- netlify.toml -> Netlify
- fly.toml -> Fly.io
- render.yaml -> Render
- Procfile -> Heroku
- app.yaml, app.yml -> Google App Engine
- amplify.yml -> AWS Amplify
- k8s/**, kubernetes/**, kustomization.yaml -> Kubernetes
- helm/**, Chart.yaml -> Helm charts
Observability:
- Config and keyword scan: datadog, sentry, newrelic, grafana, prometheus
- Dependencies: @sentry/, dd-trace, newrelic, prom-client
Use Glob to map the directory structure:
- src/, lib/, app/, packages/, services/
- config/, settings/
- dist/, build/, .next/, __pycache__/
- docs/, wiki/
- tests/, test/, __tests__/, spec/
For each detection, assign a confidence score using the 4-level system:
Reference: See ${CLAUDE_PLUGIN_ROOT}/docs/extending/detect-dev-reference.md section "Confidence Scoring Examples" for the confidence-source mapping table, inclusion threshold (>= Uncertain/0.20), and OpenSSF overall_score formula.
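The four pipeline checks from the CI/CD step (secrets boundaries, runner trust, permissions, action pinning) run over a GitHub Actions workflow, as an added example that is not the jaan-to plugin's own code. It uses regular expressions over the raw workflow text, which is what the skill's Grep-style scan patterns amount to; it does not parse YAML. The sample workflow is constructed, the finding dict shape and the "risk" labels are this example's own naming rather than the reference document's evidence format, and the distinction between a floating ref, a tag and a full commit SHA goes beyond the skill text, which only names `@main`/`@latest` as risky.

```python
"""GitHub Actions scan-pattern checks (added example, not the plugin's code)."""
import re
from typing import Dict, List

# Constructed sample workflow (not from a real repository). It deliberately
# pairs one bad pattern of each kind with one acceptable one.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions: write-all
jobs:
  build:
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@main
      - uses: actions/setup-node@v4
      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
  deploy:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - run: ./deploy.sh
        env:
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@#]+)@([^\s#]+)", re.M)
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
RUNS_ON_RE = re.compile(r"^\s*runs-on:\s*(.+?)\s*$", re.M)
PERMS_RE = re.compile(r"^\s*permissions:\s*(.*?)\s*$", re.M)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
FLOATING_REFS = {"main", "master", "latest"}


def audit_workflow(text: str) -> List[Dict[str, str]]:
    """Return one finding per matched pattern: {"check", "detail", "risk"}."""
    findings: List[Dict[str, str]] = []

    # Secrets boundaries: every secret the workflow can read.
    for name in sorted(set(SECRET_RE.findall(text))):
        findings.append({"check": "secrets", "detail": name, "risk": "info"})

    # Runner trust: self-hosted runners execute workflow code on your own hosts.
    for runner in RUNS_ON_RE.findall(text):
        if "self-hosted" in runner:
            findings.append({"check": "runner", "detail": runner, "risk": "review"})

    # Permissions: record every block, flag write-all.
    for value in PERMS_RE.findall(text):
        if "write-all" in value:
            findings.append({"check": "permissions", "detail": "write-all", "risk": "high"})
        else:
            findings.append({"check": "permissions",
                             "detail": value or "scoped block", "risk": "info"})

    # Action pinning: @main/@latest moves silently; a tag can be re-pointed;
    # only a full commit SHA is immutable.
    for action, ref in USES_RE.findall(text):
        if ref in FLOATING_REFS:
            risk = "high"
        elif FULL_SHA_RE.fullmatch(ref):
            risk = "ok"
        else:
            risk = "medium"
        findings.append({"check": "pinning", "detail": f"{action}@{ref}", "risk": risk})

    return findings


def risk_counts(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Tally findings by risk label for the summary line."""
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[finding["risk"]] = counts.get(finding["risk"], 0) + 1
    return counts
```

Each finding carries the matched text so it can be placed into the evidence block with a `location.uri` pointing at the workflow file; the regex approach is deliberately permissive (it will also match commented-out lines), so a "high" hit still needs the surrounding lines quoted before it is rated Confirmed.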
If run_depth == "light":
Reference: See ${CLAUDE_PLUGIN_ROOT}/docs/extending/detect-dev-reference.md section "Detection Summary Format (Light Mode)" for the display template.
Prompt user: "Proceed with writing summary to $JAAN_OUTPUTS_DIR/detect/dev/? [y/n]"
If run_depth == "full":
Reference: See ${CLAUDE_PLUGIN_ROOT}/docs/extending/detect-dev-reference.md section "Detection Summary Format (Full Mode)" for the display template.
Prompt user: "Proceed with writing 9 output files to $JAAN_OUTPUTS_DIR/detect/dev/? [y/n]"
Do NOT proceed to Phase 2 without explicit approval.
Create directory $JAAN_OUTPUTS_DIR/detect/dev/ if it does not exist.
Platform-specific output path logic:
```python
# Determine filename suffix
if current_platform == 'all' or current_platform is None:  # Single-platform
    suffix = ""  # No suffix
else:  # Multi-platform
    suffix = f"-{current_platform}"  # e.g., "-web", "-backend"
```
- If run_depth == "full": Delete any existing summary{suffix}.md in the output directory (stale light-mode output).
- If run_depth == "light": Do NOT delete existing full-mode files (they may be from a previous --full run).
If run_depth == "light": Write Single Summary File
Write one file: $JAAN_OUTPUTS_DIR/detect/dev/summary{suffix}.md
Contents:
- Frontmatter with platform field, findings_summary, and overall_score
- A note recommending --full "for complete engineering audit including CI/CD, security, infrastructure, observability, and risk assessment."
If run_depth == "full": Write 9 Output Files
For each of the 9 output files, use the template from $JAAN_TEMPLATES_DIR/jaan-to-detect-dev.template.md and fill with findings:
| File | Content |
|---|---|
| $JAAN_OUTPUTS_DIR/detect/dev/stack{suffix}.md | Tech stack with version evidence |
| $JAAN_OUTPUTS_DIR/detect/dev/architecture{suffix}.md | Architecture patterns and data flow |
| $JAAN_OUTPUTS_DIR/detect/dev/standards{suffix}.md | Coding standards and conventions |
| $JAAN_OUTPUTS_DIR/detect/dev/testing{suffix}.md | Test coverage and strategy |
| $JAAN_OUTPUTS_DIR/detect/dev/cicd{suffix}.md | CI/CD pipelines and security |
| $JAAN_OUTPUTS_DIR/detect/dev/deployment{suffix}.md | Deployment patterns |
| $JAAN_OUTPUTS_DIR/detect/dev/security{suffix}.md | Security posture and findings (OWASP mapping) |
| $JAAN_OUTPUTS_DIR/detect/dev/observability{suffix}.md | Logging, metrics, tracing |
| $JAAN_OUTPUTS_DIR/detect/dev/risks{suffix}.md | Technical risks and debt |
Note: {suffix} is empty for single-platform mode, or -{platform} for multi-platform mode.
Each file MUST include:
- Frontmatter with platform field and findings_summary/overall_score
Reference: See ${CLAUDE_PLUGIN_ROOT}/docs/extending/seed-reconciliation-reference.md for comparison rules, discrepancy format, and auto-update protocol.
- Reconcile the detected stack against $JAAN_CONTEXT_DIR/tech.md; confirm any update with [y/n]
- Suggest /jaan-to:learn-add commands for patterns worth documenting
Write audit state to $JAAN_OUTPUTS_DIR/detect/dev/.audit-state.yaml:
```yaml
last_audit:
  timestamp: "{ISO 8601 UTC}"
  commit: "{git HEAD short hash}"
  branch: "{current branch name}"
  mode: "{light|full}"
  incremental: {true|false}
  platforms: ["{platform_name}"]
  findings_count:
    critical: 0
    high: 0
    medium: 0
    low: 0
    informational: 0
  overall_score: 0.0
  files_written: ["summary.md"]
```
This file enables --incremental mode on subsequent runs.
Reference: See ${CLAUDE_PLUGIN_ROOT}/docs/extending/detect-dev-reference.md section "Quality Check & Definition of Done" for the complete checklists (light mode and full mode).
"Any feedback on the engineering audit? Anything missed or incorrect? [y/n]"
If yes:
- Run /jaan-to:learn-add detect-dev "{feedback}" (context: fork)
Report the output location ($JAAN_OUTPUTS_DIR path): $JAAN_OUTPUTS_DIR/detect/dev/