Comprehensive project health audit across 8 dimensions (7 project + 1 mesh analytics). Delegates security scanning to sentinel, dependency analysis to dependency-doctor, and code complexity to autopsy, then directly audits architecture, performance, infrastructure, and documentation. Applies framework-specific checks (React/Next.js, Node.js, Python, Go, Rust, React Native/Flutter) based on detected stack. Produces a consolidated health score and prioritized action plan saved to AUDIT-REPORT.md.
- `/rune audit` — full 8-dimension project health audit
- `/rune audit dx` — DX Review Mode (Addy Osmani 8 principles, see below)
- scout (L2): Phase 0 — project structure and stack discovery
- dependency-doctor (L3): Phase 1 — vulnerability scan and outdated dependency check
- sentinel (L2): Phase 2 — security audit (OWASP Top 10, secrets, config)
- autopsy (L2): Phase 3 — code quality and complexity assessment
- improve-architecture (L2): Phase 3.5 — architecture sub-score (depth / leverage / locality across top modules)
- perf (L2): Phase 4 — performance regression check
- db (L2): Phase 5 — database health dimension (schema, migrations, indexes)
- journal (L3): record audit date, overall score, and verdict
- constraint-check (L3): audit HARD-GATE compliance across project skills
- sast (L3): Phase 2 — deep static analysis (Semgrep, Bandit, ESLint security rules)
- retro (L2): Phase 6 — engineering velocity and health dimension (rune:retro)
- browser-pilot (L3): DX Review Mode — real browser testing of docs, setup guides, error pages
- cook (L1): pre-implementation audit gate
- launch (L1): pre-launch health check
- `/rune audit` direct invocation

Call rune:scout for a full project map. Then use Read on:
- README.md, CLAUDE.md, CONTRIBUTING.md, .editorconfig (if they exist)

Determine:
- API/backend | frontend/SPA | fullstack | CLI tool | library | mobile | infra/IaC

Output before proceeding: a brief project profile, stack summary, and which Framework-Specific Checks will be applied.
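For illustration, a minimal sketch of the detection step — the real signal comes from scout's project map; the marker files and dependency names below are common cases, not an exhaustive list, and the helper name is hypothetical:

```ts
import { existsSync, readFileSync } from 'node:fs';

type Stack = 'react' | 'next' | 'node-api' | 'python' | 'go' | 'rust' | 'unknown';

// Sketch only: prefer scout's project map over this heuristic in real runs.
function detectStack(root = '.'): Stack[] {
  const found: Stack[] = [];
  if (existsSync(`${root}/package.json`)) {
    const pkg = JSON.parse(readFileSync(`${root}/package.json`, 'utf8'));
    const deps = { ...pkg.dependencies, ...pkg.devDependencies };
    if (deps.next) found.push('next');
    if (deps.react) found.push('react');
    if (deps.express || deps.fastify || deps.koa || deps['@nestjs/core']) found.push('node-api');
  }
  if (existsSync(`${root}/go.mod`)) found.push('go');
  if (existsSync(`${root}/Cargo.toml`)) found.push('rust');
  if (existsSync(`${root}/requirements.txt`) || existsSync(`${root}/pyproject.toml`)) found.push('python');
  return found.length ? found : ['unknown'];
}
```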
For each critical module (entry points, auth, data layer, core business logic):
Why: Without this phase, the auditor pattern-matches against known vulnerability lists and hallucinates findings that don't exist in THIS specific codebase. The invariants + assumptions ground all later analysis in reality.
Delegate to dependency-doctor. The dependency-doctor report covers:
Pass the full dependency-doctor report through to the final audit.
Delegate to sentinel. Request a full security scan covering:
- Permissive CORS (`*` origins) and missing HTTP security headers
- .gitignore coverage of sensitive files

Pass the full sentinel report through to the final audit.
Delegate to autopsy for codebase health (complexity, coupling, hotspots, dead code, health score per module).
In addition, use Grep to find supplementary issues autopsy may not cover:
```bash
# console.log in production code
grep -r "console\.log" src/ --include="*.ts" --include="*.js" -l

# TypeScript any types
grep -r ": any" src/ --include="*.ts" -n

# Empty catch blocks (the -A context lines carry a "file-line-" prefix,
# so the second grep matches that prefix rather than anchoring at line start)
grep -rn "catch.*{" src/ --include="*.ts" --include="*.js" -A 1 | grep -E "[0-9]+-\s*\}\s*$"

# Python print() in production
grep -r "^print(" . --include="*.py" -l

# Rust .unwrap() outside tests
grep -rn "\.unwrap()" src/ --include="*.rs"
```
Merge autopsy report + supplementary findings.
Use Read and Grep to evaluate structural health directly.
4.1 Project Structure
4.2 Design Patterns & Principles
```js
// BAD — route handler directly coupled to database
app.get('/users/:id', async (req, res) => {
  const user = await db.query('SELECT * FROM users WHERE id = $1', [req.params.id]);
  res.json(user);
});

// GOOD — layered architecture
app.get('/users/:id', async (req, res) => {
  const user = await userService.getUser(req.params.id);
  res.json(user);
});
```
4.3 API Design (if applicable)
4.4 Database Patterns (if applicable)
```js
// BAD — N+1
const users = await db.query('SELECT * FROM users');
for (const user of users) {
  user.posts = await db.query('SELECT * FROM posts WHERE user_id = $1', [user.id]);
}

// GOOD — single JOIN
const usersWithPosts = await db.query(`
  SELECT u.*, json_agg(p.*) as posts
  FROM users u LEFT JOIN posts p ON p.user_id = u.id
  GROUP BY u.id
`);
```
- LIMIT on user-facing queries

4.5 State Management (frontend only)
5.1 Build & Bundle (frontend)
```js
// BAD — imports entire library
import _ from 'lodash';

// GOOD — tree-shakeable import
import get from 'lodash/get';
```
5.2 Runtime Performance
```ts
// BAD — regex compiled on every call
function validate(input: string) {
  return /^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/.test(input);
}

// GOOD — compile once at module level
const EMAIL_REGEX = /^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/;
function validate(input: string) { return EMAIL_REGEX.test(input); }
```
5.3 Database & I/O
- LIMIT on user-facing endpoints

```js
// BAD — sequential when independent
const users = await fetchUsers();
const products = await fetchProducts();

// GOOD — parallel
const [users, products] = await Promise.all([fetchUsers(), fetchProducts()]);
```
Use Glob and Read to check:
6.1 CI/CD Pipeline
- Pipeline config present (.github/workflows/, .gitlab-ci.yml, .circleci/, Jenkinsfile)

6.2 Environment Configuration
- .env.example exists with placeholder values (not real secrets)

```js
// BAD — silently undefined
const port = process.env.PORT;

// GOOD — validate at startup
const port = process.env.PORT;
if (!port) throw new Error('PORT environment variable is required');
```
6.3 Containerization (if applicable)
- .dockerignore covers node_modules, .git, .env

6.4 Logging & Monitoring
- No raw console.log in production (use a structured logger)
- Health endpoints exposed (/health, /ready)

Use Glob and Read to check:
7.1 Project Documentation
7.2 Code Documentation
- CHANGELOG.md maintained
- LICENSE file present

Apply only if the framework was detected in Phase 0. Skip entirely if not relevant.
React / Next.js (detect: react or next in package.json)
- useEffect with missing dependencies (stale closures) — see the sketch below
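An illustrative sketch of the stale-closure pattern to flag (not code from the skill itself; the component is hypothetical):

```tsx
import { useEffect, useState } from 'react';

function Ticker() {
  const [count, setCount] = useState(0);

  // BAD — `count` is captured once; the interval logs a stale value forever
  useEffect(() => {
    const id = setInterval(() => console.log(count), 1000);
    return () => clearInterval(id);
  }, []); // `count` missing from the dependency array

  // GOOD — declare the dependency so the effect re-binds when `count` changes
  useEffect(() => {
    const id = setInterval(() => console.log(count), 1000);
    return () => clearInterval(id);
  }, [count]);

  return <button onClick={() => setCount((c) => c + 1)}>{count}</button>;
}
```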
Node.js / Express / Fastify (detect: express, fastify, koa, @nestjs/core)
- SELECT * without pagination

Python (Django / Flask / FastAPI) (detect: django, flask, fastapi in requirements)
- Missing permission_classes, DEBUG=True in production, missing CSRF middleware
- app.run(debug=True) without environment check
- Mutable default arguments (def func(items=[]))

Go (detect: go.mod)
- Ignored error returns (file, _ := os.Open(filename))
- Missing defer for resource cleanup (files, locks, connections)

Rust (detect: Cargo.toml)
- .unwrap() / .expect() in non-test production code (use the ? operator)
- unsafe blocks without safety comments

Mobile (React Native / Flutter) (detect: react-native in package.json or pubspec.yaml)
- FlatList without keyExtractor or getItemLayout
- Missing React.memo on list item components
- Flutter: missing const constructors, missing dispose() for controllers and streams

Goal: Surface insights about skill usage, chain patterns, and mesh health from accumulated metrics.
Data source: .rune/metrics/ directory (populated by hooks automatically).
- Check that .rune/metrics/ exists. If not, emit INFO: "No metrics data yet — run a few cook sessions first."
- .rune/metrics/skills.json — extract per-skill invocation counts, last used dates
- .rune/metrics/sessions.jsonl — extract session count, avg duration, avg tool calls
- .rune/metrics/chains.jsonl — extract most common skill chains
- .rune/metrics/routing-overrides.json (if exists) — list active routing overrides

Compute and report:
Propose routing overrides: If patterns suggest inefficiency (e.g., debug consistently called 3+ times in a chain for the same session), propose a new routing override for user approval.
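A minimal sketch of the chain-frequency computation behind these reports — the JSONL record shape here is an assumption for illustration; the real schema is whatever rune's hooks write:

```ts
import { readFileSync } from 'node:fs';

// Assumed record shape — illustration only.
type ChainRecord = { chain: string[] };

function topChains(path = '.rune/metrics/chains.jsonl', n = 5): [string, number][] {
  const counts = new Map<string, number>();
  for (const line of readFileSync(path, 'utf8').split('\n').filter(Boolean)) {
    const { chain }: ChainRecord = JSON.parse(line);
    const key = chain.join(' → ');
    counts.set(key, (counts.get(key) ?? 0) + 1);
  }
  // Sort descending by frequency, keep the top n
  return [...counts.entries()].sort((a, b) => b[1] - a[1]).slice(0, n);
}
```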
Output as a section in the final audit report:
### Mesh Analytics
| Skill | Invocations | Last Used | Chains Containing |
|-------|-------------|-----------|-------------------|
| cook | 47 | 2026-02-28 | 34 |
| scout | 89 | 2026-02-28 | 42 |
| ... | ... | ... | ... |
**Common Chains**:
1. cook → scout → plan → test → fix → quality → verify (34x)
2. debug → scout → fix → verification (12x)
**Session Stats**: 23 sessions, avg 35min, avg 52 tool calls
**Unused Skills**: [list or "none"]
**Routing Overrides**: [count] active
Shortcut: /rune metrics invokes ONLY this phase, not the full 7-phase audit.
Triggered by /rune audit dx. Evaluates developer experience — how easy it is for a new contributor to understand, set up, use, and recover from mistakes in this project. Inspired by Addy Osmani's DX framework.
Measure: How many steps from git clone to running the project?
1. Read README.md — extract setup instructions
2. Count discrete steps (clone, install, config, build, run)
3. Check: are ALL commands copy-pasteable? (no placeholders without explanation)
4. Check: does `npm start` / `python main.py` / equivalent work immediately after install?
5. If browser-pilot available: attempt to follow the README steps literally
| Steps to Run | Score | Verdict |
|---|---|---|
| 1-2 commands | 10/10 | Excellent — "clone and go" |
| 3-4 commands | 7/10 | Good — reasonable setup |
| 5-7 commands | 4/10 | Fair — friction will lose contributors |
| 8+ commands | 2/10 | Poor — significant onboarding barrier |
| Cannot run from README | 0/10 | Broken — README is lying or incomplete |
Check for common setup traps:
- Missing .env.example → new dev has no idea what env vars are needed
- No pinned Node version (.nvmrc or engines field)
- No pinned Python version (python-version in pyproject.toml)
- No --help or usage message when running CLI with no args

Score: count friction points. 0 = 10/10, 1-2 = 7/10, 3-4 = 4/10, 5+ = 2/10.
Sample 5 error paths in the codebase (auth failure, invalid input, missing config, network error, permission denied). For each:
| Quality | Score |
|---|---|
| All 3 (what + why + how) | 10/10 |
| What + why, no how | 6/10 |
| What only | 3/10 |
| Generic errors | 1/10 |
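For calibration, a hedged example of the scale's endpoints — the DATABASE_URL scenario is hypothetical, not from any audited project:

```ts
// BAD — "what" only (3/10): names the failure, gives no cause or fix
throw new Error('Invalid configuration');

// GOOD — what + why + how (10/10)
throw new Error(
  'Invalid configuration: DATABASE_URL is not set. ' + // what
  'The server cannot open a database connection without it. ' + // why
  'Copy .env.example to .env, set DATABASE_URL, and restart.', // how
);
```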
If project has a CLI entry point:
1. Run `<cli> --help` — capture output
2. Check: does it list all commands with descriptions?
3. Check: does each subcommand have `--help` with examples?
4. Check: is there a quickstart example in help output?
5. Check: are flags named predictably (--verbose not --v, --output not --o)?
Score: 2 points each for: command listing, subcommand help, examples, consistent naming, error on unknown flag.
If no CLI: score as N/A (does not count toward total).
Can a developer find answers in under 60 seconds?
- Dead links (Grep for ]( patterns and spot-check 5 links)

If browser-pilot available: navigate the docs site, time how long to find "how to authenticate" and "how to deploy".
For the top 10 exported functions / API endpoints:
- Consistent error contract (all return { data, error } or all throw — not mixed) — see the sketch below

Score: consistency percentage across the 10 sampled APIs.
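A sketch of the violation being scored — all names here (`db`, `User`, the function names) are placeholders:

```ts
type User = { id: string; name: string };
type Result<T> = { data: T; error: null } | { data: null; error: string };

declare const db: { findUser(id: string): Promise<User | null> };

// BAD — sibling APIs with mixed contracts: this one throws...
async function getUserThrows(id: string): Promise<User> {
  const user = await db.findUser(id);
  if (!user) throw new Error(`user ${id} not found`);
  return user;
}

// ...while this one returns { data, error }. Callers must learn each function's shape.
async function getUserResult(id: string): Promise<Result<User>> {
  const user = await db.findUser(id);
  return user ? { data: user, error: null } : { data: null, error: `user ${id} not found` };
}

// GOOD — pick ONE contract (either style) and apply it across all sampled APIs.
```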
- Type information shipped (d.ts files, JSDoc, type stubs)
- Migrations run down, deploys have rollback, git-based workflows
- Destructive ops guarded (--force required for dangerous ops)
- Does --dry-run exist for risky operations?

## DX Review: [Project Name]
| # | Principle | Score | Key Finding |
|---|-----------|-------|-------------|
| 1 | Time to Hello World | ?/10 | [steps count + blocker if any] |
| 2 | Setup Friction | ?/10 | [friction points found] |
| 3 | Error Messages | ?/10 | [quality level + worst example] |
| 4 | CLI Help | ?/10 | [coverage + gaps] |
| 5 | Doc Navigation | ?/10 | [findability + dead links] |
| 6 | API Consistency | ?/10 | [consistency % + violations] |
| 7 | Progressive Disclosure | ?/10 | [simple path exists? defaults?] |
| 8 | Recovery | ?/10 | [undo/rollback/dry-run support] |
| | **Overall DX** | **?/10** | **[verdict]** |
### Quick Wins (fix in <1 hour)
1. [specific, actionable improvement]
2. [specific, actionable improvement]
3. [specific, actionable improvement]
### Structural Improvements (plan needed)
1. [deeper change needed]
Grade thresholds: 9-10 Excellent DX, 7-8 Good DX, 5-6 Fair DX (losing contributors), 3-4 Poor DX (significant barrier), 1-2 Hostile DX.
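A sketch of the overall roll-up, assuming equal weighting across the eight principles (the spec does not define DX weights, so that is an assumption) plus the N/A rule from principle 4:

```ts
// Average the principle scores, skipping N/A entries (e.g. CLI Help when the
// project has no CLI) so they neither inflate nor drag the total.
function overallDx(scores: (number | 'N/A')[]): number {
  const counted = scores.filter((s): s is number => s !== 'N/A');
  const avg = counted.reduce((sum, s) => sum + s, 0) / counted.length;
  return Math.round(avg * 10) / 10; // one decimal, same 0-10 scale
}

// e.g. overallDx([7, 4, 6, 'N/A', 8, 9, 7, 5]) → 6.6 → Fair DX
```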
After all phases complete:
Use Write to save AUDIT-REPORT.md to the project root with the full findings from all phases.
Call rune:journal to record: audit date, overall health score, verdict, and CRITICAL count.
Each dimension score feeds into a weighted composite formula that produces a single comparable health score. Use this formula to compute Overall Health — not a simple average.
```
Overall = (Security × 0.25) + (Code Quality × 0.20) + (Architecture × 0.15)
        + (Dependencies × 0.15) + (Performance × 0.10) + (Infrastructure × 0.08)
        + (Documentation × 0.07)
```

Dimension scores are 0-10; multiply the weighted sum by 10 to place the result on the 0-100 grade scale below.
Mesh Analytics (Phase 8) is advisory — it contributes 0 to the weighted score but informs the verdict narrative.
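A direct transcription of the formula as code — the ×10 scale factor is inferred from the 0-100 grade bands below:

```ts
const WEIGHTS = {
  security: 0.25,
  codeQuality: 0.20,
  architecture: 0.15,
  dependencies: 0.15,
  performance: 0.10,
  infrastructure: 0.08,
  documentation: 0.07,
} as const; // weights sum to 1.00

// Dimension scores are 0-10; ×10 lands the result on the 0-100 grade scale.
function overallHealth(scores: Record<keyof typeof WEIGHTS, number>): number {
  let weighted = 0;
  for (const dim of Object.keys(WEIGHTS) as (keyof typeof WEIGHTS)[]) {
    weighted += scores[dim] * WEIGHTS[dim];
  }
  return Math.round(weighted * 10); // e.g. security 2, all others 9 → 72.5 → 73 (Fair)
}
```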
| Score Range | Grade | Verdict | Action |
|---|---|---|---|
| 90–100 | Excellent | PASS | Routine audit in 3 months |
| 75–89 | Good | PASS | Address MEDIUM items next sprint |
| 60–74 | Fair | WARNING | Fix HIGH items within 2 weeks |
| 40–59 | Poor | FAIL | Fix CRITICAL + HIGH within 1 week |
| 0–39 | Critical | FAIL | Emergency response — CRITICAL items block all new work |
Security issues have outsized impact — a 2/10 security score with all other dimensions at 9/10 yields a weighted 72.5 (Fair), where a simple average would report 80 (Good). The formula ensures security and code quality dominate the verdict. Comparable across runs: if Overall moves from 68 → 74 after fixes, the project measurably improved.
CRITICAL — Must fix immediately. Security vulnerabilities, data loss, broken builds.
HIGH — Should fix soon. Performance bottlenecks, CVEs, major code smells.
MEDIUM — Plan to fix. Code duplication, missing tests, outdated deps.
LOW — Nice to have. Style inconsistencies, minor refactors, doc gaps.
INFO — Observation only. Architecture notes, tech debt acknowledgment.
Apply confidence filtering: only report findings with >80% confidence. Consolidate similar issues (e.g., "12 functions missing error handling in src/services/" — not 12 separate findings). Adapt judgment to project type (a console.log in a CLI tool is fine; in a production API handler, it's not).
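A sketch of that filter-and-consolidate step — the Finding shape and the 0-1 confidence scale are assumptions for illustration:

```ts
type Finding = { rule: string; file: string; confidence: number; message: string };

function consolidate(findings: Finding[], minConfidence = 0.8): string[] {
  // 1. Drop anything below the confidence bar.
  const confident = findings.filter((f) => f.confidence > minConfidence);

  // 2. Group by rule + top-level directory so 12 repeats become one entry.
  const groups = new Map<string, Finding[]>();
  for (const f of confident) {
    const dir = f.file.split('/').slice(0, 2).join('/'); // e.g. "src/services"
    const key = `${f.rule}|${dir}`;
    groups.set(key, [...(groups.get(key) ?? []), f]);
  }

  // 3. Emit one line per group: consolidated when repeated, specific when unique.
  return [...groups.entries()].map(([key, group]) => {
    const [rule, dir] = key.split('|');
    return group.length > 1
      ? `${group.length} instances of "${rule}" in ${dir}/`
      : `"${rule}" at ${group[0].file}`;
  });
}
```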
## Audit Report: [Project Name]
- **Verdict**: PASS | WARNING | FAIL
- **Overall Health**: [score]/10
- **Total Findings**: [n] (CRITICAL: [n], HIGH: [n], MEDIUM: [n], LOW: [n])
- **Framework Checks Applied**: [list]
### Health Score
| Dimension | Score | Notes |
|----------------|:--------:|--------------------|
| Security | ?/10 | [brief note] |
| Code Quality | ?/10 | [brief note] |
| Architecture | ?/10 | [brief note] |
| Performance | ?/10 | [brief note] |
| Dependencies | ?/10 | [brief note] |
| Infrastructure | ?/10 | [brief note] |
| Documentation | ?/10 | [brief note] |
| Mesh Analytics | ?/10 | [brief note] |
| **Overall** | **?/10** | **[verdict]** |
### Phase Breakdown
| Phase | Issues |
|----------------|--------|
| Dependencies | [n] |
| Security | [n] |
| Code Quality | [n] |
| Architecture | [n] |
| Performance | [n] |
| Infrastructure | [n] |
| Documentation | [n] |
| Mesh Analytics | [n] |
### Composite Score
- **Formula**: (Security×0.25) + (Code Quality×0.20) + (Architecture×0.15) + (Dependencies×0.15) + (Performance×0.10) + (Infrastructure×0.08) + (Documentation×0.07)
- **Weighted Score**: [computed value] → Grade: [Excellent/Good/Fair/Poor/Critical]
### Top Priority Actions
1. [action] — [file:line] — [why it matters]
### Positive Findings
- [at least 3 things the project does well]
### Follow-up Timeline
- FAIL → re-audit in 1-2 weeks after CRITICAL fixes
- WARNING → re-audit in 1 month
- PASS → routine audit in 3 months
Report saved to: AUDIT-REPORT.md
| Gate | Requires | If Missing |
|---|---|---|
| Discovery Gate | Phase 0 project profile completed before Phase 1 | Run scout and read config files first |
| Security Gate | sentinel report received before assembling final report | Invoke rune:sentinel — do not skip |
| Deps Gate | dependency-doctor report received before assembling final report | Invoke rune:dependency-doctor — do not skip |
| Report Gate | All 8 phases completed before writing AUDIT-REPORT.md | Complete all phases, note skipped ones |
| Artifact | Format | Location |
|---|---|---|
| Audit report | Markdown | AUDIT-REPORT.md (project root) |
| 8-dimension health score | Markdown table | AUDIT-REPORT.md + inline |
| Weighted composite score + grade | Markdown | inline + AUDIT-REPORT.md |
| Mesh analytics section | Markdown table | inline + AUDIT-REPORT.md |
| Journal entry | Text | .rune/adr/ (via rune:journal) |
| Failure Mode | Severity | Mitigation |
|---|---|---|
| Generating health scores from file name patterns instead of actual reads | CRITICAL | Phase 0 scout run is mandatory — never score without reading actual code |
| Skipping a phase because "there are no changes in that area" | HIGH | All 7 phases run for every audit — partial audits produce misleading scores |
| Health score inflation — no negative findings in any dimension | MEDIUM | CONSTRAINT: minimum 3 positive AND 3 improvement areas required |
| Dependency-doctor or sentinel sub-call times out → skipped silently | MEDIUM | Mark phase as "incomplete — tool timeout" with N/A score, do not fabricate |
~8000-20000 tokens input, ~3000-6000 tokens output. Sonnet orchestrating; sentinel (sonnet/opus) and autopsy (opus) are the expensive sub-calls. Full audit runs 4 sub-skills. Most thorough L2 skill — run on demand, not on every cycle.