From rune
Comprehensive project audit — security, dependencies, code quality, architecture, performance, infra, docs, and mesh analytics. Delegates to specialist skills and generates an 8-dimension health score.
How this skill is triggered — by the user, by Claude, or both
Slash command
/rune:auditThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Comprehensive project health audit across 8 dimensions (7 project + 1 mesh analytics). Delegates security scanning to `sentinel`, dependency analysis to `dependency-doctor`, and code complexity to `autopsy`, then directly audits architecture, performance, infrastructure, and documentation. Applies framework-specific checks (React/Next.js, Node.js, Python, Go, Rust, React Native/Flutter) based o...
Comprehensive project health audit across 8 dimensions (7 project + 1 mesh analytics). Delegates security scanning to sentinel, dependency analysis to dependency-doctor, and code complexity to autopsy, then directly audits architecture, performance, infrastructure, and documentation. Applies framework-specific checks (React/Next.js, Node.js, Python, Go, Rust, React Native/Flutter) based on detected stack. Produces a consolidated health score and prioritized action plan saved to AUDIT-REPORT.md.
/rune audit — manual invocationscout (L2): Phase 0 — project structure and stack discoverydependency-doctor (L3): Phase 1 — vulnerability scan and outdated dependency checksentinel (L2): Phase 2 — security audit (OWASP Top 10, secrets, config)autopsy (L2): Phase 3 — code quality and complexity assessmentperf (L2): Phase 4 — performance regression checkdb (L2): Phase 5 — database health dimension (schema, migrations, indexes)journal (L3): record audit date, overall score, and verdictconstraint-check (L3): audit HARD-GATE compliance across project skillssast (L3): Phase 2 — deep static analysis (Semgrep, Bandit, ESLint security rules)retro (L2): Phase 6 — engineering velocity and health dimension (rune:retro)cook (L1): pre-implementation audit gatelaunch (L1): pre-launch health check/rune audit direct invocationCall rune:scout for a full project map. Then use Read on:
README.md, CLAUDE.md, CONTRIBUTING.md, .editorconfig (if they exist)Determine:
API/backend | frontend/SPA | fullstack | CLI tool | library | mobile | infra/IaCOutput before proceeding: Brief project profile, stack summary, and which Framework-Specific Checks will be applied.
For each critical module (entry points, auth, data layer, core business logic):
Why: Without this phase, the auditor pattern-matches against known vulnerability lists and hallucinates findings that don't exist in THIS specific codebase. The invariants + assumptions ground all later analysis in reality.
Delegate to dependency-doctor. The dependency-doctor report covers:
Pass the full dependency-doctor report through to the final audit.
Delegate to sentinel. Request a full security scan covering:
*, missing HTTP security headers).gitignore coverage of sensitive filesPass the full sentinel report through to the final audit.
Delegate to autopsy for codebase health (complexity, coupling, hotspots, dead code, health score per module).
In addition, use Grep to find supplementary issues autopsy may not cover:
# console.log in production code
grep -r "console\.log" src/ --include="*.ts" --include="*.js" -l
# TypeScript any types
grep -r ": any" src/ --include="*.ts" -n
# Empty catch blocks
grep -rn "catch.*{" src/ --include="*.ts" --include="*.js" -A 1 | grep -E "^\s*}"
# Python print() in production
grep -r "^print(" . --include="*.py" -l
# Rust .unwrap() outside tests
grep -rn "\.unwrap()" src/ --include="*.rs"
Merge autopsy report + supplementary findings.
Use Read and Grep to evaluate structural health directly.
4.1 Project Structure
4.2 Design Patterns & Principles
// BAD — route handler directly coupled to database
app.get('/users/:id', async (req, res) => {
const user = await db.query('SELECT * FROM users WHERE id = $1', [req.params.id]);
res.json(user);
});
// GOOD — layered architecture
app.get('/users/:id', async (req, res) => {
const user = await userService.getUser(req.params.id);
res.json(user);
});
4.3 API Design (if applicable)
4.4 Database Patterns (if applicable)
// BAD — N+1
const users = await db.query('SELECT * FROM users');
for (const user of users) {
user.posts = await db.query('SELECT * FROM posts WHERE user_id = $1', [user.id]);
}
// GOOD — single JOIN
const usersWithPosts = await db.query(`
SELECT u.*, json_agg(p.*) as posts
FROM users u LEFT JOIN posts p ON p.user_id = u.id
GROUP BY u.id
`);
LIMIT on user-facing queries4.5 State Management (frontend only)
5.1 Build & Bundle (frontend)
// BAD — imports entire library
import _ from 'lodash';
// GOOD — tree-shakeable import
import get from 'lodash/get';
5.2 Runtime Performance
// BAD — regex compiled on every call
function validate(input: string) {
return /^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/.test(input);
}
// GOOD — compile once at module level
const EMAIL_REGEX = /^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/;
function validate(input: string) { return EMAIL_REGEX.test(input); }
5.3 Database & I/O
LIMIT on user-facing endpoints)// BAD — sequential when independent
const users = await fetchUsers();
const products = await fetchProducts();
// GOOD — parallel
const [users, products] = await Promise.all([fetchUsers(), fetchProducts()]);
Use Glob and Read to check:
6.1 CI/CD Pipeline
.github/workflows/, .gitlab-ci.yml, .circleci/, Jenkinsfile)6.2 Environment Configuration
.env.example exists with placeholder values (not real secrets)// BAD — silently undefined
const port = process.env.PORT;
// GOOD — validate at startup
const port = process.env.PORT;
if (!port) throw new Error('PORT environment variable is required');
6.3 Containerization (if applicable)
.dockerignore covers node_modules, .git, .env6.4 Logging & Monitoring
console.log)/health, /ready)Use Glob and Read to check:
7.1 Project Documentation
7.2 Code Documentation
CHANGELOG.md maintainedLICENSE file presentApply only if the framework was detected in Phase 0. Skip entirely if not relevant.
React / Next.js (detect: react or next in package.json)
useEffect with missing dependencies (stale closures)Node.js / Express / Fastify (detect: express, fastify, koa, @nestjs/core)
SELECT * without paginationPython (Django / Flask / FastAPI) (detect: django, flask, fastapi in requirements)
permission_classes, DEBUG=True in production, missing CSRF middlewareapp.run(debug=True) without environment checkdef func(items=[]))Go (detect: go.mod)
file, _ := os.Open(filename))defer for resource cleanup (files, locks, connections)Rust (detect: Cargo.toml)
.unwrap() / .expect() in non-test production code (use ? operator)unsafe blocks without safety commentsMobile (React Native / Flutter) (detect: react-native in package.json or pubspec.yaml)
keyExtractor or getItemLayoutReact.memo on list item componentsconst constructors, missing dispose() for controllers and streamsGoal: Surface insights about skill usage, chain patterns, and mesh health from accumulated metrics.
Data source: .rune/metrics/ directory (populated by hooks automatically).
.rune/metrics/ exists. If not, emit INFO: "No metrics data yet — run a few cook sessions first.".rune/metrics/skills.json — extract per-skill invocation counts, last used dates.rune/metrics/sessions.jsonl — extract session count, avg duration, avg tool calls.rune/metrics/chains.jsonl — extract most common skill chains.rune/metrics/routing-overrides.json (if exists) — list active routing overridesCompute and report:
Propose routing overrides: If patterns suggest inefficiency (e.g., debug consistently called 3+ times in a chain for the same session), propose a new routing override for user approval.
Output as a section in the final audit report:
### Mesh Analytics
| Skill | Invocations | Last Used | Chains Containing |
|-------|-------------|-----------|-------------------|
| cook | 47 | 2026-02-28| 34 |
| scout | 89 | 2026-02-28| 42 |
| ... | ... | ... | ... |
**Common Chains**:
1. cook → scout → plan → test → fix → quality → verify (34x)
2. debug → scout → fix → verification (12x)
**Session Stats**: 23 sessions, avg 35min, avg 52 tool calls
**Unused Skills**: [list or "none"]
**Routing Overrides**: [count] active
Shortcut: /rune metrics invokes ONLY this phase, not the full 7-phase audit.
After all phases complete:
Use Write to save AUDIT-REPORT.md to the project root with the full findings from all phases.
Call rune:journal to record: audit date, overall health score, verdict, and CRITICAL count.
Each dimension score feeds into a weighted composite formula that produces a single comparable health score. Use this formula to compute Overall Health — not a simple average.
Overall = (Security × 0.25) + (Code Quality × 0.20) + (Architecture × 0.15)
+ (Dependencies × 0.15) + (Performance × 0.10) + (Infrastructure × 0.08)
+ (Documentation × 0.07)
Mesh Analytics (Phase 8) is advisory — it contributes 0 to the weighted score but informs the verdict narrative.
| Score Range | Grade | Verdict | Action |
|---|---|---|---|
| 90–100 | Excellent | PASS | Routine audit in 3 months |
| 75–89 | Good | PASS | Address MEDIUM items next sprint |
| 60–74 | Fair | WARNING | Fix HIGH items within 2 weeks |
| 40–59 | Poor | FAIL | Fix CRITICAL + HIGH within 1 week |
| 0–39 | Critical | FAIL | Emergency response — CRITICAL items block all new work |
Security issues cause exponential blast — a 3/10 security score with all other dimensions at 9/10 = overall 72 (Fair), not 8.1 (Good). The formula ensures security and code quality dominate the verdict. Comparable across runs: if Overall moves from 68 → 74 after fixes, the project measurably improved.
CRITICAL — Must fix immediately. Security vulnerabilities, data loss, broken builds.
HIGH — Should fix soon. Performance bottlenecks, CVEs, major code smells.
MEDIUM — Plan to fix. Code duplication, missing tests, outdated deps.
LOW — Nice to have. Style inconsistencies, minor refactors, doc gaps.
INFO — Observation only. Architecture notes, tech debt acknowledgment.
Apply confidence filtering: only report findings with >80% confidence. Consolidate similar issues (e.g., "12 functions missing error handling in src/services/" — not 12 separate findings). Adapt judgment to project type (a console.log in a CLI tool is fine; in a production API handler, it's not).
## Audit Report: [Project Name]
- **Verdict**: PASS | WARNING | FAIL
- **Overall Health**: [score]/10
- **Total Findings**: [n] (CRITICAL: [n], HIGH: [n], MEDIUM: [n], LOW: [n])
- **Framework Checks Applied**: [list]
### Health Score
| Dimension | Score | Notes |
|----------------|:--------:|--------------------|
| Security | ?/10 | [brief note] |
| Code Quality | ?/10 | [brief note] |
| Architecture | ?/10 | [brief note] |
| Performance | ?/10 | [brief note] |
| Dependencies | ?/10 | [brief note] |
| Infrastructure | ?/10 | [brief note] |
| Documentation | ?/10 | [brief note] |
| Mesh Analytics | ?/10 | [brief note] |
| **Overall** | **?/10** | **[verdict]** |
### Phase Breakdown
| Phase | Issues |
|----------------|--------|
| Dependencies | [n] |
| Security | [n] |
| Code Quality | [n] |
| Architecture | [n] |
| Performance | [n] |
| Infrastructure | [n] |
| Documentation | [n] |
| Mesh Analytics | [n] |
### Composite Score
- **Formula**: (Security×0.25) + (Code Quality×0.20) + (Architecture×0.15) + (Dependencies×0.15) + (Performance×0.10) + (Infrastructure×0.08) + (Documentation×0.07)
- **Weighted Score**: [computed value] → Grade: [Excellent/Good/Fair/Poor/Critical]
### Top Priority Actions
1. [action] — [file:line] — [why it matters]
### Positive Findings
- [at least 3 things the project does well]
### Follow-up Timeline
- FAIL → re-audit in 1-2 weeks after CRITICAL fixes
- WARNING → re-audit in 1 month
- PASS → routine audit in 3 months
Report saved to: AUDIT-REPORT.md
| Gate | Requires | If Missing |
|---|---|---|
| Discovery Gate | Phase 0 project profile completed before Phase 1 | Run scout and read config files first |
| Security Gate | sentinel report received before assembling final report | Invoke rune:sentinel — do not skip |
| Deps Gate | dependency-doctor report received before assembling final report | Invoke rune:dependency-doctor — do not skip |
| Report Gate | All 8 phases completed before writing AUDIT-REPORT.md | Complete all phases, note skipped ones |
| Artifact | Format | Location |
|---|---|---|
| Audit report | Markdown | AUDIT-REPORT.md (project root) |
| 8-dimension health score | Markdown table | AUDIT-REPORT.md + inline |
| Weighted composite score + grade | Markdown | inline + AUDIT-REPORT.md |
| Mesh analytics section | Markdown table | inline + AUDIT-REPORT.md |
| Journal entry | Text | .rune/adr/ (via rune:journal) |
| Failure Mode | Severity | Mitigation |
|---|---|---|
| Generating health scores from file name patterns instead of actual reads | CRITICAL | Phase 0 scout run is mandatory — never score without reading actual code |
| Skipping a phase because "there are no changes in that area" | HIGH | All 7 phases run for every audit — partial audits produce misleading scores |
| Health score inflation — no negative findings in any dimension | MEDIUM | CONSTRAINT: minimum 3 positive AND 3 improvement areas required |
| Dependency-doctor or sentinel sub-call times out → skipped silently | MEDIUM | Mark phase as "incomplete — tool timeout" with N/A score, do not fabricate |
~8000-20000 tokens input, ~3000-6000 tokens output. Sonnet orchestrating; sentinel (sonnet/opus) and autopsy (opus) are the expensive sub-calls. Full audit runs 4 sub-skills. Most thorough L2 skill — run on demand, not on every cycle.
npx claudepluginhub tquoc229/runeGuides completion of development work by verifying tests, detecting environment, and presenting structured options for merge, PR, or cleanup.
Enforces test-driven development: write failing test first, then minimal code to pass. Use when implementing features or bugfixes.
Guides creation and editing of skills using test-driven development with pressure scenarios and subagents to verify agent compliance.
2plugins reuse this skill
First indexed Jul 13, 2026