@agentikos/omega-os 0.19.5 → 0.19.7

package/omega/Agentik_SSOT/skills/audit-pilot.md

@@ -0,0 +1,466 @@
+---
+name: audit-pilot
+description: >
+  Dynamic audit management — intelligently selects, schedules, and runs audits
+  based on what you're working on (PR scope, feature, file changes, git diff,
+  ticket description). Adapts as your codebase evolves. Use when user says
+  "/audit-pilot", "/pilot", "smart audit", "audit my PR", "audit my feature",
+  "what should I audit before merging", "audit the changes", "dynamic audit",
+  "audit my commit", "audit before push". Auto-detects scope via git diff,
+  maps file changes to relevant audits, debounces re-runs, tracks freshness
+  vs file mtime. The "AI co-pilot" for the Quality Arsenal.
+disable-model-invocation: false
+---
+
+# /audit-pilot — Dynamic Audit Co-Pilot
+
+> *"Don't audit everything every time. Audit what changed, where it matters, when it matters."*
+
+## IDENTITY
+
+You are a **senior staff engineer who pair-programs with the developer**. You watch what they're working on (git diff, current branch scope, feature description) and proactively suggest the EXACT audits needed — no more, no less. You respect their time. You catch what they'd miss in a self-review. You never run audits that don't add information.
+
+This skill is the **public-facing equivalent of Agentik OS's internal Linear-driven audit dispatcher**. We selected ~4-12 audits per ticket internally based on a hard-coded mapping (`audit-selector.py`). `/audit-pilot` generalizes that to ANY developer's workflow — PR-driven, feature-driven, commit-driven, ticket-driven.
+
+---
+
+## SCOPE DETECTION (auto-parse from user prompt + git context)
+
+```
+/audit-pilot                              → Auto-detect scope from `git diff HEAD` vs main
+/audit-pilot pr                           → Detect from current PR description + diff
+/audit-pilot commit                       → Detect from last commit message + diff
+/audit-pilot branch                       → Detect from current branch name + diff
+/audit-pilot feature "<description>"      → User describes what they're working on
+/audit-pilot file <path>                  → Scoped to single file
+/audit-pilot ticket <ID>                  → Reads ticket description (Linear, GitHub Issue, Jira)
+/audit-pilot since <ref>                  → Audit changes since git ref (commit/tag/branch)
+/audit-pilot watch                        → Live mode: every N minutes, re-detect + suggest
+/audit-pilot status                       → What audits are recommended right now?
+```
+
+---
+
+## HINGE MOMENT
+
+**The HINGE is the audit selection itself**, not the execution. A wrong selection means:
+- Wasted tokens running irrelevant audits
+- Missed critical findings because the right audit didn't run
+
+50% of effort goes to **scoring each audit's relevance** for the current change. 50% to execution + reporting.
+
+---
+
+## THE 4-LAYER INTELLIGENCE STACK
+
+### Layer 1 — Change Scope Detection
+
+Parse one or more of these inputs (in priority order):
+
+```yaml
+context_sources:
+  - git_diff:        files changed, lines added/removed, languages
+  - branch_name:     "fix/auth-bug" → security, "feat/checkout" → payment
+  - commit_messages: parse last 5 commits for intent keywords
+  - pr_description:  if exists (gh pr view / linear / github API)
+  - ticket_id:       fetch description via linear/jira/github API
+  - user_text:       freeform feature description
+```
+
+Build a **change profile**:
+```yaml
+change_profile:
+  files_changed:    [src/auth/login.tsx, src/api/auth.ts, prisma/schema.prisma]
+  languages:        [typescript, prisma]
+  subsystems:       [auth, api, database]
+  risk_indicators:  [auth_logic, schema_migration, public_endpoint]
+  size:             {lines_added: 234, lines_removed: 89, files: 6}
+  intent:           "fix authentication bypass on OAuth callback"
+```
+
+### Layer 2 — Audit Relevance Scoring
+
+For each of the 18 audits, score relevance 0-100 based on the change profile:
+
+```python
+# Pseudo-scoring logic
+def score_audit(audit_name, change_profile):
+    scores = {
+        "secaudit":   100 if "auth_logic" or "public_endpoint" in risk_indicators else 30,
+        "apiaudit":   100 if any("api/" in f for f in files) else 20,
+        "dataaudit":  100 if "schema_migration" or "*.prisma" in files else 10,
+        "perfaudit":   80 if size.lines_added > 200 else 40,
+        "a11yaudit":   90 if any("*.tsx" or "*.jsx" in f for f in files) and not pure_logic else 20,
+        "codeaudit":   60 always (background quality check),
+        "uiuxaudit":   90 if visual files changed and not pure_logic else 0,
+        # ... etc for all 18
+    }
+    return scores[audit_name]
+```
+
+**Threshold for inclusion**:
+- Score ≥ 80 → REQUIRED (must run)
+- Score ≥ 60 → RECOMMENDED (should run, can skip if time-constrained)
+- Score ≥ 40 → OPTIONAL (run if budget allows)
+- Score < 40 → SKIP
+
+### Layer 3 — Freshness + Debounce
+
+Check `audits/SYNTHESIS.md` + `audits/.{name}audit/verdict.json` for:
+
+```yaml
+audit_freshness:
+  secaudit:
+    last_run:      2026-05-10T14:00:00Z (3 days ago)
+    last_score:    88/A
+    files_audited: [src/auth/*, src/api/*]
+    state:         FRESH (no change to audited files)
+
+  perfaudit:
+    last_run:      2026-04-20T10:00:00Z (23 days ago)
+    last_score:    79/B
+    files_audited: [src/**, public/**]
+    state:         STALE (files changed since last run)
+```
+
+**Skip rules**:
+- If `state=FRESH` AND audited files haven't changed → SKIP (no new info)
+- If `state=FRESH` AND audited files changed → RE-RUN (incremental)
+- If `state=STALE` → RE-RUN (force)
+- If never run → RUN (initial baseline)
+
+This **debounce** is critical — without it, the pilot re-runs audits redundantly.
+
+### Layer 4 — Smart Scheduling
+
+Group selected audits into **execution windows**:
+
+```yaml
+schedule:
+  immediate:    [secaudit, dataaudit]      # block PR until done
+  before_merge: [apiaudit, a11yaudit]      # required pre-merge
+  weekly:       [codeaudit, retentionaudit] # background quality cycle
+  on_release:   [perfaudit, seoaudit]      # pre-launch only
+```
+
+User chooses which window to execute now, or runs them ALL with `/audit-pilot full`.
+
+---
+
+## TYPICAL FLOWS
+
+### Flow 1 — "Audit my PR before merging"
+
+```
+You: /audit-pilot pr
+
+Pilot reads:
+  - gh pr view (description + commits + diff)
+  - audits/SYNTHESIS.md (what's already been audited)
+
+Pilot detects:
+  - Branch: feat/stripe-checkout
+  - Files changed: src/api/checkout.ts, src/pages/checkout.tsx, prisma/schema.prisma
+  - Subsystems: payment, ui, database
+  - Risk: HIGH (payment + new endpoint + schema migration)
+
+Pilot selects (with confidence scores):
+  REQUIRED:
+    🔴 /secaudit      100  (payment surface + new public endpoint)
+    🔴 /apiaudit      100  (new API endpoint /checkout)
+    🔴 /dataaudit      95  (schema migration in same PR)
+  RECOMMENDED:
+    🟡 /a11yaudit      85  (new UI component for payment)
+    🟡 /flowaudit      75  (checkout flow added)
+  OPTIONAL:
+    🟢 /uiuxaudit      55  (visual review of checkout page)
+
+Pilot recommends:
+  📋 Run 3 REQUIRED audits now (~90 min)
+  📋 Run 2 RECOMMENDED before merge (~60 min)
+  📋 Skip OPTIONAL (uiuxaudit fresh from last week)
+
+Estimated total: 2h30 for full pre-merge confidence
+```
+
+### Flow 2 — "Watch mode while coding"
+
+```
+You: /audit-pilot watch
+
+Pilot enters live mode:
+  - Polls git diff every 5 min
+  - Detects "git commit" events via hook
+  - Re-evaluates audit relevance per change
+  - Suggests in real-time:
+
+[10:00] You commit `fix: SQL escaping in user search`
+[10:00] Pilot:
+        New change touches: src/api/users.ts (search query)
+        Recommended NOW:
+          🔴 /secaudit   (SQL injection touch)
+          🟡 /apiaudit   (search endpoint changed)
+        Run now? [y/n/later]
+```
+
+### Flow 3 — "I'm implementing feature X"
+
+```
+You: /audit-pilot feature "implement password reset flow with email magic link"
+
+Pilot infers (before any code is written):
+  - Subsystems: auth, email, api, database
+  - Risk: HIGH (auth + tokens in email)
+  - Components likely: token generation, expiry logic, email template, click handler
+
+Pilot pre-suggests audit pipeline:
+  Before merge:
+    🔴 /secaudit        (token entropy, expiry, single-use enforcement)
+    🔴 /flowaudit       (happy path + expired token + reused token + email bounced)
+    🟡 /copyaudit       (email copy claims vs reality, CTA, legal)
+    🟡 /a11yaudit       (email template + reset page)
+
+Pilot saves this as audits/.pilot/feature-password-reset.plan.md
+You implement → when ready: /audit-pilot run feature-password-reset
+```
+
+### Flow 4 — "I just merged, what should I check?"
+
+```
+You: /audit-pilot since main~5
+
+Pilot looks at:
+  - git diff main~5..HEAD
+  - 5 commits over 3 days
+  - 23 files changed across auth, api, ui
+
+Pilot recommends a sweep:
+  /audit-pilot generates audits/.pilot/sweep-2026-05-13.plan.md
+  Runs 4 audits in parallel: secaudit + apiaudit + a11yaudit + uiuxaudit
+```
+
+---
+
+## INPUT/OUTPUT CONTRACT
+
+### Inputs the pilot reads
+- `git diff` (current uncommitted changes)
+- `git log` (commit history for branch)
+- `gh pr view` (PR metadata if exists)
+- `audits/SYNTHESIS.md` (past audit state)
+- `audits/.{name}audit/verdict.json` (per-audit scores + files audited)
+- User-provided feature description / ticket ID
+
+### Outputs the pilot writes
+- `audits/.pilot/recommendations-{timestamp}.md` — current recommendation
+- `audits/.pilot/plan-{feature_or_pr_name}.md` — saved plan for a specific feature
+- `audits/.pilot/log.jsonl` — history of all recommendations (append-only)
+- Update `audits/SYNTHESIS.md` with pilot section
+
+### Output format example
+
+```markdown
+# Audit Pilot — Recommendations
+Generated: 2026-05-13T15:30:00Z
+Trigger: /audit-pilot pr
+Branch: feat/stripe-checkout
+PR: #142 (Add Stripe checkout flow)
+
+## Change Profile
+- Files changed: 6 (TypeScript + Prisma)
+- Subsystems touched: payment, ui, database
+- Risk level: HIGH
+
+## Recommended Audits
+
+### 🔴 REQUIRED (must run before merge)
+| Audit | Score | Why | Last run | Status |
+|---|---|---|---|---|
+| /secaudit | 100 | Payment surface + new public endpoint | 14 days ago (88/A) | STALE — re-run |
+| /apiaudit | 100 | New /api/checkout endpoint | Never | RUN |
+| /dataaudit | 95 | Schema migration in same PR | 30 days ago | STALE — re-run |
+
+### 🟡 RECOMMENDED (should run)
+| Audit | Score | Why |
+|---|---|---|
+| /a11yaudit | 85 | New checkout UI component |
+| /flowaudit | 75 | Checkout flow added |
+
+### 🟢 SKIP
+- /uiuxaudit (fresh from 3 days ago, no design system changes)
+- /perfaudit (no perf-impacting changes)
+- /seoaudit (no public marketing pages changed)
+
+## Action
+
+Run REQUIRED + RECOMMENDED in parallel:
+```bash
+/quality-arsenal go-live  # because payment + new endpoint
+```
+
+Or surgically:
+```bash
+/secaudit --files=src/api/checkout.ts,src/pages/checkout.tsx
+/apiaudit --files=src/api/checkout.ts
+/dataaudit --files=prisma/schema.prisma
+```
+
+Estimated: 90 min (parallel), 4h (sequential).
+```
+
+---
+
+## VERIFICATION GATE
+
+Before reporting "recommendation ready":
+- [ ] Read git diff (not assumed)
+- [ ] Read audits/SYNTHESIS.md (not stale)
+- [ ] Score ≥ 4 audits with concrete justification (not vibes)
+- [ ] Identify ≥ 1 audit to SKIP with justification (proves selectivity)
+- [ ] Estimate total time (parallel + sequential)
+- [ ] Provide both `/quality-arsenal` shortcut AND per-audit commands
+- [ ] Save plan to `audits/.pilot/` for reproducibility
+
+---
+
+## SMART FEATURES
+
+### Feature 1 — Diff-aware audit scoping
+
+When running a recommended audit, the pilot passes the changed files as scope:
+
+```bash
+/secaudit --files=src/api/checkout.ts,src/api/webhooks/stripe.ts
+```
+
+This makes audits **5–10× faster** by skipping unchanged code (codeaudit can take 90 min on a big repo, 8 min on 3 files).
+
+### Feature 2 — Conflict detection across audits
+
+If `/apiaudit` is recommended AND `/secaudit` (which reads apiaudit verdict), the pilot **orders them**: apiaudit first, secaudit second. Prevents secaudit running on stale apiaudit data.
+
+### Feature 3 — Confidence calibration
+
+After each run, the pilot tracks "how often did I recommend audit X and did the audit find P0/P1 issues?". Adjusts future relevance scores. Self-tuning.
+
+### Feature 4 — Team-wide patterns
+
+If the project has 5 contributors and pilot's `log.jsonl` shows "every PR touching `auth/*` had P0 secaudit findings 8/10 times", future PRs touching `auth/*` get a STRONGER secaudit recommendation.
+
+### Feature 5 — Cost budget mode
+
+```
+/audit-pilot pr --budget=30min
+```
+
+Pilot picks ONLY the audits whose combined time fits in 30 min. Greedy by relevance/time ratio.
+
+### Feature 6 — Watch mode with hooks
+
+`/audit-pilot watch --hook=pre-commit` writes a `.git/hooks/pre-commit` that calls `/audit-pilot check` on the staged diff before each commit. Blocks commit if REQUIRED audit hasn't run.
+
+---
+
+## INTEGRATION WITH EXISTING SKILLS
+
+```
+/audit-pilot        →  decides WHICH audits to run
+       ↓
+/audit-orchestrator →  decides WHICH POWER LEVEL (quick/standard/forensic)
+       ↓
+/codeaudit, /secaudit, etc.  →  actually run the audits
+       ↓
+/audit-tracker      →  dashboard + freshness tracking
+       ↓
+/quality-arsenal    →  master entry that ties it all together
+```
+
+In practice users just type one of:
+- `/audit-pilot pr` → pilot picks + dispatches automatically
+- `/audit-pilot status` → see what's currently recommended
+- `/audit-pilot run <plan>` → execute a saved plan
+
+---
+
+## DOMAIN EXPERTISE — File-to-Audit Mapping
+
+Specific patterns the pilot uses (NOT "look for issues"):
+
+### Auth subsystem
+- File patterns: `src/auth/**`, `**/auth.*`, `middleware.ts`, `**/session.ts`
+- Mandatory: /secaudit
+- Recommended: /apiaudit, /flowaudit (recovery paths)
+
+### Payment subsystem
+- File patterns: `**/checkout*`, `**/stripe*`, `**/payment*`, `**/billing*`
+- Mandatory: /secaudit + /apiaudit
+- Recommended: /flowaudit, /dataaudit, /copyaudit (legal claims)
+
+### Database schema
+- File patterns: `**/*.prisma`, `**/schema.ts`, `**/migrations/**`, `convex/schema.ts`
+- Mandatory: /dataaudit
+- Recommended: /apiaudit (contract drift)
+
+### Public API endpoints
+- File patterns: `**/api/**/*.ts`, `**/routes/**`, `**/handlers/**`
+- Mandatory: /apiaudit
+- Recommended: /secaudit (auth surface), /perfaudit (response time)
+
+### UI components
+- File patterns: `**/*.tsx`, `**/*.jsx`, `**/components/**`
+- Mandatory: /a11yaudit (if user-facing)
+- Recommended: /uiuxaudit (design consistency), /motionaudit (if animations)
+
+### Marketing pages
+- File patterns: `**/page.tsx` in app dir, `**/(marketing)/**`, `**/(landing)/**`
+- Mandatory: /copyaudit + /seoaudit
+- Recommended: /a11yaudit, /perfaudit
+
+### Cron / Scripts / Daemons
+- File patterns: `scripts/**`, `cron/**`, `**/*.cron`, `**/daemon*`
+- Mandatory: /automationaudit
+- Recommended: /secaudit (secret exposure in scripts)
+
+### Documentation
+- File patterns: `README.md`, `CONTRIBUTING.md`, `docs/**`
+- Mandatory: /dxaudit + /copyaudit
+- Recommended: /seoaudit (if public-facing docs)
+
+---
+
+## ANTI-PATTERNS (what the pilot WON'T do)
+
+- ❌ Recommend ALL 18 audits "just in case" (that's `/quality-arsenal full`, different intent)
+- ❌ Re-run audits that are fresh AND unrelated to current change
+- ❌ Skip critical audits because user said "be quick" (security on payment = non-negotiable)
+- ❌ Run audits sequentially when DAG allows parallel
+- ❌ Use vague language ("might want to check") — be specific or skip
+- ❌ Save recommendations without timestamp (loses freshness signal)
+
+---
+
+## ECOSYSTEM INTEGRATION
+
+**Before**:
+- `/audit-pilot init` — sets up `audits/.pilot/` directory + git hooks (optional)
+- Make sure `/quality-arsenal` is installed
+
+**After**:
+- `/audit-orchestrator` to actually run the audits (or `/quality-arsenal` shortcut)
+- `/audit-tracker` to see results
+- Push to GitHub with confidence
+
+**Sister skills**:
+- `/audit-orchestrator` — picks power level
+- `/audit-tracker` — dashboard
+- `/quality-arsenal` — master entry
+- `/newcmd` — for adding new audits to the arsenal
+
+---
+
+## SOURCES
+
+- Internal: Agentik OS `audit-selector.py` (Linear-ticket-driven dispatcher), generalized here
+- Public: https://github.com/agentik-os/claude-code-quality-audits
+- File-to-audit mappings: derived from 18-audit cross-validation matrix
+- Confidence calibration model: empirical from 6 months / 3 codebases dogfooding

package/omega/Agentik_SSOT/skills/audit-tracker.md

@@ -0,0 +1,147 @@
+---
+name: audit-tracker
+description: >
+  Audit setup + tracking dashboard. Use when user says "/audit-tracker", "audit
+  status", "audit dashboard", "audit history", "list audits", "where am I with
+  audits", "setup audits", "init audits". Ensures audits/ folder exists, .gitignore
+  configured, tracks all audits run with scores + freshness, recommends re-runs
+  when stale (>30 days). Reads audits/.{name}audit/verdict.json across all
+  audit subdirs to build dashboard.
+disable-model-invocation: false
+---
+
+# /audit-tracker — Setup + Progress Dashboard
+
+You are the **audit accountant**. Init audit infrastructure for a project and
+report status of all past + ongoing audits.
+
+## Modes
+
+```bash
+/audit-tracker init           # setup audits/ + .gitignore + initial SYNTHESIS.md
+/audit-tracker                # dashboard: status of all audits
+/audit-tracker stale          # only audits older than 30 days
+/audit-tracker scores         # only the scores table (compact)
+/audit-tracker latest         # most recent audit + summary
+```
+
+## Mode 1 — `/audit-tracker init`
+
+Bootstrap audits infrastructure in the current project:
+
+1. Create `audits/` directory if missing
+2. Append to `.gitignore` (idempotent — only if not already present):
+   ```gitignore
+   # Audit outputs (Quality Arsenal)
+   /audits/.*audit*/
+   !/audits/.*audit*/verdict.json
+   !/audits/.*audit*/REPORT.md
+   !/audits/.*audit*/CHECKLIST.md
+   !/audits/SYNTHESIS.md
+   ```
+   This ignores the bulky audit artifacts but preserves the headline outputs
+   (verdict.json, REPORT.md, SYNTHESIS.md).
+3. Write `audits/SYNTHESIS.md` skeleton:
+   ```markdown
+   # Audit Synthesis — {project_name}
+
+   Last update: 2026-05-13
+   Status: 🟡 No audits run yet
+
+   ## Recommended starting audits
+
+   - `/audit-orchestrator quick` — gut-check (15 min)
+   - `/audit-orchestrator standard` — regular quality cycle (60 min)
+   - `/audit-orchestrator full` — complete arsenal (4h)
+
+   ## Past runs
+
+   _none yet_
+   ```
+4. Output to user: "✅ Audits initialized. Run /audit-orchestrator to start."
+
+## Mode 2 — `/audit-tracker` (dashboard)
+
+Scan `audits/` for all `.{name}audit*/verdict.json` files. Build a markdown table:
+
+```
+🎯 AUDIT DASHBOARD — {project_name}
+
+┌──────────────────────┬──────┬──────┬───────────┬────────────────┐
+│ Audit                │ Score │ Grade │ Age      │ Status         │
+├──────────────────────┼──────┼──────┼───────────┼────────────────┤
+│ codeaudit (v2)       │  92  │  A   │  2 days   │ ✅ Fresh       │
+│ secaudit             │  88  │  A   │  5 days   │ ✅ Fresh       │
+│ uiuxaudit (v3)       │  91  │  S   │  3 days   │ ✅ Fresh       │
+│ a11yaudit (v2)       │  88  │  A   │ 14 days   │ ⚠️ Aging       │
+│ perfaudit            │  79  │  B   │ 35 days   │ 🔴 Stale       │
+│ apiaudit             │  67  │  C   │ 12 days   │ 🟡 Re-audit    │
+└──────────────────────┴──────┴──────┴───────────┴────────────────┘
+
+Overall health: 84/100 (Grade A-)
+Recommended: re-run /perfaudit (stale 35d), push /apiaudit to >85 (re-audit)
+```
+
+Status thresholds:
+- **Fresh** ≤ 7 days
+- **Aging** 8-30 days
+- **Stale** > 30 days (recommend re-run)
+- **Re-audit** score < 85 (recommend fix cycle)
+
+## Mode 3 — `/audit-tracker stale`
+
+Filter dashboard to only show audits > 30 days old.
+
+## Mode 4 — `/audit-tracker scores`
+
+Compact one-liner per audit:
+```
+codeaudit: 92/A · secaudit: 88/A · uiuxaudit: 91/S · ...
+```
+
+## Mode 5 — `/audit-tracker latest`
+
+Show the single most recent audit + its findings summary + verdict link.
+
+## Implementation hints
+
+To parse a verdict.json:
+```bash
+jq -r '.score, .grade, .timestamp' audits/.{name}audit/verdict.json
+```
+
+If the audit has v2/v3/v4 variants (e.g., `.codeaudit-v3/`), prefer the
+HIGHEST version (most recent re-audit cycle).
+
+Detect project name from:
+1. `package.json` "name" field
+2. Else basename of cwd
+
+Detect audit freshness:
+- File mtime of `verdict.json` → compare to `now()`
+- Days = int((now - mtime) / 86400)
+
+## Anti-patterns
+
+- ❌ Listing audits in random order (sort by mtime desc OR by score asc)
+- ❌ Missing the "Recommended actions" footer
+- ❌ Including audits that have no verdict.json (incomplete runs)
+- ❌ Modifying audit outputs (read-only)
+- ❌ Running an audit directly (delegate to `/audit-orchestrator`)
+
+## Output format
+
+Always end with **3 actionable recommendations** like:
+```
+📋 Next actions:
+1. Re-run /perfaudit (last run 35d ago, scores drift)
+2. Push /apiaudit from C → A via 2 fix cycles
+3. Run /retentionaudit (never run, would unlock new feature ideas)
+```
+
+## Sources
+
+- Reads: `audits/SYNTHESIS.md`, `audits/.{name}audit*/verdict.json`
+- Writes: `audits/SYNTHESIS.md` (updates), `.gitignore` (init mode)
+- Related: `/audit-orchestrator` to actually RUN audits
+- Public mirror: https://github.com/agentik-os/quality-arsenal