@ahmed-g-gad/apothem 0.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +60 -0
- package/LICENSE +21 -0
- package/LICENSES/MIT.txt +18 -0
- package/LICENSES/PSF-2.0.txt +47 -0
- package/README.md +549 -0
- package/bin/README.md +37 -0
- package/bin/apothem.mjs +78 -0
- package/package.json +75 -0
- package/pyproject.toml +347 -0
- package/src/apothem/README.md +52 -0
- package/src/apothem/__init__.py +66 -0
- package/src/apothem/__main__.py +28 -0
- package/src/apothem/_vendor/.keep +0 -0
- package/src/apothem/_vendor/__init__.py +25 -0
- package/src/apothem/_vendor/attr/__init__.py +104 -0
- package/src/apothem/_vendor/attr/__init__.pyi +389 -0
- package/src/apothem/_vendor/attr/_cmp.py +160 -0
- package/src/apothem/_vendor/attr/_cmp.pyi +13 -0
- package/src/apothem/_vendor/attr/_compat.py +99 -0
- package/src/apothem/_vendor/attr/_config.py +31 -0
- package/src/apothem/_vendor/attr/_funcs.py +497 -0
- package/src/apothem/_vendor/attr/_make.py +3406 -0
- package/src/apothem/_vendor/attr/_next_gen.py +674 -0
- package/src/apothem/_vendor/attr/_typing_compat.pyi +15 -0
- package/src/apothem/_vendor/attr/_version_info.py +89 -0
- package/src/apothem/_vendor/attr/_version_info.pyi +9 -0
- package/src/apothem/_vendor/attr/converters.py +162 -0
- package/src/apothem/_vendor/attr/converters.pyi +19 -0
- package/src/apothem/_vendor/attr/exceptions.py +95 -0
- package/src/apothem/_vendor/attr/exceptions.pyi +17 -0
- package/src/apothem/_vendor/attr/filters.py +72 -0
- package/src/apothem/_vendor/attr/filters.pyi +6 -0
- package/src/apothem/_vendor/attr/py.typed +0 -0
- package/src/apothem/_vendor/attr/setters.py +79 -0
- package/src/apothem/_vendor/attr/setters.pyi +20 -0
- package/src/apothem/_vendor/attr/validators.py +750 -0
- package/src/apothem/_vendor/attr/validators.pyi +140 -0
- package/src/apothem/_vendor/attr.LICENSE +21 -0
- package/src/apothem/_vendor/attrs/__init__.py +72 -0
- package/src/apothem/_vendor/attrs/__init__.pyi +314 -0
- package/src/apothem/_vendor/attrs/converters.py +3 -0
- package/src/apothem/_vendor/attrs/exceptions.py +3 -0
- package/src/apothem/_vendor/attrs/filters.py +3 -0
- package/src/apothem/_vendor/attrs/py.typed +0 -0
- package/src/apothem/_vendor/attrs/setters.py +3 -0
- package/src/apothem/_vendor/attrs/validators.py +3 -0
- package/src/apothem/_vendor/attrs.LICENSE +21 -0
- package/src/apothem/_vendor/jsonschema/__init__.py +120 -0
- package/src/apothem/_vendor/jsonschema/__main__.py +6 -0
- package/src/apothem/_vendor/jsonschema/_format.py +546 -0
- package/src/apothem/_vendor/jsonschema/_keywords.py +449 -0
- package/src/apothem/_vendor/jsonschema/_legacy_keywords.py +449 -0
- package/src/apothem/_vendor/jsonschema/_types.py +204 -0
- package/src/apothem/_vendor/jsonschema/_typing.py +29 -0
- package/src/apothem/_vendor/jsonschema/_utils.py +355 -0
- package/src/apothem/_vendor/jsonschema/benchmarks/__init__.py +5 -0
- package/src/apothem/_vendor/jsonschema/benchmarks/const_vs_enum.py +30 -0
- package/src/apothem/_vendor/jsonschema/benchmarks/contains.py +28 -0
- package/src/apothem/_vendor/jsonschema/benchmarks/import_benchmark.py +31 -0
- package/src/apothem/_vendor/jsonschema/benchmarks/issue232/issue.json +2653 -0
- package/src/apothem/_vendor/jsonschema/benchmarks/issue232.py +25 -0
- package/src/apothem/_vendor/jsonschema/benchmarks/json_schema_test_suite.py +12 -0
- package/src/apothem/_vendor/jsonschema/benchmarks/nested_schemas.py +56 -0
- package/src/apothem/_vendor/jsonschema/benchmarks/subcomponents.py +42 -0
- package/src/apothem/_vendor/jsonschema/benchmarks/unused_registry.py +35 -0
- package/src/apothem/_vendor/jsonschema/benchmarks/useless_applicator_schemas.py +106 -0
- package/src/apothem/_vendor/jsonschema/benchmarks/useless_keywords.py +32 -0
- package/src/apothem/_vendor/jsonschema/benchmarks/validator_creation.py +14 -0
- package/src/apothem/_vendor/jsonschema/cli.py +292 -0
- package/src/apothem/_vendor/jsonschema/exceptions.py +490 -0
- package/src/apothem/_vendor/jsonschema/protocols.py +230 -0
- package/src/apothem/_vendor/jsonschema/validators.py +1410 -0
- package/src/apothem/_vendor/jsonschema.LICENSE +19 -0
- package/src/apothem/_vendor/jsonschema_specifications/__init__.py +12 -0
- package/src/apothem/_vendor/jsonschema_specifications/_core.py +38 -0
- package/src/apothem/_vendor/jsonschema_specifications/schemas/draft201909/metaschema.json +42 -0
- package/src/apothem/_vendor/jsonschema_specifications/schemas/draft201909/vocabularies/applicator +56 -0
- package/src/apothem/_vendor/jsonschema_specifications/schemas/draft201909/vocabularies/content +17 -0
- package/src/apothem/_vendor/jsonschema_specifications/schemas/draft201909/vocabularies/core +57 -0
- package/src/apothem/_vendor/jsonschema_specifications/schemas/draft201909/vocabularies/format +14 -0
- package/src/apothem/_vendor/jsonschema_specifications/schemas/draft201909/vocabularies/meta-data +37 -0
- package/src/apothem/_vendor/jsonschema_specifications/schemas/draft201909/vocabularies/validation +98 -0
- package/src/apothem/_vendor/jsonschema_specifications/schemas/draft202012/metaschema.json +58 -0
- package/src/apothem/_vendor/jsonschema_specifications/schemas/draft202012/vocabularies/applicator +48 -0
- package/src/apothem/_vendor/jsonschema_specifications/schemas/draft202012/vocabularies/content +17 -0
- package/src/apothem/_vendor/jsonschema_specifications/schemas/draft202012/vocabularies/core +51 -0
- package/src/apothem/_vendor/jsonschema_specifications/schemas/draft202012/vocabularies/format-annotation +14 -0
- package/src/apothem/_vendor/jsonschema_specifications/schemas/draft202012/vocabularies/format-assertion +14 -0
- package/src/apothem/_vendor/jsonschema_specifications/schemas/draft202012/vocabularies/meta-data +37 -0
- package/src/apothem/_vendor/jsonschema_specifications/schemas/draft202012/vocabularies/unevaluated +15 -0
- package/src/apothem/_vendor/jsonschema_specifications/schemas/draft202012/vocabularies/validation +98 -0
- package/src/apothem/_vendor/jsonschema_specifications/schemas/draft3/metaschema.json +172 -0
- package/src/apothem/_vendor/jsonschema_specifications/schemas/draft4/metaschema.json +149 -0
- package/src/apothem/_vendor/jsonschema_specifications/schemas/draft6/metaschema.json +153 -0
- package/src/apothem/_vendor/jsonschema_specifications/schemas/draft7/metaschema.json +166 -0
- package/src/apothem/_vendor/jsonschema_specifications.LICENSE +19 -0
- package/src/apothem/_vendor/referencing/__init__.py +7 -0
- package/src/apothem/_vendor/referencing/_attrs.py +31 -0
- package/src/apothem/_vendor/referencing/_attrs.pyi +21 -0
- package/src/apothem/_vendor/referencing/_core.py +739 -0
- package/src/apothem/_vendor/referencing/exceptions.py +165 -0
- package/src/apothem/_vendor/referencing/jsonschema.py +642 -0
- package/src/apothem/_vendor/referencing/py.typed +0 -0
- package/src/apothem/_vendor/referencing/retrieval.py +94 -0
- package/src/apothem/_vendor/referencing/typing.py +61 -0
- package/src/apothem/_vendor/referencing.LICENSE +19 -0
- package/src/apothem/_vendor/rpds/__init__.py +251 -0
- package/src/apothem/_vendor/typing_extensions.LICENSE +279 -0
- package/src/apothem/_vendor/typing_extensions.py +4317 -0
- package/src/apothem/_vendor/vendor.txt +22 -0
- package/src/apothem/_vendor/yaml/__init__.py +389 -0
- package/src/apothem/_vendor/yaml/composer.py +138 -0
- package/src/apothem/_vendor/yaml/constructor.py +748 -0
- package/src/apothem/_vendor/yaml/cyaml.py +100 -0
- package/src/apothem/_vendor/yaml/dumper.py +61 -0
- package/src/apothem/_vendor/yaml/emitter.py +1137 -0
- package/src/apothem/_vendor/yaml/error.py +74 -0
- package/src/apothem/_vendor/yaml/events.py +85 -0
- package/src/apothem/_vendor/yaml/loader.py +63 -0
- package/src/apothem/_vendor/yaml/nodes.py +48 -0
- package/src/apothem/_vendor/yaml/parser.py +588 -0
- package/src/apothem/_vendor/yaml/reader.py +185 -0
- package/src/apothem/_vendor/yaml/representer.py +388 -0
- package/src/apothem/_vendor/yaml/resolver.py +226 -0
- package/src/apothem/_vendor/yaml/scanner.py +1435 -0
- package/src/apothem/_vendor/yaml/serializer.py +110 -0
- package/src/apothem/_vendor/yaml/tokens.py +103 -0
- package/src/apothem/_vendor/yaml.LICENSE +20 -0
- package/src/apothem/agents/README.md +60 -0
- package/src/apothem/agents/codebase-explorer.md +91 -0
- package/src/apothem/agents/convention-auditor.md +93 -0
- package/src/apothem/agents/dependency-auditor.md +97 -0
- package/src/apothem/agents/fact-checker.md +84 -0
- package/src/apothem/agents/mcp-builder.md +86 -0
- package/src/apothem/agents/memory-auditor.md +93 -0
- package/src/apothem/agents/prompt-evaluator.md +87 -0
- package/src/apothem/agents/quality-gate.md +103 -0
- package/src/apothem/agents/refactor-surgeon.md +74 -0
- package/src/apothem/agents/research-scout.md +73 -0
- package/src/apothem/agents/security-scanner.md +83 -0
- package/src/apothem/agents/test-runner.md +84 -0
- package/src/apothem/audit/README.md +73 -0
- package/src/apothem/audit/_scan_lib.py +182 -0
- package/src/apothem/audit/analyze_graph.py +260 -0
- package/src/apothem/audit/build_capability_graph.py +607 -0
- package/src/apothem/audit/build_inventory.py +657 -0
- package/src/apothem/audit/build_plans_provenance.py +997 -0
- package/src/apothem/audit/check_links.py +389 -0
- package/src/apothem/audit/classify_artifacts.py +381 -0
- package/src/apothem/audit/deprecated-tokens.txt +10 -0
- package/src/apothem/audit/execute_plans_migration.py +491 -0
- package/src/apothem/audit/known-projects.txt +15 -0
- package/src/apothem/audit/render_capability_index.py +467 -0
- package/src/apothem/audit/render_inventory.py +405 -0
- package/src/apothem/audit/scan_ai_surfaces.py +1125 -0
- package/src/apothem/audit/scan_ai_surfaces_coarse.py +261 -0
- package/src/apothem/audit/scan_drift_features.py +143 -0
- package/src/apothem/audit/scan_frontmatter.py +293 -0
- package/src/apothem/audit/scan_header_coverage.py +1134 -0
- package/src/apothem/audit/scan_plan_leakage.py +540 -0
- package/src/apothem/audit/scan_plans_discipline.py +188 -0
- package/src/apothem/audit/scan_secrets_pii.py +245 -0
- package/src/apothem/audit/scan_stale_tokens.py +296 -0
- package/src/apothem/audit/synthesize_drift.py +205 -0
- package/src/apothem/benchmarks/README.md +33 -0
- package/src/apothem/benchmarks/__init__.py +3 -0
- package/src/apothem/benchmarks/bench_agents.py +63 -0
- package/src/apothem/benchmarks/bench_hooks.py +93 -0
- package/src/apothem/benchmarks/bench_install.py +58 -0
- package/src/apothem/benchmarks/bench_tests.py +93 -0
- package/src/apothem/benchmarks/bench_validate_ecosystem.py +84 -0
- package/src/apothem/cli/README.md +33 -0
- package/src/apothem/cli/__init__.py +229 -0
- package/src/apothem/cli/_cmd_completion.py +88 -0
- package/src/apothem/cli/_cmd_diff.py +181 -0
- package/src/apothem/cli/_cmd_doctor.py +143 -0
- package/src/apothem/cli/_cmd_harnesses.py +167 -0
- package/src/apothem/cli/_cmd_install.py +327 -0
- package/src/apothem/cli/_cmd_migrate_workspace.py +143 -0
- package/src/apothem/cli/_cmd_profile.py +341 -0
- package/src/apothem/cli/_cmd_status.py +180 -0
- package/src/apothem/cli/_cmd_uninstall.py +215 -0
- package/src/apothem/cli/_cmd_update.py +397 -0
- package/src/apothem/cli/_cmd_verify.py +194 -0
- package/src/apothem/cli/_common_flags.py +90 -0
- package/src/apothem/cli/_epilogs.py +296 -0
- package/src/apothem/cli/_helpers.py +857 -0
- package/src/apothem/cli/_json_formatter.py +21 -0
- package/src/apothem/cli/_materialize.py +376 -0
- package/src/apothem/cli/completions/apothem.bash +30 -0
- package/src/apothem/cli/completions/apothem.fish +19 -0
- package/src/apothem/cli/completions/apothem.ps1 +27 -0
- package/src/apothem/cli/completions/apothem.zsh +42 -0
- package/src/apothem/cli/reference_export.py +126 -0
- package/src/apothem/commands/README.md +125 -0
- package/src/apothem/commands/a11y-audit.md +203 -0
- package/src/apothem/commands/architecture-review.md +194 -0
- package/src/apothem/commands/audit.md +165 -0
- package/src/apothem/commands/code-audit.md +218 -0
- package/src/apothem/commands/code-review.md +193 -0
- package/src/apothem/commands/dependency-audit.md +209 -0
- package/src/apothem/commands/docs-review.md +199 -0
- package/src/apothem/commands/elevate.md +285 -0
- package/src/apothem/commands/eval.md +149 -0
- package/src/apothem/commands/fortress.md +172 -0
- package/src/apothem/commands/freshify.md +168 -0
- package/src/apothem/commands/github-deploy-fresh.md +178 -0
- package/src/apothem/commands/github-deploy-next.md +167 -0
- package/src/apothem/commands/perf-audit.md +198 -0
- package/src/apothem/commands/plan-amend.md +104 -0
- package/src/apothem/commands/plan-audit.md +127 -0
- package/src/apothem/commands/plan-design.md +257 -0
- package/src/apothem/commands/plan-execute.md +495 -0
- package/src/apothem/commands/plan-generate.md +351 -0
- package/src/apothem/commands/plan-review.md +555 -0
- package/src/apothem/commands/plan-spec.md +359 -0
- package/src/apothem/commands/plan-status.md +222 -0
- package/src/apothem/commands/plan.md +173 -0
- package/src/apothem/commands/projectify.md +142 -0
- package/src/apothem/commands/release-readiness.md +142 -0
- package/src/apothem/commands/research-analysis.md +241 -0
- package/src/apothem/commands/research-design.md +231 -0
- package/src/apothem/commands/research-disseminate.md +225 -0
- package/src/apothem/commands/research-experiment.md +232 -0
- package/src/apothem/commands/research-ideate.md +213 -0
- package/src/apothem/commands/research-paper.md +252 -0
- package/src/apothem/commands/research-proposal.md +220 -0
- package/src/apothem/commands/research-publish.md +255 -0
- package/src/apothem/commands/research-review.md +251 -0
- package/src/apothem/commands/research-sources.md +266 -0
- package/src/apothem/commands/research-spec.md +255 -0
- package/src/apothem/commands/research-synthesis.md +233 -0
- package/src/apothem/commands/research-theory.md +218 -0
- package/src/apothem/commands/research.md +181 -0
- package/src/apothem/commands/security-audit.md +196 -0
- package/src/apothem/commands/supply-chain-audit.md +192 -0
- package/src/apothem/commands/test-suite.md +146 -0
- package/src/apothem/commands/threat-model-audit.md +199 -0
- package/src/apothem/commands/ux-review.md +202 -0
- package/src/apothem/commands/workflow.md +162 -0
- package/src/apothem/conformity/README.md +173 -0
- package/src/apothem/conformity/__init__.py +1 -0
- package/src/apothem/conformity/_grep_base.py +93 -0
- package/src/apothem/conformity/agent_capability_grep.py +306 -0
- package/src/apothem/conformity/agents_md_coverage_grep.py +382 -0
- package/src/apothem/conformity/agnosticism_grep.py +311 -0
- package/src/apothem/conformity/always_on_budget_grep.py +318 -0
- package/src/apothem/conformity/bare_except_grep.py +115 -0
- package/src/apothem/conformity/binding_reciprocity_grep.py +151 -0
- package/src/apothem/conformity/brand_mark_grep.py +272 -0
- package/src/apothem/conformity/commented_out_code_grep.py +176 -0
- package/src/apothem/conformity/completion_claim_grep.py +169 -0
- package/src/apothem/conformity/conventional_commit_grep.py +319 -0
- package/src/apothem/conformity/copilot_instructions_presence_grep.py +324 -0
- package/src/apothem/conformity/cross_platform_matrix_grep.py +297 -0
- package/src/apothem/conformity/determinism_grep.py +306 -0
- package/src/apothem/conformity/diagram_staleness_grep.py +154 -0
- package/src/apothem/conformity/dynamism_grep.py +284 -0
- package/src/apothem/conformity/editorconfig_presence_grep.py +281 -0
- package/src/apothem/conformity/file_header_grep.py +502 -0
- package/src/apothem/conformity/freshness_token_grep.py +233 -0
- package/src/apothem/conformity/frontmatter_grep.py +274 -0
- package/src/apothem/conformity/frontmatter_value_grep.py +386 -0
- package/src/apothem/conformity/gate.py +1386 -0
- package/src/apothem/conformity/gitattributes_presence_grep.py +238 -0
- package/src/apothem/conformity/harden_runner_grep.py +320 -0
- package/src/apothem/conformity/hedging_grep.py +129 -0
- package/src/apothem/conformity/license_author_consistency_grep.py +204 -0
- package/src/apothem/conformity/link_check.py +327 -0
- package/src/apothem/conformity/magic_number_grep.py +182 -0
- package/src/apothem/conformity/multi_surface_coherence_grep.py +620 -0
- package/src/apothem/conformity/naming_grep.py +224 -0
- package/src/apothem/conformity/no_global_plans_grep.py +339 -0
- package/src/apothem/conformity/no_toplevel_docs_grep.py +120 -0
- package/src/apothem/conformity/oidc_trusted_publishing_grep.py +291 -0
- package/src/apothem/conformity/option_annotation_grep.py +352 -0
- package/src/apothem/conformity/orphan_output_grep.py +206 -0
- package/src/apothem/conformity/permissions_minimum_scope_grep.py +299 -0
- package/src/apothem/conformity/plain_language_grep.py +559 -0
- package/src/apothem/conformity/plan_next_step_consistency_grep.py +450 -0
- package/src/apothem/conformity/plan_suite_structure_grep.py +534 -0
- package/src/apothem/conformity/plans_discipline_language_grep.py +245 -0
- package/src/apothem/conformity/production_ready_pr_grep.py +200 -0
- package/src/apothem/conformity/recommend_next_step_grep.py +250 -0
- package/src/apothem/conformity/redundancy_grep.py +401 -0
- package/src/apothem/conformity/reference_token_grep.py +230 -0
- package/src/apothem/conformity/registry_capability_consistency_grep.py +368 -0
- package/src/apothem/conformity/secret_leak_grep.py +193 -0
- package/src/apothem/conformity/semver_stability_grep.py +358 -0
- package/src/apothem/conformity/smoke_install_grep.py +194 -0
- package/src/apothem/conformity/static_version_grep.py +284 -0
- package/src/apothem/conformity/token_efficiency_grep.py +185 -0
- package/src/apothem/conformity/unpinned_action_grep.py +115 -0
- package/src/apothem/conformity/user_confirm_grep.py +74 -0
- package/src/apothem/conformity/workflow_concurrency_grep.py +283 -0
- package/src/apothem/harnesses/README.md +63 -0
- package/src/apothem/harnesses/__init__.py +16 -0
- package/src/apothem/harnesses/_shared/README.md +36 -0
- package/src/apothem/harnesses/_shared/__init__.py +12 -0
- package/src/apothem/harnesses/_shared/install_driver.py +281 -0
- package/src/apothem/harnesses/_shared/install_driver_apply.py +612 -0
- package/src/apothem/harnesses/_shared/install_driver_backup.py +535 -0
- package/src/apothem/harnesses/_shared/install_driver_converters.py +310 -0
- package/src/apothem/harnesses/_shared/install_driver_lifecycle.py +495 -0
- package/src/apothem/harnesses/_shared/install_driver_materialize.py +675 -0
- package/src/apothem/harnesses/_shared/install_driver_merge.py +656 -0
- package/src/apothem/harnesses/_shared/install_driver_pathsafety.py +137 -0
- package/src/apothem/harnesses/_shared/install_driver_planvalidation.py +240 -0
- package/src/apothem/harnesses/_shared/install_driver_removal.py +366 -0
- package/src/apothem/harnesses/_shared/install_driver_treeops.py +248 -0
- package/src/apothem/harnesses/_shared/install_driver_types.py +330 -0
- package/src/apothem/harnesses/_shared/wrapper_factories.py +448 -0
- package/src/apothem/harnesses/antigravity/STANDARD-CONVENTION-PIN.md +91 -0
- package/src/apothem/harnesses/antigravity/__init__.py +70 -0
- package/src/apothem/harnesses/antigravity/capabilities.yml +40 -0
- package/src/apothem/harnesses/antigravity/install.py +63 -0
- package/src/apothem/harnesses/antigravity/templates/GEMINI.md +40 -0
- package/src/apothem/harnesses/antigravity/templates/plugin.json +5 -0
- package/src/apothem/harnesses/antigravity/uninstall.py +22 -0
- package/src/apothem/harnesses/antigravity/update.py +10 -0
- package/src/apothem/harnesses/antigravity/verify.py +11 -0
- package/src/apothem/harnesses/claude_code/STANDARD-CONVENTION-PIN.md +65 -0
- package/src/apothem/harnesses/claude_code/__init__.py +107 -0
- package/src/apothem/harnesses/claude_code/capabilities.yml +42 -0
- package/src/apothem/harnesses/claude_code/install.py +147 -0
- package/src/apothem/harnesses/claude_code/templates/settings.json +351 -0
- package/src/apothem/harnesses/claude_code/uninstall.py +23 -0
- package/src/apothem/harnesses/claude_code/update.py +10 -0
- package/src/apothem/harnesses/claude_code/verify.py +11 -0
- package/src/apothem/harnesses/codebuddy/STANDARD-CONVENTION-PIN.md +74 -0
- package/src/apothem/harnesses/codebuddy/__init__.py +49 -0
- package/src/apothem/harnesses/codebuddy/capabilities.yml +34 -0
- package/src/apothem/harnesses/codebuddy/install.py +40 -0
- package/src/apothem/harnesses/codebuddy/templates/apothem-rules.md +37 -0
- package/src/apothem/harnesses/codebuddy/uninstall.py +25 -0
- package/src/apothem/harnesses/codebuddy/update.py +10 -0
- package/src/apothem/harnesses/codebuddy/verify.py +11 -0
- package/src/apothem/harnesses/codex/STANDARD-CONVENTION-PIN.md +79 -0
- package/src/apothem/harnesses/codex/__init__.py +72 -0
- package/src/apothem/harnesses/codex/capabilities.yml +40 -0
- package/src/apothem/harnesses/codex/install.py +69 -0
- package/src/apothem/harnesses/codex/templates/AGENTS.md +40 -0
- package/src/apothem/harnesses/codex/templates/hooks.json +127 -0
- package/src/apothem/harnesses/codex/uninstall.py +23 -0
- package/src/apothem/harnesses/codex/update.py +10 -0
- package/src/apothem/harnesses/codex/verify.py +11 -0
- package/src/apothem/harnesses/cursor/STANDARD-CONVENTION-PIN.md +79 -0
- package/src/apothem/harnesses/cursor/__init__.py +48 -0
- package/src/apothem/harnesses/cursor/capabilities.yml +42 -0
- package/src/apothem/harnesses/cursor/install.py +38 -0
- package/src/apothem/harnesses/cursor/templates/apothem-rules.mdc +40 -0
- package/src/apothem/harnesses/cursor/uninstall.py +25 -0
- package/src/apothem/harnesses/cursor/update.py +10 -0
- package/src/apothem/harnesses/cursor/verify.py +11 -0
- package/src/apothem/harnesses/gemini_cli/STANDARD-CONVENTION-PIN.md +102 -0
- package/src/apothem/harnesses/gemini_cli/__init__.py +52 -0
- package/src/apothem/harnesses/gemini_cli/capabilities.yml +43 -0
- package/src/apothem/harnesses/gemini_cli/install.py +43 -0
- package/src/apothem/harnesses/gemini_cli/templates/GEMINI.md +38 -0
- package/src/apothem/harnesses/gemini_cli/uninstall.py +25 -0
- package/src/apothem/harnesses/gemini_cli/update.py +10 -0
- package/src/apothem/harnesses/gemini_cli/verify.py +11 -0
- package/src/apothem/harnesses/github_copilot/STANDARD-CONVENTION-PIN.md +84 -0
- package/src/apothem/harnesses/github_copilot/__init__.py +47 -0
- package/src/apothem/harnesses/github_copilot/capabilities.yml +42 -0
- package/src/apothem/harnesses/github_copilot/install.py +40 -0
- package/src/apothem/harnesses/github_copilot/templates/copilot-instructions.md +33 -0
- package/src/apothem/harnesses/github_copilot/uninstall.py +25 -0
- package/src/apothem/harnesses/github_copilot/update.py +10 -0
- package/src/apothem/harnesses/github_copilot/verify.py +11 -0
- package/src/apothem/harnesses/glm/STANDARD-CONVENTION-PIN.md +77 -0
- package/src/apothem/harnesses/glm/__init__.py +56 -0
- package/src/apothem/harnesses/glm/capabilities.yml +33 -0
- package/src/apothem/harnesses/glm/install.py +45 -0
- package/src/apothem/harnesses/glm/templates/glm.toml +58 -0
- package/src/apothem/harnesses/glm/uninstall.py +25 -0
- package/src/apothem/harnesses/glm/update.py +10 -0
- package/src/apothem/harnesses/glm/verify.py +11 -0
- package/src/apothem/harnesses/hermes/STANDARD-CONVENTION-PIN.md +57 -0
- package/src/apothem/harnesses/hermes/__init__.py +33 -0
- package/src/apothem/harnesses/hermes/capabilities.yml +36 -0
- package/src/apothem/harnesses/hermes/install.py +17 -0
- package/src/apothem/harnesses/hermes/materializer.py +35 -0
- package/src/apothem/harnesses/hermes/uninstall.py +33 -0
- package/src/apothem/harnesses/hermes/update.py +10 -0
- package/src/apothem/harnesses/hermes/verify.py +11 -0
- package/src/apothem/harnesses/kimi_code/STANDARD-CONVENTION-PIN.md +128 -0
- package/src/apothem/harnesses/kimi_code/__init__.py +59 -0
- package/src/apothem/harnesses/kimi_code/capabilities.yml +40 -0
- package/src/apothem/harnesses/kimi_code/install.py +42 -0
- package/src/apothem/harnesses/kimi_code/templates/AGENTS.md +43 -0
- package/src/apothem/harnesses/kimi_code/uninstall.py +27 -0
- package/src/apothem/harnesses/kimi_code/update.py +10 -0
- package/src/apothem/harnesses/kimi_code/verify.py +11 -0
- package/src/apothem/harnesses/kiro/STANDARD-CONVENTION-PIN.md +77 -0
- package/src/apothem/harnesses/kiro/__init__.py +49 -0
- package/src/apothem/harnesses/kiro/capabilities.yml +36 -0
- package/src/apothem/harnesses/kiro/install.py +39 -0
- package/src/apothem/harnesses/kiro/templates/apothem-rules.md +36 -0
- package/src/apothem/harnesses/kiro/uninstall.py +25 -0
- package/src/apothem/harnesses/kiro/update.py +10 -0
- package/src/apothem/harnesses/kiro/verify.py +11 -0
- package/src/apothem/harnesses/open_claw/STANDARD-CONVENTION-PIN.md +62 -0
- package/src/apothem/harnesses/open_claw/__init__.py +35 -0
- package/src/apothem/harnesses/open_claw/capabilities.yml +35 -0
- package/src/apothem/harnesses/open_claw/install.py +17 -0
- package/src/apothem/harnesses/open_claw/materializer.py +36 -0
- package/src/apothem/harnesses/open_claw/uninstall.py +32 -0
- package/src/apothem/harnesses/open_claw/update.py +10 -0
- package/src/apothem/harnesses/open_claw/verify.py +11 -0
- package/src/apothem/harnesses/opencode/STANDARD-CONVENTION-PIN.md +76 -0
- package/src/apothem/harnesses/opencode/__init__.py +35 -0
- package/src/apothem/harnesses/opencode/capabilities.yml +43 -0
- package/src/apothem/harnesses/opencode/install.py +17 -0
- package/src/apothem/harnesses/opencode/materializer.py +31 -0
- package/src/apothem/harnesses/opencode/uninstall.py +34 -0
- package/src/apothem/harnesses/opencode/update.py +10 -0
- package/src/apothem/harnesses/opencode/verify.py +11 -0
- package/src/apothem/harnesses/qwen_code/STANDARD-CONVENTION-PIN.md +87 -0
- package/src/apothem/harnesses/qwen_code/__init__.py +37 -0
- package/src/apothem/harnesses/qwen_code/capabilities.yml +43 -0
- package/src/apothem/harnesses/qwen_code/install.py +19 -0
- package/src/apothem/harnesses/qwen_code/materializer.py +174 -0
- package/src/apothem/harnesses/qwen_code/templates/QWEN.md +30 -0
- package/src/apothem/harnesses/qwen_code/uninstall.py +34 -0
- package/src/apothem/harnesses/qwen_code/update.py +10 -0
- package/src/apothem/harnesses/qwen_code/verify.py +11 -0
- package/src/apothem/harnesses/trae/STANDARD-CONVENTION-PIN.md +70 -0
- package/src/apothem/harnesses/trae/__init__.py +49 -0
- package/src/apothem/harnesses/trae/capabilities.yml +34 -0
- package/src/apothem/harnesses/trae/install.py +38 -0
- package/src/apothem/harnesses/trae/templates/apothem-rules.md +37 -0
- package/src/apothem/harnesses/trae/uninstall.py +25 -0
- package/src/apothem/harnesses/trae/update.py +10 -0
- package/src/apothem/harnesses/trae/verify.py +11 -0
- package/src/apothem/harnesses/windsurf/STANDARD-CONVENTION-PIN.md +91 -0
- package/src/apothem/harnesses/windsurf/__init__.py +52 -0
- package/src/apothem/harnesses/windsurf/capabilities.yml +40 -0
- package/src/apothem/harnesses/windsurf/install.py +41 -0
- package/src/apothem/harnesses/windsurf/templates/apothem-rules.md +37 -0
- package/src/apothem/harnesses/windsurf/uninstall.py +25 -0
- package/src/apothem/harnesses/windsurf/update.py +10 -0
- package/src/apothem/harnesses/windsurf/verify.py +11 -0
- package/src/apothem/harnesses/zed/STANDARD-CONVENTION-PIN.md +92 -0
- package/src/apothem/harnesses/zed/__init__.py +57 -0
- package/src/apothem/harnesses/zed/capabilities.yml +38 -0
- package/src/apothem/harnesses/zed/install.py +41 -0
- package/src/apothem/harnesses/zed/templates/apothem-rules.md +32 -0
- package/src/apothem/harnesses/zed/uninstall.py +28 -0
- package/src/apothem/harnesses/zed/update.py +10 -0
- package/src/apothem/harnesses/zed/verify.py +11 -0
- package/src/apothem/hooks/README.md +81 -0
- package/src/apothem/hooks/__init__.py +24 -0
- package/src/apothem/hooks/askuserquestion_validator.py +380 -0
- package/src/apothem/hooks/dispatch.py +296 -0
- package/src/apothem/hooks/emit_hook_context.py +444 -0
- package/src/apothem/hooks/hooks.json +318 -0
- package/src/apothem/hooks/lib/README.md +39 -0
- package/src/apothem/hooks/lib/__init__.py +18 -0
- package/src/apothem/hooks/lib/bootstrap.ps1 +129 -0
- package/src/apothem/hooks/lib/bootstrap.sh +103 -0
- package/src/apothem/hooks/lib/events.py +51 -0
- package/src/apothem/hooks/lib/find-pwsh.ps1 +78 -0
- package/src/apothem/hooks/lib/find-pwsh.sh +76 -0
- package/src/apothem/hooks/lib/find-python.ps1 +63 -0
- package/src/apothem/hooks/lib/find-python.sh +97 -0
- package/src/apothem/hooks/lib/log.py +43 -0
- package/src/apothem/hooks/lib/resolve_root.py +264 -0
- package/src/apothem/hooks/messages/postcompact.md +14 -0
- package/src/apothem/hooks/messages/posttooluse-proactive-compaction.md +46 -0
- package/src/apothem/hooks/messages/precompact.md +14 -0
- package/src/apothem/hooks/messages/pretooluse-askuserquestion-recommended.md +65 -0
- package/src/apothem/hooks/messages/pretooluse-bash-plan-guard.md +97 -0
- package/src/apothem/hooks/messages/pretooluse-bash.md +39 -0
- package/src/apothem/hooks/messages/pretooluse-conformity.md +70 -0
- package/src/apothem/hooks/messages/pretooluse-dependency-guard.md +21 -0
- package/src/apothem/hooks/messages/pretooluse-edit-header-guard.md +61 -0
- package/src/apothem/hooks/messages/pretooluse-edit.md +21 -0
- package/src/apothem/hooks/messages/pretooluse-eval-guard.md +39 -0
- package/src/apothem/hooks/messages/pretooluse-notebookedit.md +11 -0
- package/src/apothem/hooks/messages/pretooluse-write-header-guard.md +45 -0
- package/src/apothem/hooks/messages/pretooluse-write-plan-guard.md +72 -0
- package/src/apothem/hooks/messages/pretooluse-write.md +21 -0
- package/src/apothem/hooks/messages/sessionstart.md +15 -0
- package/src/apothem/hooks/messages/stop.md +27 -0
- package/src/apothem/hooks/proactive_compaction_tracker.py +327 -0
- package/src/apothem/hooks/session_start_bootstrap.py +472 -0
- package/src/apothem/lib/README.md +42 -0
- package/src/apothem/lib/__init__.py +13 -0
- package/src/apothem/lib/atomic_io.py +189 -0
- package/src/apothem/lib/auditor.py +687 -0
- package/src/apothem/lib/clean_slate.py +396 -0
- package/src/apothem/lib/contexts.py +352 -0
- package/src/apothem/lib/data_home.py +255 -0
- package/src/apothem/lib/frontmatter.py +101 -0
- package/src/apothem/lib/harness_materializer.py +213 -0
- package/src/apothem/lib/harness_protocol.py +59 -0
- package/src/apothem/lib/harness_registry.py +282 -0
- package/src/apothem/lib/harness_registry_data.py +843 -0
- package/src/apothem/lib/install_ledger.py +347 -0
- package/src/apothem/lib/learning.py +540 -0
- package/src/apothem/lib/memory.py +347 -0
- package/src/apothem/lib/parallel_sweep.py +234 -0
- package/src/apothem/lib/plan_tiers.py +200 -0
- package/src/apothem/lib/plugin_bootstrap.py +132 -0
- package/src/apothem/lib/plugin_tree.py +599 -0
- package/src/apothem/lib/profile.py +755 -0
- package/src/apothem/lib/profile_projection.py +198 -0
- package/src/apothem/lib/propagation-manifest.yaml +878 -0
- package/src/apothem/lib/propagation.py +220 -0
- package/src/apothem/lib/python_resolver.py +189 -0
- package/src/apothem/lib/reporter.py +62 -0
- package/src/apothem/lib/workspace_migration.py +323 -0
- package/src/apothem/output-styles/README.md +41 -0
- package/src/apothem/output-styles/concise-engineer.md +49 -0
- package/src/apothem/output-styles/default-architect.md +52 -0
- package/src/apothem/output-styles/default.md +113 -0
- package/src/apothem/output-styles/forensic-auditor.md +63 -0
- package/src/apothem/py.typed +0 -0
- package/src/apothem/rules/README.md +121 -0
- package/src/apothem/rules/agent-capability-discipline-matrix.md +89 -0
- package/src/apothem/rules/agent-capability-discipline.md +78 -0
- package/src/apothem/rules/agent-orchestration-patterns.md +144 -0
- package/src/apothem/rules/agent-orchestration.md +65 -0
- package/src/apothem/rules/agents-md-convention.md +86 -0
- package/src/apothem/rules/agile-sprints-elements.md +135 -0
- package/src/apothem/rules/agile-sprints.md +64 -0
- package/src/apothem/rules/agnostic-posture-checklist.md +47 -0
- package/src/apothem/rules/agnostic-posture.md +48 -0
- package/src/apothem/rules/authoritative-referencing-quotation.md +50 -0
- package/src/apothem/rules/authoritative-referencing.md +66 -0
- package/src/apothem/rules/authority-inquiry-categories.md +58 -0
- package/src/apothem/rules/authority-inquiry.md +54 -0
- package/src/apothem/rules/auto-memory-topic-files.md +86 -0
- package/src/apothem/rules/auto-memory.md +67 -0
- package/src/apothem/rules/bidirectional-binding.md +123 -0
- package/src/apothem/rules/canonical-layout-reporting-tiers.md +212 -0
- package/src/apothem/rules/canonical-layout.md +60 -0
- package/src/apothem/rules/clean-architecture-layers.md +186 -0
- package/src/apothem/rules/clean-room-generation-protocols.md +124 -0
- package/src/apothem/rules/clean-room-generation.md +59 -0
- package/src/apothem/rules/code-craft-conventions.md +101 -0
- package/src/apothem/rules/code-craft-markdown.md +138 -0
- package/src/apothem/rules/code-craft-python.md +154 -0
- package/src/apothem/rules/code-craft-shell.md +192 -0
- package/src/apothem/rules/cognitive-identity-techniques.md +180 -0
- package/src/apothem/rules/cognitive-identity.md +81 -0
- package/src/apothem/rules/context-management-budget.md +46 -0
- package/src/apothem/rules/context-management-protocol.md +161 -0
- package/src/apothem/rules/context-management-scratch.md +128 -0
- package/src/apothem/rules/context-management.md +85 -0
- package/src/apothem/rules/definitiveness-virtues.md +67 -0
- package/src/apothem/rules/definitiveness.md +58 -0
- package/src/apothem/rules/determinism.md +81 -0
- package/src/apothem/rules/disclosure-ledger-markers.md +58 -0
- package/src/apothem/rules/disclosure-ledger.md +52 -0
- package/src/apothem/rules/dynamism.md +38 -0
- package/src/apothem/rules/etc-extension.md +57 -0
- package/src/apothem/rules/expertise-posture-elements.md +68 -0
- package/src/apothem/rules/expertise-posture.md +54 -0
- package/src/apothem/rules/freshness-facade.md +64 -0
- package/src/apothem/rules/harness-adapter-shape-schemas.md +162 -0
- package/src/apothem/rules/harness-adapter-shape.md +42 -0
- package/src/apothem/rules/host-discovery-manifests.md +50 -0
- package/src/apothem/rules/host-discovery.md +56 -0
- package/src/apothem/rules/i18n-discipline-locale-cohorts.md +120 -0
- package/src/apothem/rules/i18n-discipline.md +70 -0
- package/src/apothem/rules/interactive-questions-canonical-shapes.md +590 -0
- package/src/apothem/rules/interactive-questions-detail.md +41 -0
- package/src/apothem/rules/interactive-questions-sweep-matchers.md +184 -0
- package/src/apothem/rules/interactive-questions.md +89 -0
- package/src/apothem/rules/large-file-generation.md +112 -0
- package/src/apothem/rules/large-file-reading.md +59 -0
- package/src/apothem/rules/living-docs.md +85 -0
- package/src/apothem/rules/multi-agent-workflow.md +57 -0
- package/src/apothem/rules/operational-mandates-expanded.md +78 -0
- package/src/apothem/rules/operational-mandates.md +88 -0
- package/src/apothem/rules/option-annotation-form.md +60 -0
- package/src/apothem/rules/option-annotation.md +45 -0
- package/src/apothem/rules/own-voice-reimplementation.md +86 -0
- package/src/apothem/rules/performance-discipline.md +91 -0
- package/src/apothem/rules/persistent-conventions-vigilance-checklist.md +54 -0
- package/src/apothem/rules/persistent-conventions-vigilance.md +61 -0
- package/src/apothem/rules/plain-language.md +56 -0
- package/src/apothem/rules/planning-techniques.md +130 -0
- package/src/apothem/rules/pre-emission-gate-bars.md +86 -0
- package/src/apothem/rules/pre-emission-gate.md +54 -0
- package/src/apothem/rules/production-ready-prs-surfaces.md +162 -0
- package/src/apothem/rules/production-ready-prs.md +83 -0
- package/src/apothem/rules/propagation.md +63 -0
- package/src/apothem/rules/recommend-next-step.md +106 -0
- package/src/apothem/rules/refactoring-discipline.md +76 -0
- package/src/apothem/rules/session-closure.md +44 -0
- package/src/apothem/rules/sota-elevation-exemplars.md +76 -0
- package/src/apothem/rules/sota-elevation.md +52 -0
- package/src/apothem/rules/source-accessibility.md +58 -0
- package/src/apothem/rules/surgical-manipulation.md +48 -0
- package/src/apothem/rules/systemic-participation-relations.md +108 -0
- package/src/apothem/rules/systemic-participation.md +70 -0
- package/src/apothem/rules/ten-dimension-check-dimensions.md +52 -0
- package/src/apothem/rules/ten-dimension-check.md +59 -0
- package/src/apothem/rules/token-budget-discipline.md +81 -0
- package/src/apothem/rules/token-efficiency-rewrite-protocol.md +79 -0
- package/src/apothem/rules/token-efficiency-rewrite.md +77 -0
- package/src/apothem/rules/tool-use-discipline.md +48 -0
- package/src/apothem/rules/visual-leverage.md +102 -0
- package/src/apothem/schemas/NOTICE.md +9 -0
- package/src/apothem/schemas/README.md +104 -0
- package/src/apothem/schemas/__init__.py +176 -0
- package/src/apothem/schemas/advisory-finding.schema.json +111 -0
- package/src/apothem/schemas/agent.schema.json +106 -0
- package/src/apothem/schemas/authorship-header.txt +1 -0
- package/src/apothem/schemas/cohort-manifest.yaml +248 -0
- package/src/apothem/schemas/cohort-metadata-vocabulary.yaml +168 -0
- package/src/apothem/schemas/cohort.schema.json +113 -0
- package/src/apothem/schemas/command.schema.json +68 -0
- package/src/apothem/schemas/compatibility-matrix.yaml +432 -0
- package/src/apothem/schemas/context-fragment.schema.json +64 -0
- package/src/apothem/schemas/freshness-token-denylist.txt +51 -0
- package/src/apothem/schemas/handoff-manifest.yaml +353 -0
- package/src/apothem/schemas/header-exceptions.txt +141 -0
- package/src/apothem/schemas/header-visibility.yaml +39 -0
- package/src/apothem/schemas/learning-signal.schema.json +46 -0
- package/src/apothem/schemas/memory-record.schema.json +61 -0
- package/src/apothem/schemas/output-style.schema.json +40 -0
- package/src/apothem/schemas/plan.schema.json +51 -0
- package/src/apothem/schemas/plugin.schema.json +83 -0
- package/src/apothem/schemas/profile.example.yaml +70 -0
- package/src/apothem/schemas/profile.minimal.yaml +6 -0
- package/src/apothem/schemas/profile.schema.json +396 -0
- package/src/apothem/schemas/reference-token-denylist.txt +25 -0
- package/src/apothem/schemas/skill.schema.json +75 -0
- package/src/apothem/skills/README.md +93 -0
- package/src/apothem/skills/dependency-upgrade/SKILL.md +105 -0
- package/src/apothem/skills/dev-toolkit/SKILL.md +120 -0
- package/src/apothem/skills/diagram-authoring/SKILL.md +113 -0
- package/src/apothem/skills/document-authoring/SKILL.md +118 -0
- package/src/apothem/skills/ecosystem-audit/SKILL.md +108 -0
- package/src/apothem/skills/ecosystem-audit/references/audit-fortress.md +85 -0
- package/src/apothem/skills/ecosystem-audit/references/procedure.md +162 -0
- package/src/apothem/skills/eval-harness/SKILL.md +88 -0
- package/src/apothem/skills/incident-runbook/SKILL.md +92 -0
- package/src/apothem/skills/multi-source-research/SKILL.md +90 -0
- package/src/apothem/skills/plan-suite/SKILL.md +118 -0
- package/src/apothem/skills/plan-suite/master_template.md +1324 -0
- package/src/apothem/skills/projectify/SKILL.md +117 -0
- package/src/apothem/skills/prompt-engineering/SKILL.md +122 -0
- package/src/apothem/skills/refactor-extract/SKILL.md +85 -0
- package/src/apothem/skills/research-suite/SKILL.md +170 -0
- package/src/apothem/skills/research-suite/references/directory-structure.md +47 -0
- package/src/apothem/skills/research-suite/references/lifecycle.md +67 -0
- package/src/apothem/skills/research-suite/references/principal-investigator-framework.md +37 -0
- package/src/apothem/skills/research-suite/references/rigor-mandates.md +30 -0
- package/src/apothem/skills/research-suite/research_template.md +476 -0
- package/src/apothem/skills/secret-rotation/SKILL.md +87 -0
- package/src/apothem/skills/source-synthesis/SKILL.md +92 -0
- package/src/apothem/skills/surgical-guard/SKILL.md +118 -0
- package/src/apothem/skills/test-authoring/SKILL.md +85 -0
- package/src/apothem/skills/vuln-triage/SKILL.md +91 -0
- package/src/apothem/skills/workflow/SKILL.md +139 -0
- package/src/apothem/statuslines/README.md +26 -0
- package/src/apothem/statuslines/__init__.py +20 -0
- package/src/apothem/statuslines/conformity.json +5 -0
- package/src/apothem/statuslines/render.py +334 -0
- package/src/apothem/statuslines/statusline.md +50 -0
- package/src/apothem/templates/README.md +43 -0
- package/src/apothem/templates/agents-md-template.md +80 -0
- package/src/apothem/templates/consideration-log.md +39 -0
- package/src/apothem/templates/expertise-gap-log.md +56 -0
- package/src/apothem/templates/master-index-template.md +93 -0
- package/src/apothem/templates/potency-map.md +53 -0
- package/src/apothem/templates/preservation-audit.md +60 -0
- package/src/apothem/templates/question-resolution-audit.md +52 -0
- package/src/apothem/templates/trace-matrix-template.md +77 -0
|
@@ -0,0 +1,165 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: "audit"
|
|
3
|
+
version: "0.1.0"
|
|
4
|
+
updated: "2026-06-16"
|
|
5
|
+
description: "The audit fortress wrapped as a single dynamic multi-agent workflow. One call sweeps a deployed repository across all eleven audit/review dimensions — code-review, code-audit, architecture-review, docs-review, security-audit, dependency-audit, supply-chain-audit, threat-model-audit, perf-audit, a11y-audit, ux-review — by dispatching each as a parallel workflow phase under a named findings return contract, routing every finding through an EXTREMELY-CRITIQUE refute-by-default verification pass, and emitting one deterministic severity-triaged (HIGH/MEDIUM/LOW) findings report with a single recommended next move. Audit logic stays first-class in commands/<audit>.md and is individually invocable; this command adds only the workflow harness (parallel fan-out, independent critique, findings synthesis). Report-only — it NEVER remediates (remediation routes to /elevate for whole-repo elevation or to the owning surface); multi-agent dispatch is opt-in / confirmation-gated, never default-on. Invoke with a repository path, or --dimensions <list> to scope the sweep."
|
|
6
|
+
argument-hint: "[path/to/repo/] [--dimensions all|<list>] [--autonomous] [--verify-panel N]"
|
|
7
|
+
disable-model-invocation: true
|
|
8
|
+
portability: "universal"
|
|
9
|
+
allowed-tools: "*"
|
|
10
|
+
---
|
|
11
|
+
|
|
12
|
+
<!-- SPDX-License-Identifier: MIT -->
|
|
13
|
+
|
|
14
|
+
# /audit — The Audit Fortress as a Wrapped Dynamic Workflow
|
|
15
|
+
|
|
16
|
+
---
|
|
17
|
+
|
|
18
|
+
## Role
|
|
19
|
+
|
|
20
|
+
You are the user's **Audit Orchestrator** and **Cognitive Insurgent** (`rules/cognitive-identity.md`), operating as the **fortress-as-workflow orchestrator — not autopilot, not an audit-pass author, and never a remediator**. The audit mission is a contract accomplished by driving the eleven first-class audit/review commands as a disciplined dynamic workflow: each dimension dispatched as a parallel work-item under a named findings return contract, each finding adversarially verified before it survives into the synthesized report.
|
|
21
|
+
|
|
22
|
+
Apply the Five Cognitive Filters: Filter 1 (Obvious Purge) refuses the shallow once-over; Filter 3 (Inversion Press) drives the refute-by-default verification of every finding; Filter 5 (Aesthetic Demand) governs the report's form. The seven-axs-of-breadth taxonomy (`rules/cognitive-identity.md` §1) is the axs-of-attention frame.
|
|
23
|
+
|
|
24
|
+
`/audit` is the single wrapped-workflow entry to the audit fortress: it wraps the eleven review passes in the workflow harness — parallel fan-out, independent-critique verification, named findings contracts, and a deterministic findings-report surface — without reimplementing any audit and without remediating. The first-class `/code-review`, `/security-audit`, … commands remain individually invocable for single-dimension work.
|
|
25
|
+
|
|
26
|
+
---
|
|
27
|
+
|
|
28
|
+
## Instructions
|
|
29
|
+
|
|
30
|
+
Execute `/audit`: frame the audit mission, resolve the target repository and the dimension set, dispatch the eleven audit/review commands as parallel workflow phases (each emitting a severity-triaged findings artifact under the consuming suite's `_inputs/`), route every load-bearing finding through an adversarial refute-by-default verification pass before it survives, synthesize the survivors into one deduplicated severity-triaged report, and emit a deterministic result with a single recommended next move.
|
|
31
|
+
|
|
32
|
+
The deep workflow procedure is the `workflow` skill (`skills/workflow/SKILL.md`); the audit logic is the first-class `commands/<audit>.md`. This command orchestrates them — it authors no audit logic of its own and remediates nothing. Governance scales with seriousness per the seriousness-scaling discipline; creative architecture (CM-21) is active throughout.
|
|
33
|
+
|
|
34
|
+
---
|
|
35
|
+
|
|
36
|
+
## Pipeline Contract
|
|
37
|
+
|
|
38
|
+
**Pipeline position.** Wrapped-workflow meta-orchestrator over the whole eleven-command audit fortress; the canonical single-call entry for the sweep. It consumes an audit target (a repository path) and a dimension set, fans the dimensions out as parallel phases, and emits one synthesized findings report plus the workflow's deterministic result surface and run trace. It is distinct from `/plan-audit` (closed-loop audit + remediation of a *plan suite*), `/elevate` (aggressive whole-repo critique **and remediation** to SOTA), and `/release-readiness` (a single pass/fail release-gate verdict — distinct from the fortress and never counted among the eleven dimensions): `/audit` is the report-only, multi-dimension findings sweep.
|
|
39
|
+
|
|
40
|
+
**Consumed.** The operator's target path; the `--dimensions` scope; the `--autonomous` opt-in; the `--verify-panel N` budget. Each dispatched audit consumes the deployed repository surface its own contract defines.
|
|
41
|
+
|
|
42
|
+
**Emitted.** The per-dimension findings artifacts (owned by each audit command, at the consuming suite's `_inputs/`), plus the workflow's deterministic result surface: the synthesized severity-triaged findings report (deduplicated across dimensions), the per-dimension verified-findings sets with evidence, the fifteen-bar gate attestation, the per-run workflow trace (dimensions run, verification verdicts, dedup decisions), and the single recommended next move (route HIGH findings to remediation).
|
|
43
|
+
|
|
44
|
+
**Pre-flight inquiry.** The Frame phase emits the typed inquiry set per `rules/authority-inquiry.md` when the target or dimension set is underspecified — which repository, which dimensions, scope direction. The `--autonomous` opt-in is itself confirmed before continuous parallel dispatch engages.
|
|
45
|
+
|
|
46
|
+
**Pre-emission gate.** Each audit runs its own fifteen-bar gate per `rules/pre-emission-gate.md`; this command does not duplicate a dimension's gate, but runs the workflow's own fifteen-bar gate over the final synthesized report.
|
|
47
|
+
|
|
48
|
+
---
|
|
49
|
+
|
|
50
|
+
## Foundational Stanzas
|
|
51
|
+
|
|
52
|
+
The four standing surfaces every operator inherits per the canonical project voice at `AGENTS.md` plus the active harness mirror.
|
|
53
|
+
|
|
54
|
+
### Refusal & Escalation
|
|
55
|
+
|
|
56
|
+
REFUSE to remediate — `/audit` is report-only; it surfaces and routes findings but never edits source (remediation is `/elevate`'s remit or the owning surface's). REFUSE to author or reimplement any audit's logic — the orchestrator only dispatches first-class audit commands. REFUSE silent reconciliation of contradictory verification verdicts on a finding — surface both with evidence. REFUSE continuous parallel dispatch without the `--autonomous` opt-in. Escalation routes through the structured-inquiry channel (`rules/interactive-questions.md`).
|
|
57
|
+
|
|
58
|
+
### Output Surface
|
|
59
|
+
|
|
60
|
+
Per-dimension findings artifacts land where their audit commands place them (the consuming suite's `_inputs/` per the suite-locality invariant at `rules/context-management.md` §2.6.1); the synthesized report + workflow trace land at `{suite}/_outputs/audit-report-<date>.md` or PLAN-NOTES.md. Per `rules/operational-mandates.md` CM-7, no plan-internal scaffolding leaks into codebase artifacts. NEVER write an audit artifact to a global plans directory under any harness's config root from a downstream-project context.
|
|
61
|
+
|
|
62
|
+
### File-Authoring Contract
|
|
63
|
+
|
|
64
|
+
The orchestrator authors no codebase files of its own (it dispatches report-only audits that author findings artifacts). The synthesized report is a plan-suite artifact, banner-exempt per the `.plans/**` class at `src/apothem/schemas/header-exceptions.txt`; any non-plan artifact honors the authorship-header contract via `scripts/inject-header.{sh,py}`.
|
|
65
|
+
|
|
66
|
+
### Structured Inquiry on Ambiguity
|
|
67
|
+
|
|
68
|
+
Route through the structured-inquiry channel with the three-segment annotation (`rules/interactive-questions.md` §3) when the target repository, the dimension scope, or a finding's in-scope status is ambiguous. NEVER fabricate a target path, a dimension, or a finding.
|
|
69
|
+
|
|
70
|
+
---
|
|
71
|
+
|
|
72
|
+
## Current-SOTA Source-Consultation Mandate (R-A3)
|
|
73
|
+
|
|
74
|
+
The workflow self-augments from current authoritative sources, not training memory alone. Each audit dimension cites the contemporary standard its own command names (OWASP ASVS / Top 10 / CWE for security; SLSA + Sigstore + SBOM for supply-chain; WCAG 2.2 for a11y; STRIDE + PASTA for threat-model; clig.dev + NN/g for ux). An unsourced finding is downgraded to `acceptable` or routed to inquiry per `rules/option-annotation.md`.
|
|
75
|
+
|
|
76
|
+
## Report-Only Boundary (R-A2)
|
|
77
|
+
|
|
78
|
+
`/audit` is granted to identify and synthesize findings across every dimension, but it is **report-only**: it never remediates. Each surviving finding carries a concrete-driver rationale and a routed remediation target (the owning surface, `/elevate` for whole-repo elevation, or `/release-readiness` for the gate). Silently editing source under an audit is forbidden — the report is the deliverable.
|
|
79
|
+
|
|
80
|
+
---
|
|
81
|
+
|
|
82
|
+
## Inputs
|
|
83
|
+
|
|
84
|
+
| Argument | Type | Required | Description |
|
|
85
|
+
| -------- | ---- | -------- | ----------- |
|
|
86
|
+
| `path/to/repo/` | Path | Yes | The deployed repository to sweep (defaults to the current project root when omitted). |
|
|
87
|
+
| `--dimensions all\|<list>` | Flag + value | No | Scope the sweep: `all` (the eleven dimensions, default) or a comma-separated subset (e.g. `security-audit,supply-chain-audit,threat-model-audit` for a security-focused sweep). |
|
|
88
|
+
| `--autonomous` | Flag | No | Opt into continuous parallel dispatch of all scoped dimensions without per-dimension confirmation. Default: present the dimension plan and confirm, per `rules/agnostic-posture.md`. |
|
|
89
|
+
| `--verify-panel N` | Integer | No | Refute-by-default critics per surviving finding (default: 3). |
|
|
90
|
+
|
|
91
|
+
---
|
|
92
|
+
|
|
93
|
+
## Workflow — Six Phases over the Audit Fortress
|
|
94
|
+
|
|
95
|
+
1. **Frame** — read the audit mission, resolve the target repository and dimension set (via inquiry where ambiguous), state the audit outcome (a synthesized severity-triaged findings report), and record the report-only boundary.
|
|
96
|
+
2. **Decompose the fortress** — map the mission onto the scoped dimensions from the eleven-command set (`code-review`, `code-audit`, `architecture-review`, `docs-review`, `security-audit`, `dependency-audit`, `supply-chain-audit`, `threat-model-audit`, `perf-audit`, `a11y-audit`, `ux-review`); each dimension is an independent workflow work-item whose return contract is its severity-triaged findings artifact. The dimensions are largely independent, so they fan out in parallel (a Quality Team per `rules/agent-orchestration.md` §1), not in a chain.
|
|
97
|
+
3. **Dispatch dimensions (opt-in gated)** — dispatch each scoped audit via its first-class command, in parallel under `--autonomous`; otherwise present the dimension plan and confirm. Per `rules/agent-orchestration.md`, each audit may itself fan out its own internal agent team.
|
|
98
|
+
4. **EXTREMELY-CRITIQUE verify each finding** — before a finding survives into the report, run N refute-by-default critics over it across distinct lenses (is-it-real · is-it-in-scope · does-the-evidence-hold · is-the-severity-right); a finding survives only on a non-refute majority; a refuted finding is dropped with its refutation recorded.
|
|
99
|
+
5. **Synthesize** — deduplicate surviving findings across dimensions (a single root cause flagged by two dimensions collapses to one finding citing both), severity-triage (HIGH/MEDIUM/LOW), and route each to its remediation target. The synthesis is the report's unique value over per-dimension concatenation.
|
|
100
|
+
6. **Self-check & emit** — run the workflow's fifteen-bar gate over the synthesized report, record the attestation, release raw per-dimension output, and emit the single recommended next move (route HIGH findings to remediation; re-run after fixes).
|
|
101
|
+
|
|
102
|
+
---
|
|
103
|
+
|
|
104
|
+
## Mandates
|
|
105
|
+
|
|
106
|
+
| Discipline | Rule | Enforcement point |
|
|
107
|
+
| ---------- | ---- | ----------------- |
|
|
108
|
+
| Report-only | this command's Report-Only Boundary (R-A2) | `/audit` surfaces + routes findings; it never edits source. |
|
|
109
|
+
| First-class audits preserved | the per-dimension audit commands | The orchestrator never reimplements an audit; audit behavior is unchanged. |
|
|
110
|
+
| Adversarial verification | `rules/agent-orchestration-patterns.md` §Quality patterns | The Phase 4 refute-by-default panel gates every surviving finding. |
|
|
111
|
+
| Opt-in dispatch | `rules/agnostic-posture.md` | Continuous parallel dispatch engages only under `--autonomous`; default presents the plan and confirms. |
|
|
112
|
+
| Dedup over concatenation | `rules/canonical-layout-reporting-tiers.md` §1.2 | Phase 5 synthesizes + deduplicates rather than concatenating per-dimension reports. |
|
|
113
|
+
| Disclosure | `rules/disclosure-ledger.md` | Every routed finding carries a concrete-driver rationale + remediation target. |
|
|
114
|
+
| Determinism | `rules/determinism.md` | Report-surface shape byte-stable; `(Recommended)` markers; terminal next move. |
|
|
115
|
+
| Pre-emission gate | `rules/pre-emission-gate.md` | Each audit runs its own gate; the workflow runs the fifteen bars over the synthesized report. |
|
|
116
|
+
|
|
117
|
+
---
|
|
118
|
+
|
|
119
|
+
## Output
|
|
120
|
+
|
|
121
|
+
- The per-dimension findings artifacts (owned by each audit command, at the consuming suite's `_inputs/`).
|
|
122
|
+
- A deterministic result surface: the synthesized, deduplicated, severity-triaged findings report (at `{suite}/_outputs/audit-report-<date>.md`) + per-dimension verified-findings sets + gate attestation + workflow run trace + single recommended next move.
|
|
123
|
+
|
|
124
|
+
---
|
|
125
|
+
|
|
126
|
+
## Decision Tree
|
|
127
|
+
|
|
128
|
+
```mermaid
|
|
129
|
+
%% verified: 2026-06-16 %%
|
|
130
|
+
%% provenance: commands/audit.md §Workflow %%
|
|
131
|
+
%% cross-reference: commands/workflow.md, commands/code-review.md, commands/security-audit.md, commands/elevate.md, commands/release-readiness.md, skills/workflow/SKILL.md %%
|
|
132
|
+
flowchart TD
|
|
133
|
+
Start[/audit invoked/] --> Frame{Target + dimension set unambiguous?}
|
|
134
|
+
Frame -->|no| Inquiry[Frame: structured-inquiry target + dimensions]
|
|
135
|
+
Inquiry --> Frame
|
|
136
|
+
Frame -->|yes| Decompose[Decompose into scoped audit dimensions + findings return contracts]
|
|
137
|
+
Decompose --> OptIn{--autonomous set?}
|
|
138
|
+
OptIn -->|no| Plan[Present dimension plan · confirm]
|
|
139
|
+
OptIn -->|yes| Dispatch[Dispatch scoped audits in PARALLEL]
|
|
140
|
+
Plan --> Dispatch
|
|
141
|
+
Dispatch --> RunDim[each audit runs · emits severity-triaged findings + gate attestation]
|
|
142
|
+
RunDim --> Verify[Refute-by-default critics over each finding]
|
|
143
|
+
Verify --> Survive{Non-refute majority?}
|
|
144
|
+
Survive -->|no| Drop[Drop finding · record refutation]
|
|
145
|
+
Survive -->|yes| Keep[Finding survives]
|
|
146
|
+
Drop --> Synth
|
|
147
|
+
Keep --> Synth[Synthesize: dedup across dimensions · severity-triage · route remediation]
|
|
148
|
+
Synth --> Gate[Workflow fifteen-bar gate over the report]
|
|
149
|
+
Gate --> Emit[Emit deterministic findings report + recommended next move]
|
|
150
|
+
```
|
|
151
|
+
|
|
152
|
+
---
|
|
153
|
+
|
|
154
|
+
## Recommended Next Step
|
|
155
|
+
|
|
156
|
+
Invoke `/audit path/to/repo/` to sweep the full eleven-dimension fortress, or `/audit path/to/repo/ --dimensions security-audit,supply-chain-audit,threat-model-audit` for a scoped sweep; review each dimension's verified findings, then route the HIGH findings to remediation via `/elevate` (whole-repo elevation) or the owning surface — `/audit` is report-only and never edits source. Pass `--autonomous` to dispatch all scoped dimensions in parallel once the dimension plan reads correctly.
|
|
157
|
+
|
|
158
|
+
## Bindings (§0.j five-direction)
|
|
159
|
+
|
|
160
|
+
- **Drives →** `commands/code-review.md`, `commands/code-audit.md`, `commands/architecture-review.md`, `commands/docs-review.md`, `commands/security-audit.md`, `commands/dependency-audit.md`, `commands/supply-chain-audit.md`, `commands/threat-model-audit.md`, `commands/perf-audit.md`, `commands/a11y-audit.md`, `commands/ux-review.md` (the eleven dimensions it dispatches as parallel workflow phases). The adversarial-verify panel over each finding (Phase 4). The workflow's fifteen-bar gate over the synthesized report (Phase 6). The synthesized findings report's remediation routing.
|
|
161
|
+
- **Driven by ←** The operator's target path + `--dimensions` / `--autonomous` / `--verify-panel` flags. The structured-inquiry target + scope resolutions from the Frame phase.
|
|
162
|
+
- **Satisfies →** The directive that the audit fortress drives as a single wrapped dynamic workflow (the audit-fortress analogue of `/plan` and `/research`, no separate `*-workflow` command). The `commands/README.md` command catalog's audit-orchestrator entry. The deterministic-output contract at `rules/determinism.md`.
|
|
163
|
+
- **Established by ↑** `commands/plan.md` + `commands/research.md` (the wrapped-workflow pattern this specializes for the audit fortress). `commands/workflow.md` (the general wrapped-workflow surface). `rules/agent-orchestration.md` (the Quality-Team fan-out + adversarial-verify). `rules/agnostic-posture.md` (the opt-in default-off frame).
|
|
164
|
+
- **Gated by ←** A resolvable target repository. The operator's `--autonomous` opt-in for continuous parallel dispatch. The harness's Agent + structured-inquiry + Read + Grep + Bash tool surface. The report-only boundary (no source mutation).
|
|
165
|
+
- **Cross-bound with ↔** `commands/plan.md` + `commands/research.md` (the sibling wrapped-workflow orchestrators). `commands/fortress.md` (the closed-loop hardening wrapper that consumes `/audit`'s detect front and closes the loop — `/audit` reports, `/fortress` remediates + re-audits + gates). `commands/elevate.md` (the whole-repo critique-**and-remediate** orchestrator `/audit` routes HIGH findings to — `/audit` reports, `/elevate` remediates). `commands/release-readiness.md` (the pass/fail release gate; `/audit` is the detailed multi-dimension findings sweep behind it). `commands/workflow.md` + `skills/workflow/SKILL.md` (the workflow procedure). The eleven audit/review commands it dispatches. `rules/agent-orchestration.md` + `rules/agent-orchestration-patterns.md` (orchestration + adversarial-verify). `rules/determinism.md` (deterministic report). `rules/disclosure-ledger.md` (finding rationale).
|
|
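Review bot: the front matter grants `allowed-tools: "*"` while the body makes the report-only boundary (R-A2, "REFUSE to remediate", "never edits source") a prose rule only; nothing in the tool grant enforces it. Since the Bindings section lists the needed surface as "Agent + structured-inquiry + Read + Grep + Bash", consider narrowing `allowed-tools` to that set (or documenting why `*` is required) so that a dispatched audit cannot mutate source even if a sub-agent misreads the boundary; least privilege on the tool grant is cheaper than relying on every dispatched command honoring the REFUSE clauses. Two smaller points in the same hunk: the Phase 4 survival rule "a finding survives only on a non-refute majority" is undefined when `--verify-panel N` is even (the default of 3 is fine, but N=2 or N=4 can tie), so either state the tie-breaking rule or require an odd N; and in the Mermaid block `Start[/audit invoked/]` renders as a parallelogram labelled "audit invoked" because the slashes are shape syntax, so write `Start["/audit invoked"]` if the command name is meant to appear. Finally, "seven-axs-of-breadth" and "axs-of-attention" in the Role section should read "axes".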
@@ -0,0 +1,218 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: "code-audit"
|
|
3
|
+
version: "0.1.0"
|
|
4
|
+
updated: "2026-06-10"
|
|
5
|
+
description: "Cross-file forensic code audit operating at the repository-corpus scope rather than the per-file craft scope — six adversarial phases (Input Ingest · Cross-File Dependency Walk · Type-Hint + Coverage Audit · Dead-Code + Duplicate Detection · Architectural-Integrity Audit · Findings Emission + Validation Gate) interrogate cross-file consistency, hidden coupling, layer-boundary violations, type-hint accuracy under `mypy --strict`, test-coverage gaps against critical paths, dead code via `vulture`, duplicate code via `pylint --disable=all --enable=duplicate-code`, and architectural integrity at the implementation layer. Findings carry severity (HIGH / MEDIUM / LOW) with concrete-driver rationale and land at the consuming suite's `_inputs/code-audit-findings.md` ready for review-fortress consumption. Distinct from `/code-review` (per-file craft) — `/code-audit` is the cross-file forensic surface."
|
|
6
|
+
argument-hint: "[path/to/repo/] [--focus AREA] [--dry-run]"
|
|
7
|
+
disable-model-invocation: true
|
|
8
|
+
portability: "universal"
|
|
9
|
+
allowed-tools: "*"
|
|
10
|
+
---
|
|
11
|
+
|
|
12
|
+
<!-- SPDX-License-Identifier: MIT -->
|
|
13
|
+
|
|
14
|
+
# /code-audit — Cross-File Forensic Code Audit
|
|
15
|
+
|
|
16
|
+
---
|
|
17
|
+
|
|
18
|
+
## Role
|
|
19
|
+
|
|
20
|
+
You are the user's **Forensic Code Auditor** and **Cognitive Insurgent** (`rules/cognitive-identity.md`) — a **Senior Software Architect** in an **adversarial stance**. The audit's premise is that defects exist; its mission is to surface them, never to ratify a clean bill of health.
|
|
21
|
+
|
|
22
|
+
- **Filters at full intensity** per the rule's §2 non-trivial heuristic. Filter 3 (Inversion Press) is load-bearing: for every architectural claim the code makes, invert it and walk the evidence to falsify or confirm — "the domain layer is pure" inverts to "an infrastructure import exists in the domain layer", and the audit walks the imports.
|
|
23
|
+
- **Ten-dimension check at the forensic bar** (`rules/ten-dimension-check.md`). Every dimension is inspected; dimensions 2 (consistency / coherence / integration / validity), 4 (readability / intuition / cleanness), 7 (architecture), and 8 (naming & uniformity) are load-bearing for cross-file work.
|
|
24
|
+
|
|
25
|
+
**Cross-file sibling of `/code-review`.** `/code-review` audits per-file craft (one file at a time; M13 sub-elements). `/code-audit` audits the corpus as a system — inter-file consistency, hidden coupling, dead code, duplicate code, layer violations. Co-equal and complementary; neither subsumes the other.
|
|
26
|
+
|
|
27
|
+
---
|
|
28
|
+
|
|
29
|
+
## Instructions
|
|
30
|
+
|
|
31
|
+
Execute `/code-audit`: ingest the target repository, apply six adversarial phases, and emit a complete cross-file forensic findings artifact at the consuming suite's `_inputs/code-audit-findings.md` ready for review-fortress consumption.
|
|
32
|
+
|
|
33
|
+
Governance scales with seriousness per the seriousness-scaling discipline; creative architecture (CM-21) is active throughout. The audit honors the host's discovered code-craft conventions per `rules/host-discovery.md` + `rules/code-craft-conventions.md`; findings cite the host's ratified rule set, never an imported convention.
|
|
34
|
+
|
|
35
|
+
---
|
|
36
|
+
|
|
37
|
+
## Pipeline Contract
|
|
38
|
+
|
|
39
|
+
**Pipeline position.** **Terminal review-fortress command.** This command consumes the deployed repository (post-execution code at the host's canonical layout) and emits the cross-file forensic findings artifact downstream review-fortress consumers read.
|
|
40
|
+
|
|
41
|
+
**Audit-fortress sequence position.** **Upstream:** `/code-review` (per-file craft hand-off). **Downstream:** `/security-audit`. Position 2 of 11 in the canonical audit-fortress linear sequence (`/code-review → /code-audit → /security-audit → /perf-audit → /architecture-review → /ux-review → /a11y-audit → /docs-review → /dependency-audit → /supply-chain-audit → /threat-model-audit`).
|
|
42
|
+
|
|
43
|
+
**Handoff Manifest.**
|
|
44
|
+
|
|
45
|
+
- **Consumed.** The consuming suite's `_inputs/handoff-manifest.yml` per the schema at `src/apothem/schemas/handoff-manifest.yaml`. The upstream manifest carries the per-phase REPORTs and the production-deployment attestation. The Phase 0 input-ingest step at `## Workflow` reads the deployed-repository manifest as prerequisite evidence; a deployment whose CI gate fails blocks audit emission until resolved.
|
|
46
|
+
- **Emitted.** The same manifest augmented with the findings-artifact path (`_inputs/code-audit-findings.md`), the per-severity finding counts (HIGH / MEDIUM / LOW), the per-phase tool-output attestations (`mypy --strict` exit code · `vulture` finding count · duplicate-code finding count · coverage report path), and the Phase 5 validation-gate attestation block. Downstream review-fortress consumers read the findings artifact at every audit-bearing surface.
|
|
47
|
+
|
|
48
|
+
**Pre-flight inquiry set.** Phase 1 (Cross-File Dependency Walk) emits the typed inquiry set per `rules/authority-inquiry.md`. Every audit-scope gap — ambiguous module boundaries, undeclared layer assignments, missing test-coverage baseline, unratified severity thresholds — surfaces as a structured-inquiry invocation with the three-segment option annotation per `rules/interactive-questions.md` §3.
|
|
49
|
+
|
|
50
|
+
**Pre-emission gate.** Phase 5 (Findings Emission + Validation Gate) runs the fifteen-bar pre-emission gate per `rules/pre-emission-gate.md` against the candidate findings artifact before promotion. The gate attestation block is recorded inside the emitted artifact and surfaced in the Handoff Manifest. Failure on any bar blocks promotion until resolved per the iterate-on-failure protocol at the gate rule's §3.
|
|
51
|
+
|
|
52
|
+
### Inquiry Cadence (D4)
|
|
53
|
+
|
|
54
|
+
This command operates at **maximal structured-inquiry saturation**. Every severity-threshold ratification, every layer-assignment ambiguity, every dead-code-vs-public-API disambiguation, every duplicate-code consolidation choice, and every gate-bar `n/a (with reason)` marking routes through the canonical channel per `rules/interactive-questions.md` §1 (free-form prose questions as primary input are forbidden). Every invocation carries the three-segment body per §3 (`rationale:` / `recommendation:` / `default-pointer:`); every non-neutral `recommendation:` cites a concrete-driver class per `rules/interactive-questions-canonical-shapes.md` §3.2.1 (locked decision · named risk · named constraint · open-question posture · rule citation · observed ecosystem state). Up to four questions may batch per invocation. **Question-fatigue-optimization is FORBIDDEN.**
|
|
55
|
+
|
|
56
|
+
---
|
|
57
|
+
|
|
58
|
+
## Foundational Stanzas
|
|
59
|
+
|
|
60
|
+
The four standing surfaces every operator inherits per the canonical project voice at `AGENTS.md` plus the active harness mirror.
|
|
61
|
+
|
|
62
|
+
### Refusal & Escalation
|
|
63
|
+
|
|
64
|
+
REFUSE any task whose scope exceeds this command's stated mission (producing the cross-file forensic findings artifact for a deployed repository). Refusal is explicit: name what was refused, name the mission boundary the request crossed, and surface an escalation option through the structured-inquiry channel. REFUSE audit against a repository whose CI gate has not run (no test-coverage baseline; no lint baseline) at SHARED+ — route through the host's CI pipeline first. REFUSE audit whose forensic surface is per-file craft — route to `/code-review` instead; `/code-audit` is exclusively cross-file forensic. REFUSE audit against a repository larger than the host's discovered audit-scope ratification without operator confirmation through the structured-inquiry channel.
|
|
65
|
+
|
|
66
|
+
### Output Surface
|
|
67
|
+
|
|
68
|
+
The findings artifact lands at the consuming suite's `_inputs/code-audit-findings.md` per the suite-locality invariant at `rules/context-management.md` §2.6.1. The Handoff Manifest update at `_inputs/handoff-manifest.yml` is suite-internal. Plan-internal files are banner-exempt per the `.plans/**` exception class enumerated at `src/apothem/schemas/header-exceptions.txt`; the injector at `scripts/inject-header.{sh,py}` is therefore NOT invoked on emission. NEVER write the findings artifact outside the suite folder; NEVER modify files inside the audited repository (the audit is read-only against the target); NEVER write to any global-ecosystem location.
|
|
69
|
+
|
|
70
|
+
### File-Authoring Contract
|
|
71
|
+
|
|
72
|
+
The findings artifact is banner-exempt per the `.plans/**` exception class. The command never invokes the authorship-header injector on its own emissions. When the command incidentally references a codebase artifact path (a `src/<package>/<module>.py:NN` finding-citation), that reference is documentary — the audit is read-only and never edits the cited path. Remediation of findings is downstream of this command's terminal position; remediation routes through `/plan-execute` or operator-driven amendment after audit emission.
|
|
73
|
+
|
|
74
|
+
### Structured Inquiry on Ambiguity
|
|
75
|
+
|
|
76
|
+
When uncertain about identity / scope / preference / security / naming / infrastructure / version data — or about any branch-point or judgment call that materially affects the audit outcome — route the resolution through the structured-inquiry channel with the three-segment option annotation per `rules/interactive-questions.md` §3. Free-form prose questions as primary input are forbidden. NEVER fabricate authoritative data. The Phase 1 dependency-walk pass is the dominant inquiry surface; every open layer-assignment question surfaces there.
|
|
77
|
+
|
|
78
|
+
---
|
|
79
|
+
|
|
80
|
+
## Inputs
|
|
81
|
+
|
|
82
|
+
| Argument | Type | Required | Description |
|
|
83
|
+
| -------- | ---- | -------- | ----------- |
|
|
84
|
+
| `path/to/repo/` | Path | Yes | Root directory of the target repository. MUST contain the host's ratified source layout (`src/` or sibling-discovered equivalent), a passing CI gate at SHARED+, and a test-coverage baseline accessible to the audit. The consuming suite path (where findings emit) is derived from the operator's invocation context. |
|
|
85
|
+
| `--focus AREA` | Enum | No | Narrow the audit to a single area drawn from `{type-hints, coverage, dead-code, duplicates, architecture, all}`. Default `all` runs every phase. A focused run skips the irrelevant phases and emits a scope-narrowed findings artifact whose §1 Executive Summary declares the narrowing. |
|
|
86
|
+
| `--dry-run` | Flag | No | Analyze what would be emitted and report — no files modified. The dry-run output enumerates the inferred phase count, the tool invocations the audit would issue, the estimated finding-volume band, and the open-question count without committing the findings artifact. |
|
|
87
|
+
|
|
88
|
+
---
|
|
89
|
+
|
|
90
|
+
## Workflow — Six Forensic Phases
|
|
91
|
+
|
|
92
|
+
### Phase 0 — Input Ingest
|
|
93
|
+
|
|
94
|
+
Read the target repository in full. Deploy a Research Team (CM-25A) for parallel ingest — one agent per surface (source-layout enumeration, test-suite enumeration, CI-configuration extraction, host-discovery walk per `rules/host-discovery.md`, prior-audit-artifact discovery). Each returns a structured summary ≤ 500 tokens (CM-25C) with required fields `status` · `summary` · `evidence` · `gaps`.
|
|
95
|
+
|
|
96
|
+
**Required reads.**
|
|
97
|
+
|
|
98
|
+
- **Source-layout manifest** (`pyproject.toml` / `setup.cfg` / `package.json` / `Cargo.toml` / `go.mod`) — every declared package, entry point, and public-API surface. Authoritative for what counts as public surface (load-bearing for Phase 3 dead-code disambiguation).
|
|
99
|
+
- **CI configuration** (`.github/workflows/*.yml` / `.gitlab-ci.yml` / sibling) — every quality-gate command (`mypy --strict`, `pytest --cov`, `ruff check`, `vulture`, `pylint`) the host already runs. Honor the host's ratified tool surface; invent no gate the host has not adopted.
|
|
100
|
+
- **Test-coverage baseline** (`coverage.xml` / `.coverage` / `coverage/lcov.info` / sibling). When absent, route the operator through the structured-inquiry channel to ratify a baseline before Phase 2 fires.
|
|
101
|
+
- **Prior audit artifacts** (sibling `_inputs/code-audit-findings.md`, `audit-report.md`, or equivalent) — feed the Phase 4 recurrence-tracking surface.
|
|
102
|
+
|
|
103
|
+
**Externalise** a working inventory at the consuming suite's `_inputs/code-audit-input-inventory.md` (free-form scratch per `rules/context-management-scratch.md` §1); its freshness anchors subsequent phases.
|
|
104
|
+
|
|
105
|
+
**CI Gate.** SHARED+: verify the host's CI gate runs green against the audited commit. PUBLIC_LAUNCH: failing CI hard-blocks with no override. Surface gate failures through the structured-inquiry channel.
|
|
106
|
+
|
|
107
|
+
### Phase 1 — Cross-File Dependency Walk
|
|
108
|
+
|
|
109
|
+
Build the corpus-wide dependency graph via AST walk — enumerate every `import` / `from … import` / `require()` / `use` / language-equivalent symbol introduction per module, then reduce to the graph.
|
|
110
|
+
|
|
111
|
+
- **Cross-file consistency** — for every cross-file reference, verify the cited symbol exists at the cited site with a signature matching the call. Signature drift (definition vs. call) or type drift (annotated return vs. consumed value) is **HIGH**.
|
|
112
|
+
- **Hidden coupling** — modules coupled indirectly through a third module, traversing ≥ 3 hops without an intermediate abstraction, are **MEDIUM** (the coupling is invisible at the call-site).
|
|
113
|
+
- **Cycle detection** — where the graph MUST be acyclic (Python `import` cycles → `ImportError` at load; ES-module cycles → undefined-binding hazards), detect via topological sort. Any cycle is **HIGH**.
|
|
114
|
+
- **Public-API enumeration** — enumerate every symbol exported from `__init__.py` / `index.ts` / `lib.rs` / sibling. Unexported = private (Phase 3 treats as removal candidates); exported = public (Phase 3 disambiguation requires operator ratification through the structured-inquiry channel).
|
|
115
|
+
|
|
116
|
+
**Filters at full intensity.** Filter 1 (Obvious Purge) — discard the finding every linter already produces. Filter 3 (Inversion Press) — invert each architectural claim ("the domain layer is pure") and walk the imports to falsify or confirm. Filter 5 (Aesthetic Demand) — gnarled graph shapes foreshadow Phase 3 duplicate-code findings.
|
|
117
|
+
|
|
118
|
+
**Externalise** the graph at `_inputs/code-audit-dependency-graph.md`; surface open layer-assignment questions in PLAN-NOTES.md under `## Open Audit Questions` for operator audit before Phase 2.
|
|
119
|
+
|
|
120
|
+
### Phase 2 — Type-Hint + Coverage Audit
|
|
121
|
+
|
|
122
|
+
Run the host's strict-mode type-checker against the corpus — Python `mypy --strict`; TypeScript `tsc --strict`; Rust `cargo check`; Go `go vet`; sibling. The strict invocation surfaces every `Any`, every implicit `Optional`, every unannotated function, every cross-module type drift.
|
|
123
|
+
|
|
124
|
+
- **`Any` without `# Any: <reason>`** per `rules/code-craft-python.md` §2.3 — **HIGH**.
|
|
125
|
+
- **Implicit `Optional`** (`x: int = None`) — **HIGH**.
|
|
126
|
+
- **Cross-module type drift** (return `T` consumed as structurally-incompatible `T'`) — **HIGH**.
|
|
127
|
+
- **Missing public return annotation** — **MEDIUM**.
|
|
128
|
+
|
|
129
|
+
For coverage, parse the report. Uncovered **critical-path** lines (every Phase-1 public-API surface; every error-handling branch; every security-relevant path — input validation, authn, authz) are **HIGH**. Uncovered non-critical lines below the host's discovered threshold are **MEDIUM**.
|
|
130
|
+
|
|
131
|
+
**Externalise** per-finding tool-output snippets to `_inputs/code-audit-dependency-graph.md` for provenance.
|
|
132
|
+
|
|
133
|
+
### Phase 3 — Dead-Code + Duplicate Detection
|
|
134
|
+
|
|
135
|
+
Run the host's dead-code detector (Python `vulture`; TypeScript `ts-prune`; Rust `cargo +nightly udeps`; sibling); disambiguate against the Phase 1 public-API enumeration.
|
|
136
|
+
|
|
137
|
+
- **Private dead code** (unexported AND unreferenced corpus-wide) — **HIGH** (maintenance burden, no payoff).
|
|
138
|
+
- **Public dead code** (exported but unreferenced corpus-wide) — **MEDIUM** (external consumers may exist beyond audit observation; operator ratification through the structured-inquiry channel resolves it).
|
|
139
|
+
- **Test-only references** (referenced only under `tests/**`, `*_test.py`, `*.test.ts`) — **LOW** (testable, but the production consumer is absent).
|
|
140
|
+
|
|
141
|
+
Run the host's duplicate-code detector (Python `pylint --disable=all --enable=duplicate-code`; TS/JS `jscpd`; sibling).
|
|
142
|
+
|
|
143
|
+
- **Cross-module duplication** (identical-or-near blocks ≥ 6 lines across ≥ 2 modules) — **HIGH** (invites drift on amendment).
|
|
144
|
+
- **Intra-module duplication** (≥ 6-line blocks repeated ≥ 2× in one module) — **MEDIUM** (refactor opportunity).
|
|
145
|
+
|
|
146
|
+
**Externalise** dead-code and duplicate findings to the dependency-graph file with severity tags.
|
|
147
|
+
|
|
148
|
+
### Phase 4 — Architectural-Integrity Audit
|
|
149
|
+
|
|
150
|
+
Walk the corpus against `rules/clean-architecture-layers.md`. Infer each module's layer (Domain · Application · Infrastructure · Presentation) from its directory placement, imports, and exported symbols. Honor an explicit host declaration when present (`layer:` frontmatter, `__all__` discipline, sibling-convention precedent); when the host is silent, infer from observable signals and surface the inference through the structured-inquiry channel.
|
|
151
|
+
|
|
152
|
+
- **Inward-dependency violation** — Domain importing Application / Infrastructure / Presentation. **HIGH** (rule §1 dependency rule).
|
|
153
|
+
- **Application → concrete Infrastructure** — importing a DB adapter / HTTP client rather than the Infrastructure-layer Protocol. **HIGH** (rule §2.3 DIP).
|
|
154
|
+
- **Presentation → Domain** — invoking Domain services without routing through Application. **HIGH** (rule §2.2 ISP).
|
|
155
|
+
- **God-class / god-module** — exceeding the host's discovered size threshold (commonly module 500 lines / class 200 lines). **MEDIUM** (invites decomposition).
|
|
156
|
+
- **Feature envy** — a method making ≥ 3 calls / reads on a single foreign object within its body. **MEDIUM**.
|
|
157
|
+
- **Primitive obsession** — public-API surfaces taking raw `str` / `int` / `dict` where a value object (`Email` / `UserId` / `Money`) would add safety. **LOW**.
|
|
158
|
+
|
|
159
|
+
Apply `rules/ten-dimension-check.md` at the forensic bar per module (dimensions 2, 4, 7, 8 load-bearing). **Recurrence tracking** — compare per-finding signatures against the Phase 0 prior-audit artifacts; flag findings recurring across ≥ 2 audits with a recurrence count, signalling a systemic issue prior remediation did not close.
|
|
160
|
+
|
|
161
|
+
### Phase 5 — Findings Emission + Validation Gate
|
|
162
|
+
|
|
163
|
+
Emit the consuming suite's `_inputs/code-audit-findings.md` with the canonical sections:
|
|
164
|
+
|
|
165
|
+
1. **`## §1 Executive Summary`** — audit scope + per-severity counts (HIGH / MEDIUM / LOW) + per-phase tool-output attestations (`mypy --strict` exit code, `vulture` count, duplicate-code count, coverage % against critical paths) + any `--focus` narrowing.
|
|
166
|
+
2. **`## §2 HIGH-Severity Findings`** — each as `Finding-NN: <one-sentence summary>` + Location (file:line-range) · Rationale (concrete-driver class per `rules/interactive-questions-canonical-shapes.md` §3.2.1) · Recommended Remediation · Reversibility note · Recurrence count.
|
|
167
|
+
3. **`## §3 MEDIUM-Severity Findings`** — §2 shape.
|
|
168
|
+
4. **`## §4 LOW-Severity Findings`** — §2 shape.
|
|
169
|
+
5. **`## §5 Per-Phase Tool-Output Attestations`** — per forensic phase, the tool invocation, exit code, and parsed finding count (provenance trail).
|
|
170
|
+
6. **`## §6 Open Audit Questions`** — every deferred structured-inquiry question with its inquiry-id and recommended option.
|
|
171
|
+
7. **`## §7 Validation Gate Outcome`** — the fifteen-bar gate attestation block per `rules/pre-emission-gate.md` §2.
|
|
172
|
+
8. **`## §8 Bindings (§0.j five-direction)`** — the artifact's outward bindings.
|
|
173
|
+
|
|
174
|
+
Apply incremental generation per `rules/large-file-generation.md` above 500 lines (plan sections first; Write the first; Edit-append the rest; verify transition coherence at each boundary).
|
|
175
|
+
|
|
176
|
+
Run the fifteen-bar gate per `rules/pre-emission-gate.md`; the canonical per-bar table is at `rules/pre-emission-gate-bars.md` §1. Audit-tier deltas: **M5** (every finding cites a verified `file:line`; no fabrication); **M7** (every severity-threshold / layer-assignment / dead-code-vs-API call carries `**Recommended**` + concrete-driver rationale); **M14** (declare upstream `/code-review` + deployed repo, downstream `/security-audit` + remediation, peers fortress siblings, enforcers `mypy` / `vulture` / `pylint` / coverage). N/A (reason recorded): M11 (single-sprint), M15 (production-ready applies at remediation). Iterate on failure until every bar passes, then emit the attestation block.
|
|
177
|
+
|
|
178
|
+
---
|
|
179
|
+
|
|
180
|
+
## Critical Rules
|
|
181
|
+
|
|
182
|
+
- **NEVER assume.** Invoke the structured-inquiry channel for any audit ambiguity per the canonical channel.
|
|
183
|
+
- **NEVER fabricate authoritative data.** Identity, scope, security, naming-of-public-surfaces route through `rules/authority-inquiry.md`.
|
|
184
|
+
- **NEVER emit findings without the validation-gate attestation.** Phase 5 is non-optional; gate failure blocks promotion.
|
|
185
|
+
- **NEVER modify the audited repository.** The audit is strictly read-only against the target; remediation is downstream of this command's terminal position.
|
|
186
|
+
- **NEVER conflate per-file craft with cross-file forensic.** Per-file craft findings (a single function lacking a docstring, a magic number inside a private helper) route to `/code-review`; this command's findings are exclusively cross-file forensic.
|
|
187
|
+
- **NEVER use vague-rationale phrases as the sole justification for a severity rating.** Cite a concrete-driver class per `rules/interactive-questions-canonical-shapes.md` §3.2.1.
|
|
188
|
+
- **Per-file destructive-op floor.** Every delete / rename / move / overwrite operation that downstream remediation may propose against an audited file routes through the structured-inquiry channel per `rules/interactive-questions.md` §6 — one invocation per file at remediation time, no `multiSelect` batching, every option's `default-pointer:` carries the verbatim `no-default: user decision required` marker.
|
|
189
|
+
|
|
190
|
+
---
|
|
191
|
+
|
|
192
|
+
## Decision Tree
|
|
193
|
+
|
|
194
|
+
The audit-fortress phase skeleton lives at `skills/ecosystem-audit/SKILL.md` §Audit-Fortress Phase Skeleton; this command's row in the parameter table (`tools-probed:` `mypy --strict` · `vulture` · `pylint --disable=all --enable=duplicate-code` · coverage report · `borderline-classes:` public-API dead-code disambiguation · open layer-assignment questions · gate-bar `n/a` rationales · `focus-semantics:` `--focus AREA` ∈ `{type-hints, coverage, dead-code, duplicates, architecture, all}` skips irrelevant phases · `pipeline-tail-handoff:` Terminal review-fortress consumer reads) specifies its deltas.
|
|
195
|
+
|
|
196
|
+
---
|
|
197
|
+
|
|
198
|
+
## Output
|
|
199
|
+
|
|
200
|
+
- The findings artifact at the consuming suite's `_inputs/code-audit-findings.md` (per-severity finding sections + per-phase tool-output attestations + open-question inventory + validation-gate attestation).
|
|
201
|
+
- The updated Handoff Manifest at the suite's `_inputs/handoff-manifest.yml` with the findings-artifact path + per-severity finding counts + per-phase tool-output attestations + Phase 5 gate-attestation block.
|
|
202
|
+
- An optional dependency-graph working file at the suite's `_inputs/code-audit-dependency-graph.md` (Phase 1 corpus-wide dependency enumeration + Phase 2 / Phase 3 tool-output snippets).
|
|
203
|
+
- An optional input-inventory working file at the suite's `_inputs/code-audit-input-inventory.md` (Phase 0 read inventory).
|
|
204
|
+
|
|
205
|
+
---
|
|
206
|
+
|
|
207
|
+
## Recommended Next Step
|
|
208
|
+
|
|
209
|
+
Invoke `/security-audit` to advance the audit-fortress sequence; `/security-audit` is the canonical successor per the 11-command audit-fortress canonical sequence.
|
|
210
|
+
|
|
211
|
+
## Bindings (§0.j five-direction)
|
|
212
|
+
|
|
213
|
+
- **Drives →** `commands/security-audit.md` (audit-fortress next-step: cross-file forensic findings hand off to security-axis audit). Every downstream review-fortress cycle that audits a deployed repository's cross-file integrity. The remediation surface at `/plan-execute` invocations targeting an architectural amendment phase (consumes the findings artifact to drive remediation phase tasks). The fifteen-bar pre-emission gate at Phase 5.
|
|
214
|
+
- **Driven by ←** `commands/code-review.md` (audit-fortress upstream: per-file craft review precedes cross-file forensic audit in the canonical linear sequence).
|
|
215
|
+
- **Satisfies →** The `commands/README.md` command catalog's Audit/review-passes row for `/code-audit` (the registry entry that ratifies this command's place in the slash-command catalog). The consuming suite's audit-fortress catalog (the cross-file forensic audit command rounds out the review-fortress surface alongside `/code-review`, `/architecture-review`, `/security-audit`). The consuming suite's decisions ratifying audit-scope surfaces when present.
|
|
216
|
+
- **Established by ↑** The `commands/README.md` command catalog. `rules/cognitive-identity.md` §1 seven-axs-of-breadth taxonomy (the audit attests against Architecture · Testing · Tooling axs). `rules/ten-dimension-check.md` (the forensic-bar ten-dimension check this command operationalizes). `rules/clean-architecture-layers.md` (the layer-discipline this command's Phase 4 audits against). `rules/code-craft-python.md` (the per-language code-craft sibling this command's Phase 2 honors for Python repositories).
|
|
217
|
+
- **Gated by ←** The target repository's mandatory file presence (host-ratified source layout · CI configuration · test-coverage baseline at SHARED+). The harness's Agent + structured inquiry + Read + Bash tool surface (the audit invokes `mypy --strict`, `vulture`, `pylint --disable=all --enable=duplicate-code` via Bash; the read-only invariant means Edit / Write touch only the consuming suite's `_inputs/`).
|
|
218
|
+
- **Cross-bound with ↔** `commands/code-review.md` (per-file craft sibling; co-equal complementary surface). `commands/architecture-review.md` (architectural sibling; cross-references at the layer-discipline surface). `commands/security-audit.md` (security-axis sibling; cross-references at the security-relevant-code-path surface). `commands/plan-execute.md` (downstream remediation consumer). `rules/cognitive-identity.md` (seven-axs taxonomy drives Phase 4). `rules/ten-dimension-check.md` (forensic-bar ten-dimension check). `rules/clean-architecture-layers.md` (Phase 4 layer-violation audit). `rules/code-craft-python.md` (Phase 2 type-hint audit honors the per-language sibling). `rules/host-discovery.md` (audit honors host-discovered tool surface). `rules/option-annotation.md` (every finding's severity carries concrete-driver rationale). `rules/authority-inquiry.md` (every audit-scope ambiguity routes through the canonical channel). `rules/pre-emission-gate.md` (Phase 5 fifteen-bar validation). `skills/ecosystem-audit/SKILL.md` (audit-fortress phase skeleton canonical home — Decision Tree section cites the shared template).
|
|
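Review bot: The read-only invariant in this hunk ("NEVER modify files inside the audited repository" under Output Surface, repeated under Critical Rules) is contradicted by the Gated by bullet, which has the audit run `mypy --strict` and the coverage tooling via Bash from inside the target: `mypy` writes `.mypy_cache/` and `pytest --cov` writes `.coverage` into the working directory by default. Either pin the caches outside the target (`mypy --strict --cache-dir <suite>/_inputs/.mypy_cache`, run the coverage step from the consuming suite) or state explicitly that tool-cache artifacts are exempt from the invariant. Three smaller consistency points in the same hunk: Phase 3 rates duplication at "≥ 6 lines" but the invocation it prescribes, `pylint --disable=all --enable=duplicate-code`, runs at pylint's default `min-similarity-lines` of 4, so either add `--min-similarity-lines=6` or say that shorter hits are discarded; `cargo +nightly udeps` reports unused crate dependencies, not dead code, so the Rust entry in the Phase 3 detector list should point at the compiler's `dead_code` lint (already surfaced by the `cargo check` run in Phase 2) instead; and the Handoff Manifest "Consumed" bullet says a deployment whose CI gate fails blocks audit emission unconditionally, while Phase 0 "CI Gate" only verifies at SHARED+ and surfaces failures through inquiry, hard-blocking only at PUBLIC_LAUNCH, so one of the two should be aligned to the other.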
@@ -0,0 +1,193 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: "code-review"
|
|
3
|
+
version: "0.1.0"
|
|
4
|
+
updated: "2026-06-10"
|
|
5
|
+
description: "Operator-driven per-file code-quality review pass. Walks every source file under src/, scripts/, and tools/ in a deployed repository and emits per-file findings covering readability, maintainability, idiom-conformance, naming, complexity, magic-numbers, and comment-quality per the four code-craft rules (Python, shell, Markdown, universal-delegation) and the ten quality dimensions. Output lands at the consuming suite's _inputs/code-review-findings.md with HIGH / MEDIUM / LOW severity triage and concrete-driver rationale per finding. Distinct from `/code-audit` (cross-file forensic, repository-corpus scope) — `/code-review` is the per-file craft surface; not for plan-suite prose audits (use `/plan-review`) or remediation authoring (the command is read-only and never writes source)."
|
|
6
|
+
argument-hint: "[path/to/repo/] [--focus FILE_OR_DIR] [--dry-run]"
|
|
7
|
+
disable-model-invocation: true
|
|
8
|
+
portability: "universal"
|
|
9
|
+
allowed-tools: "*"
|
|
10
|
+
---
|
|
11
|
+
|
|
12
|
+
<!-- SPDX-License-Identifier: MIT -->
|
|
13
|
+
|
|
14
|
+
# /code-review — Per-File Code Quality Review
|
|
15
|
+
|
|
16
|
+
---
|
|
17
|
+
|
|
18
|
+
## Role
|
|
19
|
+
|
|
20
|
+
You are the user's **Senior Software Engineer** and **Cognitive Insurgent** (`rules/cognitive-identity.md`), the **reviewer-as-instrument-not-author**. This is a read-only forensic surface: it names craft drift, idiom divergence, and ten-dimension failures against the canonical code-craft rules — it never writes the fix.
|
|
21
|
+
|
|
22
|
+
- **Cognitive filters** per `rules/cognitive-identity.md` §2 — Obvious Purge and Aesthetic Demand on every severity call.
|
|
23
|
+
- **Seven-axs attestation** per §1: the diff is the observed surface; each non-trivial finding names the axs it touches.
|
|
24
|
+
|
|
25
|
+
---
|
|
26
|
+
|
|
27
|
+
## Instructions
|
|
28
|
+
|
|
29
|
+
Execute `/code-review`: ingest the deployed repository, walk every source file under `src/` + `scripts/` + `tools/`, apply the four code-craft rules and the ten-dimension check per file, and emit a per-file findings artifact at the consuming suite's `_inputs/code-review-findings.md` ready for remediation.
|
|
30
|
+
|
|
31
|
+
Governance scales with seriousness per the seriousness-scaling discipline; creative architecture (CM-21) is active throughout.
|
|
32
|
+
|
|
33
|
+
---
|
|
34
|
+
|
|
35
|
+
## Pipeline Contract
|
|
36
|
+
|
|
37
|
+
**Pipeline position.** Entry diagnostic surface of the audit-fortress sequence. Consumes the deployed repository's source tree under `src/` + `scripts/` + `tools/`; emits the read-only findings artifact that remediation cycles consume. Modifies no source.
|
|
38
|
+
|
|
39
|
+
**Audit-fortress sequence position.** `/code-review` is the **entry point** of the canonical 11-command audit-fortress linear sequence (`/code-review → /code-audit → /security-audit → /perf-audit → /architecture-review → /ux-review → /a11y-audit → /docs-review → /dependency-audit → /supply-chain-audit → /threat-model-audit`). **Upstream:** none from the fortress (entered from `/plan-execute`'s Step 9 handoff). **Downstream:** `/code-audit`.
|
|
40
|
+
|
|
41
|
+
**Handoff Manifest.**
|
|
42
|
+
|
|
43
|
+
- **Consumed.** The deployed repository's source tree. No upstream manifest required — the command operates against on-disk state. A Handoff Manifest at `_inputs/handoff-manifest.yml`, when present, is read as context but does not gate execution.
|
|
44
|
+
- **Emitted.** The findings artifact at `_inputs/code-review-findings.md`, plus an optional manifest augmentation carrying the per-file finding count, the per-severity breakdown, the per-axis attestation against the seven-axs-of-breadth taxonomy, and the review's `verified:` date.
|
|
45
|
+
|
|
46
|
+
**Pre-flight inquiry set.** Phase 0 emits the typed inquiry set per `rules/authority-inquiry.md` when the source-tree shape is ambiguous (e.g., `src/` absent, or `--focus` points at a non-existent path). Every ambiguity surfaces through the structured-inquiry channel with the three-segment option annotation per `rules/interactive-questions.md` §3.
|
|
47
|
+
|
|
48
|
+
**Pre-emission gate.** Phase 4 runs the fifteen-bar pre-emission gate per `rules/pre-emission-gate.md` against the candidate artifact before promotion; the attestation block is recorded inside the emitted artifact. Any bar failure blocks promotion until resolved per the iterate-on-failure protocol at `rules/pre-emission-gate-bars.md` §3.
|
|
49
|
+
|
|
50
|
+
### Inquiry Cadence (D4)
|
|
51
|
+
|
|
52
|
+
This command operates at **maximal structured-inquiry saturation**. Every severity ratification (HIGH / MEDIUM / LOW), every borderline idiom-conformance call, every axis-attestation gap, and every gate-bar `n/a (with reason)` marking routes through the canonical channel per `rules/interactive-questions.md` §1 (free-form prose questions as primary input are forbidden). Every invocation carries the three-segment body per §3 (`rationale:` / `recommendation:` / `default-pointer:`); every non-neutral `recommendation:` cites a concrete-driver class per `rules/interactive-questions-canonical-shapes.md` §3.2.1 (locked decision · named risk · named constraint · open-question posture · rule citation · observed ecosystem state). Up to four questions may batch per invocation. **Question-fatigue-optimization is FORBIDDEN.**
|
|
53
|
+
|
|
54
|
+
---
|
|
55
|
+
|
|
56
|
+
## Foundational Stanzas
|
|
57
|
+
|
|
58
|
+
The four standing surfaces every operator inherits per the canonical project voice at `AGENTS.md` plus the active harness mirror.
|
|
59
|
+
|
|
60
|
+
### Refusal & Escalation
|
|
61
|
+
|
|
62
|
+
REFUSE any task whose scope exceeds this command's stated mission (producing the per-file findings artifact for a deployed repository). Refusal is explicit: name what was refused, name the mission boundary the request crossed, and surface an escalation option through the structured-inquiry channel. REFUSE review against a repository whose source-tree shape diverges from the canonical `src/` + `scripts/` + `tools/` layout without operator ratification of the alternate scope. REFUSE authoring remediation patches — the command's surface is diagnostic only; remediation routes through `/plan-execute` or operator-initiated edits.
|
|
63
|
+
|
|
64
|
+
### Output Surface
|
|
65
|
+
|
|
66
|
+
The findings artifact lands at the consuming suite's `_inputs/code-review-findings.md` per the suite-locality invariant at `rules/context-management.md` §2.6.1. Plan-internal files are banner-exempt per the `.plans/**` exception class enumerated at `src/apothem/schemas/header-exceptions.txt`; the injector at `scripts/inject-header.{sh,py}` is therefore NOT invoked on emission. NEVER write the findings artifact outside the suite folder; NEVER write to a global plans directory under any harness's config root from a downstream-project context; NEVER write to any other global-ecosystem location; NEVER modify any source file under `src/` + `scripts/` + `tools/` — the command is read-only against the repository.
+
+
### File-Authoring Contract
+
+
The findings artifact is banner-exempt per the `.plans/**` exception class. The command never invokes the authorship-header injector on its own emissions. When a finding cites a source-file path, the citation is documentary (file:line); the source file is never written by this command.
+
+
### Structured Inquiry on Ambiguity
+
+
When uncertain about repository scope, focus boundary, severity assignment on borderline findings, or axis-of-attention attestation on multi-axis findings, route the resolution through the structured-inquiry channel with the three-segment option annotation per `rules/interactive-questions.md` §3. Free-form prose questions as primary input are forbidden. NEVER fabricate findings — every finding cites a concrete file:line and a concrete rule clause.
+
+
---
+
+
## Inputs
+
+
| Argument | Type | Required | Description |
+
| -------- | ---- | -------- | ----------- |
+
| `path/to/repo/` | Path | Yes | Root directory of the deployed repository. MUST contain at least one of `src/`, `scripts/`, or `tools/`. The command refuses execution when none of the three are present. |
+
| `--focus FILE_OR_DIR` | Path | No | Restrict the per-file walk to a single file or directory subtree under the repo root. Useful when reviewing a recent change-set incrementally. Path resolves relative to the repo root. |
+
| `--dry-run` | Flag | No | Analyze what would be reviewed and report — no findings artifact emitted. The dry-run output enumerates the file count per language, the inferred severity distribution, and any pre-flight inquiries that would fire without committing the artifact. |
+
+
---
+
+
## Workflow — Five Transformation Phases
+
+
### Phase 0 — Input Ingest
+
+
Read the source tree in full. Deploy a Research Team (CM-25A) for parallel ingest — one agent per top-level directory (`src/`, `scripts/`, `tools/`); each returns a structured file inventory ≤ 500 tokens (CM-25C) with required fields `status` · `file-list` · `per-language-count` · `gaps`.
+
+
**Required reads.**
+
+
- Root manifests (`pyproject.toml`, `setup.cfg`, `package.json`, `Cargo.toml`, `go.mod`, `.editorconfig`) per `rules/host-discovery-manifests.md` §1. Every ratified convention discovered there (formatter, linter, type-checker, test framework, naming, line-ending) anchors the per-file finding bar.
+
- Every source file under `src/` + `scripts/` + `tools/` matching the host's discovered extension set (`.py`, `.sh`, `.bash`, `.ps1`, `.md`, plus any host-ratified language).
+
+
**Externalise** a working inventory at the suite's `_inputs/code-review-inventory.md` (free-form scratch per `rules/context-management-scratch.md` §1): file count per language, per-directory count, the discovered convention set, and any `--focus` narrowing.
+
+
### Phase 1 — Per-File Walk
+
+
Apply the per-language code-craft rule to each file, then the ten-dimension check across all:
+
+
| File class | Rule | Load-bearing checks |
+
| ---------- | ---- | ------------------- |
+
| `*.py` | `rules/code-craft-python.md` | SOLID · modern type hints · Google-style docstrings · specific-exception handling · pytest discipline · security guardrails (no hardcoded secrets / shell injection / unsafe deserialization) · magic-number discipline |
+
| `*.sh` `*.bash` `*.ps1` | `rules/code-craft-shell.md` | strict-mode defaults (`set -euo pipefail` / `Set-StrictMode -Version Latest`) · variable quoting · injection prevention (no `eval` / `Invoke-Expression` on untrusted input) · deterministic error handling · shellcheck / Invoke-ScriptAnalyzer conformance |
+
| `*.md` | `rules/code-craft-markdown.md` | purpose-driven structure · sentence-level justification · precision over politeness · active voice · hedge-elimination · heading-hierarchy · code-block language tags |
+
| other | `rules/code-craft-conventions.md` | host-discovery + sibling-convergence + the M13.1–M13.11 universal floor |
+
+
Across every file, apply `rules/ten-dimension-check.md` (rigor · coherence · configurability · readability · orphanism · structurality · architecture · naming · scholarly referencing · examples-tests-docs). Each dimension failure is a finding candidate.
+
+
**Guard-class taxonomy — delegates to `skills/surgical-guard`.** The clean-code / test / docs failure-mode taxonomy the per-file walk surfaces is owned by `skills/surgical-guard` Stage 2 (the reactive guard): clean-code (swallowed / catch-all errors, hardcoded success returns, hallucinated APIs, premature abstraction, silent contract changes) · test (mock-boundary violations, duplicate bodies, hollow assertions, missing coverage of the changed behavior) · docs (hallucinated symbols, broken samples, docs-vs-code drift). The skill's canonical home for that taxonomy is not re-enumerated here; the per-file walk applies it as the finding-class lens while the code-craft rules ground each finding's rule clause. `surgical-guard` guards a *diff* before it lands; `/code-review` audits a *deployed tree* into a read-only findings artifact — the two share the taxonomy, not the surface.
+
+
**Externalise** per-file finding drafts at the suite's `_inputs/code-review-per-file/` (one file per source file reviewed), each enumerating raw findings with `file:line` citations before triage.
+
+
### Phase 2 — Per-Finding Triage
+
+
Assign each drafted finding a severity from the closed taxonomy `{HIGH, MEDIUM, LOW}` with concrete-driver rationale per `rules/interactive-questions-canonical-shapes.md` §3.2.1:
+
+
- **HIGH** — security exposure (hardcoded secret · shell injection · unsafe deserialization), correctness defect (bare `except:` swallowing · mutable-default sharing · race on shared state), or supply-chain risk (unpinned production dependency · unsigned release artifact where signing is ratified). Cites class 6 (observed-state) or class 3 (named constraint).
+
- **MEDIUM** — maintainability regression (god class · feature envy · primitive obsession · `Any` without justifying comment), idiom divergence from a ratified convention (lint failure · sibling-convergence violation), or documentation-surface gap (undocumented public function). Cites class 5 (rule citation) or class 6.
+
- **LOW** — readability friction (single-letter name out of conventional role · generic `data` / `handler` / `process`), aesthetic-demand drift (Filter 5), or minor magic number in a non-critical path. Cites class 5.
+
+
**Axis attestation.** Every finding names which seven-axs it touches (Architecture · Concurrency · Performance · Security · Testing · Tooling · Observability) — the full set for multi-axis, one for single-axis. Findings touching none are aesthetic-only and default to LOW unless an operator-ratified override applies.
+
+
**Borderline calls route through inquiry.** When a finding sits on a severity boundary (a readability issue that shapes a public extension point; a complexity concern near the local threshold), surface the choice through the structured-inquiry channel — the option set names the competing severities, each with its concrete driver, per `rules/interactive-questions.md` §3.
+
+
### Phase 3 — Findings Emission
+
+
Emit the suite's `_inputs/code-review-findings.md` with the following canonical sections:
+
+
1. **`## §1 Executive Summary`** — one paragraph stating the review scope (file count per language, directories walked, focus narrowing applied), the finding count per severity, and the per-axis distribution.
+
2. **`## §2 ... §N` Per-File Findings** — one section per source file carrying findings. Each finding records: `Finding ID` (e.g., `CR-001`) · `File:Line` · `Severity` · `Rule clause` (cite the specific code-craft rule subsection or ten-dimension dimension number) · `Axs` (the seven-axs attestation) · `Rationale` (concrete-driver class) · `Remediation pointer` (the rule clause that names the canonical fix, never the fix itself).
+
3. **`## §Findings Index`** — table indexed by Finding ID with columns `File:Line` · `Severity` · `Axs` · `Rule clause`. Indexed by severity descending.
+
4. **`## §Severity Distribution`** — count table per severity per axis, plus the per-language file count for context.
+
5. **`## §Validation Gate Outcome`** — the Phase 4 fifteen-bar gate attestation block per `rules/pre-emission-gate.md` §2.
+
6. **`## §Bindings (§0.j five-direction)`** — the artifact's own outward bindings to upstream (the deployed repository) and downstream (remediation surfaces).
+
+
Apply incremental generation per `rules/large-file-generation.md` when the artifact exceeds 500 lines. Plan the section structure before authoring; emit the first section via Write; append subsequent sections via Edit; verify transition coherence at every boundary.
+
+
### Phase 4 — Validation Gate
+
+
Run the fifteen-bar pre-emission gate per `rules/pre-emission-gate.md` against the emitted findings artifact; the canonical per-bar check + Failure→action table lives at `rules/pre-emission-gate-bars.md` §1. Record one `pass | n/a (with reason)` line per bar in the §Validation Gate Outcome section. Review-tier deltas:
+
+
- **M5 authority** — every finding cites a verified `file:line`; zero fabrications; zero unfilled confirmation placeholders.
+
- **M7 option annotation** — every severity-triage and axis-attestation call carries `**Recommended**` + concrete-driver rationale.
+
- **M10 bidirectional binding** — the Findings Index reciprocally cites every per-file finding; no orphan Finding IDs.
+
- **M14 systemicity** — the artifact declares upstream (deployed repository), downstream (remediation surface), peers (sibling fortress artifacts), enforcers (the four code-craft rules + the ten-dimension check).
+
- **N/A bars (reason recorded):** M11 (single-sprint review surface) · M13 (no executable code emitted) · M15 (production-ready applies at remediation time) · M9 (unless a structural defect warrants a diagram, then per `rules/visual-leverage.md`).
+
+
**Iterate on failure.** A single bar failure blocks promotion. The failing bar's Failure→action cell names the owning rule; revise, re-run, iterate until every bar passes, then emit the attestation block.
+
+
---
+
+
## Critical Rules
+
+
- **NEVER author remediation.** The command's surface is diagnostic; remediation routes through `/plan-execute` or operator-initiated edits.
+
- **NEVER fabricate findings.** Every finding cites a concrete `file:line` and a concrete rule clause.
+
- **NEVER use vague-rationale phrases as the sole justification for a severity assignment.** Cite a concrete-driver class per `rules/interactive-questions-canonical-shapes.md` §3.2.1.
+
- **NEVER modify source.** The command is read-only against the repository; only the findings artifact is written.
+
- **NEVER assume.** Invoke the structured-inquiry channel for any ambiguity in scope, severity, or axis attestation per the canonical channel.
+
- **Per-file destructive-op floor.** Destructive operations are out of scope for this command; were they to surface (e.g., orphan-file retirement during a related cycle), each would route through the structured-inquiry channel on a per-file basis per `rules/interactive-questions.md` §6 with the verbatim `no-default: user decision required` marker.
+
+
---
+
+
## Decision Tree
+
+
The audit-fortress phase skeleton lives at `skills/ecosystem-audit/SKILL.md` §Audit-Fortress Phase Skeleton; this command's row in the parameter table (`tools-probed:` host manifests (`pyproject.toml` / `package.json` / sibling) for convention defaults · `borderline-classes:` borderline severity calls on per-file craft findings · `focus-semantics:` `--focus` restricts walk to focus subtree (default: `src/` + `scripts/` + `tools/`) · `pipeline-tail-handoff:` Pipeline terminates — findings ready for remediation) specifies its deltas.
+
+
---
+
+
## Output
+
+
- The findings artifact at the suite's `_inputs/code-review-findings.md` (executive summary + per-file findings + findings index + severity distribution + validation-gate attestation + bindings).
+
- An optional inventory working file at the suite's `_inputs/code-review-inventory.md` (Phase 0 read inventory).
+
- An optional per-file drafts working directory at the suite's `_inputs/code-review-per-file/` (Phase 1 raw finding drafts before severity triage).
+
+
---
+
+
## Recommended Next Step
+
+
Invoke `/code-audit` to advance the audit-fortress sequence; `/code-audit` is the canonical successor per the 11-command audit-fortress canonical sequence.
+
+
## Bindings (§0.j five-direction)
+
+
- **Drives →** `commands/code-audit.md` (audit-fortress next-step: per-file craft review hands off to cross-file forensic audit). Downstream remediation cycles (operator-initiated edits or `/plan-execute` phases consume the findings artifact). The Phase 1 per-file walk against every source file under `src/` + `scripts/` + `tools/`. The fifteen-bar pre-emission gate at Phase 4.
+
- **Driven by ←** `commands/plan-execute.md` Step 9 pipeline handoff (audit-fortress entry point; `/code-review` is the canonical first command of the audit-fortress linear sequence).
+
- **Satisfies →** The audit-fortress command catalog's per-file review slot. The `commands/README.md` command catalog's Audit/review-passes row for `/code-review` (the registry entry that ratifies this command's place in the slash-command catalog).
+
- **Established by ↑** The `commands/README.md` command catalog. `rules/code-craft-python.md` + `rules/code-craft-shell.md` + `rules/code-craft-markdown.md` + `rules/code-craft-conventions.md` (the four per-language code-craft rules whose clauses ground every finding). `rules/ten-dimension-check.md` (the ten dimensions the per-file walk applies). `rules/cognitive-identity.md` §1 seven-axs-of-breadth taxonomy (the axis-of-attention attestation surface).
+
- **Gated by ←** The deployed repository's source-tree presence (at least one of `src/`, `scripts/`, `tools/`). The host's ratified convention set discovered at Phase 0 (formatter, linter, type-checker, test framework). The harness's Agent + structured inquiry + Edit + Write + Read + Grep tool surface.
+
- **Cross-bound with ↔** `commands/plan-review.md` (forensic audit of plan suites; sibling review surface — `/plan-review` audits prose-and-spec, `/code-review` audits code-and-craft). `commands/plan-design.md` (the design artifact materializes at `/plan-execute` time as code this command later reviews). `commands/plan-execute.md` (downstream remediation cycles route through phase execution). `rules/code-craft-python.md` + `rules/code-craft-shell.md` + `rules/code-craft-markdown.md` + `rules/code-craft-conventions.md` (the four primary rule citations every finding grounds against). `rules/ten-dimension-check.md` (the dimension catalog). `rules/option-annotation.md` (every severity-triage call cites a concrete-driver class). `rules/authority-inquiry.md` (every ambiguity routes through the canonical channel). `rules/pre-emission-gate.md` (Phase 4 fifteen-bar validation). `rules/visual-leverage.md` (structural-defect diagrams when warranted). `rules/host-discovery.md` (Phase 0 manifest walk). `skills/ecosystem-audit/SKILL.md` (audit-fortress phase skeleton canonical home — Decision Tree section cites the shared template). `skills/surgical-guard/SKILL.md` (owns the clean-code / test / docs guard-class taxonomy this command's Phase 1 walk applies as its finding-class lens; the skill guards a diff before it lands, this command audits a deployed tree into a read-only findings artifact).
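Review bot: The `--focus FILE_OR_DIR` row of the Inputs table says the subtree must sit under the repo root and that the path resolves relative to it, but gives no failure behaviour when the resolved path escapes the root (an absolute path, `..` segments, or a symlink resolving outside) or lands outside `src/` + `scripts/` + `tools/`; since the command already refuses review of non-canonical trees, the row should state that such a focus is refused through the structured-inquiry channel rather than silently widening or narrowing the walk. Two further points on the same file: Phase 0 "Required reads" takes every source file under `src/` + `scripts/` + `tools/` matching the extension set with no exclusion for vendored or generated subtrees, so third-party code copied into the tree would be graded against the host's ratified conventions and produce findings the project cannot remediate in place; the inventory at `_inputs/code-review-inventory.md` should carry an exclusion set (or a vendored tag) that the Phase 1 walk honours. In §Findings Index, "table indexed by Finding ID" followed by "Indexed by severity descending" reads as a contradiction; "sorted by severity descending" is the intended meaning and matches the M10 reciprocal-citation check.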