|
| 1 | +--- |
| 2 | +name: codebase-audit |
| 3 | +description: "Use when reviewing a codebase's structural organization, not a PR or branch. Triggers on: codebase audit, structural review, architecture audit, code organization review, audit this codebase, how is this repo organized, code health check, audit the code. Produces a findings report against a standard checklist plus project-specific conventions." |
| 4 | +--- |
| 5 | + |
| 6 | +# Codebase Audit |
| 7 | + |
| 8 | +Comprehensive structural review of how a codebase is organized. Evaluates architectural boundaries, code smells, error handling patterns, and documentation alignment against a standard checklist plus the project's own documented conventions. |
| 9 | + |
| 10 | +This is not a bug hunt, security audit, or PR review. It examines organization and structure. |
| 11 | + |
| 12 | +--- |
| 13 | + |
| 14 | +## Workflow |
| 15 | + |
| 16 | +### 1. Read project docs |
| 17 | + |
| 18 | +Read whatever exists: AGENTS.md, ARCHITECTURE.md, CLAUDE.md, CONTRIBUTING.md, README.md. AGENTS.md is a good starting place — it often documents conventions in agent-friendly form. |
| 19 | + |
| 20 | +Extract two things: |
| 21 | +- **Documented boundaries** — layer rules, import restrictions, module responsibilities |
| 22 | +- **Documented conventions** — naming, patterns, error handling, testing requirements |
| 23 | + |
| 24 | +These become the project-specific checklist items in step 4. |
| 25 | + |
| 26 | +### 2. Map the codebase |
| 27 | + |
| 28 | +Get the shape before reading individual files: |
| 29 | + |
| 30 | +Use language-appropriate tools: |
| 31 | +- File tree and line counts (`find`, `wc -l`, or language-specific tools) |
| 32 | +- Import/dependency graph (grep for import statements, or use `cargo tree`, `go mod graph`, etc.) |
| 33 | + |
| 34 | +Identify: |
| 35 | +- Largest files (cohesion risk) |
| 36 | +- Most-imported modules (coupling hotspots, fan-in) |
| 37 | +- Modules with the most imports (fan-out hotspots) |
| 38 | +- Overall layering and directory structure |
| 39 | + |
| 40 | +### 3. Read source files |
| 41 | + |
| 42 | +**Under ~10K lines:** Read all source files. |
| 43 | + |
| 44 | +**Over ~10K lines:** Sample strategically: |
| 45 | +- Public API surfaces (exports, package-level files, index/init modules) |
| 46 | +- Module boundaries (top-level of each package/directory) |
| 47 | +- Largest files (most likely to have cohesion problems) |
| 48 | +- Files with the most imports or the most importers |
| 49 | + |
| 50 | +### 4. Evaluate against checklist |
| 51 | + |
| 52 | +Apply the default checklist below, plus project-specific criteria from step 1. |
| 53 | + |
| 54 | +For each potential finding: |
| 55 | +- Verify it against the actual code (cite file and line) |
| 56 | +- Assign severity |
| 57 | +- Write a concrete recommendation |
| 58 | + |
| 59 | +Skip anything that is technically true but does not matter in practice. |
| 60 | + |
| 61 | +### 5. Produce report |
| 62 | + |
| 63 | +Write the report using the output format below. Organize findings by file, not by criterion. |
| 64 | + |
| 65 | +--- |
| 66 | + |
| 67 | +## Default Checklist |
| 68 | + |
| 69 | +### Boundaries & Dependencies |
| 70 | + |
| 71 | +| Smell | What to look for | |
| 72 | +|-------|-----------------| |
| 73 | +| Dependency direction | Lower layers importing from higher layers, violating documented or implied architecture | |
| 74 | +| Circular dependencies | Deferred/lazy imports to break cycles, mutual function-level coupling between modules | |
| 75 | +| Private API access | Modules reaching into another module's internals (language-specific visibility rules) | |
| 76 | +| Leaky abstractions | Implementation details visible in public interfaces | |
| 77 | +| Feature envy | Code that uses another module's data/functions more than its own | |
| 78 | +| Fan-out hotspots | Modules with too many dependencies | |
| 79 | +| Hidden dependencies | Dependencies not visible from the interface — global state, implicit ordering, side-effect coupling | |
| 80 | + |
| 81 | +### Cohesion & Responsibility |
| 82 | + |
| 83 | +| Smell | What to look for | |
| 84 | +|-------|-----------------| |
| 85 | +| God files | Too large, too many responsibilities, too many reasons to change | |
| 86 | +| Divergent change | One module that changes for many unrelated reasons | |
| 87 | +| Shotgun surgery | One logical change requires edits scattered across many files | |
| 88 | +| Speculative generality | Unused abstractions, interfaces nobody implements, parameters nobody passes | |
| 89 | +| Data clumps | Groups of values that always travel together but aren't a named type | |
| 90 | + |
| 91 | +### Error Handling |
| 92 | + |
| 93 | +| Smell | What to look for | |
| 94 | +|-------|-----------------| |
| 95 | +| Overly broad handling | Catching all errors instead of specific types | |
| 96 | +| Inconsistent strategies | Similar modules handling errors in fundamentally different ways | |
| 97 | +| Wrong-layer handling | Errors swallowed before the caller can act, or propagated without context | |
| 98 | +| Unused error types | Custom error types defined but never raised or returned | |
| 99 | + |
| 100 | +### Code Hygiene |
| 101 | + |
| 102 | +| Smell | What to look for | |
| 103 | +|-------|-----------------| |
| 104 | +| Duplicated logic | Repeated code across modules that should be extracted | |
| 105 | +| Dead code | Unused functions, unreachable branches, commented-out code | |
| 106 | +| Magic values | Hardcoded strings or numbers that should be named constants | |
| 107 | +| Inconsistent patterns | Similar operations done differently in different places for no reason | |
| 108 | + |
| 109 | +### Documentation Alignment |
| 110 | + |
| 111 | +| Smell | What to look for | |
| 112 | +|-------|-----------------| |
| 113 | +| Stale docs | Architecture documentation that doesn't match the actual code | |
| 114 | +| Unenforced conventions | Rules written down that the code violates | |
| 115 | +| Undocumented conventions | Implicit rules the code follows that aren't written anywhere | |
| 116 | + |
| 117 | +### Project-Specific |
| 118 | + |
| 119 | +Derived from step 1. Whatever conventions the project documents as its own rules. |
| 120 | + |
| 121 | +Examples: "core/ must not import from commands/", "all handlers return a Result type", "every module has a corresponding test file" |
| 122 | + |
| 123 | +--- |
| 124 | + |
| 125 | +## Output Format |
| 126 | + |
| 127 | +```markdown |
| 128 | +# Codebase Audit: [project name] |
| 129 | + |
| 130 | +**Date:** YYYY-MM-DD |
| 131 | +**Scope:** [files reviewed, total line count] |
| 132 | + |
| 133 | +## Summary |
| 134 | + |
| 135 | +[2-3 sentences: finding count by severity, biggest themes] |
| 136 | + |
| 137 | +## Findings |
| 138 | + |
| 139 | +### src/path/to/file.ext:42 |
| 140 | + |
| 141 | +**Criterion:** [checklist item name] |
| 142 | +**Severity:** HIGH | MEDIUM | LOW |
| 143 | +**Description:** [what's wrong, with code snippet] |
| 144 | +**Recommendation:** [how to fix] |
| 145 | + |
| 146 | +### src/path/to/other.ext:17 |
| 147 | + |
| 148 | +... |
| 149 | + |
| 150 | +## Themes |
| 151 | + |
| 152 | +[Recurring patterns across findings — what systemic issues do they point to?] |
| 153 | + |
| 154 | +## What's Working Well |
| 155 | + |
| 156 | +[Positive observations — validated conventions, clean boundaries, good patterns worth preserving] |
| 157 | +``` |
| 158 | + |
| 159 | +**Severity definitions:** |
| 160 | +- **HIGH** — architectural violation, likely bug source, or data loss risk |
| 161 | +- **MEDIUM** — code smell that meaningfully hurts maintainability |
| 162 | +- **LOW** — style or convention nit |
| 163 | + |
| 164 | +--- |
| 165 | + |
| 166 | +## Common Mistakes |
| 167 | + |
| 168 | +| Mistake | Fix | |
| 169 | +|---------|-----| |
| 170 | +| Reporting every code smell regardless of impact | Skip findings that are technically true but don't matter in practice | |
| 171 | +| Auditing PR diff instead of full codebase | This skill evaluates structure, not changes. Use `review-and-fix` for diffs | |
| 172 | +| Omitting project-specific conventions from AGENTS.md/CLAUDE.md | Always read project docs first — project-specific criteria often surface the most actionable findings | |
| 173 | +| Organizing findings by criterion instead of by file | Findings grouped by file are actionable; by criterion is academic | |
| 174 | +| Treating HIGH severity as "fix immediately" | HIGH means architectural risk or likely bug source, not urgency. Let the user prioritize | |
| 175 | + |
| 176 | +## Scope Boundaries |
| 177 | + |
| 178 | +This skill produces a report. It does not fix anything. |
| 179 | + |
| 180 | +| Need | Use instead | |
| 181 | +|------|-------------| |
| 182 | +| Review a PR or branch diff | `review-and-fix` | |
| 183 | +| Repeated review-fix cycles | `iterative-review-fix` | |
| 184 | +| Validate whether an approach is sound | `review-with-research` | |
| 185 | +| Audit visual/frontend design | `design-audit` | |
| 186 | +| Multi-perspective review | Wrap this skill with `diverge-critique-converge` | |
| 187 | +| Automated remediation | Follow up findings with `review-and-fix` or `iterative-review-fix` | |
| 188 | +| Track findings as tickets | Use `gh issue create` on each finding | |
0 commit comments