/audit Workflow
Inputs
- Scope: $ARGUMENTS (optional: "plan", "code", "full")
- plan: Audit a plan file before implementation
- code: Audit recent uncommitted changes (default)
- full: Full codebase scan
Role
You are the audit coordinator. You dispatch security, performance, and QA scans, then synthesize results into actionable reports. You do NOT fix issues yourself — you identify and report them with severity ratings.
Step 1 — Determine scope
Tool: Bash (direct — coordinator does this)
Run: git status --porcelain
Scope resolution:
- If $ARGUMENTS is empty:
  - If git status shows uncommitted changes: scope = "code"
  - Else: scope = "full"
- Else: scope = $ARGUMENTS
Validate scope is one of: plan, code, full. If not, stop with:
"Invalid scope. Use: /audit [plan|code|full]"
Derive timestamp: [timestamp] = current ISO datetime (e.g., 2026-02-07T12-30-00)
Initialize audit logging:
Tool: Bash
# --- Audit Logging Setup ---
# Run id: sortable timestamp plus a 6-char random suffix so concurrent runs never share a log.
RUN_ID=$(date +%Y%m%d-%H%M%S)-$(LC_ALL=C tr -dc 'a-z0-9' </dev/urandom | head -c 6)
AUDIT_LOG_DIR="./plans/audit-logs"
mkdir -p "$AUDIT_LOG_DIR"
AUDIT_LOG="$AUDIT_LOG_DIR/audit-${RUN_ID}.jsonl"
STATE_FILE=".audit-audit-state-${RUN_ID}.json"
# The scope resolved above (plan|code|full). Without this assignment the run_start event below logs "unknown".
AUDIT_SCOPE="[scope]"
# Write the per-run state file that scripts/emit-audit-event.sh reads on every call.
python3 -c "
import json
state = {
'run_id': '${RUN_ID}',
'audit_log': '${AUDIT_LOG}',
'skill': 'audit',
'skill_version': '3.2.0',
'security_maturity': 'advisory',
'hmac_key': ''
}
with open('${STATE_FILE}', 'w') as f:
json.dump(state, f)
print('Audit skill state file created: ${STATE_FILE}')
"
bash scripts/emit-audit-event.sh "$STATE_FILE" \
"{\"event_type\":\"run_start\",\"scope\":\"${AUDIT_SCOPE:-unknown}\"}"
bash scripts/emit-audit-event.sh "$STATE_FILE" \
'{"event_type":"step_start","step":"step_1_determine_scope","step_name":"Determine scope","agent_type":"coordinator"}'
echo "Audit skill log: $AUDIT_LOG"
Emit step_end for Step 1:
Tool: Bash
bash scripts/emit-audit-event.sh ".audit-audit-state-${RUN_ID}.json" \
'{"event_type":"step_end","step":"step_1_determine_scope","step_name":"Determine scope","agent_type":"coordinator"}'
Step 2 — Security scan
Emit step_start for Step 2:
Tool: Bash
bash scripts/emit-audit-event.sh ".audit-audit-state-${RUN_ID}.json" \
'{"event_type":"step_start","step":"step_2_security_scan","step_name":"Security scan","agent_type":"coordinator"}'
Secure-review composability check:
Tool: Glob
Glob for ~/.claude/skills/secure-review/SKILL.md
If found AND scope is NOT "plan":
- Output: "Using /secure-review for deep security analysis (composability mode)."
- Dispatch /secure-review instead of the built-in security scan.
Tool: Task, subagent_type=general-purpose, model=claude-opus-4-6
Prompt: "You are running a deep security review as part of the /audit workflow.
Read the secure-review skill definition at ~/.claude/skills/secure-review/SKILL.md.
Execute its full scanning workflow (vulnerability, data flow, auth/authz scans).
Scope: [map audit scope to secure-review scope: 'code' -> 'changes', 'full' -> 'full']
Write your findings to ./plans/audit-[timestamp].security.md (use the audit naming convention, not the secure-review convention, so the synthesis step can find it).
Include the standard secure-review output: verdict, severity-rated findings, redacted secrets.
CRITICAL: Never include actual secret values. Redact to first 4 / last 4 characters."
Skip the existing built-in security scan below. Proceed to Step 3 (Performance scan).
If not found OR scope is "plan":
- If not found: Output: "secure-review skill not deployed. Using built-in security scan."
- If scope is "plan": Output: "Scope is 'plan' — using built-in plan security analysis (secure-review scans code, not plans)."
- Continue with the existing built-in security scan (unchanged behavior below).
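An added reference implementation, not the skill's own scripts, of three pieces this workflow relies on: Step 1's scope resolution and validation, the JSONL event emission that scripts/emit-audit-event.sh is called for, and the first 4 / last 4 secret redaction rule from the secure-review prompt. The function names, reading the state file with sed, and fully masking values of 8 characters or fewer are assumptions.

```shell
#!/bin/sh
# Added example, not the skill's own scripts. Function names are assumptions.

# resolve_scope ARGUMENTS PORCELAIN: prints plan|code|full following Step 1,
# or prints the workflow's error to stderr and returns 1. ARGUMENTS may carry
# a trailing plan path ("plan ./plans/x.md"), so only its first word is used.
resolve_scope() {
  args=$1 porcelain=$2
  if [ -z "$args" ]; then
    if [ -n "$porcelain" ]; then scope=code; else scope=full; fi
  else
    scope=${args%% *}
  fi
  case $scope in
    plan|code|full) printf '%s\n' "$scope" ;;
    *) echo "Invalid scope. Use: /audit [plan|code|full]" >&2; return 1 ;;
  esac
}

# emit_audit_event STATE_FILE JSON_OBJECT: appends one JSONL line to the
# audit_log named in the state file, stamped with run_id and a UTC timestamp.
# The state file is read with sed (assumption: the flat JSON the setup writes).
emit_audit_event() {
  state_file=$1 payload=$2
  run_id=$(sed -n 's/.*"run_id": *"\([^"]*\)".*/\1/p' "$state_file")
  log=$(sed -n 's/.*"audit_log": *"\([^"]*\)".*/\1/p' "$state_file")
  [ -n "$run_id" ] && [ -n "$log" ] || { echo "unreadable state file: $state_file" >&2; return 1; }
  case $payload in '{'*'}') ;; *) echo "payload must be a JSON object" >&2; return 1 ;; esac
  body=${payload#\{}; body=${body%\}}            # caller's fields, braces stripped
  ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  printf '{"ts":"%s","run_id":"%s"%s}\n' "$ts" "$run_id" "${body:+,$body}" >> "$log"
}

# redact_secret VALUE: first 4 / last 4 characters as the secure-review prompt
# requires; values of 8 characters or fewer are fully masked (assumption) so
# that no complete short secret is ever echoed into a report.
redact_secret() {
  s=$1
  if [ "${#s}" -le 8 ]; then printf '********\n'; return 0; fi
  printf '%.4s****%s\n' "$s" "${s#"${s%????}"}"
}
```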
Pre-check: Glob for .claude/agents/security-analyst*.md
Tool: Glob (direct — coordinator does this)
Pattern: .claude/agents/security-analyst*.md
If found: "Using project-specific security-analyst for security scan"
If not found: "No project-specific security-analyst found. Using generic Task subagent for security scan. For project-tailored scanning, generate one: gen-agent . --type security-analyst"
Tool: Task, subagent_type=general-purpose, model=claude-opus-4-6
If scope is "plan":
- If security-analyst agent found: Prompt: "Read .claude/agents/security-analyst*.md for your role context and scanning frameworks (STRIDE, OWASP Top 10, DREAD, compliance checklists). Then read the plan file at $ARGUMENTS (after 'plan' keyword). Analyze for security risks:
- Authentication/authorization gaps
- Data exposure risks
- Input validation requirements
- Cryptographic requirements
- Secrets management
Rate findings: Critical / High / Medium / Low. Write to ./plans/audit-[timestamp].security.md"
- If security-analyst agent not found: Prompt: "Read the plan file at $ARGUMENTS (after 'plan' keyword). Analyze for security risks:
- Authentication/authorization gaps
- Data exposure risks
- Input validation requirements
- Cryptographic requirements
- Secrets management
Rate findings: Critical / High / Medium / Low. Write to ./plans/audit-[timestamp].security.md"
If scope is "code":
- If security-analyst agent found: Prompt: "Read .claude/agents/security-analyst*.md for your role context and scanning frameworks (STRIDE, OWASP Top 10, DREAD, compliance checklists). Then scan uncommitted changes for:
- SQL injection vulnerabilities
- XSS vulnerabilities
- Exposed secrets (API keys, passwords, tokens)
- Authentication bypasses
- Authorization gaps
- OWASP Top 10 vulnerabilities
- Dependency vulnerabilities
Rate findings: Critical / High / Medium / Low. Write to ./plans/audit-[timestamp].security.md"
- If security-analyst agent not found: Prompt: "Scan uncommitted changes for:
- SQL injection vulnerabilities
- XSS vulnerabilities
- Exposed secrets (API keys, passwords, tokens)
- Authentication bypasses
- Authorization gaps
- OWASP Top 10 vulnerabilities
- Dependency vulnerabilities
Rate findings: Critical / High / Medium / Low. Write to ./plans/audit-[timestamp].security.md"
If scope is "full":
- If security-analyst agent found: Prompt: "Read .claude/agents/security-analyst*.md for your role context and scanning frameworks (STRIDE, OWASP Top 10, DREAD, compliance checklists). Then perform a full codebase security audit:
- SQL injection, XSS, CSRF vulnerabilities
- Exposed secrets in code and config files
- Authentication and authorization implementation
- Dependency vulnerabilities (check package manifests)
- Insecure cryptography
- OWASP Top 10 compliance
Rate findings: Critical / High / Medium / Low. Write to ./plans/audit-[timestamp].security.md"
- If security-analyst agent not found: Prompt: "Full codebase security audit:
- SQL injection, XSS, CSRF vulnerabilities
- Exposed secrets in code and config files
- Authentication and authorization implementation
- Dependency vulnerabilities (check package manifests)
- Insecure cryptography
- OWASP Top 10 compliance
Rate findings: Critical / High / Medium / Low. Write to ./plans/audit-[timestamp].security.md"
Emit step_end for Step 2:
Tool: Bash
bash scripts/emit-audit-event.sh ".audit-audit-state-${RUN_ID}.json" \
'{"event_type":"step_end","step":"step_2_security_scan","step_name":"Security scan","agent_type":"coordinator"}'
Step 3 — Performance scan
Emit step_start for Step 3:
Tool: Bash
bash scripts/emit-audit-event.sh ".audit-audit-state-${RUN_ID}.json" \
'{"event_type":"step_start","step":"step_3_performance_scan","step_name":"Performance scan","agent_type":"coordinator"}'
Tool: Task, subagent_type=general-purpose, model=claude-sonnet-4