audit-full

Installs: 68
Rank: #11287

Install

```bash
npx skills add https://github.com/yonatangross/orchestkit --skill audit-full
```

Full-Codebase Audit

Single-pass whole-project analysis leveraging Opus 4.6's extended context window. Loads entire codebases (~50K LOC) into context for cross-file vulnerability detection, architecture review, and dependency analysis.

Quick Start

```text
/ork:audit-full                # Full audit (all modes)
/ork:audit-full security       # Security-focused audit
/ork:audit-full architecture   # Architecture review
/ork:audit-full dependencies   # Dependency audit
```

Opus 4.6

Uses `complexity: max` for extended thinking across entire codebases. 1M context (beta, Tier 4+) enables cross-file reasoning that chunked approaches miss.

1M Context Required: If `CLAUDE_CODE_DISABLE_1M_CONTEXT` is set, audit-full cannot perform full-codebase analysis. Check with `echo $CLAUDE_CODE_DISABLE_1M_CONTEXT`; if the output is non-empty, either unset it (`unset CLAUDE_CODE_DISABLE_1M_CONTEXT`) or use /ork:verify for chunked analysis instead.
STEP 0: Verify User Intent with AskUserQuestion

BEFORE creating tasks, clarify audit scope:

```python
AskUserQuestion(
    questions=[
        {
            "question": "What type of audit do you want to run?",
            "header": "Audit mode",
            "options": [
                {
                    "label": "Full audit (Recommended)",
                    "description": "Security + architecture + dependencies in one pass",
                    "markdown": "\nFull Audit (1M context)\n───────────────────────\n Load entire codebase ──▶\n ┌────────────────────────┐\n │ Security OWASP Top10│\n │ Architecture patterns │\n │ Dependencies CVEs │\n │ Cross-file data flow │\n └────────────────────────┘\n Single pass: Opus 4.6 sees\n ALL files simultaneously\n Output: Prioritized findings\n",
                },
                {
                    "label": "Security audit",
                    "description": "Cross-file vulnerability analysis, data flow tracing, OWASP mapping",
                    "markdown": "\nSecurity Audit\n──────────────\n ┌──────────────────────┐\n │ OWASP mapping │\n │ Data flow tracing │\n │ input ──▶ DB ──▶ output\n │ Cross-file vulns │\n │ Auth/AuthZ review │\n │ Secret detection │\n └──────────────────────┘\n Finds vulns that chunked\n analysis misses\n",
                },
                {
                    "label": "Architecture review",
                    "description": "Pattern consistency, coupling analysis, dependency violations",
                    "markdown": "\nArchitecture Review\n───────────────────\n ┌──────────────────────┐\n │ Pattern consistency │\n │ Coupling metrics │\n │ A ←→ B (tight) │\n │ C ──▶ D (clean) │\n │ Dependency violations│\n │ Layer enforcement │\n └──────────────────────┘\n Cross-file analysis of\n architectural integrity\n",
                },
                {
                    "label": "Dependency audit",
                    "description": "License compliance, CVE checking, version currency",
                    "markdown": "\nDependency Audit\n────────────────\n ┌──────────────────────┐\n │ CVE scan N vuls│\n │ License check ✓/✗ │\n │ Version drift N old │\n │ Unused deps N │\n │ Transitive risk │\n └──────────────────────┘\n npm audit + pip-audit +\n license compatibility\n",
                },
            ],
            "multiSelect": True,
        },
        {
            "question": "What should be audited?",
            "header": "Scope",
            "options": [
                {
                    "label": "Entire codebase",
                    "description": "Load all source files into context",
                    "markdown": "\nEntire Codebase\n───────────────\n Load ALL source files\n into 1M context window\n\n Best for: first audit,\n full security review,\n architecture assessment\n ⚠ Requires Tier 4+ API\n",
                },
                {
                    "label": "Specific directory",
                    "description": "Focus on a subdirectory (e.g., src/api/)",
                    "markdown": "\nSpecific Directory\n──────────────────\n Load one subtree:\n src/api/ or src/auth/\n\n Best for: targeted review,\n post-change validation,\n smaller context budget\n",
                },
                {
                    "label": "Changed files only",
                    "description": "Audit only files changed vs main branch",
                    "markdown": "\nChanged Files Only\n──────────────────\n git diff main...HEAD\n Load only modified files\n\n Best for: pre-merge check,\n PR-scoped audit,\n incremental review\n",
                },
            ],
            "multiSelect": False,
        },
    ]
)
```
Based on answers, adjust workflow:

| Answer | Workflow adjustment |
|---|---|
| Full audit | All 3 domains, maximum context usage |
| Security only | Focus token budget on source + config files |
| Architecture only | Focus on module boundaries, imports, interfaces |
| Dependency only | Focus on lock files, manifests, import maps |
| Changed files only | Use `git diff --name-only main...HEAD` to scope |

CRITICAL: Task Management is MANDATORY

```python
TaskCreate(
    subject="Full-codebase audit",
    description="Single-pass audit using extended context",
    activeForm="Running full-codebase audit",
)

# Phase subtasks
TaskCreate(subject="Estimate token budget and plan loading", activeForm="Estimating token budget")
TaskCreate(subject="Load codebase into context", activeForm="Loading codebase")
TaskCreate(subject="Run audit analysis", activeForm="Analyzing codebase")
TaskCreate(subject="Generate audit report", activeForm="Generating report")
```

STEP 1: Estimate Token Budget

Before loading files, estimate whether the codebase fits in context.

Run Token Estimation

Use the estimation script:

```bash
${CLAUDE_PLUGIN_ROOT}/skills/audit-full/scripts/estimate-tokens.sh /path/to/project
```
Manual Estimation Rules

| File Type | Tokens per Line (approx) |
|---|---|
| TypeScript/JavaScript | ~8 tokens/line |
| Python | ~7 tokens/line |
| JSON/YAML config | ~5 tokens/line |
| Markdown docs | ~6 tokens/line |
| CSS/SCSS | ~6 tokens/line |

Budget Allocation

| Context Size | Available for Code | Fits LOC (approx) |
|---|---|---|
| 200K (standard) | ~150K tokens | ~20K LOC |
| 1M (beta) | ~800K tokens | ~100K LOC |

Auto-Exclusion List

Always exclude from loading:

- `node_modules/`, `vendor/`, `.venv/`, `__pycache__/`
- `dist/`, `build/`, `.next/`, `out/`
- `*.min.js`, `*.map`, `*.lock` (read lock files separately for the deps audit)
- Binary files, images, fonts
- Test fixtures and snapshots (unless auditing tests)
- Generated files (protobuf, graphql codegen)

If Codebase Exceeds Budget

- Priority loading: Entry points first, then imported modules
- Directory scoping: Ask user to narrow to specific directories
- Fallback: Recommend /ork:verify for chunked multi-agent approach

Fallback suggestion:

```python
AskUserQuestion(
    questions=[
        {
            "question": "Codebase exceeds context window. How to proceed?",
            "header": "Too large",
            "options": [
                {"label": "Narrow scope", "description": "Audit specific directories only"},
                {"label": "Use /ork:verify instead", "description": "Chunked multi-agent approach (works with any context size)"},
                {"label": "Priority loading", "description": "Load entry points + critical paths only"},
            ],
            "multiSelect": False,
        }
    ]
)
```
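As an added example, not the skill's own estimate-tokens.sh: a Python estimator that applies the auto-exclusion list and the tokens-per-line table above, then decides whether the total fits the 200K or 1M code budget or should fall back to /ork:verify. The sample project it writes to a temporary directory is constructed for the demo; the mapping of file suffixes to table rows is an assumption.

```python
import os
import tempfile
from pathlib import Path

# Tokens per line by file type, from the manual estimation table above.
TOKENS_PER_LINE = {".ts": 8, ".tsx": 8, ".js": 8, ".jsx": 8, ".py": 7,
                   ".json": 5, ".yaml": 5, ".yml": 5, ".md": 6, ".css": 6, ".scss": 6}
# Auto-exclusion list; lock files are skipped here and read separately for the deps audit.
EXCLUDED_DIRS = {"node_modules", "vendor", ".venv", "__pycache__", "dist", "build", ".next", "out"}
EXCLUDED_SUFFIXES = (".min.js", ".map", ".lock")
# Budget allocation table: context size -> tokens available for code.
BUDGETS = {"200K": 150_000, "1M": 800_000}

def count_lines(path: Path) -> int:
    try:
        with path.open(encoding="utf-8") as fh:
            return sum(1 for _ in fh)
    except UnicodeDecodeError:
        return 0  # not text: binaries, images and fonts contribute nothing

def estimate_tokens(root: str) -> dict:
    """Walk the project, prune excluded directories, and estimate tokens for each kept file."""
    per_file = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in EXCLUDED_DIRS]  # prune in place
        for name in filenames:
            path = Path(dirpath) / name
            if name.endswith(EXCLUDED_SUFFIXES) or path.suffix not in TOKENS_PER_LINE:
                continue
            per_file[str(path.relative_to(root))] = count_lines(path) * TOKENS_PER_LINE[path.suffix]
    return per_file

def plan(per_file: dict) -> dict:
    """Pick the smallest context size whose code budget holds the estimate, else fall back."""
    total = sum(per_file.values())
    for size, budget in BUDGETS.items():
        if total <= budget:
            return {"total_tokens": total, "fits": size}
    return {"total_tokens": total, "fits": None, "fallback": "/ork:verify"}

def demo() -> dict:
    """Constructed sample project (not a real codebase) used to exercise the estimator."""
    files = {"src/index.ts": 100, "src/api/routes.ts": 50, "package.json": 10, "README.md": 20,
             "node_modules/left-pad/index.js": 1000, "public/bundle.min.js": 3000}
    with tempfile.TemporaryDirectory() as root:
        for rel, lines in files.items():
            target = Path(root) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text("x\n" * lines, encoding="utf-8")
        per_file = estimate_tokens(root)
    return {"per_file": per_file, **plan(per_file)}
```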
STEP 2: Load Codebase into Context

Loading Strategy

1. Glob all source files matching inclusion patterns
2. Sort by priority: entry points → core modules → utilities → config
3. Read files in parallel using multiple Read tool calls per message
4. Track loaded tokens to stay within budget

Inclusion Patterns (by language)

TypeScript/JavaScript: `**/*.ts`, `**/*.tsx`, `**/*.js`, `**/*.jsx`, `**/package.json`, `**/tsconfig.json`

Python: `**/*.py`, `**/pyproject.toml`, `**/setup.cfg`, `**/requirements*.txt`

Config: `**/.env.example`, `**/docker-compose.yml`, `**/Dockerfile`, `**/*.yaml`, `**/*.yml` (non-lock)

Reading Pattern

Read files in batches of 10-15 per message for efficiency:

```python
# Batch 1: Entry points and config
Read("src/index.ts")
Read("src/app.ts")
Read("package.json")
Read("tsconfig.json")
# ... up to 15 files

# Batch 2: Core modules
Read("src/api/routes.ts")
Read("src/db/connection.ts")
# ... next batch
```
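The sort-by-priority and batching rules of STEP 2 as an added example, not the skill's own loader: it takes per-file token estimates (a constructed sample here), orders them entry points → core modules → utilities → config, cuts them into Read batches of 15, and leaves out any file that would push the running total past the budget. The path rules used to assign a file to a tier are assumptions for this example.

```python
BATCH_SIZE = 15  # the page reads files in batches of 10-15 per message
# Priority tiers: entry points -> core modules -> utilities -> config.
# The path rules used to assign tiers are assumptions for this example.
ENTRY_POINTS = {"src/index.ts", "src/app.ts", "src/main.py", "app.py"}
CONFIG_SUFFIXES = (".json", ".yaml", ".yml", ".toml", ".cfg", ".env.example")
UTILITY_DIRS = ("/utils/", "/lib/", "/helpers/")

def tier(path: str) -> int:
    if path in ENTRY_POINTS:
        return 0
    if path.endswith(CONFIG_SUFFIXES):
        return 3
    if any(d in path for d in UTILITY_DIRS):
        return 2
    return 1  # everything else counts as a core module

def plan_batches(per_file: dict, budget: int) -> tuple:
    """Order files by tier (smaller files first within a tier), then cut into Read batches.
    A file that would push the running total past the budget is skipped, not loaded."""
    ordered = sorted(per_file, key=lambda p: (tier(p), per_file[p]))
    batches, current, loaded, skipped = [], [], 0, []
    for path in ordered:
        if loaded + per_file[path] > budget:
            skipped.append(path)
            continue
        loaded += per_file[path]
        current.append(path)
        if len(current) == BATCH_SIZE:
            batches.append(current)
            current = []
    if current:
        batches.append(current)
    return batches, loaded, skipped

def render_batch(batch: list) -> list:
    """Turn one batch into the Read calls issued together in a single message."""
    return [f'Read("{path}")' for path in batch]

# Constructed token estimates per file, not measured from a real project.
SAMPLE = {"src/index.ts": 800, "src/api/routes.ts": 400, "src/utils/format.ts": 160,
          "package.json": 50, "src/db/connection.ts": 320, "src/big/generated.ts": 5000}

def demo_batches() -> tuple:
    return plan_batches(SAMPLE, budget=1500)
```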

STEP 3: Audit Analysis

With codebase loaded, perform the selected audit mode(s).

Security Audit

Load `Read("${CLAUDE_PLUGIN_ROOT}/skills/audit-full/references/security-audit-guide.md")` for the full checklist.

Key cross-file analysis patterns:

- Data flow tracing: Track user input from entry point → processing → storage
- Auth boundary verification: Ensure all protected routes check auth
- Secret detection: Scan for hardcoded credentials, API keys, tokens
- Injection surfaces: SQL, command, template injection across file boundaries
- OWASP Top 10 mapping: Classify findings by OWASP category

Architecture Review

Load `Read("${CLAUDE_PLUGIN_ROOT}/skills/audit-full/references/architecture-review-guide.md")` for the full guide.

Key analysis patterns:

- Dependency direction: Verify imports flow inward (clean architecture)
- Circular dependencies: Detect import cycles across modules
- Layer violations: Business logic in controllers, DB in routes, etc.
- Pattern consistency: Same problem solved differently across codebase
- Coupling analysis: Count cross-module imports, identify tight coupling
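An added example for the Architecture Review patterns above (dependency direction, circular dependencies, layer violations), not code from the skill: it builds an import graph from constructed Python module sources, finds import cycles with a depth-first search, and flags imports that point against an assumed api → services → db layering. The module sources and the layer ranking are both constructed for the example.

```python
import re

# Constructed module sources (not a real project), keyed by path; only the import lines matter.
MODULES = {
    "src/api/routes.py": "from src.services.users import get_user\nfrom src.db.session import Session\n",
    "src/services/users.py": "from src.db.session import Session\nfrom src.api.routes import router\n",
    "src/db/session.py": "import sqlite3\n",
}
# Assumed layering for the dependency-direction rule: imports may only point api -> services -> db.
LAYER_RANK = {"api": 0, "services": 1, "db": 2}
IMPORT_RE = re.compile(r"^(?:from\s+(\S+)\s+import|import\s+(\S+))", re.M)

def module_name(path: str) -> str:
    return path[:-3].replace("/", ".")  # src/api/routes.py -> src.api.routes

def layer(mod: str):
    parts = mod.split(".")
    return parts[1] if len(parts) > 2 and parts[1] in LAYER_RANK else None

def build_graph(modules: dict) -> dict:
    """Map each module to the in-project modules it imports; stdlib imports are dropped."""
    names = {module_name(p) for p in modules}
    graph = {}
    for path, src in modules.items():
        targets = (m.group(1) or m.group(2) for m in IMPORT_RE.finditer(src))
        graph[module_name(path)] = {t for t in targets if t in names}
    return graph

def find_cycles(graph: dict) -> list:
    """Depth-first search; each cycle is returned as the module list that closes on itself."""
    cycles, state, stack = [], {}, []
    def visit(node):
        state[node] = "active"
        stack.append(node)
        for dep in sorted(graph.get(node, ())):
            if state.get(dep) == "active":  # back edge: dep is still on the DFS stack
                cycles.append(stack[stack.index(dep):] + [dep])
            elif dep not in state:
                visit(dep)
        stack.pop()
        state[node] = "done"
    for node in sorted(graph):
        if node not in state:
            visit(node)
    return cycles

def layer_violations(graph: dict) -> list:
    """Imports pointing from a lower layer back up to a higher one, e.g. services -> api."""
    return sorted((mod, dep) for mod, deps in graph.items() for dep in deps
                  if layer(mod) and layer(dep) and LAYER_RANK[layer(dep)] < LAYER_RANK[layer(mod)])
```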
Dependency Audit

Load `Read("${CLAUDE_PLUGIN_ROOT}/skills/audit-full/references/dependency-audit-guide.md")` for the full guide.

Key analysis patterns:

- Known CVEs: Check versions against known vulnerabilities
- License compliance: Identify copyleft licenses in proprietary code
- Version currency: Flag significantly outdated dependencies
- Transitive risk: Identify deep dependency chains
- Unused dependencies: Detect installed but never imported packages

STEP 4: Generate Report

Load the report template: `Read("${CLAUDE_PLUGIN_ROOT}/skills/audit-full/assets/audit-report-template.md")`.

Report Structure

```markdown
# Audit Report: {project-name}

**Date:** {date} | **Mode:** {mode} | **Files loaded:** {count} | **LOC:**

## Executive Summary

## Findings

| # | Severity | Category | File(s) | Finding | Remediation |
|---|----------|----------|---------|---------|-------------|
| 1 | CRITICAL | Security | src/auth.ts:42 | ... | ... |

## Severity Breakdown

- CRITICAL: {n} (must fix before deploy)
- HIGH: {n} (fix within sprint)
- MEDIUM: {n} (fix within quarter)
- LOW: {n} (track and address)

## Architecture Diagram

## Recommendations

{Prioritized action items}
```

Severity Classification

Load `Read("${CLAUDE_PLUGIN_ROOT}/skills/audit-full/assets/severity-matrix.md")` for classification criteria.

Completion Checklist

Before finalizing the report, verify with `Read("${CLAUDE_PLUGIN_ROOT}/skills/audit-full/checklists/audit-completion.md")`.

When NOT to Use

| Situation | Use Instead |
|---|---|
| Small targeted check (1-5 files) | Direct Read + analysis |
| CI/CD automated scanning | security-scanning skill |
| Multi-agent graded verification | /ork:verify |
| Exploring unfamiliar codebase | /ork:explore |
| Context window < 200K tokens | /ork:verify (chunked approach) |
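For the Unused dependencies pattern of the Dependency Audit in STEP 3, an added example that is not the skill's own code: it compares a package.json with the import specifiers found in source files and reports declared-but-never-imported runtime packages alongside imported-but-undeclared ones (the latter resolve only by accident, through a transitive install, and can vanish or change on the next install). The manifest and sources are constructed, and the regex import matcher is an approximation of a real parser.

```python
import json
import re

# Constructed sample inputs (not a real project): a package.json and a few source files.
PACKAGE_JSON = json.dumps({
    "dependencies": {"express": "^4.18.2", "lodash": "^4.17.21",
                     "@aws-sdk/client-s3": "^3.0.0", "left-pad": "^1.3.0"},
    "devDependencies": {"jest": "^29.0.0"},
})
SOURCES = {
    "src/app.ts": 'import express from "express";\nimport get from "lodash/get";\n',
    "src/storage.ts": 'import { S3Client } from "@aws-sdk/client-s3";\nconst argv = require("minimist")(process.argv);\n',
    "src/util.ts": 'import fs from "node:fs";\nimport path from "path";\nimport { helper } from "./helper";\n',
}
# Captures the specifier of `import ... from "x"`, `import "x"` and `require("x")` (regex approximation).
IMPORT_RE = re.compile(r'(?:\bfrom|\bimport|\brequire\()\s*["\']([^"\']+)["\']')
NODE_BUILTINS = {"fs", "path", "os", "crypto", "http", "https", "url", "util", "events", "stream"}

def package_of(specifier: str):
    """Reduce an import specifier to its package name; relative and built-in imports give None."""
    if specifier.startswith((".", "/", "node:")):
        return None
    parts = specifier.split("/")
    name = "/".join(parts[:2]) if specifier.startswith("@") else parts[0]  # keep @scope/name together
    return None if name in NODE_BUILTINS else name

def audit_dependencies(package_json: str, sources: dict) -> dict:
    """Compare declared packages with what the sources actually import.
    unused: runtime dependencies never imported (devDependencies are excluded, since test
    tooling is usually not imported by application code).
    undeclared: imported packages missing from the manifest entirely."""
    manifest = json.loads(package_json)
    runtime = set(manifest.get("dependencies", {}))
    declared = runtime | set(manifest.get("devDependencies", {}))
    imported = {pkg for src in sources.values() for pkg in map(package_of, IMPORT_RE.findall(src)) if pkg}
    return {"unused": sorted(runtime - imported), "undeclared": sorted(imported - declared)}
```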
