
audit


Comprehensive codebase audit with verification and specialized reviewers. Generates actionable reports. Use when asked to "audit the codebase", "review code quality", "check for issues", "security review", or "performance audit". By default, run the complete audit: mechanical checks first, then specialist reviewers, then a scored report.

Security

What this skill does


<tool_restrictions>

# MANDATORY Tool Restrictions

## BANNED TOOLS — calling these is a skill violation:

- **`EnterPlanMode`** — BANNED. Do NOT call this tool. This skill has its own structured process. Execute the steps below directly.
- **`ExitPlanMode`** — BANNED. You are never in plan mode.
</tool_restrictions>

<arc_runtime>
This workflow requires the full Arc bundle, not a prompts-only install.

Paths in this skill use these conventions:

- `agents/...`, `references/...`, `disciplines/...`, `templates/...`, `scripts/...`, `rules/...`, `skills/<name>/...` are Arc-owned files at the plugin root. Resolve the plugin root from this skill's filesystem location — it's the directory containing `agents/` and `skills/`.
- `./...` is local to this skill's directory.
- `.ruler/...`, `docs/...`, `src/...`, or any project-relative path refers to the user's project repository.
</arc_runtime>

<platform_context>
**Read this reference NOW:**

1. `references/platform-tools.md`

Adapt the workflow to the current harness instead of assuming Claude-specific tool names.

- Use platform-native task tracking only when available; otherwise continue without it.
- Use platform-native structured questions when available; otherwise ask concise plain-text questions.
- Use the platform's subagent/delegation primitives when available; otherwise run the review steps locally.
</platform_context>

<tasklist_context>
**If the current platform has a native task/todo tool, use it** to check for existing tasks related to this work.

If a related task exists, note its ID and mark it `in_progress` when starting.
If no native task/todo tool exists, skip task tracking and continue with the audit.
</tasklist_context>

<required_reading>
**Read these reference files NOW:**

1. `disciplines/dispatching-parallel-agents.md`
2. `references/audit-stage-calibration.md`
3. `references/audit-scorecard.md`
4. `references/maintainability-review.md`

**Load when relevant:**

- `references/react-audit-signals.md` — React, Next.js, TanStack Query, or React Native projects. Pass the relevant sections into reviewer prompts as audit signals.
</required_reading>

<rules_context>
**Check for project coding rules:**

**Use Glob tool:** `.ruler/*.md`

**Determine rules source:**

- **If `.ruler/` exists:** Read rules from `.ruler/`
- **If `.ruler/` doesn't exist:** Read rules from `rules/`

**Detect stack and read relevant rules from the rules source:**

| Check                                 | Read                    |
| ------------------------------------- | ----------------------- |
| Always                                | code-style.md, stack.md |
| `next.config.*` exists                | nextjs.md               |
| `react` in package.json               | react.md                |
| `tailwindcss` in package.json         | tailwind.md             |
| `.ts` or `.tsx` files                 | typescript.md           |
| `vitest` or `jest` in package.json    | testing.md              |
| `drizzle` or `prisma` in package.json | api.md                  |
| `.env*` files exist                   | env.md                  |

Pass relevant rules to each reviewer agent.

**For each reviewer, pass domain-specific core rules:**

| Reviewer                | Core Rules to Pass                                                                                  |
| ----------------------- | --------------------------------------------------------------------------------------------------- |
| security-engineer       | api.md, env.md, integrations.md, auth.md (if Clerk/WorkOS), react-correctness.md (security section) |
| architecture-engineer   | stack.md, turborepo.md                                                                              |
| lee-nextjs-engineer     | nextjs.md, api.md, react-correctness.md (Next.js-specific rules)                                    |
| senior-engineer         | code-style.md, typescript.md, react.md, error-handling.md                                           |
| data-engineer           | testing.md, api.md                                                                                  |
| daniel-product-engineer | react.md, typescript.md, react-performance.md, react-correctness.md                                 |
| mastra-agent-engineer   | api.md, integrations.md, typescript.md, error-handling.md                                           |
| performance-engineer    | react-performance.md                                                                                |

**For frontend implementation audits, also load code-level interface rules:**

| Reviewer                | Interface Rules to Pass                                                      |
| ----------------------- | ---------------------------------------------------------------------------- |
| daniel-product-engineer | forms.md, interactions.md, performance.md, tailwind-authoring.md, buttons.md |
| lee-nextjs-engineer     | performance.md                                                               |

Interface rules location: `rules/interface/`

Pass relevant rules to each frontend reviewer in their prompt. These inform implementation and accessibility checks only. Do not score visual taste, invent a visual direction, or create redesign findings; defer visual design direction to the project's design source of truth.

**Frontend implementation checks — include in prompts for daniel-product-engineer and accessibility-engineer:**

In addition to their domain-specific rules, frontend reviewers should verify:

- No layout shift on dynamic content (hardcoded dimensions, `tabular-nums`, no font-weight changes on hover)
- Animations have `prefers-reduced-motion` support
- Touch targets are 44px minimum
- Hover effects gated behind `@media (hover: hover)`
- Keyboard navigation works (tab order, focus trap in modals, arrow keys in lists)
- Icon-only buttons have `aria-label`
- Forms submit with Enter; textareas with ⌘/Ctrl+Enter
- Inputs are `text-base` (16px+) to prevent iOS zoom
- No `transition: all` — specify exact properties
- z-index uses fixed scale or `isolation: isolate`
- No flash on refresh for interactive state (tabs, theme, toggles)
- Destructive actions require confirmation (`AlertDialog`, not `confirm()`)
</rules_context>

<process>
## Phase 1: Detect Scope & Project Type

**Parse arguments:**

- `$ARGUMENTS` may contain:
  - A path (e.g., `apps/web`, `packages/ui`, `src/`)
  - A plain-language focus (e.g., "security", "performance", "architecture", "accessibility")

Do not advertise audit flags or variants. If the user provides a path or focus, treat it as scope guidance for the same default audit workflow.

**If no scope provided:**

**Use Glob tool to detect structure:**

- `apps/*`, `packages/*` → monorepo (audit both)
- `src/*` → standard (audit src/)
- Neither → audit current directory

**Detect project type with Glob + Grep:**

| Check   | Tool | Pattern                              |
| ------- | ---- | ------------------------------------ |
| Next.js | Grep | `"next"` in `package.json`           |
| React   | Grep | `"react"` in `package.json`          |
| Python  | Glob | `requirements.txt`, `pyproject.toml` |
| Rust    | Glob | `Cargo.toml`                         |
| Go      | Glob | `go.mod`                             |

**Check for database/migrations:**

**Use Glob tool:** `prisma/*`, `drizzle/*`, `migrations/*` → has-db
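An added example, not part of the Arc bundle or this skill's own files: a POSIX sh function that applies the rules-routing table above and the Phase 1 scope, project-type and database checks to a project directory, printing one `<kind> <value>` line per detection so a reviewer prompt can be assembled from it. It assumes dependency detection is a grep for the quoted package name in `package.json`, mirroring the skill's Grep step rather than parsing JSON.

```shell
# Added example (not from the Arc skill): detection tables as a sh function.
# Assumption: "dep in package.json" means the quoted name appears in the file.
audit_detect() {
  dir=${1:-.}
  pkg="$dir/package.json"
  has_dep() { [ -f "$pkg" ] && grep -q "\"$1\"" "$pkg"; }
  exists() { [ -n "$(ls -d "$@" 2>/dev/null)" ]; }   # true if any glob matches

  {
    # Scope: apps/* or packages/* -> monorepo; src/ -> src; otherwise current dir.
    if exists "$dir"/apps/* "$dir"/packages/*; then echo "scope monorepo"
    elif [ -d "$dir/src" ]; then echo "scope src/"
    else echo "scope ."; fi

    # Rules source: a project-local .ruler/ wins over the Arc-owned rules/.
    if [ -d "$dir/.ruler" ]; then echo "rules-source .ruler/"; else echo "rules-source rules/"; fi

    echo "rule code-style.md"; echo "rule stack.md"          # always read
    if exists "$dir"/next.config.*; then echo "rule nextjs.md"; fi
    if has_dep next; then echo "type nextjs"; fi
    if has_dep react; then echo "type react"; echo "rule react.md"; fi
    if has_dep tailwindcss; then echo "rule tailwind.md"; fi
    if has_dep vitest || has_dep jest; then echo "rule testing.md"; fi
    if has_dep drizzle || has_dep prisma; then echo "rule api.md"; fi
    if [ -n "$(find "$dir" -type f \( -name '*.ts' -o -name '*.tsx' \) | head -n 1)" ]; then
      echo "rule typescript.md"
    fi
    if exists "$dir"/.env*; then echo "rule env.md"; fi

    # Non-JS stacks and database presence, from the Phase 1 tables.
    if [ -f "$dir/requirements.txt" ] || [ -f "$dir/pyproject.toml" ]; then echo "type python"; fi
    if [ -f "$dir/Cargo.toml" ]; then echo "type rust"; fi
    if [ -f "$dir/go.mod" ]; then echo "type go"; fi
    if exists "$dir"/prisma "$dir"/drizzle "$dir"/migrations; then echo "flag has-db"; fi
  } | sort -u
}

# Helper: does the manifest for directory $1 contain exactly the line $2?
audit_has() { audit_detect "$1" | grep -qx "$2"; }
```

Run `audit_detect path/to/project` to get the sorted manifest; pipe it into the reviewer prompt builder of your choice.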

**Collect React audit signal manifest (React/Next.js/React Native projects only):**

This pass gives reviewers concrete hotspots for React Doctor-style rule families without running React Doctor. These are **signals, not findings**. Reviewers must still inspect code and report only evidence-backed issues.

```bash
# High-signal React/Next/TanStack/security/frontend patterns. Scope to source-like files.
rg -n --glob '*.{ts,tsx,js,jsx}' \
  "useEffect\\(|dangerouslySetInnerHTML|\\beval\\(|new Function\\(|setTimeout\\(|setInterval\\(|useSearchParams\\(|new QueryCl
```