obsidian-owl/sw-audit
core/skills/sw-audit/SKILL.md
Periodic codebase health check. Analyzes architecture, complexity, consistency, and debt across the full codebase. Produces persistent findings in AUDIT.md.
$ install --global
skillsauthnpx skillsauth add obsidian-owl/specwright sw-auditInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 22, 2026, 3:57 PM66.4s1 file scanned
SKILL.md
- name:
- sw-audit
- description:
- >-
- argument-hint:
- [path | --full]
Specwright Audit
Goal
Find systemic codebase issues that per-change quality gates miss. Architecture debt, complexity growth, convention drift, and accumulated workarounds compound silently. Surface them, let the user prioritize, and persist findings for future design cycles.
Inputs
- The codebase itself
{projectArtifactsRoot}/CONSTITUTION.md-- practices to check against{projectArtifactsRoot}/AUDIT.md-- prior findings (if exists, for ID matching){projectArtifactsRoot}/LANDSCAPE.md-- module structure (if exists, for triage){projectArtifactsRoot}/config.json-- audit config (optionalauditsection)
Outputs
{projectArtifactsRoot}/AUDIT.md-- findings perprotocols/audit.mdformat- Findings presented to user grouped by dimension before saving
Constraints
Scope (LOW freedom):
- This skill reads and analyzes. It NEVER modifies source code, creates branches, runs builds, or starts work units.
- Does NOT create
currentWorkin workflow.json. Does NOT require a lock. Can run while a work unit is in progress. - It is not a core workflow stage and never claims top-level work ownership.
- On compaction: re-run from scratch (no state to recover).
Triage (MEDIUM freedom):
- Determine audit depth from argument and codebase size:
- Path argument → Focused: analyze specified directory/module only
--fullargument → Full: parallel agents, all dimensions- No argument → auto-triage: Standard (<50 files) or Full (50+ files)
- If LANDSCAPE.md exists, use module count to inform triage.
Analysis (HIGH freedom):
- Four dimensions: architecture, complexity, consistency, debt.
- Delegate per
protocols/delegation.md:specwright-architect: architecture + complexity (structural analysis)specwright-reviewer: consistency + debt (convention and quality analysis)
- Standard depth: 2 agent calls (sequential or parallel).
- Full depth: up to 4 parallel calls (one per dimension).
- Include constitution practices as the baseline for consistency checks.
Synthesis (LOW freedom):
- Agents return raw findings. The skill itself aggregates results.
- If prior AUDIT.md exists: match findings per
protocols/audit.md(dimension + location). Reuse matched IDs, assign new IDs for unmatched. Mark unmatched prior findings as stale. - Purge resolved findings older than 90 days.
- Enforce size cap per protocol. Write AUDIT.md.
Presentation (MEDIUM freedom):
- Show findings grouped by dimension. For each: severity, location, description, impact.
- Apply
protocols/decision.mdCURATION for severity and export decisions:- Cascading impact → BLOCKER. Auto-export to backlog as BL-{n} with
findingtag. - Isolated impact → WARN. Stays in AUDIT.md only.
- The finding remains in AUDIT.md regardless; backlog items are for action tracking.
- Cascading impact → BLOCKER. Auto-export to backlog as BL-{n} with
- Maximum 20 findings per run. If more, keep highest-severity.
Protocol References
protocols/audit.md-- finding format, IDs, matching, lifecycleprotocols/delegation.md-- agent delegationprotocols/decision.md-- autonomous decision framework (CURATION for severity)protocols/context.md-- config and anchor doc loadingprotocols/backlog.md-- backlog item format and write targets
Failure Modes
| Condition | Action | |-----------|--------| | No codebase files found | STOP: "No source files to audit." | | Agents unavailable | Fall back to inline analysis (less thorough) | | Prior AUDIT.md parse error | WARN, start fresh (no ID continuity) | | Compaction during audit | Re-run from scratch |
Related Skills
obsidian-owl/sw-adopt
testing
VerifiedTrustedCommunity
Explicitly adopt an existing work into the current worktree after validating live ownership, stale sessions, and branch consistency.
7SKILL.mdUpdated Apr 22, 2026
obsidian-owl/sw-verify
testing
VerifiedTrustedCommunity
Orchestrates quality gates for the current work unit. Runs enabled gates in dependency order, produces an aggregate evidence report with gate handoff.
7SKILL.mdUpdated Apr 9, 2026
obsidian-owl/sw-sync
tools
VerifiedTrustedCommunity
Syncs the local repository by fetching all remotes, updating the base branch, and removing stale local branches that are not protected by live sessions or helper worktrees.
7SKILL.mdUpdated Apr 9, 2026
obsidian-owl/sw-status
data-ai
VerifiedTrustedCommunity
Shows current Specwright state for this worktree, the attached work, repo-wide active works, gate results, and lock status. Supports --reset, --cleanup, and --repair {unitId}.
7SKILL.mdUpdated Apr 9, 2026