quantumbitcz/forge-codebase-health
skills/forge-codebase-health/SKILL.md
[read-only] Analyze full codebase against quality rules (read-only, no fixes). Runs check engine on all source files. Use when you want a quality baseline before starting work, after merging multiple PRs, or to audit convention compliance without making changes.
development
Updated Apr 20, 2026
$ install --global
skillsauthnpx skillsauth add quantumbitcz/dev-pipeline forge-codebase-healthInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 20, 2026, 5:16 AM5.8s1 file scanned
SKILL.md
- name:
- forge-codebase-health
- description:
- [read-only] Analyze full codebase against quality rules (read-only, no fixes). Runs check engine on all source files. Use when you want a quality baseline before starting work, after merging multiple PRs, or to audit convention compliance without making changes.
- allowed-tools:
- ['Read', 'Bash', 'Glob', 'Grep']
- disable-model-invocation:
- false
/forge-codebase-health -- Codebase Health Check
Flags
- --help: print usage and exit 0
- --json: structured JSON output
Exit codes
See shared/skill-contract.md for the standard exit-code table.
Prerequisites
Before any action, verify:
- Git repository: Run
git rev-parse --show-toplevel 2>/dev/null. If fails: report "Not a git repository. Navigate to a project directory." and STOP. - Forge initialized: Check
.claude/forge.local.mdexists. If not: report "Forge not initialized. Run /forge-init first." and STOP.
Run the pipeline's check engine in full review mode across the entire project to assess codebase health against the plugin's convention rules.
Instructions
-
Discover source files: Find all tracked source files:
PROJECT_ROOT=$(git rev-parse --show-toplevel) SOURCE_FILES=$(git -C "$PROJECT_ROOT" ls-files --cached --others --exclude-standard | grep -E '\.(kt|kts|java|ts|tsx|js|jsx|py|go|rs|c|h|cs|csx|cpp|cc|cxx|hpp|swift|rb|php|dart|ex|exs|scala|sc)$')Count the files and report: "Found {count} source files to scan."
-
Run the check engine: Execute Layer 1 + Layer 2 checks on all discovered files:
echo "$SOURCE_FILES" | while read -r f; do "${CLAUDE_PLUGIN_ROOT}/shared/checks/engine.sh" --review --project-root "$PROJECT_ROOT" --files-changed "$PROJECT_ROOT/$f" doneIf the engine script is not executable or not found: report "Check engine not available. Verify the forge plugin is installed." and stop.
-
Parse findings: The engine outputs pipe-delimited findings:
file:line | CATEGORY | SEVERITY | message | fix_hintCollect all output lines. Count findings by severity (CRITICAL, WARNING, INFO) and by category prefix (ARCH-, SEC-, PERF-, TEST-, CONV-, DOC-, QUAL-, FE-PERF-, APPROACH-, A11Y-, DEP-, COMPAT-).
-
Calculate quality score: Use the scoring formula:
max(0, 100 - 20*CRITICAL - 5*WARNING - 2*INFO). Determine verdict: PASS (>= 80), CONCERNS (60-79), FAIL (< 60 or any CRITICAL). -
Present the report:
## Codebase Health Report **Project:** {project name from directory} **Files scanned:** {count} **Languages:** {language breakdown, e.g. "kotlin (98), typescript (44)"} ### Findings by Severity - CRITICAL: {count} - WARNING: {count} - INFO: {count} ### Findings by Category | Category | CRITICAL | WARNING | INFO | |--------------------|----------|---------|------| | Architecture | {n} | {n} | {n} | | Security | {n} | {n} | {n} | | Performance | {n} | {n} | {n} | | Test Quality | {n} | {n} | {n} | | Conventions | {n} | {n} | {n} | | Documentation | {n} | {n} | {n} | | Code Quality | {n} | {n} | {n} | | Frontend Perf | {n} | {n} | {n} | | Approach | {n} | {n} | {n} | | Accessibility | {n} | {n} | {n} | | Dependencies | {n} | {n} | {n} | | Compatibility | {n} | {n} | {n} | ### Quality Score Score: {score}/100 ({verdict}) ### Top Issues {list top 10 findings by severity, highest first}Map category prefixes to human-readable names:
ARCH-*-> ArchitectureSEC-*-> SecurityPERF-*-> PerformanceTEST-*-> Test QualityCONV-*-> ConventionsDOC-*-> DocumentationQUAL-*-> Code QualityFE-PERF-*-> Frontend PerfAPPROACH-*-> ApproachA11Y-*-> AccessibilityDEP-*-> DependenciesCOMPAT-*-> CompatibilitySCOUT-*-> omit from table (no deduction, tracked separately)
Error Handling
| Condition | Action | |-----------|--------| | Prerequisites fail | Report specific error message and STOP | | Check engine not found or not executable | Report "Check engine not available. Verify the forge plugin is installed." and STOP | | Check engine times out on a file | Skip the file, log WARNING, continue scanning remaining files | | No source files found | Report "No source files found in the repository." and STOP | | Engine produces unparseable output | Skip malformed lines, log WARNING, continue with valid findings | | State corruption | This skill does not depend on state.json -- it runs independently |
Important
- Do NOT fix issues -- only report them
- This runs Layer 1 (patterns) + Layer 2 (linters) across ALL files, which may take longer than hook-mode
- If you want to fix issues, run
/forge-deep-healthor offer remediation options - Save the full report to
.forge/health-report.mdfor reference
See Also
/forge-deep-health-- Iteratively fix all codebase quality issues (use when you want fixes, not just a report)/forge-review-- Review and fix only recently changed files/forge-verify-- Quick build + lint + test check without convention scanning/forge-security-audit-- Focused security vulnerability scanning
Related Skills
quantumbitcz/forge
development
VerifiedTrustedCommunity
[writes] Build, fix, deploy, review, or modify code in this project. Universal entry for the forge pipeline. Auto-bootstraps on first run; brainstorms before planning when given a feature description. Use when you want to take any productive action: implementing features, fixing bugs, reviewing branches, deploying, committing, running migrations.
SKILL.mdUpdated Apr 30, 2026
quantumbitcz/forge-admin
tools
VerifiedTrustedCommunity
[writes] Manage forge state and configuration: recovery, abort, config edits, session handoff, automations, playbooks, output compression, knowledge graph maintenance. Use when you need to recover from broken pipeline state, edit settings, or manage long-lived state.
SKILL.mdUpdated Apr 30, 2026
quantumbitcz/forge-handoff
development
VerifiedTrustedCommunity
[writes] Create, list, show, resume, or search forge session handoffs. Use when context is getting heavy and you want to transfer a forge run or conversation into a fresh Claude Code session, or to resume from a prior handoff artefact. Subcommands - no args (write), list, show, resume, search.
SKILL.mdUpdated Apr 23, 2026
quantumbitcz/forge-graph
development
VerifiedTrustedCommunity
[writes] Manage the Neo4j knowledge graph. Subcommands: init, rebuild (writes); status, query <cypher>, debug (read-only). Requires Docker. No default — an explicit subcommand is required. Use when setting up the graph for the first time, rebuilding after major refactors, checking graph health, or running ad-hoc Cypher diagnostics.
SKILL.mdUpdated Apr 21, 2026