Audit the system from evidence
Read-only pass that verifies architecture, security, platform behavior, ops, and business logic from current evidence, not assumptions.
Use this when
Use this before trusting a project's security, correctness, platform compatibility, privileged surfaces, scheduled work, or operational assumptions and when the first task is audit rather than repair.
How it runs
- Discover the real language, framework, hosting platform, privileged surfaces, scheduled jobs, and deployment configuration from the scoped project itself.
- Inspect each required area, tie conclusions to code or configuration, verify platform and library behavior from current primary sources, and calculate rather than estimate quantitative claims.
- Record an outcome, evidence, and severity for every area, separating confirmed weaknesses from no-issue findings, justified N/A results, and unverified gaps.
- Deliver the plain-language project overview and area-to-evidence table without changing code; stop complete only when every area is accounted for, otherwise return the blocked gaps.
Done when
✓ Every audit area has a current evidence-backed outcome and severity. The area-to-evidence table contains no silent gaps: each area is proved, no issue found, weak, N/A with a reason, or explicitly unverified and blocked.
Why it works
Broad audits fail when they inherit framework defaults, rely on remembered limits, or omit quiet areas. A fixed evidence table forces the reviewer to prove, clear, exclude, or explicitly block every surface.
Implementation note
This loop is read-only. Ask before changing code, configuration, infrastructure, or production state. Use current primary documentation for external behavior, avoid exposing secrets from privileged areas, and do not turn missing access into a clean finding.
More security loops
Burn down CVEs by reachability
Rank dependency CVEs by reachability and exposure, apply one bounded fix, and verify the whole project before moving on.
Weekly dependency vulnerability audit
Every Monday morning, run the dependency vulnerability audit, open one PR fixing what auto-fix can handle safely, and file issues for the rest.
Keep security audits running until clear
Run Claude repeatedly across turns until your security audit condition is met, then stop.