/loopsecurityhigh riskadvancedsafety D · 50 · open-endedForward Futurepre-dates current gate · under review

Audit the system from evidence

Read-only pass that verifies architecture, security, platform behavior, ops, and business logic from current evidence, not assumptions.

prompt
→ Claude
Audit [project] from its actual code and configuration, not framework assumptions. For architecture, platform compatibility, security, privileged areas, performance, deployment, jobs, business logic, and code quality, record proved, no issue, weak, or N/A with direct evidence; verify external limits from current primary sources and calculate numbers. Ask before changing code. Stop when every area is logged with severity, or return unverified areas as blocked. Finish with a plain-language overview and area-to-evidence table.
claude-code · codex

Use this when

Use this before trusting a project's security, correctness, platform compatibility, privileged surfaces, scheduled work, or operational assumptions and when the first task is audit rather than repair.

How it runs

  1. Discover the real language, framework, hosting platform, privileged surfaces, scheduled jobs, and deployment configuration from the scoped project itself.
  2. Inspect each required area, tie conclusions to code or configuration, verify platform and library behavior from current primary sources, and calculate rather than estimate quantitative claims.
  3. Record an outcome, evidence, and severity for every area, separating confirmed weaknesses from no-issue findings, justified N/A results, and unverified gaps.
  4. Deliver the plain-language project overview and area-to-evidence table without changing code; stop complete only when every area is accounted for, otherwise return the blocked gaps.

Done when

Every audit area has a current evidence-backed outcome and severity. The area-to-evidence table contains no silent gaps: each area is proved, no issue found, weak, N/A with a reason, or explicitly unverified and blocked.

Why it works

Broad audits fail when they inherit framework defaults, rely on remembered limits, or omit quiet areas. A fixed evidence table forces the reviewer to prove, clear, exclude, or explicitly block every surface.

Implementation note

This loop is read-only. Ask before changing code, configuration, infrastructure, or production state. Use current primary documentation for external behavior, avoid exposing secrets from privileged areas, and do not turn missing access into a clean finding.

Source: Forward Future

More security loops

Burn down CVEs by reachability

Rank dependency CVEs by reachability and exposure, apply one bounded fix, and verify the whole project before moving on.

prompt
→ Claude
Scan the dependencies of [authorized project or current repository] for known CVEs using current advisory sources. If you cannot access the dependency graph, repository, or current advisories, report the blocker and stop. For each high or critical finding, identify the affected direct or transitive dependency, determine whether the vulnerable code is reachable, and check whether the exploit conditions exist in this project. Rank findings by severity, reachability, exposure, and available remediation. Patch or upgrade the highest-risk reachable dependency using the smallest credible change. Run the build, tests, and security scan again. Keep the change only if verification passes and no unacceptable regression appears. Repeat until no exploitable high or critical CVE remains, or every remaining finding has an evidence-backed reachability assessment and an approved risk decision. Ask before major or breaking upgrades, production changes, or accepting risk. Finish with the CVE inventory, reachability evidence, fixes, verification results, and remaining risks.
securityhigh risk

Weekly dependency vulnerability audit

/scheduleloopreponew

Every Monday morning, run the dependency vulnerability audit, open one PR fixing what auto-fix can handle safely, and file issues for the rest.

prompt
→ Claude
/schedule every Monday at 8am, run `npm audit`, open a single PR applying only non-breaking fixes with tests passing, and file one issue per remaining high or critical advisory with its CVE link and affected paths
securitymedium risk

Keep security audits running until clear

/goalnew

Run Claude repeatedly across turns until your security audit condition is met, then stop.

prompt
→ Claude
/goal [condition|clear] keeps Claude working across turns until the condition is met
securitylow risk