overnight-repo-auditor

`npx mdskill add OneWave-AI/claude-skills/overnight-repo-auditor`


SKILL.md

---
name: overnight-repo-auditor
description: Uses Managed Agents' 14.5-hour runtime to audit an entire codebase overnight. Security, performance, accessibility, dependency issues. You wake up to a full report.
tools: Read, Grep, Glob, Bash, Agent, Write
model: inherit
---

# Overnight Repo Auditor

Autonomously audit an entire codebase overnight and produce a single severity-rated report covering security, performance, accessibility, dependencies, and code quality. Built for Anthropic's Managed Agents runtime (14.5-hour task horizon): run to completion without questions or confirmation, writing structured findings to disk as execution proceeds so partial results survive interruption.

## Contents

- `references/reconnaissance.md` -- Phase 1 steps and the reconnaissance report template.
- `references/shared-rubric.md` -- Severity rating rubric and structured finding format. Pass both to every agent.
- `references/agent-security.md` -- Security Auditor brief and output format.
- `references/agent-performance.md` -- Performance Auditor brief and output format.
- `references/agent-accessibility.md` -- Accessibility Auditor brief, skip condition, and output format.
- `references/agent-dependency.md` -- Dependency Auditor brief, skip condition, and output format.
- `references/agent-code-quality.md` -- Code Quality Auditor brief and output format.
- `references/compilation-and-templates.md` -- Phase 3 compilation steps, final report template, and completion message.

## Operating Rules

- Run autonomously. Never ask the user for input. When a decision is ambiguous, choose the more thorough option and document the choice in the report.
- Read-only against source. Create only the `audit-workspace/` directory and `overnight-audit-report.md`. Never modify, build, or execute project code. The sole exception: the Dependency Auditor may run read-only package-audit commands (`npm audit`, `pip-audit`, and equivalents).
- Be exhaustive, not sampling-based, while the time window allows.

## Workflow

### Phase 1: Reconnaissance (sequential, ~5-10 min)

1. Scan repository structure, identify languages, frameworks, config files, and estimate lines of code.
2. Determine which audit modules are relevant: Security, Performance, and Code Quality always; Accessibility only when frontend/template files exist; Dependency only when a manifest or lockfile exists.
3. Write `audit-workspace/00-reconnaissance.md` as the shared context document for all agents.

Follow `references/reconnaissance.md` for exact commands and the report template.

### Phase 2: Parallel Audit Deployment

4. Deploy every relevant audit agent simultaneously via the Agent tool. Use `run_in_background: true` on every call and send ALL agent calls in a single message.
5. Build each agent's prompt by combining: the full reconnaissance report (paste inline -- agents do not share filesystem context automatically), the severity rubric and finding format from `references/shared-rubric.md`, and the agent-specific brief from its reference file. Each agent writes to its own output file under `audit-workspace/`.
   - Security -> `references/agent-security.md` -> `01-security-audit.md`
   - Performance -> `references/agent-performance.md` -> `02-performance-audit.md`
   - Accessibility -> `references/agent-accessibility.md` -> `03-accessibility-audit.md` (honor skip condition)
   - Dependency -> `references/agent-dependency.md` -> `04-dependency-audit.md` (honor skip condition)
   - Code Quality -> `references/agent-code-quality.md` -> `05-code-quality-audit.md`
6. For a targeted run (e.g., "security and dependencies only"), deploy just those agents and include only their sections in the final report.

### Phase 3: Report Compilation (sequential, ~5-10 min)

7. After all background agents return, read every agent report, deduplicate cross-agent findings, assign final severities, and generate the executive summary with the top-10 priority items.
8. Write the compiled `overnight-audit-report.md` to the repository root, then emit the brief completion message.

Follow `references/compilation-and-templates.md` for the deduplication map, final report template, and completion message.
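The Phase 3 steps (deduplicate cross-agent findings, assign final severities, rank the top-10, disclose lost coverage) as an added example written for this page, not the skill's own code. It assumes findings are dicts with the keys shown; the skill's real structured finding format lives in `references/shared-rubric.md`, which is not reproduced here.

```python
"""Phase 3 compilation: merge per-agent finding files, deduplicate findings that
several agents raised at the same location, keep the highest severity, rank the
top-10 priority items and record lost coverage from failed agents. Added example
for this page, not the skill's own code. Assumption: findings are dicts with the
keys below; the real structured format lives in references/shared-rubric.md."""
from collections import Counter

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Constructed sample output from two agents. Security and Code Quality flag
# the same file:line with different wording, so they must collapse into one.
AGENT_REPORTS = {
    "01-security-audit.md": [
        {"file": "api/auth.py", "line": 42, "severity": "high", "title": "Password compared with =="},
        {"file": "api/upload.py", "line": 10, "severity": "medium", "title": "Unbounded upload size"},
    ],
    "05-code-quality-audit.md": [
        {"file": "api/auth.py", "line": 42, "severity": "low", "title": "Non-constant-time compare"},
        {"file": "util/log.py", "line": 7, "severity": "info", "title": "Unreachable branch"},
    ],
}

def compile_findings(reports, deployed):
    """reports: {agent file -> findings}; deployed: agent files launched in Phase 2."""
    merged = {}
    for agent, findings in reports.items():
        for f in findings:
            key = (f["file"], f["line"])  # cross-agent duplicate = same location
            entry = merged.setdefault(key, {**f, "agents": []})
            entry["agents"].append(agent)
            if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[entry["severity"]]:
                entry["severity"] = f["severity"]  # final severity = highest rating
    ranked = sorted(merged.values(),
                    key=lambda e: (-SEVERITY_RANK[e["severity"]], e["file"], e["line"]))
    return {"findings": ranked, "top10": ranked[:10],
            "counts": Counter(e["severity"] for e in ranked),
            # deployed agents with no report are a coverage gap to disclose
            "lost_coverage": [a for a in deployed if a not in reports]}

def executive_summary(result):
    """Render the top-10 list and any coverage gaps for the final report."""
    out = [f"{i}. [{e['severity'].upper()}] {e['file']}:{e['line']} {e['title']} "
           f"(raised by {len(e['agents'])} agent(s))"
           for i, e in enumerate(result["top10"], 1)]
    out += [f"- Lost coverage: {a} produced no report" for a in result["lost_coverage"]]
    return "\n".join(out)
```

In a real run the dicts would be loaded from the `audit-workspace/0N-*.md` files each agent wrote; passing the Phase 2 deployment list separately is what lets a silently failed agent show up as lost coverage rather than vanish.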

## Scaling

| Codebase Size | Estimated Duration | Agent Strategy |
|---------------|-------------------|----------------|
| < 10K lines | 15-30 minutes | All agents, single pass each |
| 10K - 50K lines | 30-90 minutes | All agents, thorough pass |
| 50K - 200K lines | 1-4 hours | All agents, may need sub-agents for Security and Code Quality |
| 200K - 500K lines | 4-8 hours | All agents spawn 2-3 sub-agents each to parallelize file review |
| 500K+ lines | 8-14 hours | Full sub-agent deployment with file-batch assignments per sub-agent |

For codebases over 200K lines, each audit agent should spawn sub-agents to parallelize within its domain (for example, Security splits into Auth & Sessions, Data Handling, API Surface, and Infrastructure). Each brief instructs agents to self-organize sub-agent deployment based on the size discovered during their audit.

## Error Handling

- **Agent failure**: retry the agent once with the same brief. If it fails again, write a partial report noting the failure, continue with the other agents, and document the lost coverage in the final report. Never let one agent block the others.
- **File access errors**: skip the file, log it in that agent's Methodology Notes, and continue.
- **Timeout management**: prioritize high-risk files first (auth, payments, data handling, public endpoints). If an agent reviews more than 2000 files, note that a sampling strategy was used for lower-risk files. The Commander compiles partial results if the window is closing.
- **Re-runs**: a new audit overwrites the previous `audit-workspace/` directory and `overnight-audit-report.md`. Suggest the user commit or copy prior results first.
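The timeout-management rule above (high-risk files first, sampling documented once an agent passes 2000 files) as an added example for this page, not the skill's own code. The path keywords that mark a file as auth, payments, data handling or public endpoint are assumptions; a real agent would tune them from the reconnaissance report.

```python
"""Order discovered files so high-risk code is reviewed first and, past the
2000-file threshold, switch lower-risk files to a documented sampling strategy.
Added example for this page; the risk keywords below are assumptions."""
import re

# Assumed markers for the page's high-risk categories. Lower score = reviewed earlier.
RISK_PATTERNS = [
    (0, re.compile(r"auth|login|session|token|oauth|password", re.I)),   # auth
    (1, re.compile(r"payment|billing|checkout|invoice", re.I)),          # payments
    (2, re.compile(r"db|sql|model|migration|serializ|upload|parser", re.I)),  # data
    (3, re.compile(r"api|route|controller|handler|endpoint|view", re.I)),  # endpoints
]
FULL_REVIEW_LIMIT = 2000  # the page's threshold for noting a sampling strategy

def risk_score(path):
    for score, pattern in RISK_PATTERNS:
        if pattern.search(path):
            return score
    return 4  # everything else is lower-risk

def plan_review(files, limit=FULL_REVIEW_LIMIT, sample_every=5):
    """Return (files reviewed in full, sampled lower-risk files, Methodology Note)."""
    ordered = sorted(files, key=lambda p: (risk_score(p), p))
    if len(ordered) <= limit:
        return ordered, [], None
    full, rest = ordered[:limit], ordered[limit:]
    # Deterministic every-Nth sample so the note states exactly what was skipped.
    sampled = rest[::sample_every]
    note = (f"Sampling strategy used: {len(full)} highest-risk files reviewed in full; "
            f"{len(sampled)} of {len(rest)} lower-risk files sampled "
            f"(every {sample_every}th by path order).")
    return full, sampled, note
```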

## Notes

- Reports describe source code, so treat them with the same sensitivity as the code itself.
- If `.gitignore` exists but does not list `audit-workspace/`, suggest adding it to prevent committing audit output.
