Context
- Current directory: !
pwd
- Project structure: !
ls -la
- TypeScript/JavaScript files: !
find . -type f \( -name "*.ts" -o -name "*.tsx" -o -name "*.js" -o -name "*.jsx" \) -not -path "*/node_modules/*" -not -path "*/dist/*" | head -20
- Package dependencies: !
[ -f package.json ] && cat package.json | grep -A 20 '"dependencies"'
Audit Scope
Audit Type: ${1:-full}
Target Path: ${2:-.}
Command Metadata
allowed-tools:
- Bash(find:*)
- Bash(grep:*)
- Bash(rg:*)
- Bash(ls:*)
- Read
- Write
- Edit
- Grep
- Glob
- Task
argument-hint: [audit-type=full|security|duplication|validation|zod] [path]
description: Audits codebase for Zod validation coverage, security gaps, and code quality issues
model: sonnet
Your Task
Perform a comprehensive codebase audit focusing on:
Phase 1: Security Analysis
- Identify ALL missing input validations, especially Zod schemas
- Find unvalidated API endpoints and form handlers
- Detect exposed secrets, API keys, or sensitive data
- Spot authentication/authorization gaps
- Check for common vulnerabilities (XSS, SQL injection, CSRF)
- Verify environment variable validation
Phase 2: Code Quality Assessment
- Find exact duplicates and near-duplicate code (>80% similarity)
- Identify dead code and unused exports
- Locate commented-out code blocks
- Spot orphaned files and abandoned features
- Detect inconsistent naming patterns
- Find magic numbers and hardcoded values
Phase 3: Validation Coverage
- Every user input MUST have Zod validation
- All API responses MUST be validated
- Database query results MUST have schemas
- File uploads MUST be sanitized
- Environment variables MUST use schemas
- Form submissions MUST validate all fields
Phase 4: Modernization Opportunities
- Identify legacy patterns needing updates
- Find opportunities for React/Next.js optimizations
- Detect outdated dependencies
- Spot over-engineered abstractions
- Locate performance bottlenecks
Deliverables
Provide a structured report with:
Critical Security Issues
- File paths and line numbers
- Specific vulnerability details
- Recommended fixes with code examples
- Priority: CRITICAL
Code Duplication Report
- Duplicated code blocks with locations
- Consolidation strategies
- Estimated lines of code reduction
- Priority: HIGH
Missing Validations
- Unvalidated endpoints/inputs
- Required Zod schemas
- Implementation examples
- Priority: CRITICAL
Modernization Recommendations
- Legacy patterns to update
- Modern alternatives
- Migration strategies
- Priority: MEDIUM
Metrics Summary
- Total files audited
- Security gaps identified
- Lines of duplicate code
- Missing validation schemas
- Estimated maintenance reduction %
Open-Source Considerations
This audit assumes an open-source production codebase:
- No security through obscurity
- All code is publicly visible
- Clear, auditable validation logic
- Explicit security boundaries
- Well-documented threat model
Installation
Create command directory:
mkdir -p .claude/commands
Create command file: audit-codebase.md in the commands directory
Copy the command content with YAML frontmatter format
Usage:
/audit-codebase - Execute the full audit
/audit-codebase security - Security-focused audit
/audit-codebase validation - Validation coverage check
Config Format: Markdown file with YAML frontmatter
Config Paths:
- Project:
.claude/commands/audit-codebase.md
- User:
~/.claude/commands/audit-codebase.md
Implementation Notes
When auditing:
- Start with high-risk areas (auth, API, forms)
- Use ripgrep for fast pattern matching
- Check all file extensions, not just .ts/.tsx
- Include configuration files in security scan
- Verify all external data sources have validation
Prioritize findings by:
- CRITICAL: Security vulnerabilities, missing validations
- HIGH: Major duplication, abandoned code
- MEDIUM: Modernization opportunities
- LOW: Style inconsistencies