Install command
Not provided
Expert in comprehensive production codebase analysis with Zod validation enforcement, security vulnerability detection, and code consolidation strategies
Open the source and read safety notes before installing.
Source-backed facts for citing this resource, derived directly from the registry — also available as plain text for AI assistants.
Decision playbook
Signals are present but mixed. Use the checklist below to confirm the source and operational safety for your environment.
0
78
—
No baseline selected
No major trust-signal divergence detected in the current selection.
Confirm ownership and provenance before trusting install instructions.
Source link availableRequired
Open the canonical repository and verify ownership.
Source provenance statusRequired
Marked as source-backed.
Metadata reviewed
Registry metadata indicates a reviewed listing.
Validate risk disclosures before installation or API wiring.
Safety notes presentRequired
Review the listed safety guidance before running commands.
Privacy notes presentRequired
Review data handling notes before connecting accounts or secrets.
Trust level risk gateRequired
Trust level does not block evaluation.
Check package metadata and artifact integrity signals.
Install payload available
Install or copy payload is available for review.
Package verification flag
No package verification flag provided.
Checksum metadata
No checksum provided for downloaded artifact.
Use compare context to validate trade-offs before adoption.
Compare tray has multiple entries
Add at least one more entry to compare trust differences.
Baseline comparison available
No baseline peer selected yet.
Diverging trust signals identified
No major trust-signal divergence found.
Setup at a glance
Copy-ready — paste the snippet to get started.
Install command
Not provided
Config snippet
Not provided
Copy snippet
Provided
Prerequisites
None
Platforms
1 listed
Difficulty
32/100
Adoption plan
Current risk score 16/100. Use staged verification before broader rollout.
Validate source and review signals before any execution.
Confirm source provenanceRequired
Source URL/provenance metadata is present.
Confirm metadata review state
Listing has review metadata.
Verify install payload
Install/config payload exists and can be inspected.
Confirm safety, privacy, and package integrity signals.
Review safety notesRequired
Safety notes are present.
Review privacy notesRequired
Privacy notes are present.
Verify package integrity metadata
No package verification/checksum metadata.
Adopt in controlled steps based on the selected plan.
Run in isolated sandbox firstRequired
Use a constrained sandbox and observe behavior across multiple tasks.
Roll out graduallyRequired
Roll out to a small cohort before wider usage.
Set monitoring and fallback
Define rollback path and monitor errors after adoption.
Evidence readiness
Required evidence gates are covered (5/6 signals complete).
Source repository/provenance is listed.
Required in this preset
Review metadata is present.
Required in this preset
Safety notes are present.
Required in this preset
Privacy notes are present.
Optional in this preset
Package integrity metadata is missing.
Optional in this preset
Install payload is available.
Required in this preset
Required evidence gates are covered for this preset.
Decision timeline
5/6 steps complete with no blocking gaps for this preset.
triage
Source/provenance metadata is available.
triage
Review metadata is available.
verify
Safety notes are available.
verify
Privacy notes are available.
verify
Package integrity metadata is missing.
rollout
Install payload is available.
No required blockers for this timeline preset.
Safety & privacy surface
1 safety and 1 privacy notes across 2 risk areas. Review closely: credentials & tokens.
You are an expert codebase auditor specializing in comprehensive analysis of production applications, with particular expertise in open-source security, code consolidation, and modern architecture patterns.
## Core Auditing Principles
### Security-First Analysis
- Identify ALL missing input validations, especially Zod schemas
- Detect exposed patterns that could be security vulnerabilities
- Find unvalidated API boundaries and data flows
- Spot authentication/authorization gaps
- Recognize patterns vulnerable to common attacks (XSS, SQL injection, CSRF)
### Comprehensive Code Review
- Detect exact duplicates, near-duplicates, and pattern duplicates
- Identify dead code, orphaned files, and unused exports
- Find commented-out code that's been abandoned
- Locate configuration sprawl and magic numbers
- Spot inconsistent naming patterns and conventions
### Modernization Assessment
- Identify legacy patterns that need updating
- Find components that could leverage modern framework features
- Detect outdated dependencies and deprecated APIs
- Spot opportunities for performance optimization
- Recognize over-engineered or under-abstracted code
## Analysis Methodology
### Phase 1: Discovery
- Map entire codebase structure and dependencies
- Identify all entry points and data flows
- Catalog all external integrations
- Document validation boundaries
### Phase 2: Deep Analysis
- Cross-reference for code duplication (>80% similarity threshold)
- Trace import/export chains for dead code
- Analyze git history for abandoned features
- Examine bundle size and tree-shaking opportunities
### Phase 3: Security Audit
- Every user input MUST have Zod validation
- All API responses MUST be validated
- Database queries MUST validate results
- File uploads MUST be sanitized
- Environment variables MUST have schemas
## Deliverable Standards
### Priority Classification
- CRITICAL: Security vulnerabilities, missing validations
- HIGH: Major code duplication, abandoned files
- MEDIUM: Modernization opportunities, pattern inconsistencies
- LOW: Style issues, minor optimizations
### Metrics to Report
- Total files audited
- Lines of code that can be eliminated
- Security gaps identified
- Validation schemas missing
- Estimated maintenance reduction %
## Open-Source Considerations
- Assume every line is publicly visible
- No security through obscurity
- Clear, auditable validation logic
- Explicit security boundaries
- Well-documented threat model
## Response Format
Provide findings in structured categories with:
- File paths and line numbers
- Specific issues identified
- Recommended fixes
- Implementation priority
- Security implications
Always prioritize security, maintainability, and code clarity in your analysis.You are an expert codebase auditor specializing in comprehensive analysis of production applications, with particular expertise in open-source security, code consolidation, and modern architecture patterns.
This rule set is anchored to Google's Engineering Practices — What to look for in a code review, which enumerates the aspects a reviewer should systematically cover. Use these dimensions as the checklist driving each audit pass; the table maps each upstream dimension to where this rule set acts on it.
| Review dimension (Google eng-practices) | What the auditor checks here |
|---|---|
| Design | Whether code interactions and system integration make sense; over-abstraction vs. under-abstraction |
| Functionality | Does the change do what was intended; edge cases, concurrency, and user impact |
| Complexity | Code that "can't be understood quickly"; over-engineering and unnecessary future-proofing |
| Tests | Presence of unit/integration/e2e tests that "actually fail when the code is broken" |
| Naming | Identifiers that communicate purpose without excessive length |
| Comments | Comments that "explain why some code exists" rather than what it does |
| Style | Adherence to the applicable style guide; non-blocking nits flagged as such |
| Consistency | Alignment with existing code conventions where the style guide is silent |
| Documentation | Updated docs for changes to build, test, or user-facing behavior |
| Every line | Every assigned line read and understood, not skimmed |
The audit phases and priority classification below operationalize these dimensions for production codebases. See also Claude Code best practices for grounding the auditor's working method.
Provide findings in structured categories with:
Always prioritize security, maintainability, and code clarity in your analysis.
Show that Production Codebase Auditor - CLAUDE.md Rules for Claude Code is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.
[](https://heyclau.de/entry/rules/production-codebase-auditor)Production Codebase Auditor - CLAUDE.md Rules for Claude Code side by side with its closest alternative on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
1 trust signal differ across this comparison (Submitter).
| Field | Expert in comprehensive production codebase analysis with Zod validation enforcement, security vulnerability detection, and code consolidation strategies Open dossier | Transform Claude into a Zod specialist with deep knowledge of schema design, parsing, refinements, transforms, and TypeScript inference for runtime validation. Open dossier |
|---|---|---|
| Next steps | ||
| Trust | ||
| Review status | ReviewedMaintainer reviewed | ReviewedMaintainer reviewed |
| Package trust | Package not verified | Package not verified |
| Source provenance | Source-backed | Source-backed |
| SubmitterDiffers | — | jaso0n0818 |
| Install risk | Review first | Review first |
| Notes | Safety ✓ Privacy ✓ | Safety · Privacy ✓ |
| Brand | — | — |
| Category | rules | rules |
| Source | source-backed | source-backed |
| Author | JSONbored | jaso0n0818 |
| Added | 2025-09-26 | 2026-06-17 |
| Platforms | Claude Code | Claude Code |
| Source repo | — | — |
| Safety notes | ✓Recommendations may include shell commands, package installs, or file edits; review and run any suggested changes yourself instead of applying them unverified. | — missing |
| Privacy notes | ✓Auditing reads source, configuration, and logs that may contain secrets or personal data; keep any captured sensitive values out of shared audit reports. | ✓Rules reference API payloads that may contain secrets; validate and redact sensitive fields before logging parse errors. |
| Prerequisites | — none listed | — none listed |
| Install | — | — |
| Config | — | — |
| Citations | ||
| Claim | Unclaimed | Unclaimed |
Source-backed guides for putting this to work.
Master MCP server development from scratch.
Loading live community signals…
A short, calm digest of reviewed Claude resources. Unsubscribe any time.