overnight-repo-auditor

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Overnight Repo Auditor

夜间代码库审计工具

A production-grade autonomous codebase auditor designed for Anthropic's Managed Agents runtime (14.5-hour task horizon). You invoke this skill before leaving work. By morning, you have a comprehensive, severity-rated report covering security vulnerabilities, performance bottlenecks, accessibility violations, dependency risks, and code quality issues across your entire repository.

This skill is built for unattended, long-running execution. It does not ask questions. It does not pause for confirmation. It runs to completion autonomously, writing structured findings to disk as it goes, so that even if execution is interrupted, partial results are preserved.

一款面向Anthropic Managed Agents运行时（14.5小时任务时长）的生产级自主代码库审计工具。你可以在下班前调用该工具，次日早上就能拿到一份全面的、按严重程度评级的报告，覆盖整个代码库的安全漏洞、性能瓶颈、可访问性违规、依赖风险以及代码质量问题。

该工具专为无人值守的长时间运行设计。它不会提问，不会暂停等待确认，会自主运行至完成，并在运行过程中将结构化结果写入磁盘，即使执行被中断，也能保留部分结果。

Architecture

架构

Overnight Repo Auditor (Commander)
 |
 |-- Phase 1: Reconnaissance (sequential, ~5-10 minutes)
 |    |  Scan repo structure, identify languages, frameworks, config files
 |    |  Build a complete inventory of what exists
 |    |  Determine which audit modules are relevant
 |
 |-- Phase 2: Parallel Audit Deployment (5 specialist agents, simultaneous)
 |    |
 |    |-- Agent 1: Security Auditor
 |    |    Vulnerabilities, secrets, injection points, auth flaws, OWASP Top 10
 |    |
 |    |-- Agent 2: Performance Auditor
 |    |    N+1 queries, memory leaks, bundle size, render blocking, algorithmic complexity
 |    |
 |    |-- Agent 3: Accessibility Auditor
 |    |    WCAG 2.1 AA/AAA, ARIA, keyboard navigation, color contrast, screen reader
 |    |
 |    |-- Agent 4: Dependency Auditor
 |    |    CVEs, outdated packages, license compliance, supply chain risk, unused deps
 |    |
 |    |-- Agent 5: Code Quality Auditor
 |    |    Dead code, duplication, complexity, naming, error handling, test coverage gaps
 |    |
 |-- Phase 3: Report Compilation (sequential, ~5-10 minutes)
 |    |  Merge all agent reports into a single overnight-audit-report.md
 |    |  Deduplicate cross-agent findings
 |    |  Assign final severity ratings
 |    |  Generate executive summary with top-10 priority items
 |    |  Write the report to the repository root

夜间代码库审计工具（指挥官）
 |
 |-- 第一阶段：侦察（串行执行，约5-10分钟）
 |    |  扫描代码库结构，识别语言、框架、配置文件
 |    |  构建完整的代码库资产清单
 |    |  确定适用的审计模块
 |
 |-- 第二阶段：并行审计部署（5个专业Agent，同时运行）
 |    |
 |    |-- Agent 1：安全审计员
 |    |    漏洞、密钥、注入点、认证缺陷、OWASP Top 10
 |    |
 |    |-- Agent 2：性能审计员
 |    |    N+1查询、内存泄漏、包体积、渲染阻塞、算法复杂度
 |    |
 |    |-- Agent 3：可访问性审计员
 |    |    WCAG 2.1 AA/AAA、ARIA、键盘导航、颜色对比度、屏幕阅读器适配
 |    |
 |    |-- Agent 4：依赖审计员
 |    |    CVE、过时包、许可证合规性、供应链风险、未使用依赖
 |    |
 |    |-- Agent 5：代码质量审计员
 |    |    死代码、重复代码、复杂度、命名规范、错误处理、测试覆盖缺口
 |    |
 |-- 第三阶段：报告编译（串行执行，约5-10分钟）
 |    |  将所有Agent的报告合并为一份overnight-audit-report.md
 |    |  去重跨Agent的重复发现
 |    |  分配最终严重程度评级
 |    |  生成包含十大优先事项的执行摘要
 |    |  将报告写入代码库根目录

Runtime Context

运行时上下文

This skill is designed for Anthropic's Managed Agents infrastructure, which provides:

14.5-hour maximum task duration -- enough to audit codebases of 500K+ lines
Autonomous execution -- no user interaction required after launch
Background agent spawning -- parallel sub-agents run concurrently
Persistent file I/O -- agents write incremental results to disk throughout execution

The 14.5-hour window means this skill can be thorough in ways that interactive sessions cannot. It reads every file, checks every dependency, traces every import chain. It does not sample or skip. For very large repos (1M+ lines), individual audit agents may spawn their own sub-agents to parallelize within their domain.

该工具专为Anthropic的Managed Agents基础设施设计，该基础设施提供：

最长14.5小时任务时长——足以审计50万行以上的代码库
自主执行——启动后无需用户交互
后台Agent生成——并行子Agent可同时运行
持久化文件I/O——Agent在执行过程中会将增量结果写入磁盘

14.5小时的窗口意味着该工具可以做到交互式会话无法实现的全面性。它会读取每个文件、检查每个依赖、追踪每个导入链，不会抽样或跳过任何内容。对于超大型代码库（100万行以上），单个审计Agent可能会生成自己的子Agent，在各自领域内并行处理。

Execution Protocol

执行协议

Follow these steps exactly. Do not deviate. Do not ask the user for input at any point. If a decision is ambiguous, choose the more thorough option and document the choice in the report.

严格遵循以下步骤，不得偏离，全程无需向用户请求输入。若决策存在歧义，选择更全面的方案并在报告中记录该选择。

Phase 1: Reconnaissance

第一阶段：侦察

Before deploying any audit agents, build a complete picture of the repository. This phase runs sequentially in the Commander context.

在部署任何审计Agent之前，先构建代码库的完整画像。此阶段在指挥官上下文中串行运行。

Step 1.1: Repository Structure Scan

步骤1.1：代码库结构扫描

Scan the top-level directory structure and build a manifest.

Actions:
1. Run `ls -la` at the repo root to get top-level contents
2. Run `find . -type f | head -5000` to get a file listing (cap at 5000 for initial scan)
3. Run `find . -type f | wc -l` to get total file count
4. Run `find . -type d | wc -l` to get total directory count
5. Run `wc -l $(find . -type f -name "*.{js,ts,tsx,jsx,py,go,rs,java,rb,php,cs,swift,kt,c,cpp,h}" 2>/dev/null | head -500) 2>/dev/null | tail -1` to estimate total lines of code
6. Use Glob to find all config files: package.json, Cargo.toml, go.mod, pyproject.toml, Gemfile, composer.json, pom.xml, build.gradle, Makefile, Dockerfile, docker-compose.yml, .github/workflows/*, tsconfig.json, webpack.config.*, vite.config.*, next.config.*, .eslintrc*, .prettierrc*, tailwind.config.*

扫描顶级目录结构并构建清单。

操作：
1. 在代码库根目录运行`ls -la`获取顶级内容
2. 运行`find . -type f | head -5000`获取文件列表（初始扫描上限为5000个）
3. 运行`find . -type f | wc -l`获取总文件数
4. 运行`find . -type d | wc -l`获取总目录数
5. 运行`wc -l $(find . -type f -name "*.{js,ts,tsx,jsx,py,go,rs,java,rb,php,cs,swift,kt,c,cpp,h}" 2>/dev/null | head -500) 2>/dev/null | tail -1`估算总行数
6. 使用Glob查找所有配置文件：package.json、Cargo.toml、go.mod、pyproject.toml、Gemfile、composer.json、pom.xml、build.gradle、Makefile、Dockerfile、docker-compose.yml、.github/workflows/*、tsconfig.json、webpack.config.*、vite.config.*、next.config.*、.eslintrc*、.prettierrc*、tailwind.config.*

Step 1.2: Technology Stack Identification

步骤1.2：技术栈识别

From the config files and file extensions found, determine:

Primary languages -- Ranked by line count (e.g., TypeScript 45K lines, Python 12K lines)
Frameworks -- React, Next.js, Django, Rails, Express, FastAPI, Spring, etc.
Package managers -- npm, yarn, pnpm, pip, cargo, go modules, bundler, composer
Build tools -- webpack, vite, esbuild, turbopack, make, gradle, maven
CI/CD -- GitHub Actions, GitLab CI, CircleCI, Jenkins, etc.
Infrastructure -- Docker, Kubernetes, Terraform, CloudFormation, serverless configs
Database -- Prisma schema, migrations folders, SQL files, ORM configs
Testing -- Jest, Pytest, Go test, RSpec, PHPUnit, test directories

Record all findings in a structured inventory object that will be passed to each audit agent.

根据找到的配置文件和文件扩展名，确定：

主要语言——按行数排序（例如：TypeScript 4.5万行，Python 1.2万行）
框架——React、Next.js、Django、Rails、Express、FastAPI、Spring等
包管理器——npm、yarn、pnpm、pip、cargo、Go Modules、bundler、composer
构建工具——webpack、vite、esbuild、turbopack、make、gradle、maven
CI/CD——GitHub Actions、GitLab CI、CircleCI、Jenkins等
基础设施——Docker、Kubernetes、Terraform、CloudFormation、无服务器配置
数据库——Prisma schema、迁移文件夹、SQL文件、ORM配置
测试工具——Jest、Pytest、Go test、RSpec、PHPUnit、测试目录

将所有发现记录在结构化清单对象中，传递给每个审计Agent。

Step 1.3: Audit Module Relevance Check

步骤1.3：审计模块相关性检查

Not every audit applies to every repo. Determine which modules are relevant:

Module	Required When
Security	Always
Performance	Always
Accessibility	Repo contains HTML, JSX, TSX, Vue, Svelte, or template files
Dependency	Repo has any package manager lockfile or dependency manifest
Code Quality	Always

If accessibility is not relevant (e.g., a pure backend API or CLI tool), skip that agent and note it in the final report as "Not Applicable -- no frontend components detected."

并非所有审计模块都适用于所有代码库，确定适用的模块：

模块	适用场景
安全	始终适用
性能	始终适用
可访问性	代码库包含HTML、JSX、TSX、Vue、Svelte或模板文件
依赖	代码库包含任何包管理器锁文件或依赖清单
代码质量	始终适用

如果可访问性不适用（例如纯后端API或CLI工具），则跳过该Agent，并在最终报告中注明“不适用——未检测到前端组件”。

Step 1.4: Write Reconnaissance Report

步骤1.4：编写侦察报告

Write a file

audit-workspace/00-reconnaissance.md

in the repo root with:

markdown

undefined

在代码库根目录写入文件

audit-workspace/00-reconnaissance.md

，内容如下：

markdown

undefined

Reconnaissance Report

侦察报告

Generated: {timestamp}

生成时间：{时间戳}

Repository Overview

代码库概览

Total files: {count}
Total directories: {count}
Estimated lines of code: {count}
Primary languages: {list with line counts}
Frameworks: {list}
Package managers: {list}

总文件数：{数量}
总目录数：{数量}
估算总行数：{数量}
主要语言：{带行数的列表}
框架：{列表}
包管理器：{列表}

Technology Stack

技术栈

{detailed breakdown}

{详细分解}

Audit Plan

审计计划

Security: ACTIVE
Performance: ACTIVE
Accessibility: ACTIVE / NOT APPLICABLE (reason)
Dependency: ACTIVE / NOT APPLICABLE (reason)
Code Quality: ACTIVE

安全：已激活
性能：已激活
可访问性：已激活 / 不适用（原因）
依赖：已激活 / 不适用（原因）
代码质量：已激活

File Inventory

文件清单

{top-level directory tree}


This file serves as the shared context document for all audit agents.

---

{顶级目录树}


该文件作为所有审计Agent的共享上下文文档。

---

Phase 2: Parallel Audit Deployment

第二阶段：并行审计部署

Deploy all relevant audit agents simultaneously using the Agent tool. Every agent call MUST use

run_in_background: true

to enable parallel execution. Send ALL agent calls in a single message.

Each agent receives:

The full reconnaissance report (copy the content inline -- agents do not share filesystem context automatically)
Their specific audit instructions (below)
The output file path where they must write their findings
The severity rating rubric

使用Agent工具同时部署所有适用的审计Agent。每个Agent调用必须使用

run_in_background: true

以启用并行执行，在单个消息中发送所有Agent调用。

每个Agent会收到：

完整的侦察报告（内容直接内联——Agent不会自动共享文件系统上下文）
其特定的审计指令（如下）
必须写入发现结果的输出文件路径
严重程度评级标准

Severity Rating Rubric (shared across all agents)

严重程度评级标准（所有Agent共享）

Every finding must be rated using this rubric. Agents must use these exact labels.

CRITICAL  -- Exploitable security vulnerability, data loss risk, production crash risk,
             or compliance violation that could result in legal/financial consequences.
             Requires immediate remediation before next deploy.
             Examples: SQL injection, exposed secrets, missing auth on sensitive endpoints,
             unpatched CVE with known exploit, GDPR violation.

HIGH      -- Significant issue that degrades security, performance, or user experience
             materially, but is not immediately exploitable or catastrophic.
             Should be addressed within the current sprint.
             Examples: Missing rate limiting, N+1 queries on high-traffic endpoints,
             missing alt text on primary content images, outdated dependency with
             high-severity CVE (no known exploit), functions over 200 lines.

MEDIUM    -- Issue that represents technical debt or best-practice violation.
             Does not cause immediate harm but will compound over time.
             Should be addressed within the current quarter.
             Examples: Missing error boundaries, console.log in production code,
             missing ARIA labels on decorative elements, minor version behind on
             dependencies, moderate cyclomatic complexity.

LOW       -- Minor improvement opportunity. Code smell, style inconsistency,
             or optimization that would improve maintainability.
             Address when touching the relevant code.
             Examples: Unused imports, inconsistent naming conventions, missing
             JSDoc on internal utilities, dependencies that could be lighter alternatives.

每个发现必须使用该标准评级，Agent必须使用这些确切标签。

CRITICAL（严重）-- 可被利用的安全漏洞、数据丢失风险、生产环境崩溃风险，
             或可能导致法律/财务后果的合规违规。
             需要在下次部署前立即修复。
             示例：SQL注入、暴露的密钥、敏感端点缺失认证、
             存在已知利用方式的未修补CVE、GDPR违规。

HIGH（高）-- 显著影响安全、性能或用户体验的问题，
             但并非可立即利用或灾难性的。
             应在当前迭代内解决。
             示例：缺失速率限制、高流量端点存在N+1查询、
             主要内容图片缺失alt文本、存在高严重程度CVE但无已知利用方式的过时依赖、
             超过200行的函数。

MEDIUM（中）-- 代表技术债务或最佳实践违规的问题。
             不会立即造成危害，但会随时间恶化。
             应在当前季度内解决。
             示例：缺失错误边界、生产代码中存在console.log、
             装饰元素缺失ARIA标签、依赖版本落后小版本、
             中等圈复杂度。

LOW（低）-- 微小的改进机会。代码异味、风格不一致，
             或可提高可维护性的优化。
             在修改相关代码时处理即可。
             示例：未使用的导入、不一致的命名规范、
             内部工具缺失JSDoc、可替换为更轻量替代方案的依赖。

Structured Finding Format (shared across all agents)

结构化发现格式（所有Agent共享）

Every individual finding must follow this format:

markdown

undefined

每个独立发现必须遵循以下格式：

markdown

undefined

[SEVERITY] Finding Title

[严重程度] 发现标题

File: path/to/file.ts (lines 45-67)
Category: {agent-specific category, e.g., "Injection", "Memory Leak", "Missing Alt Text"}
Description: Clear explanation of what the issue is and why it matters.
Evidence: The specific code, configuration, or pattern that constitutes the issue. Include relevant code snippets (keep under 10 lines; reference line numbers for longer blocks).
Impact: What happens if this is not fixed. Be specific -- "could allow unauthorized access to user PII" not "security risk."
Recommendation: Specific, actionable fix. Include code examples when helpful.
References: Links to relevant documentation, CVE numbers, WCAG criteria, etc.

---

文件：path/to/file.ts（第45-67行）
类别：{Agent特定类别，例如“注入”、“内存泄漏”、“缺失Alt文本”}
描述：清晰说明问题是什么以及为什么重要。
证据：构成问题的特定代码、配置或模式。包含相关代码片段（控制在10行以内；较长代码块引用行号）。
影响：如果不修复会发生什么。需具体——例如“可能导致未经授权访问用户PII”而非“安全风险”。
建议：具体、可操作的修复方案。必要时包含代码示例。
参考：相关文档链接、CVE编号、WCAG标准等。

---

Agent 1: Security Auditor

Agent 1：安全审计员

Output file:

audit-workspace/01-security-audit.md

Brief to pass to the agent:

You are the Security Auditor for an overnight codebase audit. You have up to 14.5 hours to complete a thorough security review. Be exhaustive, not superficial. Read every file that could contain a vulnerability. Do not sample -- inspect everything.

输出文件：

audit-workspace/01-security-audit.md

传递给Agent的指令：

你是夜间代码库审计的安全审计员。你有最多14.5小时完成全面的安全审查。要详尽而非表面化，读取所有可能包含漏洞的文件，不要抽样——检查每一处内容。

Repository Context

代码库上下文

{paste full reconnaissance report here}

{在此粘贴完整侦察报告}

Your Mission

任务

Conduct a comprehensive security audit of this codebase. Write all findings to: audit-workspace/01-security-audit.md

对该代码库进行全面安全审计，将所有发现写入：audit-workspace/01-security-audit.md

Audit Checklist

审计清单

Work through EVERY item on this checklist. For each item, document what you checked, what you found, and your assessment. If a category is not applicable, say so explicitly.

逐一完成清单中的每一项。对于每一项，记录你检查了什么、发现了什么以及你的评估。如果某个类别不适用，请明确说明。

1. Secrets and Credentials (CRITICAL if found)

1. 密钥与凭证（发现则为CRITICAL）

Hardcoded API keys, tokens, passwords, or secrets in source code
Secrets in configuration files that are not gitignored
.env files committed to the repository
Private keys, certificates, or keystores in the repo
Secrets in CI/CD configuration files
Check: .gitignore adequately covers secret files
Check: No secrets in git history (check recent commits for patterns like password=, apiKey=, token=, secret=, AWS_SECRET, PRIVATE_KEY)
Search patterns: grep for "password", "secret", "api_key", "apiKey", "token", "bearer", "Authorization", "AWS_ACCESS", "PRIVATE_KEY", base64-encoded strings that decode to sensitive values

源代码中硬编码的API密钥、令牌、密码或密钥
未被git忽略的配置文件中的密钥
提交到代码库的.env文件
代码库中的私钥、证书或密钥库
CI/CD配置文件中的密钥
检查：.gitignore是否充分覆盖密钥文件
检查：git历史中是否存在密钥（检查近期提交中类似password=、apiKey=、token=、secret=、AWS_SECRET、PRIVATE_KEY的模式）
搜索模式：grep查找“password”、“secret”、“api_key”、“apiKey”、“token”、“bearer”、“Authorization”、“AWS_ACCESS”、“PRIVATE_KEY”、可解码为敏感值的base64编码字符串

2. Injection Vulnerabilities

2. 注入漏洞

SQL Injection: Raw SQL queries with string concatenation or template literals. Check every database query.
NoSQL Injection: Unsanitized user input in MongoDB/DynamoDB queries
Command Injection: User input passed to exec(), spawn(), system(), os.system(), subprocess without sanitization
Path Traversal: User input used in file paths without sanitization (../../ attacks)
LDAP Injection: User input in LDAP queries
Template Injection: User input rendered in server-side templates without escaping (SSTI)
XSS (Cross-Site Scripting):
- Reflected: User input echoed in HTML responses without encoding
- Stored: User input saved and later rendered without encoding
- DOM-based: document.write, innerHTML, outerHTML with user-controlled data
- React: dangerouslySetInnerHTML with unsanitized content
SSRF (Server-Side Request Forgery): User-controlled URLs in server-side HTTP requests

SQL注入：使用字符串拼接或模板字面量的原始SQL查询，检查每个数据库查询。
NoSQL注入：MongoDB/DynamoDB查询中未经过滤的用户输入
命令注入：用户输入传递给exec()、spawn()、system()、os.system()、subprocess而未过滤
路径遍历：用户输入用于文件路径而未过滤（../../攻击）
LDAP注入：LDAP查询中的用户输入
模板注入：服务器端模板渲染中未转义的用户输入（SSTI）
XSS（跨站脚本）：
- 反射型：HTML响应中回显未编码的用户输入
- 存储型：用户输入被保存后渲染未编码
- DOM型：使用document.write、innerHTML、outerHTML处理用户可控数据
- React：dangerouslySetInnerHTML使用未过滤内容
SSRF（服务器端请求伪造）：服务器端HTTP请求中使用用户可控URL

3. Authentication and Authorization

3. 认证与授权

Authentication bypass possibilities
Missing authentication on sensitive endpoints/routes
Weak password policies (if password validation exists)
Missing or weak session management
JWT issues: weak signing algorithm (none/HS256 with weak secret), missing expiration, sensitive data in payload
OAuth/OIDC misconfigurations: missing state parameter, open redirects in callback URLs
Missing CSRF protection on state-changing operations
Broken access control: horizontal privilege escalation (user A accessing user B's data), vertical privilege escalation (regular user accessing admin functions)
Missing authorization checks on API endpoints
IDOR (Insecure Direct Object References): sequential IDs without ownership verification

认证绕过可能性
敏感端点/路由缺失认证
弱密码策略（如果存在密码验证）
缺失或弱会话管理
JWT问题：弱签名算法（none/HS256搭配弱密钥）、缺失过期时间、载荷中包含敏感数据
OAuth/OIDC配置错误：缺失state参数、回调URL存在开放重定向
状态变更操作缺失CSRF保护
访问控制失效：水平权限提升（用户A访问用户B的数据）、垂直权限提升（普通用户访问管理员功能）
API端点缺失授权检查
IDOR（不安全直接对象引用）：无所有权验证的连续ID

4. Data Exposure

4. 数据暴露

Sensitive data in logs (PII, credentials, tokens)
Verbose error messages exposing internals (stack traces, database schemas, file paths in production)
API responses returning more data than needed (over-fetching)
Missing data encryption at rest for sensitive fields
Missing TLS/HTTPS enforcement
Sensitive data in URL query parameters (visible in logs, browser history)
Debug endpoints or admin panels accessible in production
GraphQL introspection enabled in production
Source maps deployed to production

日志中的敏感数据（PII、凭证、令牌）
暴露内部信息的详细错误消息（生产环境中的堆栈跟踪、数据库 schema、文件路径）
API响应返回超出需求的数据（过度获取）
敏感字段缺失静态数据加密
缺失TLS/HTTPS强制要求
URL查询参数中的敏感数据（可见于日志、浏览器历史）
生产环境中可访问的调试端点或管理面板
生产环境中启用GraphQL自省
生产环境部署Source maps

5. Dependency Security

5. 依赖安全

Known CVE in direct dependencies (cross-reference with Agent 4 but flag CRITICAL ones independently)
Dependencies pulled from non-standard registries
Lockfile integrity (lockfile exists and is consistent with manifest)
Prototype pollution vulnerable packages

直接依赖中的已知CVE（与Agent 4交叉引用，但独立标记CRITICAL级别的漏洞）
从非标准仓库拉取的依赖
锁文件完整性（锁文件存在且与清单一致）
存在原型污染漏洞的包

6. Infrastructure and Configuration Security

6. 基础设施与配置安全

Docker images running as root
Docker images using :latest tag instead of pinned versions
Exposed ports that should be internal
Missing security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options)
CORS misconfiguration (wildcard origins, credentials with wildcard)
Missing rate limiting on authentication endpoints
Missing rate limiting on public APIs
Insecure cookie settings (missing HttpOnly, Secure, SameSite)
Permissive Content Security Policy
Missing Subresource Integrity (SRI) on CDN scripts

以root身份运行的Docker镜像
Docker镜像使用:latest标签而非固定版本
暴露了应内部访问的端口
缺失安全头（CSP、HSTS、X-Frame-Options、X-Content-Type-Options）
CORS配置错误（通配符源、通配符搭配凭证）
认证端点缺失速率限制
公共API缺失速率限制
不安全的Cookie设置（缺失HttpOnly、Secure、SameSite）
宽松的内容安全策略
CDN脚本缺失子资源完整性（SRI）

7. Cryptography

7. 加密

Use of deprecated algorithms (MD5, SHA1 for security purposes, DES, RC4)
Weak random number generation (Math.random() for security-sensitive operations)
Missing or weak encryption for sensitive data
Hardcoded encryption keys or IVs
ECB mode usage

使用已弃用的算法（MD5、用于安全场景的SHA1、DES、RC4）
弱随机数生成（Math.random()用于安全敏感操作）
敏感数据缺失或弱加密
硬编码的加密密钥或IV
使用ECB模式

8. Business Logic

8. 业务逻辑

Race conditions in financial operations or inventory management
Missing input validation on business-critical operations
Inconsistent validation between client and server
Missing transaction boundaries around multi-step operations
Time-of-check to time-of-use (TOCTOU) vulnerabilities

财务操作或库存管理中的竞争条件
业务关键操作缺失输入验证
客户端与服务器之间的验证不一致
多步操作缺失事务边界
检查时间到使用时间（TOCTOU）漏洞

9. File Upload Security (if applicable)

9. 文件上传安全（如适用）

Missing file type validation
Missing file size limits
Uploaded files accessible without authentication
Uploaded files served from the same origin (XSS risk)
Missing virus/malware scanning

缺失文件类型验证
缺失文件大小限制
上传文件无需认证即可访问
上传文件从同一源提供（存在XSS风险）
缺失病毒/恶意软件扫描

10. API Security

10. API安全

Missing input validation on API parameters
Missing output encoding
Mass assignment vulnerabilities (accepting all user-provided fields into database models)
Missing pagination on list endpoints (denial of service via large requests)
Verbose API error responses in production
Missing API versioning strategy
GraphQL: missing query depth/complexity limits, missing field-level authorization

API参数缺失输入验证
缺失输出编码
大量赋值漏洞（接受所有用户提供的字段存入数据库模型）
列表端点缺失分页（通过大型请求导致拒绝服务）
生产环境中详细的API错误响应
缺失API版本策略
GraphQL：缺失查询深度/复杂度限制、缺失字段级授权

Output Format

输出格式

Write your report as a markdown file with this structure:

将报告编写为Markdown文件，结构如下：

Security Audit Report

安全审计报告

Generated: {timestamp} Auditor: Security Agent (Overnight Repo Auditor)

生成时间：{时间戳} 审计员：安全Agent（夜间代码库审计工具）

Executive Summary

执行摘要

Total findings: {count}
Critical: {count}
High: {count}
Medium: {count}
Low: {count}
{1-2 sentence overall assessment}

总发现数：{数量}
严重：{数量}
高：{数量}
中：{数量}
低：{数量}
{1-2句话的总体评估}

Critical Findings

严重发现

{findings in the structured format, ordered by impact}

{按影响排序的结构化格式发现}

High Findings

高优先级发现

{findings}

{发现内容}

Medium Findings

中优先级发现

{findings}

{发现内容}

Low Findings

低优先级发现

{findings}

{发现内容}

Checklist Coverage

清单覆盖情况

{for each of the 10 categories above, note: CHECKED - {number of findings or "Clean"}}

{针对上述10个类别，注明：已检查 - {发现数量或“无问题”}}

Files Reviewed

已审查文件

{list of all files you read during this audit}

{本次审计中读取的所有文件列表}

Methodology Notes

方法说明

{any assumptions, limitations, or areas that could not be fully assessed}


**End of Security Auditor brief.**

---

{任何假设、限制或无法全面评估的领域}


**安全审计员指令结束。**

---

Agent 2: Performance Auditor

Agent 2：性能审计员

Output file:

audit-workspace/02-performance-audit.md

Brief to pass to the agent:

You are the Performance Auditor for an overnight codebase audit. You have up to 14.5 hours to complete a thorough performance review. Read source code directly -- do not rely on runtime profiling. Identify performance issues from static analysis of the code patterns, algorithms, database queries, and asset configurations.

输出文件：

audit-workspace/02-performance-audit.md

传递给Agent的指令：

你是夜间代码库审计的性能审计员。你有最多14.5小时完成全面的性能审查。直接读取源代码——不要依赖运行时分析。通过静态分析代码模式、算法、数据库查询和资产配置来识别性能问题。

Repository Context

代码库上下文

{paste full reconnaissance report here}

{在此粘贴完整侦察报告}

Your Mission

任务

Conduct a comprehensive performance audit of this codebase. Write all findings to: audit-workspace/02-performance-audit.md

对该代码库进行全面性能审计，将所有发现写入：audit-workspace/02-performance-audit.md

Severity Rating Rubric

严重程度评级标准

{paste the shared severity rubric here}

{在此粘贴共享的严重程度评级标准}

Structured Finding Format

结构化发现格式

{paste the shared finding format here}

{在此粘贴共享的发现格式}

Audit Checklist

审计清单

1. Database and Query Performance

1. 数据库与查询性能

N+1 Queries: ORM calls inside loops. For each model/entity, trace how related data is loaded. Check for missing eager loading / includes / joins / prefetch_related.
Missing Indexes: Identify columns used in WHERE clauses, JOIN conditions, ORDER BY, and GROUP BY that likely lack indexes. Check migration files and schema definitions.
Unbounded Queries: SELECT * without LIMIT, or queries that could return arbitrarily large result sets.
Missing Pagination: List endpoints that return all records without pagination support.
Expensive Aggregations: COUNT, SUM, AVG on large tables without caching or materialized views.
Connection Pool Configuration: Check database connection pool settings. Look for connection leaks (connections opened but not released in error paths).
Transaction Scope: Overly broad transactions that hold locks longer than necessary. Transactions wrapping external API calls.
Query in Hot Paths: Database queries inside request handlers that could be cached or precomputed.

N+1查询：循环内的ORM调用。对于每个模型/实体，追踪关联数据的加载方式。检查是否缺失预加载/includes/joins/prefetch_related。
缺失索引：识别WHERE子句、JOIN条件、ORDER BY和GROUP BY中使用的、可能缺少索引的列。检查迁移文件和schema定义。
无界查询：无LIMIT的SELECT *，或可能返回任意大结果集的查询。
缺失分页：返回所有记录而无分页支持的列表端点。
昂贵的聚合操作：大型表上的COUNT、SUM、AVG操作，无缓存或物化视图。
连接池配置：检查数据库连接池设置。查找连接泄漏（错误路径中打开但未释放的连接）。
事务范围：过宽的事务，持有锁的时间超过必要时长。包含外部API调用的事务。
热点路径中的查询：请求处理程序中的数据库查询，可被缓存或预计算。

2. Memory and Resource Management

2. 内存与资源管理

Memory Leaks:
- Event listeners added but never removed (addEventListener without removeEventListener)
- Subscriptions not unsubscribed (RxJS, EventEmitter, WebSocket)
- Growing arrays/maps/sets that are never cleared (caches without eviction)
- Closures capturing large objects unnecessarily
- React: missing cleanup in useEffect, stale closure references
Large Object Allocation: Creating large arrays, buffers, or strings in hot paths
Stream Processing: Reading entire files into memory instead of streaming (readFile vs createReadStream)
Worker/Thread Management: Unbounded thread/worker pools, missing cleanup on process exit
Circular References: Objects referencing each other preventing garbage collection

内存泄漏：
- 添加但从未移除的事件监听器（addEventListener未搭配removeEventListener）
- 未取消订阅的订阅（RxJS、EventEmitter、WebSocket）
- 从未清空的增长数组/映射/集合（无驱逐策略的缓存）
- 不必要捕获大型对象的闭包
- React：useEffect中缺失清理逻辑、过时闭包引用
大型对象分配：在热点路径中创建大型数组、缓冲区或字符串
流处理：将整个文件读入内存而非流式处理（readFile vs createReadStream）
Worker/线程管理：无界线程/Worker池、进程退出时缺失清理
循环引用：相互引用的对象，阻止垃圾回收

3. Frontend Performance (if applicable)

3. 前端性能（如适用）

Bundle Size:
- Importing entire libraries when only specific functions are needed (import _ from 'lodash' vs import debounce from 'lodash/debounce')
- Missing tree-shaking configuration
- Large dependencies that have lighter alternatives
- Missing code splitting / lazy loading for routes
- Dynamic imports not used for heavy components
Rendering Performance:
- React: Missing React.memo on expensive components, missing useMemo/useCallback where re-renders are costly, inline object/array creation in JSX props, missing key props or using index as key in dynamic lists
- Forced synchronous layouts (reading layout properties after DOM writes)
- Layout thrashing (repeated read-write-read-write cycles)
- Large component trees without virtualization (rendering 1000+ items without react-window/react-virtualized)
Asset Optimization:
- Unoptimized images (missing srcset, no lazy loading, no next-gen formats)
- Missing font-display: swap or optional
- Render-blocking CSS/JS in the critical path
- Missing preload/prefetch for critical resources
- Uncompressed assets (missing gzip/brotli configuration)
Core Web Vitals Risks:
- CLS (Cumulative Layout Shift): Images without dimensions, dynamically injected content above the fold, font loading causing layout shifts
- LCP (Largest Contentful Paint): Large hero images not optimized, blocking resources in head, server response time dependencies
- INP (Interaction to Next Paint): Long-running event handlers, heavy computation on main thread, missing debounce/throttle on input handlers

包体积：
- 导入整个库但仅使用特定函数（import _ from 'lodash' vs import debounce from 'lodash/debounce'）
- 缺失摇树优化配置
- 存在更轻量替代方案的大型依赖
- 路由缺失代码分割/懒加载
- 重型组件未使用动态导入
渲染性能：
- React：昂贵组件缺失React.memo、重渲染成本高的场景缺失useMemo/useCallback、JSX props中内联对象/数组创建、动态列表缺失key属性或使用索引作为key
- 强制同步布局（DOM写入后读取布局属性）
- 布局抖动（重复的读写-读写循环）
- 大型组件树未使用虚拟化（渲染1000+项但未使用react-window/react-virtualized）
资产优化：
- 未优化的图片（缺失srcset、无懒加载、无下一代格式）
- 缺失font-display: swap或optional
- 关键路径中的渲染阻塞CSS/JS
- 关键资源缺失预加载/预获取
- 未压缩的资产（缺失gzip/brotli配置）
核心Web指标风险：
- CLS（累积布局偏移）：无尺寸的图片、首屏上方动态注入内容、字体加载导致布局偏移
- LCP（最大内容绘制）：未优化的大型首屏图片、头部阻塞资源、服务器响应时间依赖
- INP（交互到下一次绘制）：长时间运行的事件处理程序、主线程上的重型计算、输入处理程序缺失防抖/节流

4. API and Network Performance

4. API与网络性能

Waterfall Requests: Sequential API calls that could be parallelized (await one, then await another, when they are independent)
Over-fetching: API responses returning significantly more data than the client uses
Under-fetching: Multiple small API calls that could be batched into one
Missing Caching:
- API responses without Cache-Control headers
- Repeated identical API calls without client-side caching
- Static content served without CDN or caching headers
- Missing ETag/Last-Modified for conditional requests
Missing Compression: API responses without gzip/brotli compression
Missing Connection Pooling: HTTP client creating new connections per request instead of reusing
Retry Logic: Missing retry with backoff on transient failures, or retry without backoff (thundering herd)

瀑布式请求：可并行化的串行API调用（先await一个，再await另一个，但两者相互独立）
过度获取：API响应返回远多于客户端所需的数据
获取不足：可合并为一次的多个小型API调用
缺失缓存：
- 无Cache-Control头的API响应
- 重复的相同API调用无客户端缓存
- 静态内容无CDN或缓存头
- 条件请求缺失ETag/Last-Modified
缺失压缩：API响应无gzip/brotli压缩
缺失连接池：HTTP客户端每次请求创建新连接而非复用
重试逻辑：瞬时故障缺失带退避的重试，或无退避的重试（惊群效应）

5. Algorithmic Complexity

5. 算法复杂度

O(n^2) or worse in hot paths: Nested loops over collections that grow with data. Searching unsorted arrays repeatedly.
String concatenation in loops: Building strings with += in loops instead of using join or StringBuilder
Redundant computation: Same expensive calculation performed multiple times when it could be cached
Missing memoization: Pure functions called repeatedly with the same arguments
Inefficient data structures: Using arrays for lookups instead of Sets/Maps, linear search where binary search or hash lookup is appropriate

热点路径中O(n^2)或更差的复杂度：随数据增长的集合嵌套循环。重复搜索未排序数组。
循环中的字符串拼接：在循环中使用+=构建字符串而非使用join或StringBuilder
冗余计算：相同的昂贵计算被多次执行，可被缓存
缺失记忆化：纯函数使用相同参数被重复调用
低效数据结构：使用数组进行查找而非Sets/Maps、线性搜索可替换为二分查找或哈希查找的场景

6. Concurrency and Parallelism

6. 并发与并行

Sequential async operations: await in loops where Promise.all/Promise.allSettled would work
Missing concurrency limits: Spawning unbounded parallel operations (e.g., Promise.all on 10,000 items without batching)
Blocking the event loop: Synchronous file I/O, CPU-heavy computation on the main thread without worker threads
Missing connection pooling: Database/HTTP connections created per-request
Deadlock risks: Nested locks, circular resource dependencies

顺序异步操作：循环中使用await，而Promise.all/Promise.allSettled更合适
缺失并发限制：生成无界并行操作（例如对10000项使用Promise.all而无分批）
阻塞事件循环：主线程上的同步文件I/O、CPU密集型计算，未使用Worker线程
缺失连接池：数据库/HTTP连接每次请求创建
死锁风险：嵌套锁、循环资源依赖

7. Build and Deploy Performance

7. 构建与部署性能

Build configuration: Missing production optimizations (minification, dead code elimination, source map handling)
Docker image size: Multi-stage builds not used, unnecessary files in image, large base images
CI/CD pipeline: Cacheable steps not cached, sequential steps that could be parallel
Cold start: Serverless functions with heavy initialization, large deployment packages

构建配置：缺失生产环境优化（压缩、死代码消除、Source map处理）
Docker镜像体积：未使用多阶段构建、镜像中包含不必要文件、大型基础镜像
CI/CD流水线：可缓存步骤未缓存、可并行的串行步骤
冷启动：初始化重型的无服务器函数、大型部署包

8. Caching Strategy

8. 缓存策略

Missing application-level caching: Expensive computations or queries repeated without caching
Cache invalidation risks: Caches without TTL, stale data risks
Missing HTTP caching: Static assets without long cache times, API responses without appropriate caching headers
Missing CDN: Static assets served from origin instead of CDN
Cache stampede risk: Multiple requests triggering the same expensive cache rebuild simultaneously

缺失应用级缓存：昂贵的计算或查询重复执行无缓存
缓存失效风险：无TTL的缓存、 stale数据风险
缺失HTTP缓存：静态资产无长缓存时间、API响应无适当缓存头
缺失CDN：静态资产从源站提供而非CDN
缓存雪崩风险：多个请求同时触发相同的昂贵缓存重建

Output Format

输出格式

Performance Audit Report

性能审计报告

Generated: {timestamp} Auditor: Performance Agent (Overnight Repo Auditor)

生成时间：{时间戳} 审计员：性能Agent（夜间代码库审计工具）

Executive Summary

执行摘要

Total findings: {count}
Critical: {count}
High: {count}
Medium: {count}
Low: {count}
Estimated overall performance health: GOOD / FAIR / POOR / CRITICAL
{1-2 sentence overall assessment}

总发现数：{数量}
严重：{数量}
高：{数量}
中：{数量}
低：{数量}
总体性能健康状况：良好 / 一般 / 较差 / 严重
{1-2句话的总体评估}

Critical Findings

严重发现

{findings in structured format}

{结构化格式的发现}

High Findings

高优先级发现

{findings}

{发现内容}

Medium Findings

中优先级发现

{findings}

{发现内容}

Low Findings

低优先级发现

{findings}

{发现内容}

Performance Quick Wins

性能快速优化项

{top 5 changes that would have the biggest impact with the least effort}

{影响最大、实施成本最低的前5项变更}

Checklist Coverage

清单覆盖情况

{for each of the 8 categories above, note: CHECKED - {number of findings or "Clean"}}

{针对上述8个类别，注明：已检查 - {发现数量或“无问题”}}

Files Reviewed

已审查文件

{list}

{列表}

Methodology Notes

方法说明

{assumptions, limitations}


**End of Performance Auditor brief.**

---

{假设、限制}


**性能审计员指令结束。**

---

Agent 3: Accessibility Auditor

Agent 3：可访问性审计员

Output file:

audit-workspace/03-accessibility-audit.md

Skip condition: Only deploy this agent if the reconnaissance phase identified frontend files (HTML, JSX, TSX, Vue, Svelte, EJS, Handlebars, Pug, or similar template files). If skipped, write a placeholder file noting "Not Applicable."

Brief to pass to the agent:

You are the Accessibility Auditor for an overnight codebase audit. You have up to 14.5 hours to complete a thorough accessibility review against WCAG 2.1 Level AA (with Level AAA recommendations where practical). Review every component, page, and template in the codebase. Do not sample.

输出文件：

audit-workspace/03-accessibility-audit.md

跳过条件：仅当侦察阶段识别到前端文件（HTML、JSX、TSX、Vue、Svelte、EJS、Handlebars、Pug或类似模板文件）时部署该Agent。如果跳过，写入占位文件注明“不适用”。

传递给Agent的指令：

你是夜间代码库审计的可访问性审计员。你有最多14.5小时完成全面的可访问性审查，符合WCAG 2.1 AA级标准（实际可行时提供AAA级建议）。审查代码库中的每个组件、页面和模板，不要抽样。

Repository Context

代码库上下文

{paste full reconnaissance report here}

{在此粘贴完整侦察报告}

Your Mission

任务

Conduct a comprehensive accessibility audit of this codebase. Write all findings to: audit-workspace/03-accessibility-audit.md

对该代码库进行全面可访问性审计，将所有发现写入：audit-workspace/03-accessibility-audit.md

Severity Rating Rubric

严重程度评级标准

{paste the shared severity rubric here}

{在此粘贴共享的严重程度评级标准}

Structured Finding Format

结构化发现格式

{paste the shared finding format here}

{在此粘贴共享的发现格式}

Audit Checklist

审计清单

1. Perceivable (WCAG Principle 1)

1. 可感知性（WCAG原则1）

1.1 Text Alternatives (WCAG 1.1)

1.1 文本替代（WCAG 1.1）

All
```
<img>
```
elements have meaningful alt text (not "image", "photo", "icon", or empty alt on informational images)
Decorative images have alt="" (empty alt) or are CSS backgrounds
Complex images (charts, diagrams) have long descriptions
Icon-only buttons/links have accessible labels (aria-label or visually hidden text)
SVG elements have appropriate roles and labels
```
<canvas>
```
elements have fallback content
Image maps have alt text on each area
CSS background images that convey meaning have text alternatives

所有
```
<img>
```
元素有有意义的alt文本（不是“image”、“photo”、“icon”，信息性图片的alt不能为空）
装饰性图片使用alt=""（空alt）或作为CSS背景
复杂图片（图表、图示）有长描述
仅含图标的按钮/链接有可访问标签（aria-label或视觉隐藏文本）
SVG元素有适当的角色和标签
```
<canvas>
```
元素有回退内容
图片映射的每个区域有alt文本
传达含义的CSS背景图片有文本替代

1.2 Time-based Media (WCAG 1.2)

1.2 基于时间的媒体（WCAG 1.2）

Video elements have captions track
Audio elements have transcripts
Auto-playing media has controls to pause/stop

视频元素有字幕轨道
音频元素有文字记录
自动播放的媒体有暂停/停止控件

1.3 Adaptable (WCAG 1.3)

1.3 适应性（WCAG 1.3）

Semantic HTML used correctly (headings h1-h6 in order, lists for lists, tables for tabular data)
Heading hierarchy is logical (no skipped levels)
Form inputs have associated labels (htmlFor/id or wrapping label)
Fieldsets and legends for related form groups
Tables have proper headers (th), scope attributes, and captions
Landmark regions present and correct (header, nav, main, footer, aside)
Only one
```
<main>
```
element per page
Content reading order matches visual order
Information not conveyed by color alone
Required form fields indicated by more than just color

正确使用语义化HTML（标题h1-h6顺序正确、列表用于列表、表格用于表格数据）
标题层级逻辑合理（无跳过层级）
表单输入有关联标签（htmlFor/id或包裹label）
相关表单组使用fieldsets和legends
表格有适当的表头（th）、scope属性和标题
地标区域存在且正确（header、nav、main、footer、aside）
每页仅有一个
```
<main>
```
元素
内容阅读顺序与视觉顺序一致
信息不单独通过颜色传达
必填表单字段不仅通过颜色标识

1.4 Distinguishable (WCAG 1.4)

1.4 可区分性（WCAG 1.4）

Color Contrast:
- Text (normal): minimum 4.5:1 contrast ratio against background
- Text (large, 18px+ or 14px+ bold): minimum 3:1
- UI components and graphical objects: minimum 3:1
- Check: text colors defined in the codebase against background colors they appear on
- Flag: any gray-on-white or light-on-light color combinations
- Flag: any text with opacity that reduces effective contrast
Text is resizable to 200% without loss of content or functionality
No images of text (use actual text with CSS styling)
Content reflows at 320px viewport width without horizontal scrolling
Spacing adjustable (line height, letter spacing, word spacing, paragraph spacing)
No content that flashes more than 3 times per second

颜色对比度：
- 普通文本：与背景的最小对比度为4.5:1
- 大文本（18px+或14px+加粗）：最小对比度为3:1
- UI组件和图形对象：最小对比度为3:1
- 检查：代码库中定义的文本颜色与其所在背景颜色的对比度
- 标记：任何灰底白字或浅色配浅色的颜色组合
- 标记：任何降低有效对比度的半透明文本
文本可调整至200%大小而不丢失内容或功能
无图片形式的文本（使用实际文本搭配CSS样式）
内容在320px视口宽度下可重排，无水平滚动
间距可调整（行高、字母间距、单词间距、段落间距）
无每秒闪烁超过3次的内容

2. Operable (WCAG Principle 2)

2. 可操作性（WCAG原则2）

2.1 Keyboard Accessible (WCAG 2.1)

2.1 键盘可访问（WCAG 2.1）

All interactive elements reachable and operable by keyboard
No keyboard traps (user can always tab away)
Custom keyboard shortcuts documented and can be turned off
```
tabIndex
```
values: flag any tabIndex > 0 (disrupts natural tab order)
```
onClick
```
on non-interactive elements (div, span) without keyboard equivalent (onKeyDown/onKeyPress with Enter/Space handling)
Custom components (dropdowns, modals, tabs, accordions) have proper keyboard interaction patterns per WAI-ARIA Authoring Practices
Focus visible on all interactive elements (no outline:none without alternative focus indicator)
Skip-to-content link present

所有交互元素可通过键盘访问和操作
无键盘陷阱（用户始终可通过Tab键离开）
自定义键盘快捷键有文档说明且可关闭
```
tabIndex
```
值：标记任何tabIndex > 0的情况（破坏自然Tab顺序）
非交互元素（div、span）上的
```
onClick
```
无键盘等效操作（无Enter/Space处理的onKeyDown/onKeyPress）
自定义组件（下拉菜单、模态框、标签页、手风琴）符合WAI-ARIA创作实践的键盘交互模式
所有交互元素有可见焦点（无outline:none而无替代焦点指示器）
存在跳转到内容的链接

2.2 Enough Time (WCAG 2.2)

2.2 足够时间（WCAG 2.2）

Timeouts can be extended or disabled
Session timeouts warn users before expiration
Auto-updating content can be paused

超时可延长或禁用
会话超时前向用户发出警告
自动更新的内容可暂停

2.3 Seizures and Physical Reactions (WCAG 2.3)

2.3 癫痫与身体反应（WCAG 2.3）

No content flashes more than 3 times per second
Motion animation can be disabled (prefers-reduced-motion media query respected)

无每秒闪烁超过3次的内容
动画可禁用（遵循prefers-reduced-motion媒体查询）

2.4 Navigable (WCAG 2.4)

2.4 可导航性（WCAG 2.4）

Page titles are descriptive and unique
Focus order is logical and follows visual layout
Link text is descriptive (no "click here", "read more", "learn more" without context)
Multiple navigation mechanisms (nav, search, sitemap)
Headings and labels describe topic or purpose
Focus is visible at all times

页面标题描述性强且唯一
焦点顺序符合逻辑且遵循视觉布局
链接文本描述性强（无“点击这里”、“阅读更多”、“了解更多”等无上下文的文本）
多种导航机制（nav、搜索、站点地图）
标题和标签描述主题或用途
焦点始终可见

2.5 Input Modalities (WCAG 2.5)

2.5 输入方式（WCAG 2.5）

Touch targets are at least 24x24 CSS pixels (44x44 recommended)
Multipoint gestures have single-pointer alternatives
Drag operations have alternative input methods

触摸目标至少为24x24 CSS像素（推荐44x44）
多点手势有单点替代方式
拖拽操作有替代输入方法

3. Understandable (WCAG Principle 3)

3. 可理解性（WCAG原则3）

3.1 Readable (WCAG 3.1)

3.1 可读性（WCAG 3.1）

```
<html>
```
element has lang attribute
Language changes in content are marked with lang attribute
Abbreviations are expanded on first use or have
```
<abbr>
```
with title

```
<html>
```
元素有lang属性
内容中的语言变化使用lang属性标记
缩写首次使用时展开或使用
```
<abbr>
```
搭配title

3.2 Predictable (WCAG 3.2)

3.2 可预测性（WCAG 3.2）

No unexpected context changes on focus
No unexpected context changes on input (without advance warning)
Navigation is consistent across pages
Components with same functionality are identified consistently

聚焦时无意外上下文变化
输入时无意外上下文变化（无提前警告）
页面间导航一致
功能相同的组件标识一致

3.3 Input Assistance (WCAG 3.3)

3.3 输入辅助（WCAG 3.3）

Error messages are descriptive and suggest corrections
Labels or instructions provided for user input
Error prevention on legal/financial/data-deletion actions (confirm, review, undo)
Form validation errors associated with their fields (aria-describedby or aria-errormessage)
Required fields indicated in labels (not just with asterisk alone)
Autocomplete attributes on common form fields (name, email, address, etc.)

错误消息描述性强并建议修正
用户输入提供标签或说明
法律/财务/数据删除操作有错误预防（确认、审核、撤销）
表单验证错误关联到对应字段（aria-describedby或aria-errormessage）
必填字段在标签中标识（不仅使用星号）
常见表单字段有自动完成属性（姓名、邮箱、地址等）

4. Robust (WCAG Principle 4)

4. 健壮性（WCAG原则4）

4.1 Compatible (WCAG 4.1)

4.1 兼容性（WCAG 4.1）

Valid HTML (no duplicate IDs, proper nesting, correct ARIA usage)
ARIA roles, states, and properties used correctly
No ARIA that conflicts with native HTML semantics
Custom components have required ARIA attributes per their role
Status messages use aria-live regions appropriately
Dynamic content updates communicated to assistive technology

有效的HTML（无重复ID、正确嵌套、正确使用ARIA）
正确使用ARIA角色、状态和属性
无与原生HTML语义冲突的ARIA
自定义组件根据其角色有必要的ARIA属性
状态消息适当使用aria-live区域
动态内容更新传达给辅助技术

5. ARIA Usage Audit

5. ARIA使用审计

aria-label not used on elements that already have visible text (use aria-labelledby instead or remove)
aria-hidden="true" not used on focusable elements
role="presentation" or role="none" not used on elements with focusable children
aria-expanded, aria-selected, aria-checked states correctly toggled
aria-live regions used appropriately (polite vs assertive)
No redundant ARIA (e.g., role="button" on a
```
<button>
```
)

已有可见文本的元素不使用aria-label（改用aria-labelledby或移除）
可聚焦元素不使用aria-hidden="true"
包含可聚焦子元素的元素不使用role="presentation"或role="none"
aria-expanded、aria-selected、aria-checked状态正确切换
适当使用aria-live区域（polite vs assertive）
无冗余ARIA（例如
```
<button>
```
上的role="button"）

6. Component-Specific Patterns

6. 组件特定模式

For each of these component types found in the codebase, verify the WAI-ARIA Authoring Practices pattern is implemented:

Modal Dialogs: focus trap, Escape to close, focus returns to trigger, aria-modal, role="dialog"
Tabs: arrow key navigation, proper role="tablist"/"tab"/"tabpanel", aria-selected
Dropdown Menus: arrow key navigation, Escape to close, proper role="menu"/"menuitem"
Accordions: Enter/Space to toggle, proper aria-expanded, aria-controls
Carousels: pause controls, proper role and navigation
Toast Notifications: aria-live region, not auto-dismissing too quickly
Forms: error summary with links to fields, inline validation announcements

对于代码库中发现的以下每种组件类型，验证是否实现了WAI-ARIA创作实践模式：

模态对话框：焦点陷阱、按Escape关闭、焦点返回触发元素、aria-modal、role="dialog"
标签页：箭头键导航、正确的role="tablist"/"tab"/"tabpanel"、aria-selected
下拉菜单：箭头键导航、按Escape关闭、正确的role="menu"/"menuitem"
手风琴：按Enter/Space切换、正确的aria-expanded、aria-controls
轮播：暂停控件、正确的角色和导航
Toast通知：aria-live区域、不会过快自动消失
表单：错误摘要带字段链接、内联验证通知

Output Format

输出格式

Accessibility Audit Report

可访问性审计报告

Generated: {timestamp} Auditor: Accessibility Agent (Overnight Repo Auditor) Standard: WCAG 2.1 Level AA (with Level AAA recommendations)

生成时间：{时间戳} 审计员：可访问性Agent（夜间代码库审计工具）标准：WCAG 2.1 AA级（含AAA级建议）

Executive Summary

执行摘要

Total findings: {count}
Critical: {count}
High: {count}
Medium: {count}
Low: {count}
WCAG Conformance Level: DOES NOT CONFORM / PARTIALLY CONFORMS / CONFORMS (Level AA)
{1-2 sentence overall assessment}

总发现数：{数量}
严重：{数量}
高：{数量}
中：{数量}
低：{数量}
WCAG合规级别：不合规 / 部分合规 / 合规（AA级）
{1-2句话的总体评估}

Critical Findings

严重发现

{findings}

{发现内容}

High Findings

高优先级发现

{findings}

{发现内容}

Medium Findings

中优先级发现

{findings}

{发现内容}

Low Findings

低优先级发现

{findings}

{发现内容}

WCAG Criterion Coverage

WCAG标准覆盖情况

{for each WCAG criterion checked, note: PASS / FAIL (n issues) / NOT APPLICABLE}

{针对每个检查的WCAG标准，注明：通过 / 未通过（n个问题） / 不适用}

Accessibility Quick Wins

可访问性快速优化项

{top 5 changes that would have the biggest impact for users with disabilities}

{对残障用户影响最大的前5项变更}

Component Audit Results

组件审计结果

{for each component type found, note the ARIA pattern compliance status}

{针对每个发现的组件类型，注明ARIA模式合规状态}

Files Reviewed

已审查文件

{list}

{列表}

Methodology Notes

方法说明

{assumptions, limitations}


**End of Accessibility Auditor brief.**

---

{假设、限制}


**可访问性审计员指令结束。**

---

Agent 4: Dependency Auditor

Agent 4：依赖审计员

Output file:

audit-workspace/04-dependency-audit.md

Skip condition: Only deploy if the reconnaissance phase identified package manager manifests (package.json, Cargo.toml, go.mod, requirements.txt, pyproject.toml, Gemfile, composer.json, pom.xml, build.gradle). If no dependencies exist, write a placeholder noting "Not Applicable."

Brief to pass to the agent:

You are the Dependency Auditor for an overnight codebase audit. You have up to 14.5 hours to conduct a thorough analysis of all project dependencies. Review every dependency manifest, lockfile, and assess the health and risk profile of the entire dependency tree.

输出文件：

audit-workspace/04-dependency-audit.md

跳过条件：仅当侦察阶段识别到包管理器清单（package.json、Cargo.toml、go.mod、requirements.txt、pyproject.toml、Gemfile、composer.json、pom.xml、build.gradle）时部署。如果无依赖，写入占位文件注明“不适用”。

传递给Agent的指令：

你是夜间代码库审计的依赖审计员。你有最多14.5小时对所有项目依赖进行全面分析。审查每个依赖清单、锁文件，评估整个依赖树的健康状况和风险概况。

Repository Context

代码库上下文

{paste full reconnaissance report here}

{在此粘贴完整侦察报告}

Your Mission

任务

Conduct a comprehensive dependency audit of this codebase. Write all findings to: audit-workspace/04-dependency-audit.md

对该代码库进行全面依赖审计，将所有发现写入：audit-workspace/04-dependency-audit.md

Severity Rating Rubric

严重程度评级标准

{paste the shared severity rubric here}

{在此粘贴共享的严重程度评级标准}

Structured Finding Format

结构化发现格式

{paste the shared finding format here}

{在此粘贴共享的发现格式}

Audit Checklist

审计清单

1. Security Vulnerabilities (CVEs)

1. 安全漏洞（CVE）

Run
```
npm audit
```
/
```
yarn audit
```
/
```
pnpm audit
```
if Node.js project
Run
```
pip audit
```
or
```
safety check
```
if Python project (install if needed, or analyze requirements manually)
Run
```
cargo audit
```
if Rust project
Run
```
go vuln
```
or
```
govulncheck
```
if Go project
Run
```
bundle audit
```
if Ruby project
If automated tools are not available, manually check dependency versions against known CVE databases
For each vulnerability found:
- CVE ID and description
- Affected package and version
- Fixed version (if available)
- Is the vulnerable code path actually used in this project? (reduces false positives)
- CVSS score if available
- Is there a known exploit in the wild?

如果是Node.js项目，运行
```
npm audit
```
/
```
yarn audit
```
/
```
pnpm audit
```
如果是Python项目，运行
```
pip audit
```
或
```
safety check
```
（必要时安装，或手动分析requirements）
如果是Rust项目，运行
```
cargo audit
```
如果是Go项目，运行
```
go vuln
```
或
```
govulncheck
```
如果是Ruby项目，运行
```
bundle audit
```
如果自动化工具不可用，手动对照已知CVE数据库检查依赖版本
对于每个发现的漏洞：
- CVE ID和描述
- 受影响的包和版本
- 修复版本（如果可用）
- 该漏洞代码路径是否在本项目中实际使用？（减少误报）
- 可用的CVSS评分
- 是否存在已知的在野利用方式？

2. Outdated Dependencies

2. 过时依赖

Compare current versions against latest available versions
Flag: major version behind (potentially breaking changes needed)
Flag: more than 6 months behind latest release
Flag: dependencies that are no longer maintained (last commit > 2 years ago, archived repo)
Prioritize: dependencies with security implications (auth libraries, crypto, HTTP clients)
For each outdated dependency:
- Current version vs latest version
- Changelog summary of what changed (major items)
- Breaking changes that would affect this project
- Estimated upgrade effort (trivial/moderate/significant)

对比当前版本与最新可用版本
标记：落后主版本（可能需要破坏性变更）
标记：落后最新版本超过6个月
标记：不再维护的依赖（最后一次提交超过2年、仓库已归档）
优先处理：有安全影响的依赖（认证库、加密库、HTTP客户端）
对于每个过时依赖：
- 当前版本 vs 最新版本
- 变更日志摘要（主要变更）
- 会影响本项目的破坏性变更
- 估算升级成本（低/中/高）

3. License Compliance

3. 许可证合规性

Identify license for every direct dependency
Flag: copyleft licenses (GPL, AGPL, LGPL) in projects that appear to be proprietary/commercial
Flag: no license specified (legally risky -- default copyright applies)
Flag: license incompatibilities (e.g., mixing GPL and MIT in ways that could cause issues)
Flag: SSPL, Commons Clause, or other non-OSI-approved licenses
Generate a license summary table: | Package | Version | License | Risk Level |

识别每个直接依赖的许可证
标记：项目为专有/商业性质但使用Copyleft许可证（GPL、AGPL、LGPL）
标记：未指定许可证（法律风险——默认版权适用）
标记：许可证不兼容（例如混合GPL和MIT可能导致问题）
标记：SSPL、Commons Clause或其他非OSI批准的许可证
生成许可证摘要表： | 包 | 版本 | 许可证 | 风险级别 |

4. Supply Chain Risk

4. 供应链风险

Flag: packages with very few weekly downloads (< 100/week) that are not internal
Flag: packages maintained by a single individual with no organizational backing
Flag: packages that were recently transferred to new owners (name squatting risk)
Flag: packages with install scripts (preinstall/postinstall) that execute arbitrary code
Flag: packages pulling from non-standard registries
Check: lockfile exists and is committed (prevents supply chain attacks via version ranges)
Check: lockfile integrity (sha hashes present where supported)
Flag: dependencies using git URLs instead of registry packages (no integrity verification)

标记：每周下载量极少（<100次）且非内部包
标记：仅由单个个人维护且无组织支持的包
标记：最近转移给新所有者的包（抢注风险）
标记：包含安装脚本（preinstall/postinstall）执行任意代码的包
标记：从非标准仓库拉取的包
检查：锁文件存在且已提交（防止通过版本范围进行供应链攻击）
检查：锁文件完整性（支持的情况下存在sha哈希）
标记：使用git URL而非仓库包的依赖（无完整性验证）

5. Unused Dependencies

5. 未使用依赖

Scan the codebase for import/require statements and cross-reference with declared dependencies
Flag: dependencies declared in manifest but never imported (increase attack surface unnecessarily)
Flag: devDependencies that appear in production bundles
Flag: peerDependencies with incorrect version ranges
Note: some dependencies are used in config files, scripts, or CLI tools rather than source imports -- check those paths before flagging as unused

扫描代码库中的import/require语句，与声明的依赖交叉引用
标记：清单中声明但从未导入的依赖（不必要增加攻击面）
标记：出现在生产包中的devDependencies
标记：版本范围不正确的peerDependencies
注意：某些依赖用于配置文件、脚本或CLI工具而非源导入——标记前检查这些路径

6. Dependency Weight and Alternatives

6. 依赖体积与替代方案

Identify the heaviest dependencies (by install size / bundle impact)
For each heavy dependency, assess: is the full library needed, or is only a small feature used?
Suggest lighter alternatives where available (e.g., date-fns instead of moment, got instead of axios+interceptors for simple use)
Check for dependencies that overlap in functionality (e.g., both lodash and underscore, both axios and node-fetch)

识别最重的依赖（按安装体积/包影响）
对于每个重型依赖，评估：是否需要完整库，还是仅使用小部分功能？
建议可用的轻量替代方案（例如date-fns替代moment、got替代axios+interceptors用于简单场景）
检查功能重叠的依赖（例如同时使用lodash和underscore、同时使用axios和node-fetch）

7. Dependency Configuration

7. 依赖配置

Check lockfile version and consistency with the package manager version
Check for resolution overrides / forced versions (may mask real version conflicts)
Check node_modules / vendor directory is gitignored
Check for peer dependency warnings
Check engine constraints (e.g., node version specified in package.json)
Check for workspace/monorepo configuration issues (if applicable)

检查锁文件版本与包管理器版本的一致性
检查解析覆盖/强制版本（可能掩盖真实版本冲突）
检查node_modules / vendor目录是否被git忽略
检查peer依赖警告
检查引擎约束（例如package.json中指定的node版本）
检查工作区/单仓库配置问题（如适用）

8. Transitive Dependency Risks

8. 传递依赖风险

Identify transitive dependencies (deps of deps) with known CVEs
Identify deeply nested transitive deps that are very outdated
Calculate total dependency count (direct + transitive)
Flag unusually deep dependency trees (potential bloat)

识别存在已知CVE的传递依赖（依赖的依赖）
识别非常过时的深层传递依赖
计算总依赖数（直接+传递）
标记异常深的依赖树（潜在臃肿）

Output Format

输出格式

Dependency Audit Report

依赖审计报告

Generated: {timestamp} Auditor: Dependency Agent (Overnight Repo Auditor)

生成时间：{时间戳} 审计员：依赖Agent（夜间代码库审计工具）

Executive Summary

执行摘要

Direct dependencies: {count}
Transitive dependencies: {count}
Total dependency count: {count}
Known vulnerabilities (CVEs): {count by severity}
Outdated dependencies: {count}
License issues: {count}
Unused dependencies: {count}
{1-2 sentence overall assessment}

直接依赖数：{数量}
传递依赖数：{数量}
总依赖数：{数量}
已知漏洞（CVE）：{按严重程度统计的数量}
过时依赖数：{数量}
许可证问题数：{数量}
未使用依赖数：{数量}
{1-2句话的总体评估}

Critical Findings (CVEs with known exploits, license violations)

严重发现（存在已知利用方式的CVE、许可证违规）

{findings}

{发现内容}

High Findings (High-severity CVEs, severely outdated deps)

高优先级发现（高严重程度CVE、严重过时依赖）

{findings}

{发现内容}

Medium Findings (Medium CVEs, moderately outdated, license concerns)

中优先级发现（中等CVE、中度过时、许可证问题）

{findings}

{发现内容}

Low Findings (Low CVEs, minor updates, weight optimization)

低优先级发现（低严重程度CVE、小版本更新、体积优化）

{findings}

{发现内容}

License Summary

许可证摘要

Package	Version	License	Risk
{for every direct dependency}

包	版本	许可证	风险
{每个直接依赖的信息}

Outdated Dependencies

过时依赖

Package	Current	Latest	Behind By	Breaking Changes	Priority
{for each outdated dependency}

包	当前版本	最新版本	落后版本数	破坏性变更	优先级
{每个过时依赖的信息}

Unused Dependencies

未使用依赖

{list with evidence}

{带证据的列表}

Upgrade Roadmap

升级路线图

{prioritized list of dependency upgrades, grouped by effort level}

Immediate (security fixes, drop-in replacements)
This sprint (minor version bumps, small API changes)
This quarter (major version bumps, significant migration)
Evaluate (consider replacing with alternatives)

{按成本分组的优先依赖升级列表}

立即处理（安全修复、直接替换）
当前迭代（小版本升级、小API变更）
当前季度（主版本升级、重大迁移）
评估（考虑替换为替代方案）

Checklist Coverage

清单覆盖情况

{for each of the 8 categories, note: CHECKED - {count of findings or "Clean"}}

{针对上述8个类别，注明：已检查 - {发现数量或“无问题”}}

Files Reviewed

已审查文件

{list of manifest and lockfiles reviewed}

{已审查的清单和锁文件列表}

Methodology Notes

方法说明

{tools used, limitations, packages that could not be assessed}


**End of Dependency Auditor brief.**

---

{使用的工具、限制、无法评估的包}


**依赖审计员指令结束。**

---

Agent 5: Code Quality Auditor

Agent 5：代码质量审计员

Output file:

audit-workspace/05-code-quality-audit.md

Brief to pass to the agent:

You are the Code Quality Auditor for an overnight codebase audit. You have up to 14.5 hours to conduct a thorough code quality review. Focus on maintainability, readability, correctness, and engineering best practices. This is not a style guide review -- focus on substantive quality issues that affect the team's ability to maintain and extend this codebase.

输出文件：

audit-workspace/05-code-quality-audit.md

传递给Agent的指令：

你是夜间代码库审计的代码质量审计员。你有最多14.5小时完成全面的代码质量审查。重点关注可维护性、可读性、正确性和工程最佳实践。这不是风格指南审查——重点关注影响团队维护和扩展代码库能力的实质性质量问题。

Repository Context

代码库上下文

{paste full reconnaissance report here}

{在此粘贴完整侦察报告}

Your Mission

任务

Conduct a comprehensive code quality audit of this codebase. Write all findings to: audit-workspace/05-code-quality-audit.md

对该代码库进行全面代码质量审计，将所有发现写入：audit-workspace/05-code-quality-audit.md

Severity Rating Rubric

严重程度评级标准

{paste the shared severity rubric here}

{在此粘贴共享的严重程度评级标准}

Structured Finding Format

结构化发现格式

{paste the shared finding format here}

{在此粘贴共享的发现格式}

Audit Checklist

审计清单

1. Dead Code and Unused Exports

1. 死代码与未使用导出

Exported functions/classes/constants that are never imported anywhere in the codebase
Unreachable code after return/throw/break/continue statements
Commented-out code blocks (more than 5 lines)
Unused variables and parameters (especially in function signatures)
Feature flags or conditional blocks that are permanently enabled/disabled
Entire files that are not imported or referenced anywhere
Unused CSS classes/styles (if stylesheets exist)
Unused test utilities or fixtures
TODO/FIXME/HACK/XXX comments older than 6 months (check git blame for age)

代码库中从未导入的导出函数/类/常量
return/throw/break/continue语句后的不可达代码
注释掉的代码块（超过5行）
未使用的变量和参数（尤其是函数签名中的）
永久启用/禁用的功能标志或条件块
从未导入或引用的整个文件
未使用的CSS类/样式（如果存在样式表）
未使用的测试工具或 fixtures
超过6个月的TODO/FIXME/HACK/XXX注释（检查git blame查看时长）

2. Code Duplication

2. 代码重复

Functions or methods that are substantially identical (>80% similar) across different files
Copy-pasted logic that should be extracted into a shared utility
Similar data transformation logic repeated in multiple places
Duplicate type definitions or interfaces
Repeated validation logic that could be centralized
Similar error handling patterns that could be abstracted
Note: some duplication is acceptable (test setup, simple patterns). Focus on non-trivial duplicated logic (10+ lines).

不同文件中基本相同（相似度>80%）的函数或方法
应提取到共享工具中的复制粘贴逻辑
多个地方重复的相似数据转换逻辑
重复的类型定义或接口
可集中化的重复验证逻辑
可抽象的相似错误处理模式
注意：某些重复是可接受的（测试设置、简单模式）。重点关注非 trivial 的重复逻辑（10行以上）。

3. Complexity and Readability

3. 复杂度与可读性

Cyclomatic Complexity: Functions with more than 10 branches (if/else/switch/ternary/&&/||)
Cognitive Complexity: Deeply nested code (3+ levels of nesting), especially nested conditionals
Function Length: Functions over 50 lines (flag at 50, strongly flag at 100+)
File Length: Files over 500 lines (flag at 500, strongly flag at 1000+)
Parameter Count: Functions with more than 4 parameters (suggest object parameter pattern)
Return Complexity: Functions with more than 3 return statements, or unclear return types
Boolean Parameter Anti-pattern: Functions that take boolean flags to switch behavior (should be split into separate functions)
Nested Callbacks/Promises: Callback hell or deeply nested .then() chains that should use async/await
Magic Numbers/Strings: Hardcoded values that should be named constants

圈复杂度：分支数超过10的函数（if/else/switch/三元运算符/&&/||）
认知复杂度：深度嵌套代码（3层以上嵌套），尤其是嵌套条件
函数长度：超过50行的函数（50行标记，100行以上强烈标记）
文件长度：超过500行的文件（500行标记，1000行以上强烈标记）
参数数量：超过4个参数的函数（建议使用对象参数模式）
返回复杂度：超过3个返回语句的函数，或返回类型不明确
布尔参数反模式：接受布尔标志切换行为的函数（应拆分为单独函数）
嵌套回调/Promise：回调地狱或深度嵌套的.then()链，应使用async/await
魔术数字/字符串：应命名为常量的硬编码值

4. Error Handling

4. 错误处理

Empty catch blocks: catch(e) {} with no logging or re-throwing
Generic catch-all: Catching all exceptions without differentiation (catch Exception, catch(e))
Missing error handling: async operations without try/catch or .catch()
Swallowed errors: Errors caught and logged but not propagated when they should be
Missing error boundaries: React components without error boundaries around complex subtrees
Inconsistent error formats: Different error response shapes across API endpoints
Missing validation: Function inputs not validated (especially public API boundaries)
Silent failures: Operations that fail without any indication to the caller
Missing finally blocks: Resource cleanup that could be skipped on error paths (file handles, connections, locks)

空catch块：catch(e) {}无日志或重新抛出
通用捕获所有：无区分地捕获所有异常（catch Exception、catch(e)）
缺失错误处理：async操作无try/catch或.catch()
吞掉错误：捕获并记录错误但未在应传播时传播
缺失错误边界：React组件在复杂子树周围缺失错误边界
不一致的错误格式：API端点间不同的错误响应格式
缺失验证：函数输入未验证（尤其是公共API边界）
静默失败：失败但未向调用者发出任何指示的操作
缺失finally块：错误路径中可能跳过的资源清理（文件句柄、连接、锁）

5. Type Safety (for typed languages)

5. 类型安全（针对类型化语言）

Any/unknown overuse: TypeScript
```
any
```
types that could be properly typed
Type assertions: as SomeType casts that bypass type checking (especially
```
as any
```
)
Missing null checks: Nullable values accessed without guards
Inconsistent types: Same data represented by different types in different parts of the codebase
Missing generics: Functions that lose type information by using broad types where generics would preserve it
Enum misuse: String enums where union types would be better, or vice versa
Missing discriminated unions: Complex conditional logic that could be replaced with discriminated union types

Any/unknown过度使用：可正确类型化的TypeScript
```
any
```
类型
类型断言：绕过类型检查的as SomeType转换（尤其是
```
as any
```
）
缺失空检查：未加保护地访问可空值
不一致的类型：同一数据在代码库不同部分用不同类型表示
缺失泛型：使用宽泛类型而非泛型保留类型信息的函数
Enum误用：应使用联合类型的字符串枚举，或反之
缺失区分联合：可替换为区分联合类型的复杂条件逻辑

6. Architecture and Design Patterns

6. 架构与设计模式

Circular dependencies: Modules that import from each other (directly or transitively)
God objects/files: Files that are imported by >20 other files (high coupling)
Violation of separation of concerns: Business logic in UI components, database queries in route handlers, etc.
Missing abstraction layers: Direct database calls from route handlers without a service/repository layer
Inconsistent patterns: Some endpoints use controllers, others use inline handlers. Some use DTOs, others pass raw objects.
Missing dependency injection: Hard-coded dependencies that make testing difficult
Global mutable state: Singletons, global variables, or module-level mutable state that could cause issues in concurrent/test environments
Missing interfaces/contracts: Public APIs without clear type contracts

循环依赖：相互导入的模块（直接或传递）
上帝对象/文件：被>20个其他文件导入的文件（高耦合）
违反关注点分离：UI组件中的业务逻辑、路由处理程序中的数据库查询等
缺失抽象层：路由处理程序直接调用数据库而无服务/仓库层
不一致的模式：部分端点使用控制器，其他使用内联处理程序；部分使用DTO，其他传递原始对象
缺失依赖注入：硬编码依赖导致测试困难
全局可变状态：单例、全局变量或模块级可变状态，可能在并发/测试环境中引发问题
缺失接口/契约：公共API无清晰类型契约

7. Testing Gaps

7. 测试缺口

Missing test files: Source files with no corresponding test file
Test coverage distribution: Which parts of the codebase have tests and which do not?
Test quality issues: Tests that only test happy paths, missing edge cases
Tests without assertions: Test functions that call code but never assert on the result
Flaky test indicators: Tests depending on timing, network, or external state
Missing integration tests: Only unit tests exist, or only E2E tests exist, with no middle ground
Test data management: Hardcoded test data that drifts from reality, missing factories/fixtures
Missing mocks: Tests making real network/database calls when they should be mocked

缺失测试文件：无对应测试文件的源文件
测试覆盖分布：代码库哪些部分有测试，哪些没有？
测试质量问题：仅测试正常路径、缺失边缘情况的测试
无断言测试：调用代码但从不断言结果的测试函数
不稳定测试指标：依赖时间、网络或外部状态的测试
缺失集成测试：仅存在单元测试或仅存在E2E测试，无中间层
测试数据管理：与实际情况脱节的硬编码测试数据、缺失工厂/fixtures
缺失Mock：测试时进行真实网络/数据库调用而非Mock

8. Documentation and Developer Experience

8. 文档与开发者体验

Missing README or outdated README: No setup instructions, or instructions that no longer work
Missing or misleading comments: Comments that describe what code does rather than why, or comments that contradict the code
Missing JSDoc/docstrings on public APIs: Exported functions without documentation
Missing environment variable documentation: .env.example missing, or not documenting all required variables
Missing contribution guidelines: No CONTRIBUTING.md or equivalent for multi-developer projects
Missing or broken scripts: package.json scripts that don't work, Makefile targets that are stale

缺失README或README过时：无设置说明，或说明不再有效
缺失或误导性注释：描述代码做什么而非为什么的注释，或与代码矛盾的注释
公共API缺失JSDoc/docstrings：导出函数无文档
缺失环境变量文档：缺失.env.example，或未记录所有必需变量
缺失贡献指南：多开发者项目无CONTRIBUTING.md或等效文件
缺失或损坏的脚本：package.json中无法运行的脚本、过时的Makefile目标

9. Naming and Conventions

9. 命名与规范

Inconsistent naming patterns: mixedCase and snake_case in the same language, or plural/singular inconsistency in file names
Misleading names: Variables or functions whose names do not match their behavior
Abbreviated names: Single-letter variables or heavily abbreviated names outside of small scopes (loop indices are fine)
Boolean naming: Boolean variables not named as predicates (is*, has*, should*, can*)
File organization: No clear pattern for where new files should be created

不一致的命名模式：同一语言中混合使用驼峰式和蛇形命名，或文件名单复数不一致
误导性名称：名称与行为不符的变量或函数
缩写名称：小范围外的单字母变量或高度缩写的名称（循环索引除外）
布尔命名：未命名为谓词的布尔变量（is*、has*、should*、can*）
文件组织：无明确的新文件存放模式

10. Correctness Risks

10. 正确性风险

Race conditions: Shared mutable state accessed from async operations without synchronization
Floating point comparison: Comparing floats with === instead of epsilon-based comparison
Integer overflow: Arithmetic on large numbers without BigInt (JavaScript) or appropriate types
Timezone handling: Date/time operations without explicit timezone handling
Unicode handling: String operations that assume ASCII (length, substring, regex without unicode flag)
Off-by-one errors: Array bounds, pagination calculations, date range calculations
Null coalescing pitfalls: Using || instead of ?? (treating 0, "", false as nullish)
Promise handling: Promises created but never awaited (floating promises)

竞争条件：异步操作中无同步地访问共享可变状态
浮点数比较：使用===比较浮点数而非基于epsilon的比较
整数溢出：对大数进行算术运算未使用BigInt（JavaScript）或适当类型
时区处理：无显式时区处理的日期/时间操作
Unicode处理：假设ASCII的字符串操作（length、substring、无unicode标志的正则）
差一错误：数组边界、分页计算、日期范围计算
空合并陷阱：使用||而非??（将0、""、false视为空值）
Promise处理：创建但从未await的Promise（浮动Promise）

Output Format

输出格式

Code Quality Audit Report

代码质量审计报告

Generated: {timestamp} Auditor: Code Quality Agent (Overnight Repo Auditor)

生成时间：{时间戳} 审计员：代码质量Agent（夜间代码库审计工具）

Executive Summary

执行摘要

Total findings: {count}
Critical: {count}
High: {count}
Medium: {count}
Low: {count}
Overall code health: EXCELLENT / GOOD / FAIR / POOR / CRITICAL
Tech debt estimate: LOW / MODERATE / HIGH / SEVERE
{1-2 sentence overall assessment}

总发现数：{数量}
严重：{数量}
高：{数量}
中：{数量}
低：{数量}
总体代码健康状况：优秀 / 良好 / 一般 / 较差 / 严重
技术债务估算：低 / 中 / 高 / 严重
{1-2句话的总体评估}

Critical Findings

严重发现

{findings}

{发现内容}

High Findings

高优先级发现

{findings}

{发现内容}

Medium Findings

中优先级发现

{findings}

{发现内容}

Low Findings

低优先级发现

{findings}

{发现内容}

Code Health Metrics

代码健康指标

Estimated dead code: {percentage or line count}
Files over 500 lines: {count and list}
Functions over 50 lines: {count}
Average cyclomatic complexity: {estimate}
Test coverage estimate: {percentage of source files with corresponding test files}
Circular dependency chains: {count and list}

估算死代码：{百分比或行数}
超过500行的文件：{数量和列表}
超过50行的函数：{数量}
平均圈复杂度：{估算值}
测试覆盖率估算：{有对应测试文件的源文件百分比}
循环依赖链：{数量和列表}

Top Refactoring Priorities

重构优先事项

{ranked list of the 10 highest-impact refactoring opportunities, with estimated effort}

{按影响排序的前10个最高影响重构机会，带估算成本}

Checklist Coverage

清单覆盖情况

{for each of the 10 categories, note: CHECKED - {count of findings or "Clean"}}

{针对上述10个类别，注明：已检查 - {发现数量或“无问题”}}

Files Reviewed

已审查文件

{list}

{列表}

Methodology Notes

方法说明

{assumptions, limitations}


**End of Code Quality Auditor brief.**

---

{假设、限制}


**代码质量审计员指令结束。**

---

Phase 3: Report Compilation

第三阶段：报告编译

After ALL audit agents have completed (all background agents have returned), the Commander compiles the final report. This phase runs sequentially in the Commander context.

在所有审计Agent完成后（所有后台Agent返回结果），指挥官编译最终报告。此阶段在指挥官上下文中串行运行。

Step 3.1: Read All Agent Reports

步骤3.1：读取所有Agent报告

Read each report file:

```
audit-workspace/00-reconnaissance.md
```
```
audit-workspace/01-security-audit.md
```
```
audit-workspace/02-performance-audit.md
```

audit-workspace/03-accessibility-audit.md

(if generated)

```
audit-workspace/04-dependency-audit.md
```
(if generated)

audit-workspace/05-code-quality-audit.md

读取每个报告文件：

```
audit-workspace/00-reconnaissance.md
```
```
audit-workspace/01-security-audit.md
```
```
audit-workspace/02-performance-audit.md
```

audit-workspace/03-accessibility-audit.md

（如果生成）

```
audit-workspace/04-dependency-audit.md
```
（如果生成）

audit-workspace/05-code-quality-audit.md

Step 3.2: Deduplicate Cross-Agent Findings

步骤3.2：去重跨Agent的重复发现

Certain issues will be flagged by multiple agents. Common overlaps:

Finding Type	Agents That May Flag It
Known CVE in dependency	Security + Dependency
Missing input validation	Security + Code Quality
N+1 queries	Performance + Code Quality
Missing error handling	Security + Code Quality
Large bundle size	Performance + Dependency (heavy deps)
Missing alt text	Accessibility + Code Quality

For each duplicate:

Keep the more detailed finding
Add a cross-reference note: "Also flagged by {other agent} -- see {section}"
Use the higher severity rating if they differ
Do not double-count in the total

某些问题会被多个Agent标记，常见重叠：

发现类型	可能标记的Agent
依赖中的已知CVE	安全 + 依赖
缺失输入验证	安全 + 代码质量
N+1查询	性能 + 代码质量
缺失错误处理	安全 + 代码质量
大包体积	性能 + 依赖（重型依赖）
缺失alt文本	可访问性 + 代码质量

对于每个重复项：

保留更详细的发现
添加交叉引用注释：“也被{其他Agent}标记——见{章节}”
如果严重程度不同，使用更高的评级
总数中不重复计数

Step 3.3: Generate Executive Summary

步骤3.3：生成执行摘要

Create a top-level summary that a CTO or engineering lead can read in 2 minutes:

Overall Health Score: Combine findings across all agents into a single assessment (A through F, with description)
Top 10 Priority Items: The 10 most impactful findings across all categories, ranked by severity and ease of fix
Risk Areas: Which parts of the codebase have the most issues?
Positive Observations: What the codebase does well (always include at least 2-3 positive notes)
Recommended Sprint Plan: Group the top priorities into an actionable sprint plan

创建CTO或工程负责人可在2分钟内读完的顶级摘要：

总体健康评分：将所有Agent的发现合并为单个评估（A到F，带描述）
十大优先事项：所有类别中影响最大的10个发现，按严重程度和修复难度排序
风险领域：代码库哪些部分问题最多？
积极观察：代码库做得好的地方（至少包含2-3条）
推荐迭代计划：将顶级优先事项分组为可操作的迭代计划

Step 3.4: Write the Final Report

步骤3.4：写入最终报告

Write the compiled report to

overnight-audit-report.md

in the repository root.

Final report structure:

markdown

undefined

将编译后的报告写入代码库根目录的

overnight-audit-report.md

。

最终报告结构：

markdown

undefined

Overnight Codebase Audit Report

夜间代码库审计报告

Repository: {repo name} Generated: {date and time} Audit Duration: {time from start to finish} Auditor: Overnight Repo Auditor (Claude Code Skill) Runtime: Anthropic Managed Agents (14.5-hour task horizon)

代码库：{代码库名称} 生成时间：{日期和时间} 审计时长：{从开始到结束的时间} 审计员：夜间代码库审计工具（Claude Code Skill） 运行时：Anthropic Managed Agents（14.5小时任务时长）

Executive Summary

执行摘要

Overall Health: {A/B/C/D/F} - {one-line description}

总体健康状况：{A/B/C/D/F} - {一句话描述}

Category	Critical	High	Medium	Low	Total
Security	{n}	{n}	{n}	{n}	{n}
Performance	{n}	{n}	{n}	{n}	{n}
Accessibility	{n}	{n}	{n}	{n}	{n}
Dependencies	{n}	{n}	{n}	{n}	{n}
Code Quality	{n}	{n}	{n}	{n}	{n}
Total	{n}	{n}	{n}	{n}	{n}

类别	严重	高	中	低	总计
安全	{n}	{n}	{n}	{n}	{n}
性能	{n}	{n}	{n}	{n}	{n}
可访问性	{n}	{n}	{n}	{n}	{n}
依赖	{n}	{n}	{n}	{n}	{n}
代码质量	{n}	{n}	{n}	{n}	{n}
总计	{n}	{n}	{n}	{n}	{n}

Top 10 Priority Items

十大优先事项

{numbered list with severity badge, title, category, and one-line description}

{带严重程度徽章、标题、类别和一句话描述的编号列表}

Positive Observations

积极观察

{what the codebase does well}

{代码库做得好的地方}

Recommended Action Plan

Detailed Findings by Category

按类别划分的详细发现

Security Audit

安全审计

{full content from 01-security-audit.md, with deduplication notes}

{01-security-audit.md的完整内容，带去重注释}

Performance Audit

性能审计

{full content from 02-performance-audit.md, with deduplication notes}

{02-performance-audit.md的完整内容，带去重注释}

Accessibility Audit

可访问性审计

{full content from 03-accessibility-audit.md, or "Not Applicable" note}

{03-accessibility-audit.md的完整内容，或“不适用”注释}

Dependency Audit

依赖审计

{full content from 04-dependency-audit.md, or "Not Applicable" note}

{04-dependency-audit.md的完整内容，或“不适用”注释}

Code Quality Audit

代码质量审计

{full content from 05-code-quality-audit.md, with deduplication notes}

{05-code-quality-audit.md的完整内容，带去重注释}

Repository Overview

代码库概览

{content from 00-reconnaissance.md}

{00-reconnaissance.md的内容}

Audit Metadata

审计元数据

Configuration

配置

Agents deployed: {count}
Audit modules: {list of active modules}
WCAG standard: 2.1 Level AA
Severity rubric: 4-tier (Critical/High/Medium/Low)

已部署Agent数：{数量}
审计模块：{已激活模块列表}
WCAG标准：2.1 AA级
严重程度标准：4级（严重/高/中/低）

Methodology

方法

This audit was conducted through static analysis of the source code by specialized AI agents running in parallel. Each agent independently reviewed the codebase against a comprehensive checklist specific to its domain. Findings were then compiled, deduplicated, and severity-rated by the Commander agent.

本次审计由专业AI Agent并行对源代码进行静态分析完成。每个Agent独立对照其领域的全面清单审查代码库。然后由指挥官Agent编译发现结果、去重并进行严重程度评级。

Limitations

限制

This is a static analysis audit. Runtime behavior, actual performance metrics, and real-user accessibility testing are not covered.
Dependency vulnerability data is current as of the audit date. New CVEs may be disclosed after this report.
Code paths that require specific runtime conditions or environment variables to reach may not be fully analyzed.
This audit does not replace professional penetration testing, performance load testing, or accessibility testing with assistive technology users.

这是静态分析审计，不涵盖运行时行为、实际性能指标和真实用户可访问性测试。
依赖漏洞数据截至审计日期，审计后可能会披露新的CVE。
需要特定运行时条件或环境变量才能触发的代码路径可能未被全面分析。
本次审计不能替代专业渗透测试、性能负载测试或使用辅助技术用户进行的可访问性测试。

Files

文件

Reconnaissance: audit-workspace/00-reconnaissance.md
Security audit: audit-workspace/01-security-audit.md
Performance audit: audit-workspace/02-performance-audit.md
Accessibility audit: audit-workspace/03-accessibility-audit.md
Dependency audit: audit-workspace/04-dependency-audit.md
Code quality audit: audit-workspace/05-code-quality-audit.md
This report: overnight-audit-report.md

undefined

侦察报告：audit-workspace/00-reconnaissance.md
安全审计：audit-workspace/01-security-audit.md
性能审计：audit-workspace/02-performance-audit.md
可访问性审计：audit-workspace/03-accessibility-audit.md
依赖审计：audit-workspace/04-dependency-audit.md
代码质量审计：audit-workspace/05-code-quality-audit.md
本报告：overnight-audit-report.md

undefined

Step 3.5: Final Summary to User

步骤3.5：向用户发送最终摘要

After writing the report, output a brief completion message:

Overnight audit complete.

Report: overnight-audit-report.md
Individual reports: audit-workspace/

Summary:
- Overall health: {grade}
- Total findings: {n} ({critical} critical, {high} high, {medium} medium, {low} low)
- Top priority: {title of #1 finding}

The full report with all findings, evidence, and recommendations is in overnight-audit-report.md.

写入报告后，输出简短的完成消息：

夜间审计已完成。

报告：overnight-audit-report.md
独立报告：audit-workspace/

摘要：
- 总体健康状况：{评级}
- 总发现数：{n}（{critical}个严重，{high}个高优先级，{medium}个中优先级，{low}个低优先级）
- 最高优先级：{#1发现的标题}

包含所有发现、证据和建议的完整报告在overnight-audit-report.md中。

Error Handling

错误处理

This skill is designed for autonomous execution. Errors must be handled without user interaction.

该工具专为自主执行设计，错误处理无需用户交互。

Agent Failure

Agent失败

If an audit agent fails to complete or returns an error:

Retry once: Re-deploy the agent with the same brief
If retry fails: Write a partial report noting the failure
Continue with other agents: Never let one agent's failure block the others
Document in final report: Note which agents failed and what coverage was lost

如果审计Agent未完成或返回错误：

重试一次：使用相同指令重新部署Agent
如果重试失败：写入部分报告并注明失败情况
继续其他Agent：绝不因一个Agent失败而阻塞其他Agent
在最终报告中记录：注明哪些Agent失败以及丢失的覆盖范围

File Access Errors

文件访问错误

If a file cannot be read (permissions, binary file, etc.):

Skip the file
Log it in the agent's "Methodology Notes" section
Continue with remaining files

如果无法读取文件（权限、二进制文件等）：

跳过该文件
在Agent的“方法说明”部分记录
继续处理剩余文件

Timeout Management

超时管理

The 14.5-hour window is generous, but for very large codebases:

Each agent should prioritize high-risk files first (auth, payments, data handling, public endpoints)
If an agent detects it has reviewed >2000 files, it should note that a sampling strategy was used for lower-risk files
The Commander should monitor agent completion and compile partial results if the window is closing

14.5小时的窗口足够宽裕，但对于超大型代码库：

每个Agent应优先处理高风险文件（认证、支付、数据处理、公共端点）
如果Agent检测到已审查>2000个文件，应注明对低风险文件使用了抽样策略
指挥官应监控Agent完成情况，若窗口即将关闭则编译部分结果

Disk Space

磁盘空间

All reports are markdown text files. Total output is typically under 1MB even for large audits. If the audit-workspace directory already exists from a previous run, the new audit will overwrite it.

所有报告均为Markdown文本文件，即使大型审计总输出通常也在1MB以下。如果audit-workspace目录已存在（来自之前的运行），新审计将覆盖它。

Scaling Behavior

扩展行为

Codebase Size	Estimated Duration	Agent Strategy
< 10K lines	15-30 minutes	All 5 agents, single pass each
10K - 50K lines	30-90 minutes	All 5 agents, thorough pass
50K - 200K lines	1-4 hours	All 5 agents, may need sub-agents for Security and Code Quality
200K - 500K lines	4-8 hours	All agents spawn 2-3 sub-agents each to parallelize file review
500K+ lines	8-14 hours	Full sub-agent deployment with file-batch assignments per sub-agent

For codebases over 200K lines, each audit agent should spawn sub-agents to parallelize:

Security Agent
 |-- Sub-agent: Auth & Sessions (auth/, middleware/, login/*)
 |-- Sub-agent: Data Handling (models/, schemas/, migrations/*)
 |-- Sub-agent: API Surface (routes/, controllers/, handlers/*)
 |-- Sub-agent: Infrastructure (Dockerfile, CI/CD, configs)

The agent briefs above instruct agents to self-organize sub-agent deployment based on the repository size discovered during their audit.

代码库大小	估算时长	Agent策略
< 1万行	15-30分钟	所有5个Agent，各单次遍历
1万 - 5万行	30-90分钟	所有5个Agent，全面遍历
5万 - 20万行	1-4小时	所有5个Agent，安全和代码质量可能需要子Agent
20万 - 50万行	4-8小时	所有Agent各生成2-3个子Agent并行处理文件
50万+行	8-14小时	完全部署子Agent，按文件批次分配给子Agent

对于20万行以上的代码库，每个审计Agent应生成子Agent并行处理：

安全Agent
 |-- 子Agent：认证与会话（auth/、middleware/、login/*）
 |-- 子Agent：数据处理（models/、schemas/、migrations/*）
 |-- 子Agent：API表面（routes/、controllers/、handlers/*）
 |-- 子Agent：基础设施（Dockerfile、CI/CD、configs）

上述Agent指令指导Agent根据侦察阶段发现的代码库大小自行组织子Agent部署。

Invocation Examples

调用示例

Basic Usage

基本用法

User: "Run an overnight audit on this repo"

The skill runs the full protocol: recon, deploy 5 parallel agents, compile report.

用户：“对这个代码库运行夜间审计”

工具运行完整流程：侦察、部署5个并行Agent、编译报告。

Targeted Audit

定向审计

User: "Run an overnight audit, but focus on security and dependencies only"

The Commander deploys only the Security and Dependency agents (skipping Performance, Accessibility, and Code Quality). The final report only includes those two sections.

用户：“运行夜间审计，但仅关注安全和依赖”

指挥官仅部署安全和依赖Agent（跳过性能、可访问性和代码质量），最终报告仅包含这两个部分。

Repeat Audit

重复审计

User: "Re-run the overnight audit, the code has changed since last time"

The skill overwrites the previous audit-workspace directory and overnight-audit-report.md with fresh results. Previous results are not preserved (the user should commit or copy them first if needed).

用户：“重新运行夜间审计，代码自上次以来已变更”

工具覆盖之前的audit-workspace目录和overnight-audit-report.md，生成新结果。之前的结果不会保留（用户需提前提交或复制）。

Important Notes

重要说明

This skill does NOT modify any source code. It is read-only. The only files it creates are in the
```
audit-workspace/
```
directory and the
```
overnight-audit-report.md
```
file.
This skill does NOT run tests, build the project, or execute any project code. It performs static analysis only.
Exception: the Dependency Auditor may run
```
npm audit
```
,
```
pip audit
```
, or similar package manager audit commands, which are read-only operations that query vulnerability databases.
If the repository contains sensitive code (proprietary algorithms, security infrastructure), the audit reports will contain descriptions of that code. Treat the reports with the same sensitivity as the source code itself.
The
```
audit-workspace/
```
directory should be added to
```
.gitignore
```
to prevent accidentally committing audit reports. The skill will suggest this if
```
.gitignore
```
exists but does not include the directory.

该工具不会修改任何源代码，仅为只读操作。它创建的唯一文件位于
```
audit-workspace/
```
目录和
```
overnight-audit-report.md
```
文件中。
该工具不会运行测试、构建项目或执行任何项目代码，仅执行静态分析。
例外：依赖审计员可能会运行
```
npm audit
```
、
```
pip audit
```
或类似的包管理器审计命令，这些是查询漏洞数据库的只读操作。
如果代码库包含敏感代码（专有算法、安全基础设施），审计报告将包含该代码的描述。请像对待源代码一样对待报告。
```
audit-workspace/
```
目录应添加到
```
.gitignore
```
中，防止意外提交审计报告。如果
```
.gitignore
```
存在但未包含该目录，工具会建议添加。",