v1.0.0: Interactive codebase health audit — 8 dimensions, zero dependencies

- 8-dimension scoring: Architecture, Security, Performance,
  Maintainability, Testing, Documentation, Dependencies, Code Quality
- Interactive audit flow with contextual questions
- ASCII scorecard with severity breakdown
- Security scan: hardcoded secrets, SQL injection, XSS, auth gaps
- Performance flags: N+1 queries, memory leaks, blocking calls
- Tech debt detection: dead code, TODO density, god classes
- CI integration: GitHub Actions workflow generation
- Zero dependencies — runs as an AI agent skill

Author: aptratcn

.github/FUNDING.yml

@@ -0,0 +1 @@
+github: aptratcn

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 aptratcn
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,179 @@
+# Skill Code Audit — Interactive codebase health audit. 8 dimensions. Zero dependencies.
+
+```
+╔══════════════════════════════════════════════════════════════╗
+║                    CODEBASE HEALTH REPORT                    ║
+╠══════════════════════════════════════════════════════════════╣
+║  Project: my-awesome-app          Lines: 12,847              ║
+║  Language: TypeScript              Files: 247                 ║
+╠══════════════════════════════════════════════════════════════╣
+║                                                              ║
+║  OVERALL HEALTH: 72/100  ████████████░░░░  GOOD             ║
+║                                                              ║
+║  Architecture    78/100  ████████████░░░  GOOD               ║
+║  Security        45/100  ██████░░░░░░░░░░  NEEDS WORK        ║
+║  Performance     82/100  █████████████░░░  GOOD              ║
+║  Maintainability 65/100  █████████░░░░░░░  MODERATE          ║
+║  Testing         55/100  ████████░░░░░░░░  MODERATE          ║
+║  Documentation   90/100  ████████████████  EXCELLENT         ║
+║  Dependencies    70/100  ███████████░░░░░  GOOD              ║
+║  Code Quality    85/100  █████████████░░░  GOOD              ║
+║                                                              ║
+║  🔴 Critical: 2   🟠 High: 5   🟡 Medium: 12   🟢 Low: 23   ║
+╚══════════════════════════════════════════════════════════════╝
+```
+
+## Why This Exists
+
+Linters find syntax errors. This skill finds **architectural rot, security holes, performance traps, and tech debt** — the stuff that kills projects slowly.
+
+Code health isn't just "no lint errors." It's: *Can a new developer understand this code? Are we one dependency update from a security breach? Will this architecture survive the next feature request?*
+
+## Before → After
+
+### Before (what linters see)
+
+```
+✓ No syntax errors
+✓ All imports resolved
+✓ Prettier formatted
+→ "Looks good!" 🤷
+```
+
+### After (what Code Audit finds)
+
+```
+🔴 CRITICAL: Hardcoded Stripe key in config.ts:47
+🔴 CRITICAL: SQL injection in users.ts:123
+🟠 HIGH:     N+1 query in orders.ts:89 (10x slower under load)
+🟠 HIGH:     14 packages outdated, 3 with known CVEs
+🟡 MEDIUM:   God class UserService.ts (847 lines, 23 methods)
+🟡 MEDIUM:   No tests for payment module (handles money!)
+🟢 LOW:      47 TODOs across codebase, oldest from 2022
+```
+
+## Quick Start
+
+### 1. Install the skill
+
+```bash
+# Via ClawHub
+clawhub install skill-code-audit
+
+# Or clone directly
+git clone https://github.com/aptratcn/skill-code-audit.git
+```
+
+### 2. Run an audit
+
+Just tell your AI agent:
+
+```
+"audit this codebase"
+"health check my project"
+"find tech debt in src/"
+```
+
+### 3. Example output
+
+```
+🔍 Scanning project...
+
+📁 Detected: Node.js / TypeScript
+📊 247 source files, 45 test files, 12,847 LOC
+
+Quick questions before I dive deep:
+1. Production app or internal tool?
+2. Any specific concerns?
+3. Timeline for fixes?
+
+> Production app, security is top priority, sprint next week
+
+Got it. Security-first with sprint-ready action items.
+
+🚨 Found 2 critical security issues:
+   • Hardcoded API key in config.ts:47
+   • SQL injection in users.ts:123
+
+⚡ Top performance bottleneck:
+   • N+1 query in orders.ts — 10x overhead under load
+
+📊 Full scorecard generated. Overall: 72/100
+   Security needs immediate attention: 45/100
+
+Sprint-ready fixes (estimated 5h total):
+1. Move secrets to env vars (2h) — blocks deployment
+2. Parameterize SQL queries (1h) — data breach risk
+3. Batch order queries (1.5h) — 10x perf improvement
+4. Update vulnerable packages (0.5h) — 3 CVEs patched
+
+Create fix branch? → Yes → PR ready with all 4 fixes
+```
+
+## The 8 Dimensions
+
+| # | Dimension | Weight | What It Measures |
+|---|-----------|--------|-----------------|
+| 1 | **Architecture** | 15% | Pattern detection (MVC, microservices, monolith), coupling, cohesion, dependency direction |
+| 2 | **Security** | 20% | Hardcoded secrets, SQL injection, XSS, auth gaps, known CVEs |
+| 3 | **Performance** | 12% | N+1 queries, memory leaks, missing indexes, blocking calls |
+| 4 | **Maintainability** | 15% | Complexity metrics, dead code, TODO density, god classes |
+| 5 | **Testing** | 12% | Coverage gaps, test quality, missing critical tests |
+| 6 | **Documentation** | 8% | README quality, API docs, inline comments, ADRs |
+| 7 | **Dependencies** | 10% | Outdated packages, license conflicts, supply chain risks |
+| 8 | **Code Quality** | 8% | Naming, style consistency, error handling, code smells |
+
+### Scoring Criteria
+
+Each dimension scores 0-100:
+
+| Score | Rating | Meaning |
+|-------|--------|---------|
+| 90-100 | 🟢 EXCELLENT | Production-ready, no concerns |
+| 70-89 | 🟢 GOOD | Minor issues, low risk |
+| 50-69 | 🟡 MODERATE | Noticeable debt, plan remediation |
+| 30-49 | 🟠 NEEDS WORK | Significant issues, prioritize fixes |
+| 0-29 | 🔴 CRITICAL | Urgent action required |
+
+## Code Audit vs Linters
+
+| Feature | Linters (ESLint, etc.) | Code Audit |
+|---------|----------------------|------------|
+| Syntax errors | ✅ | ✅ |
+| Style violations | ✅ | ✅ |
+| Security vulnerabilities | ⚠️ (some rules) | ✅ Deep scan |
+| Architecture analysis | ❌ | ✅ Pattern detection |
+| Performance issues | ❌ | ✅ N+1, memory, blocking |
+| Tech debt quantification | ❌ | ✅ Scored & prioritized |
+| Interactive Q&A | ❌ | ✅ Contextual follow-ups |
+| Prioritized fix plan | ❌ | ✅ Impact-based ordering |
+| CI integration | ⚠️ (fail/pass) | ✅ Detailed report |
+
+**Think of it this way:** Linters are spell check. Code Audit is a full editorial review.
+
+## Interactive Features
+
+- **Ask questions** — The audit adapts to your project type and priorities
+- **Deep dive** — Focus on specific dimensions or modules
+- **Sprint-ready fixes** — Prioritized by impact, estimated by effort
+- **CI integration** — Generate GitHub Actions workflow for ongoing audits
+
+## Tech Stack Support
+
+Works with any codebase. Special detection for:
+
+- **JavaScript/TypeScript** — Node.js, React, Next.js, Vue, Express
+- **Python** — Django, Flask, FastAPI
+- **Go** — Standard layout, microservices
+- **Rust** — Cargo projects
+- **Java** — Spring Boot, Maven/Gradle
+- **Ruby** — Rails, Sinatra
+- **PHP** — Laravel, Symfony
+
+## License
+
+MIT License — use it however you want.
+
+---
+
+**Made for AI agents. By AI agents.** 🤖