feat: add AI readiness audit plugin with marketplace distribution (#101)

* feat: restructure awos-audit as Claude Code plugin with marketplace

Set up this repo as a plugin marketplace and restructure the audit skill
into a proper Claude Code plugin with:
- Orchestrator skill (/awos:audit) that auto-discovers dimensions and
  coordinates phased parallel execution via the dimension-auditor agent
- Generic dimension-auditor agent that runs each dimension in its own
  context window for thorough analysis
- Marketplace manifest at repo root for plugin distribution
- Preserved auto-discovery: drop a .md in dimensions/ to extend

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* chore: apply best practices to plugin manifest and agent

- Add Write tool to dimension-auditor agent (needed for artifact files)
- Improve agent description with explicit delegation trigger phrase
- Add license, keywords, and explicit component paths to plugin.json

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: remove invalid skills/agents fields from plugin manifest

These fields are not recognized by the plugin schema validator and
cause installation failure. Auto-discovery handles standard directory
names (skills/, agents/) without explicit declaration.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(audit): skip SEC-03 env template check when no env vars are used

SEC-03 was unconditionally failing for modules that don't use
environment variables. Now detects env var usage patterns first
(process.env, os.environ, dotenv, docker-compose env_file, etc.)
and skips the check when none are found.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(audit): make SEC-05 gitignore check stack-aware

Instead of checking a hardcoded list of file extensions, SEC-05 now
infers relevant sensitive file types from the project's topology.
Only flags missing patterns for file types that apply to the detected
stack (e.g., *.jks only for Java, service-account*.json only for GCP).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(audit): make DOC-03 API docs check proportional to API surface

DOC-03 now assesses API volume and exposure before requiring OpenAPI
specs. Small closed APIs (co-located server+client, few endpoints)
are skipped. Large public APIs still require formal documentation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* refactor(audit): rework CLAUDE.md checks as ecosystem-level assessment

- AI-01: now evaluates the combined CLAUDE.md ecosystem (root + service
  + rules), not individual files. Criteria weight what's missing —
  FAIL for missing fundamentals, WARN for minor gaps.
- AI-02 (old service-level existence check): removed, absorbed into AI-01
- Renumber AI-03..AI-08 to AI-02..AI-07
- AI-06: auto-pass when AWOS is detected in the project
- AI-07 (old AI-08): reworked from "not bloated" to "meaningful" with
  200-line limit per official docs, key test, structure/duplication checks

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat(audit): add AI-08 agent feedback loop check

New check verifies whether Claude Code has the tools to run and
observe the application — browser MCP for web UIs, local invoke
for serverless, dry-run for infra, etc. API/CLI/library auto-pass
since Bash is built-in. Also refines AI-01 WARN/FAIL criteria to
weight what's missing (fundamentals vs minor gaps).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* refactor(audit): rewrite SDD dimension as AWOS-specific checks

Replace 7 generic SDD checks with 7 AWOS-focused checks:
- SDD-01: AWOS installation gatekeeper (all others SKIP if not installed)
- SDD-02: Product context completeness (product-definition, roadmap, architecture)
- SDD-03: Architecture doc vs codebase drift detection
- SDD-04: Feature branches correlate with spec activity
- SDD-05: Spec directory triad completeness
- SDD-06: Stale/abandoned spec detection
- SDD-07: Meaningful agent assignments in tasks

Also update E2E-03 to reference new SDD-04 check ID.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* refactor(audit): remove redundant AI-06 workflow documentation check

AI-06 always auto-PASSed when AWOS was detected, making it redundant
with SDD-01 which already gates AWOS installation. Renumber AI-07/08.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(audit): handle plugin-provided MCP servers in AI-04 check

AI-04 now checks for enabledPlugins in settings.json as fallback when
no .mcp.json is found, since plugins may provide MCP servers that
cannot be verified from project files alone.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat(installer): register AWOS plugin marketplace in settings.json

Add a new installer step that registers the awos-marketplace in the
project's .claude/settings.json, so users can discover and install
AWOS plugins via `/plugin install` without manual marketplace setup.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat(audit): add context-aware next steps after audit report

Replace the HTML-only post-audit prompt with a unified "What's Next?"
step that detects project context (AWOS installed, roadmap exists) and
offers relevant options: HTML report, roadmap update/creation, or an
AWOS installation tip for non-AWOS projects.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* style: apply prettier formatting

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: kmakarychev-dev

.claude-plugin/marketplace.json

@@ -0,0 +1,18 @@
+{
+  "name": "awos-marketplace",
+  "owner": {
+    "name": "Provectus"
+  },
+  "metadata": {
+    "description": "AWOS plugins for AI-native development workflows",
+    "version": "1.0.0"
+  },
+  "plugins": [
+    {
+      "name": "awos",
+      "source": "./plugins/awos",
+      "description": "Comprehensive code quality audit framework with auto-discoverable dimensions",
+      "version": "1.0.0"
+    }
+  ]
+}

plugins/awos/.claude-plugin/plugin.json

@@ -0,0 +1,10 @@
+{
+  "name": "awos",
+  "version": "1.0.0",
+  "description": "AWOS code quality audit framework",
+  "author": {
+    "name": "Provectus"
+  },
+  "license": "MIT",
+  "keywords": ["audit", "code-quality", "dimensions"]
+}

plugins/awos/README.md

@@ -0,0 +1,134 @@
+# AWOS Audit Plugin
+
+Extensible, dimension-based code quality audit for Claude Code. Each dimension runs in its own context window for thorough analysis. Run `/awos:audit` and get a scored report with actionable recommendations.
+
+## Install
+
+From the AWOS marketplace:
+
+```bash
+claude plugin marketplace add <org>/awos
+claude plugin install awos
+```
+
+Or directly for local development:
+
+```bash
+claude --plugin-dir ./plugins/awos
+```
+
+## Usage
+
+Full audit across all dimensions:
+
+```
+/awos:audit
+```
+
+Single dimension:
+
+```
+/awos:audit security
+```
+
+## How It Works
+
+Each **dimension** is a self-contained `.md` file in `skills/audit/dimensions/` with YAML frontmatter declaring its dependencies. The orchestrator:
+
+1. Auto-discovers all dimension files and builds a dependency DAG
+2. Groups dimensions into execution phases
+3. Launches each dimension as a **separate agent** with its own context window (via the `dimension-auditor` agent)
+4. Within each phase, all dimensions run **in parallel**
+5. Compiles results into a scored report with an overall grade
+
+### Scoring
+
+Every check produces a status: **PASS**, **WARN**, **FAIL**, or **SKIP**. Deductions scale by severity:
+
+| Severity | Max Points | FAIL | WARN  |
+| -------- | ---------- | ---- | ----- |
+| critical | 3          | -3   | -1.5  |
+| high     | 2          | -2   | -1    |
+| medium   | 1          | -1   | -0.5  |
+| low      | 0.5        | -0.5 | -0.25 |
+
+Dimension scores average into an overall percentage mapped to a letter grade (A: 90-100, B: 75-89, C: 60-74, D: 40-59, F: 0-39).
+
+## Dimensions
+
+| Dimension                   | Severity | Dependencies     |
+| --------------------------- | -------- | ---------------- |
+| **Project Topology**        | medium   | —                |
+| **Security Guardrails**     | critical | project-topology |
+| **AI Development Tooling**  | high     | project-topology |
+| **Spec-Driven Development** | critical | project-topology |
+| **Documentation Quality**   | critical | project-topology |
+| **Code Architecture**       | high     | project-topology |
+| **Software Best Practices** | high     | project-topology |
+| **End-to-End Delivery**     | high     | all others       |
+
+**Project Topology** runs first as a reconnaissance phase — it detects the repo structure, languages, and layers so downstream dimensions can skip irrelevant checks.
+
+**End-to-End Delivery** runs last since it depends on every other dimension's results.
+
+## Outputs
+
+Each audit run writes to `context/audits/YYYY-MM-DD/`:
+
+```
+context/audits/YYYY-MM-DD/
+├── project-topology.md          # per-dimension artifact
+├── security.md
+├── ...
+├── report.md                    # full audit report
+├── recommendations.md           # prioritized action items
+└── report.html                  # standalone HTML report (optional)
+```
+
+When a previous audit exists, the report includes score deltas per dimension.
+
+## Plugin Structure
+
+```
+plugins/awos/
+├── .claude-plugin/
+│   └── plugin.json              # plugin manifest
+├── skills/
+│   └── audit/
+│       ├── SKILL.md             # orchestrator skill
+│       ├── dimensions/          # auto-discovered dimension files
+│       ├── scoring.md           # scoring algorithm
+│       ├── output-format.md     # artifact format spec
+│       └── report-template.md   # HTML report spec
+├── agents/
+│   └── dimension-auditor.md     # generic agent for any dimension
+└── README.md
+```
+
+## Extending
+
+Add a new dimension by dropping a `.md` file into `skills/audit/dimensions/`. No other changes needed — the orchestrator auto-discovers it.
+
+```markdown
+---
+name: my-dimension
+title: My Dimension
+description: What this dimension measures
+severity: high
+depends-on: [project-topology]
+---
+
+# My Dimension
+
+## Checks
+
+### CHECK-01: Descriptive check name
+
+- **What:** What to verify
+- **How:** Commands or instructions to evaluate
+- **Pass:** Criteria for PASS
+- **Fail:** Criteria for FAIL
+- **Severity:** critical | high | medium | low
+```
+
+See `skills/audit/SKILL.md` for the full frontmatter schema.

plugins/awos/agents/dimension-auditor.md

@@ -0,0 +1,51 @@
+---
+name: dimension-auditor
+description: >-
+  Audits a codebase against a specific quality dimension. Receives dimension
+  checks, output format, and optionally a topology summary via the task prompt.
+  Produces a structured per-dimension artifact with check results, evidence,
+  and scores. Use when executing individual dimension audits as part of the
+  /awos:audit workflow or when a single audit dimension needs to run in its
+  own context window.
+tools: Read, Write, Grep, Glob, Bash
+---
+
+You are a code quality auditor running a single audit dimension.
+
+## Input
+
+You will receive via the task prompt:
+
+1. **Dimension content** — the full markdown file for one dimension, including check definitions with What/How/Pass/Fail/Warn/Skip-When/Severity fields
+2. **Output format** — the per-dimension artifact format specification
+3. **Output path** — where to write the artifact (e.g. `context/audits/2025-01-15/security.md`)
+4. **Topology summary** (optional) — structured output from the project-topology dimension, provided when this dimension depends on topology results
+
+## Execution
+
+For each check in the dimension:
+
+1. Read the **How** instructions carefully — they describe exactly what to look for (glob patterns, grep searches, file reads)
+2. If the check has a **Skip-When** condition, evaluate it first. If the condition is met, mark the check as SKIP
+3. Execute the investigation steps described in **How**
+4. Compare your findings against the **Pass**, **Fail**, and **Warn** criteria
+5. Record the status: PASS, WARN, FAIL, or SKIP
+6. Collect concrete evidence: file paths, line numbers, counts, relevant snippets
+
+## Rules
+
+- Follow **How** instructions literally — use the exact glob patterns, grep searches, and file reads specified
+- Never invent evidence. If you cannot find what a check looks for, that is a finding (likely FAIL or WARN)
+- Keep evidence concise: one line per check, with specific file paths or counts
+- If a check references the topology summary and none was provided, mark it SKIP
+- Do not modify any project files — this is a read-only audit
+
+## Output
+
+Write the per-dimension artifact to the specified output path using the provided output format. The artifact must include:
+
+- Dimension title, date, score, and grade
+- Results table with columns: #, Check, Severity, Status, Evidence
+- Any dimension-specific summary data (e.g. topology summary for downstream consumption)
+
+Compute the dimension score using the scoring rules provided in the task prompt.

plugins/awos/skills/audit/SKILL.md

@@ -0,0 +1,146 @@
+---
+name: audit
+description: >-
+  Run a comprehensive code quality audit across extensible dimensions. Use when
+  asked to "audit the code", "run a code audit", "check code quality", "audit
+  this project", or when the /awos:audit command is invoked. Discovers dimension
+  files automatically — drop a new .md in dimensions/ to extend. Each dimension
+  runs in its own context window for thorough analysis.
+disable-model-invocation: true
+argument-hint: '[dimension-name] or blank for full audit'
+---
+
+# Code Audit — Orchestrator
+
+You are the audit orchestrator. Your job is to coordinate dimension-specific auditors, each running in their own context window, and compile results into a final report.
+
+## Step 1 — Discover Dimensions
+
+1. Read all `*.md` files from the `dimensions/` directory (relative to this SKILL.md)
+2. Parse YAML frontmatter from each file to extract: `name`, `title`, `severity`, `depends-on`
+3. If `$ARGUMENTS` is provided and non-empty, filter to only the dimension whose `name` matches `$ARGUMENTS`. If no match, list available dimensions and stop.
+
+## Step 2 — Build Dependency DAG
+
+1. Build a dependency graph from the `depends-on` fields
+2. Group dimensions into execution phases:
+   - **Phase 1:** Dimensions with no `depends-on` (roots of the DAG)
+   - **Phase N:** Dimensions whose `depends-on` are all completed in prior phases
+3. Phases are computed dynamically — adding or removing dimension files automatically updates the DAG
+
+## Step 3 — Prepare Artifacts Directory
+
+```
+context/audits/YYYY-MM-DD/
+```
+
+Create this directory. If it already exists, results will be overwritten.
+
+## Step 4 — Check for Previous Audit
+
+1. Scan `context/audits/` for previous audit directories (date-named folders other than today)
+2. If a previous audit exists, read its `report.md` to extract per-dimension scores for delta comparison later
+
+## Step 5 — Execute Dimensions
+
+For each execution phase, launch all dimensions in the phase **in parallel** using the Task tool with the `dimension-auditor` agent.
+
+For each dimension, provide the agent with:
+
+1. **The full dimension file content** (read from `dimensions/{name}.md`)
+2. **The output format** (read from `output-format.md` in this skill directory — the "Per-Dimension Artifact Format" section)
+3. **The scoring rules** (read from `scoring.md` in this skill directory)
+4. **The output path:** `context/audits/YYYY-MM-DD/{name}.md`
+5. **Topology summary** (for Phase 2+ dimensions): read from `context/audits/YYYY-MM-DD/project-topology.md` — the "Topology Summary" section written by the topology auditor
+
+Wait for all dimensions in a phase to complete before starting the next phase.
+
+### Important
+
+- Launch each dimension as a **separate Task** with `subagent_type: "dimension-auditor"` so each gets its own context window
+- Within a phase, launch all Tasks in a **single message** (parallel execution)
+- The dimension-auditor agent is read-only — it will not modify project files
+
+## Step 6 — Compile Report
+
+After all dimensions complete:
+
+1. Read all per-dimension artifacts from `context/audits/YYYY-MM-DD/`
+2. Compute the overall score: average of all dimension percentages (using the scoring algorithm from `scoring.md`)
+3. If a previous audit was found in Step 4, compute per-dimension deltas
+4. Compile the full report using the report template from `output-format.md`
+5. Write the report to `context/audits/YYYY-MM-DD/report.md`
+6. Write prioritized recommendations to `context/audits/YYYY-MM-DD/recommendations.md`
+7. Present the full report to the user
+
+## Step 7 — What's Next?
+
+After presenting the report, check the project context and offer next steps using `AskUserQuestion` with `multiSelect: true`.
+
+### Detect context
+
+- **AWOS installed:** `.awos/commands/` directory exists
+- **Roadmap exists:** `context/product/roadmap.md` file exists
+
+### Build options
+
+**Always include:**
+
+- "Generate HTML report" — create a standalone HTML version of the audit report
+
+**If AWOS installed + roadmap exists, also include:**
+
+- "Update roadmap with audit findings" — incorporate recommendations into the existing product roadmap
+
+**If AWOS installed + no roadmap, also include:**
+
+- "Create a roadmap informed by audit findings" — start a new roadmap using audit results as input
+
+**If AWOS is NOT installed**, append this note after the question:
+
+> Tip: install AWOS (`npx @provectusinc/awos`) — the best way to make your repo AI-friendly and act on these findings.
+
+### Execute selected options
+
+- **HTML report:** Read the HTML report specification from `report-template.md` in this skill directory. Generate `context/audits/YYYY-MM-DD/report.html` — a single self-contained HTML file (inline CSS, no external dependencies). Include: overall score/grade, per-dimension summary table, detailed checklists, recommendations, issue-only filter toggle.
+- **Roadmap (update or create):** Tell the user to run `/awos:roadmap` and reference the audit recommendations at `context/audits/YYYY-MM-DD/recommendations.md` as input.
+
+## Adding New Dimensions
+
+Drop a `.md` file in `dimensions/` with this structure:
+
+```markdown
+---
+name: my-dimension
+title: My Dimension
+description: What this dimension measures
+severity: high
+depends-on: [project-topology]
+---
+
+# My Dimension
+
+Brief description.
+
+## Checks
+
+### CHECK-01: Short name
+
+- **What:** What to verify
+- **How:** Glob/Grep/Read instructions to evaluate
+- **Pass:** Criteria for PASS
+- **Fail:** Criteria for FAIL
+- **Warn:** (optional) Partial compliance
+- **Skip-When:** (optional) Condition to auto-skip
+- **Severity:** critical | high | medium | low
+```
+
+### Frontmatter Fields
+
+| Field         | Required | Description                                                            |
+| ------------- | -------- | ---------------------------------------------------------------------- |
+| `name`        | yes      | Unique identifier, used for CLI filtering (`/awos:audit my-dimension`) |
+| `title`       | yes      | Human-readable display name                                            |
+| `description` | yes      | One-line purpose                                                       |
+| `severity`    | yes      | Default severity for all checks. Individual checks can override.       |
+| `depends-on`  | no       | Dimension `name`s that must complete first. Omit if no dependencies.   |