DoseTap — Master Audit Skill

Audit Architecture

The audit uses seven sequential phases. Each phase has a dedicated reference file with detailed instructions. Phases MUST execute in order — each has stop conditions that gate the next.

Phase 0 ─ Security Secrets Sweep        → references/security-audit.md (Phase 1 only)
   │       Stop-the-bleeding. Rotate if creds found.
   ▼
Phase 1 ─ Repo Hygiene + Atlas          → references/repo-hygiene-atlas.md
   │       Canonical inventory. No destructive changes.
   ▼
Phase 2 ─ Universal Repo Audit          → references/universal-audit.md
   │       Correctness vs SSOT. Ghosts and zombies.
   ▼
Phase 3 ─ Full Security Audit           → references/security-audit.md (Phases 2–5)
   │       Deps, entitlements, runtime, CI security.
   ▼
Phase 4 ─ CI/CD Automator Audit         → references/cicd-audit.md
   │       Pipeline gaps, pre-commit, branch protection.
   ▼
Phase 5 ─ DX / Productivity Audit       → references/dx-productivity.md
   │       Clone-to-test time, friction log, onboarding.
   ▼
Phase 6 ─ Strategy / Tech Debt          → references/strategy-tech-debt.md
           Quantified Top-20 backlog with ROI framing.

Output Artifacts

Create docs/audit/YYYY-MM-DD/ (today's date) and maintain:

Phase Execution

Phase 0 — Security Secrets Sweep

Goal: Determine if the repo has ever leaked credentials. This gates everything.

Read: references/security-audit.md Phase 1 section.

1. Record environment in 00_run_context.md: branch, git status --short, tool versions, scope.
2. Scan git history for secrets:
   • Preferred: gitleaks detect --source . --verbose --report-format json
   • Fallback: git log --all -p | grep -nE '(whoopClient(ID|Secret)|api[_-]?key|-----BEGIN.*PRIVATE|password\s*=\s*"[^"]+")' | head -100
3. Verify .gitignore covers: Secrets.swift, *.p12, *.pem, *.key, .env*
4. Check for committed build artifacts: git ls-files | grep -E '\.(ipa|app|dSYM|xcarchive|p12|pem|key|mobileprovision)$'
5. STOP: If P0 secret found → write Containment Plan (rotate, rewrite history, invalidate tokens). If clean → proceed.

Phase 1 — Repo Hygiene + Build Graph + Atlas

Goal: Build canonical inventory for all subsequent phases.

Read: references/repo-hygiene-atlas.md for detailed instructions.

1. Verify baseline: swift build -q, swift test -q (525+ tests), bash tools/ssot_check.sh
2. Traverse file tree (depth 4), document every directory.
3. Build Inclusion Map: parse Package.swift (24 core, 30 test files) + project.pbxproj compile sources.
4. Flag ghosts (files in no build target) and duplicates.
5. Generate ASCII Architecture Atlas.
6. Produce DRY_RUN cleanup script (do NOT execute).
7. STOP: Builds pass, inclusion map complete, atlas generated.

Phase 2 — Universal Repo Audit

Goal: Deep semantic audit — prove timing invariants, find ghosts/zombies.

Read: references/universal-audit.md for detailed instructions.

1. Read governance docs (constitution, SSOT, architecture, copilot instructions).
2. Read all ios/Core/ files — verify domain logic against SSOT.
3. Verify invariants: dose window 150–240m, default target 165m, rollover 6 PM, snooze rules, undo window 5s.
4. Identify ghosts (SSOT says yes, code says no) and zombies (code exists, SSOT ignores).
5. Check architecture: state leaks, notification consistency, channel parity, race conditions, time injection.
6. STOP: All P0/P1 issues have reproduction conditions, call-path breadcrumbs, proposed fix, verification test.

Phase 3 — Full Security Audit

Goal: Complete security posture (deps, entitlements, privacy, runtime, CI).

Read: references/security-audit.md Phases 2–5.

1. Dependency audit: Package.resolved versions, licenses, CVEs, staleness. Flag missing dependabot.yml.
2. Entitlements vs code: .entitlements files vs actual usage (HealthKit, iCloud, critical alerts, background).
3. Privacy manifest: check PrivacyInfo.xcprivacy. Data at rest: SQLite encryption, Keychain vs UserDefaults.
4. Data in transit: cert pinning, no http:// URLs. Logging: no print(), os.Logger privacy annotations.
5. CI security: actions pinned to SHA?, secrets scoped?, no pull_request_target?
6. STOP: Every HIGH/CRITICAL security item has a concrete fix plan and verification step.

Phase 4 — CI/CD Automator Audit

Goal: Identify pipeline gaps and propose hardening.

Read: references/cicd-audit.md for detailed instructions.

1. Read all CI workflows line by line (ci.yml, ci-swift.yml, ci-docs.yml).
2. Map triggers, job dependencies, coverage matrix.
3. Audit pre-commit hook, PR template, branch protection.
4. Version pinning: Swift, Xcode, runner OS, GitHub Actions, SwiftPM deps.
5. Trace the full release path.
6. STOP: CI gaps converted into concrete workflow patches and branch protection recommendations.

Phase 5 — DX / Productivity Audit

Goal: Minimize "clone to first passing test" time.

Read: references/dx-productivity.md for detailed instructions.

1. Simulate fresh clone test (or static analysis if tooling limited).
2. Grade documentation: README, TESTING_GUIDE, architecture, copilot instructions.
3. Check one-command setup (Makefile, justfile, setup.sh) — propose if missing.
4. Build friction log with proposed fixes.
5. Produce onboarding scorecard.
6. STOP: "One command setup" proposal exists. Friction log complete.

Phase 6 — Strategy / Tech Debt Synthesis

Goal: Quantify, rank, produce decision-ready backlog from the findings ledger.

Read: references/strategy-tech-debt.md for detailed instructions.

1. Scan for complexity debt (files >500 LOC, god objects, coupling).
2. Aggregate all findings from ledger. Assign fix cost, carrying cost, interest rate, ROI.
3. Produce ranked Top-20 backlog with sprint targets.
4. Propose GitHub labels, issue templates, 20% rule cadence.
5. Write executive summary.
6. STOP: Top-20 backlog with ROI framing exists. Executive summary links to all phase reports.

Executive Summary (Final Output)

After all phases, produce executive_summary.md:

1. Overall Health: 🟢 Good / 🟡 Fair / 🔴 Poor
2. Audit Scope: Branch, date, tool versions
3. Key Metrics: Findings by severity, test count, LOC
4. Top 3 Risks: Business-impact framing (non-technical)
5. Top 10 Actions: Ordered by ROI with effort estimates
6. Limitations: What could not be verified
7. Links: To each phase report

Logging Discipline

Every phase report MUST contain:

1. Environment & Preconditions
2. Command Log — every command and key output
3. Files Read — list of files actually scanned
4. Findings Added — AUD-### IDs added to ledger
5. Stop Condition Verification — explicit pass/fail

Key Repository Context

• Build: swift build -q (SwiftPM), xcodebuild (Xcode app)
• Test: swift test -q (525+ DoseCore tests), Xcode simulator tests (11 test files)
• SSOT check: bash tools/ssot_check.sh
• CI watch: bash tools/ci_watch.sh (live progress monitor)
• Core files: ios/Core/ (24 files) — platform-free dose logic
• App files: ios/DoseTap/ — SwiftUI app layer
• Test files: Tests/DoseCoreTests/ (30 files), ios/DoseTapTests/ (11 files)
• SSOT: docs/SSOT/README.md, docs/SSOT/constants.json
• Constitution: .specify/memory/constitution.md
• Version: 0.3.2 (alpha)

Begin

Start with Phase 0. Record the environment. Execute the secrets sweep. Show your work.