Agent skill

code-audit

Audits the entire codebase for bugs, security vulnerabilities, CLAUDE.md violations, dead code, duplicate code, and test quality issues. Use when asked to "audit code", "find bugs", "review codebase", "check for security issues", or "find dead code". Writes prioritized findings to TODO.md without suggesting fixes.

Stars 163
Forks 31

Install this agent skill to your Project

npx add-skill https://github.com/majiayu000/claude-skill-registry/tree/main/skills/data/code-audit

SKILL.md

Perform a comprehensive code audit and write findings to TODO.md.

Pre-flight

  1. Read CLAUDE.md - Load project rules to audit against
  2. Read TODO.md - Preserve existing items (will be renumbered)

Audit Process

Copy this checklist and track progress:

Audit Progress:
- [ ] Step 1: Explore codebase systematically
- [ ] Step 2: Check CLAUDE.md compliance
- [ ] Step 3: Collect and categorize findings
- [ ] Step 4: Write TODO.md with priority ordering

Step 1: Systematic Exploration

Use the Task tool with subagent_type=Explore to examine each area. If $ARGUMENTS specifies a focus area, prioritize that area.

Areas to examine:

  • src/services/ - Core services
  • src/processing/ - Processing pipeline
  • src/routes/ - API routes
  • src/gemini/ - Gemini integration
  • src/utils/ - Utilities
  • src/bank/ - Bank logic
  • src/**/*.test.ts - Tests

For each area, look for:

  • Logic errors, null handling, race conditions
  • Security vulnerabilities (injection, missing auth, exposed secrets)
  • Unhandled edge cases and boundary conditions
  • Dead or duplicate code
  • Test quality issues (no assertions, always-pass, duplicates)

Step 2: CLAUDE.md Compliance

Check project-specific rules. See references/compliance-checklist.md for the complete list.

Step 3: Categorize Findings

| Tag | Description | Priority |
|---|---|---|
| [security] | Injection, exposed secrets, missing auth | Critical |
| [bug] | Logic errors, data corruption | Critical/High |
| [edge-case] | Unhandled scenarios | Medium |
| [convention] | CLAUDE.md violations | Medium |
| [type] | Unsafe casts, missing guards | Medium |
| [dead-code] | Unused functions, unreachable code | Low |
| [duplicate] | Repeated logic | Low |
| [test] | Useless/duplicate tests | Low |
| [practice] | Anti-patterns | Low |

For each issue, document:

  • File path and approximate location
  • Clear problem description
  • Category tag

Do NOT document solutions. Identify problems only.

Step 4: Write TODO.md

Handle Existing Items:

  1. If TODO.md already has items, extract them first
  2. Reformat each existing item to follow ## item #N [tag] format
    • If item lacks a tag, infer appropriate tag from content
    • If item is a simple bullet, convert to proper format
  3. Keep existing items in their original order

Write Final TODO.md:

```markdown
# TODO

## item #1 [tag]
First existing item (reformatted if needed)

## item #2 [tag]
Second existing item (reformatted if needed)

---

# Code Audit Findings

## item #3 [security]
Description of the security issue.

## item #4 [bug]
Description of the bug.

## item #5 [convention]
Description of the CLAUDE.md violation.
```

Rules:

  • Each item: ## item #N [tag]
  • Content: Simple paragraph explaining the problem
  • NO solutions
  • Existing items stay at top in original order (items #1-N)
  • Separator line (---) between existing and new items
  • New audit findings below separator, ordered by priority (items #N+1 onwards)
  • All items numbered sequentially
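The Step 4 merge (preserve existing items, normalize their format, add a separator, append findings by the Step 3 priority, renumber everything) is mechanical enough to script. The following is an added example, not the skill's own code: it parses an existing TODO.md that mixes `## item #N [tag]` blocks with plain bullets, infers a tag for untagged bullets, and writes the final file in the layout shown above. The keyword rules used for tag inference and the fallback tag `practice` are this example's assumptions; the sample TODO.md and findings are constructed.

```python
# Added example (not the skill's own code): merges existing TODO.md items with
# new audit findings by the Step 4 rules, ordering new findings with the
# Step 3 priority table. The tag-inference keywords and the fallback tag
# "practice" are assumptions of this example; the sample TODO.md and findings
# are constructed.
import re

# Step 3 table: lower number sorts earlier (Critical < High < Medium < Low).
PRIORITY = {
    "security": 0, "bug": 1,
    "edge-case": 2, "convention": 2, "type": 2,
    "dead-code": 3, "duplicate": 3, "test": 3, "practice": 3,
}

# Hypothetical keyword rules for untagged existing items (first match wins).
KEYWORD_TAGS = [
    ("security", ("secret", "auth", "injection", "token")),
    ("bug", ("crash", "bug", "wrong", "null")),
    ("test", ("test",)),
    ("dead-code", ("unused", "unreachable")),
]
FALLBACK_TAG = "practice"

ITEM_HEADER = re.compile(r"^## item #\d+ \[([a-z-]+)\]\s*$")


def infer_tag(text: str) -> str:
    lowered = text.lower()
    for tag, words in KEYWORD_TAGS:
        if any(w in lowered for w in words):
            return tag
    return FALLBACK_TAG


def parse_existing(todo_md: str) -> list[tuple[str, str]]:
    """Return (tag, text) per existing item, in original order.
    Accepts `## item #N [tag]` blocks and plain `- ` / `* ` bullets."""
    items: list[tuple[str, str]] = []
    tag, body = None, []

    def flush():
        nonlocal tag, body
        if tag is not None:
            items.append((tag, " ".join(body)))
        tag, body = None, []

    for line in todo_md.splitlines():
        header = ITEM_HEADER.match(line)
        if header:
            flush()
            tag = header.group(1)
        elif line.startswith(("- ", "* ")):
            flush()
            text = line[2:].strip()
            items.append((infer_tag(text), text))
        elif line.startswith("#") or line.strip() == "---":
            flush()
        elif tag is not None and line.strip():
            body.append(line.strip())
    flush()
    return items


def merge_todo(todo_md: str, findings: list[tuple[str, str]]) -> str:
    """Write the final TODO.md: existing items first, a --- separator, then
    audit findings sorted by priority (stable), all numbered sequentially."""
    out = ["# TODO", ""]
    n = 0
    for tag, text in parse_existing(todo_md):
        n += 1
        out += [f"## item #{n} [{tag}]", text, ""]
    out += ["---", "", "# Code Audit Findings", ""]
    for tag, problem in sorted(findings, key=lambda f: PRIORITY.get(f[0], 4)):
        n += 1
        out += [f"## item #{n} [{tag}]", problem, ""]
    return "\n".join(out)


# Constructed sample: one already-formatted item and one bare bullet.
SAMPLE_TODO = """# TODO

## item #1 [convention]
Route handlers in src/routes/ use console.log instead of the project logger.

- Unused helper in src/utils/format.ts
"""

# Constructed findings in the order the audit happened to collect them.
SAMPLE_FINDINGS = [
    ("test", "src/bank/transfer.test.ts: 'rejects negative amounts' has no assertions."),
    ("security", "src/routes/admin.ts: the DELETE /users/:id handler has no auth check."),
    ("bug", "src/processing/batch.ts: a null queue item crashes the worker."),
]

if __name__ == "__main__":
    print(merge_todo(SAMPLE_TODO, SAMPLE_FINDINGS))
```

The sort is stable, so findings with equal priority keep the order in which they were collected, and an unknown tag sorts last rather than failing the run. Inference only ever assigns a tag to an untagged bullet; items that already carry a tag keep it.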

Rules

  • Analysis only - Do NOT modify source code
  • No solutions - Document problems, not fixes
  • Be thorough - Check every file in scope
  • Be specific - Include file paths
  • No time wasting - Don't analyze how to fix

Termination

Output this message and STOP:

✓ Code audit complete. Findings written to TODO.md.

Found N issues:
- X critical/high priority
- Y medium priority
- Z low priority

Next step: Review TODO.md and use `plan-todo` to create implementation plans.

Do not ask follow-up questions. Do not offer to fix issues.
