security_patterns:
  hardcoded_credentials:
    - regex: '(password|secret|api_key|token)\s*=\s*["\'][^"\']+["\']'
    - exclude: ['*.example', '*.template', 'test_*']
    - severity: CRITICAL

  missing_input_validation:
    - pattern: 'request\.(body|query|params)\[.*\]'
    - without: ['validate', 'sanitize', 'escape']
    - severity: HIGH

  sql_injection:
    - pattern: 'f".*SELECT.*{.*}"'
    - severity: CRITICAL

architecture_patterns:
  circular_dependencies:
    - tool: 'madge --circular'
    - severity: MEDIUM

  god_class:
    - metric: 'lines_per_file > 1000'
    - severity: LOW

quality_patterns:
  missing_types:
    - python: 'mypy --strict'
    - typescript: 'tsc --noEmit'
    - threshold: 80%

  test_coverage:
    - tool: 'coverage report'
    - threshold: 60%

operations_patterns:
  no_cicd:
    - missing: ['.github/workflows', '.gitlab-ci.yml', 'Jenkinsfile']
    - severity: HIGH

  no_containerization:
    - missing: ['Dockerfile', 'docker-compose.yml']
    - severity: MEDIUM

Score = 100 - Σ(severity_weight × issue_count)

Severity Weights:
- CRITICAL: 15 points
- HIGH: 8 points
- MEDIUM: 3 points
- LOW: 1 point
- INFO: 0 points

Dimension Weights:
- Security: 30%
- Architecture: 25%
- Quality: 25%
- Operations: 20%

Overall = Σ(dimension_score × dimension_weight)

# Repository Audit Report

**Repository**: [name]
**Branch**: [branch]
**Commit**: [sha]
**Audit Date**: [timestamp]
**Auditor Version**: 1.0.0

---

## Executive Summary

| Dimension | Score | Grade |
|-----------|-------|-------|
| **Overall** | [score]/100 | [A-F] |
| Security | [score]/100 | [A-F] |
| Architecture | [score]/100 | [A-F] |
| Code Quality | [score]/100 | [A-F] |
| Operations | [score]/100 | [A-F] |

### Issue Summary

| Severity | Count |
|----------|-------|
| CRITICAL | [n] |
| HIGH | [n] |
| MEDIUM | [n] |
| LOW | [n] |
| INFO | [n] |

---

## Findings

### CRITICAL Issues

#### [ISSUE-001] [Title]

**Category**: Security
**File**: `path/to/file.py:42`
**Evidence**:
```python
[code snippet showing vulnerability]

**Usage**: Generate this report after completing all analysis phases.

---

## Examples

### Example 1: Python Web Application Audit

**Input**: "Audit this Flask repository for security issues"

**Execution**:
1. Clone repository
2. Detect stack: Python (Flask)
3. Run security patterns:
   - Check for hardcoded secrets in config files
   - Scan for SQL injection in database queries
   - Verify input validation on routes
4. Run quality patterns:
   - Check for type hints
   - Measure test coverage
5. Check operations:
   - Look for Dockerfile
   - Check for CI/CD workflows

**Output**:

**Explanation**: The audit identified critical security issues that require immediate attention before deployment.

### Example 2: Node.js Microservice

**Input**: "Review this TypeScript API for production readiness"

**Output Summary**:
- Overall Score: 78/100 (C+)
- Key Finding: Missing rate limiting on public endpoints
- Recommendation: Add express-rate-limit middleware

---

## Validation Checklist

Before completing any audit, verify:

- [ ] All file types in repository were scanned
- [ ] Dependency manifests were analyzed (package.json, requirements.txt, etc.)
- [ ] .env.example checked for sensitive defaults
- [ ] Git history not searched (respects privacy)
- [ ] All CRITICAL issues have specific remediation steps
- [ ] Effort estimates provided for all actionable items
- [ ] Report uses consistent severity classifications
- [ ] No false positives in CRITICAL/HIGH findings (verified manually)

---

## Related Resources

- [OWASP Top 10](https://owasp.org/Top10/)
- [CWE/SANS Top 25](https://cwe.mitre.org/top25/)
- Skill: `cicd-pipeline-generator` - Generate pipelines with security scanning
- Skill: `system-hardening-toolkit` - Server-side security configuration

---

## Changelog

### 1.0.0 (January 2026)
- Initial release
- Support for Python, Node.js, Go, Rust detection
- Four-dimension scoring system
- Automated roadmap generation