Repo-wide audit skill for "vibe-coded" codebases (parallel feature development, semantic duplication, inconsistent cross-cutting concerns, and architectural drift).
Required:
- Rust toolchain (cargo) — the installer can set this up for you via rustup
The installer checks for dependencies and offers to install them automatically.
The installer will ask whether you want vector embeddings or BM25-only text search:
- BM25-only — no extra dependencies, works out of the box
- Vector embeddings — the installer handles llama-server installation and flags the embedding model (~300MB) for automatic download on first audit run
Optional (for PDF export):
- pandoc + a PDF engine (tectonic, typst, xelatex, pdflatex, wkhtmltopdf, or weasyprint)
- dot (Graphviz) for system map diagrams
Install from GitHub:
curl -sSf https://raw.githubusercontent.com/codesoda/vibe-code-audit/main/install.sh | sh
Install from a cloned repo:
sh install.sh
The skill is intentionally constrained to:
- Bash(llmcc ...)
- Bash(agentroot ...)
- Read(vibe-code-audit/**) for skill docs/templates
- Read(<target-repo-files>) for audit evidence
Avoid unrelated command families during the audit flow unless explicitly requested by the user.
Avoid Read on generated graph/image artifacts (*.dot, *.png, *.jpg, *.jpeg, *.gif, *.pdf); extract with shell tools instead.
Use portable search commands (rg, grep -E, grep -oE) rather than grep -P.
The skill should ask where to write audit artifacts.
Default when not specified:
<repo>/vibe-code-audit/<UTC-timestamp>/
Within that directory:
- audit_index/ for index + derived artifacts
- audit_report.md for the final report
Use the deterministic index runner:
bash vibe-code-audit/scripts/run_index.sh \
--repo /path/to/repo \
--mode standard
If --output is omitted, the script automatically uses:
<repo>/vibe-code-audit/<UTC-timestamp>/
Modes:
- fast (top-k 80)
- standard (top-k 200)
- deep (top-k 350)
Stack marker detection is recursive (not only repo root), so nested Rust/TS workspaces are detected for indexing masks and graph generation.
run_index.sh auto-detects llmcc and agentroot CLI variants (legacy vs current syntax), so you should not need to run manual --help probes in normal audit flow.
run_index.sh auto-runs bounded read-plan generation, producing:
- audit_index/derived/read_plan.tsv
- audit_index/derived/read_plan.md
run_index.sh also auto-runs deterministic derived-artifact bootstrap, producing:
- audit_index/derived/catalog.json
- audit_index/derived/hotspots.json
- audit_index/derived/dup_clusters.md
run_index.sh now includes explicit health gates:
- Uses a run-local agentroot database at: <output_dir>/audit_index/agentroot/index.sqlite
- Self-heals across CLI syntax drift:
  - llmcc: retries across depthN and --dir/--depth modes.
  - agentroot: retries across index and collection add + update modes.
  - agentroot query/vsearch: retries without --format json when needed.
- Validates indexing quality via agentroot status --format json.
- Fails fast if agentroot_document_count == 0 after fallback indexing.
- Runs retrieval checks (query + vsearch).
- If retrieval checks fail due to embed instability (for example agentroot UTF-8 panic or embedding transport failures), the run continues in degraded BM25 mode by default.
- Set VIBE_CODE_AUDIT_RETRIEVAL_STRICT=1 to keep strict failure behavior.
- Continues in degraded mode when vectors are unavailable:
  - retrieval_mode = "bm25-only" in manifest.json
  - analysis should rely on stronger direct-file evidence in this mode.
Auto-embed attempt (enabled by default):
bash vibe-code-audit/scripts/run_index.sh --repo /path/to/repo --mode standard
Disable auto-embed (for troubleshooting or explicitly BM25-only runs):
VIBE_CODE_AUDIT_AGENTROOT_AUTO_EMBED=0 \
bash vibe-code-audit/scripts/run_index.sh --repo /path/to/repo --mode standard
Auto-embed behavior:
- run_index.sh calls vibe-code-audit/scripts/run_agentroot_embed.sh.
- It first tries agentroot embed directly.
- If agentroot reports HTTP embedding connection failures, it:
  - retries against an already-running service on 127.0.0.1:8000, or
  - optionally boots llama-server locally (when available) with larger ctx/batch defaults.
- When run_index.sh invokes the helper, it keeps a helper-started local embedding server alive through retrieval validation and then cleans it up.
- If embedding still fails (including known agentroot UTF-8 chunk panic cases), indexing continues in BM25 mode and does not fail the audit run.
- Manifest now records:
  - agentroot_embed_attempted
  - agentroot_embed_ok
  - agentroot_embed_backend
  - agentroot_embed_utf8_panic
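Added example, not part of the project's scripts: a POSIX shell check that reads the manifest fields listed above and tells a deliberate BM25-only run apart from a silent embedding fallback, so a CI job can flag audits that ran with reduced retrieval coverage. It assumes the fields are top-level scalar keys in manifest.json, that booleans are written as true/false or 1/0, and that any retrieval_mode other than "bm25-only" means vectors were available; the function names and state labels are hypothetical.

```shell
#!/bin/sh
# Added example (not the project's code): classify an audit run from manifest.json.
# Assumptions: manifest fields are top-level scalar keys; booleans are true/false or 1/0.

# Print the scalar value of key $2 in JSON file $1 (empty when the key is absent).
manifest_field() {
  { grep -oE "\"$2\"[[:space:]]*:[[:space:]]*(\"[^\"]*\"|[A-Za-z0-9_.-]+)" "$1" || true; } |
    head -n 1 |
    sed -E 's/^"[^"]*"[[:space:]]*:[[:space:]]*//; s/^"//; s/"$//'
}

is_true() { [ "$1" = "true" ] || [ "$1" = "1" ]; }

# Print one of: unreadable | not-degraded | bm25-utf8-panic |
#               bm25-embed-failed | bm25-no-embed-attempt
audit_retrieval_state() (
  manifest=$1
  [ -r "$manifest" ] || { echo unreadable; exit 0; }
  mode=$(manifest_field "$manifest" retrieval_mode)
  attempted=$(manifest_field "$manifest" agentroot_embed_attempted)
  ok=$(manifest_field "$manifest" agentroot_embed_ok)
  panic=$(manifest_field "$manifest" agentroot_embed_utf8_panic)
  if [ "$mode" != "bm25-only" ]; then echo not-degraded
  elif is_true "$panic"; then echo bm25-utf8-panic
  elif is_true "$attempted" && ! is_true "$ok"; then echo bm25-embed-failed
  else echo bm25-no-embed-attempt
  fi
)

# CI gate: non-zero when the manifest is unreadable or embedding was attempted
# but the run fell back to BM25 (fail closed on anything unexpected).
audit_retrieval_gate() {
  case "$(audit_retrieval_state "$1")" in
    not-degraded|bm25-no-embed-attempt) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample manifest (values invented for this demo).
demo=$(mktemp)
cat > "$demo" <<'EOF'
{
  "retrieval_mode": "bm25-only",
  "agentroot_embed_attempted": true,
  "agentroot_embed_ok": false,
  "agentroot_embed_utf8_panic": true
}
EOF
echo "state: $(audit_retrieval_state "$demo")"
audit_retrieval_gate "$demo" || echo "gate: degraded run, rely on direct-file evidence"
rm -f "$demo"
```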
Useful embed environment toggles:
VIBE_CODE_AUDIT_AGENTROOT_AUTO_EMBED=0
VIBE_CODE_AUDIT_EMBED_START_LOCAL=1
VIBE_CODE_AUDIT_EMBED_KEEP_SERVER=1
VIBE_CODE_AUDIT_EMBED_WAIT_SECONDS=60
VIBE_CODE_AUDIT_EMBED_MODEL_PATH="$HOME/.local/share/agentroot/nomic-embed.gguf"
VIBE_CODE_AUDIT_EMBED_DOWNLOAD_MODEL=0
VIBE_CODE_AUDIT_RETRIEVAL_STRICT=0
Manual embedding retry (against an existing audit index):
bash vibe-code-audit/scripts/run_agentroot_embed.sh \
--db /path/to/output/audit_index/agentroot/index.sqlite \
--output-dir /path/to/output/audit_index/agentroot
CI now runs tests/run_index_mock_smoke.sh, which exercises compatibility/fallback paths using mocked llmcc and agentroot binaries.
After audit_report.md is written, you can generate a PDF copy:
bash vibe-code-audit/scripts/render_report_pdf.sh \
--report /path/to/output/audit_report.md \
--map-mode crate
Behavior:
- If tools are available, it writes audit_report.pdf and prints PDF_PATH=....
- If tools are missing, it exits successfully and prints PDF_SKIPPED=1 with a reason.
- It also tries to render system_map.png first (non-fatal) using render_system_map.sh.
- If PDF render fails due to oversized diagram content, it retries without embedding the system map image.
- On fallback success, it also prints PDF_NOTE=rendered_without_system_map.
Required tools for PDF generation:
- pandoc
- one supported PDF engine: tectonic, typst, xelatex, pdflatex, wkhtmltopdf, or weasyprint
Optional tools for system map diagram rendering:
- dot (Graphviz)
- a dot source file (preferred: <output_dir>/system_map.dot; fallback: llmcc depth graph artifacts)
Optional diagram control:
bash vibe-code-audit/scripts/render_system_map.sh \
--report /path/to/output/audit_report.md \
--mode crate
Modes:
- auto (default): prefers smaller crate/module graphs first
- crate: strongly prefers crate-level readability
- full: prefers dense full graphs
When running through Claude Code, use subagents and model routing by phase:
- haiku: exploration and evidence lookup
- sonnet: indexing orchestration, pattern mining, synthesis
- opus: high-severity ambiguity resolution only
See vibe-code-audit/references/claude/subagents-and-model-routing.md for concrete templates and routing rules.
Timeout guidance for Claude Code:
- run_index.sh with auto-embed can exceed 5 minutes on medium repos.
- Prefer background execution + TaskOutput polling.
- Use a larger tool timeout for blocking waits (recommended: 900000 to 1800000 ms).
- Finds the local skill source (./vibe-code-audit/SKILL.md) when available.
- Falls back to downloading skill files from vibe-code-audit/INSTALL_MANIFEST.txt when run via curl | sh.
- Symlinks local installs to your checked-out vibe-code-audit/ folder (so updates in repo are immediately reflected).
- Copies files for remote installs (curl | sh path).
- Checks for required dependencies: llmcc and agentroot.
- Offers to install missing dependencies (via cargo install).
- Offers to install the skill into:
  - ~/.codex/skills/vibe-code-audit
  - ~/.claude/skills/vibe-code-audit
sh install.sh --help
Supported flags:
- --yes: non-interactive mode; accept default install prompts.
- --skip-deps: skip dependency checks/install attempts.
- --codex-only: only install to ~/.codex/skills.
- --claude-only: only install to ~/.claude/skills.
Example non-interactive install:
curl -sSf https://raw.githubusercontent.com/codesoda/vibe-code-audit/main/install.sh | sh -s -- --yes
If dependency auto-install fails, run manually:
cargo install llmcc
cargo install agentroot
Environment overrides:
- CODEX_SKILLS_DIR
- CLAUDE_SKILLS_DIR
- VIBE_CODE_AUDIT_REPO_OWNER
- VIBE_CODE_AUDIT_REPO_NAME
- VIBE_CODE_AUDIT_REPO_REF
- VIBE_CODE_AUDIT_RAW_BASE
Example:
CODEX_SKILLS_DIR="$HOME/custom/codex-skills" sh install.sh