Install: claude install-skill epicsagas/epic-harness
# Audit — Verify Everything
**CRITICAL**: Run `HARNESS_DIR=$(epic path)` first. NEVER use `.harness/` in the project directory.
## Execution Modes
This skill has 3 internal modes that run in parallel:
1. **audit:code** — Code quality, logic, style, test coverage, spec coverage
2. **audit:security** — OWASP Top 10 + performance (N+1, leaks)
3. **audit:test** — Full test suite, AC verification, coverage delta
### `--strict` Mode (Trust Boundary Isolation)
When invoked with `--strict` (or when `.harness/engagement.md` has `mode: strict`), the audit enforces independence between verification agents to prevent reward hacking:
- **Artifact-only delivery**: Each mode receives only the code diff and spec — no builder context, no session history, no prior agent conclusions.
- **Cross-check independence**: `audit:code` and `audit:security` run without visibility into each other's findings. Results are combined only during synthesis (Step 4).
- **Blind scoring**: No mode can see another mode's verdict until synthesis. This prevents anchoring bias where a clean code review inflates the security score.
- **No self-review**: If the same agent built the code (via `/go`), a different agent instance must run audit. The builder's session ID is checked and excluded.
Use `--strict` for security-sensitive projects, compliance requirements, or when the build phase had ambiguous outcomes.
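The isolation rules above, sketched as an added example that is not epic-harness's own code. The function names, session IDs and auditor callables are hypothetical, and the loop runs the modes one after another for brevity where the skill runs them in parallel.

```python
from dataclasses import dataclass

MODES = ("audit:code", "audit:security", "audit:test")
ARTIFACT_KEYS = frozenset({"diff", "spec"})  # the only inputs strict mode delivers


@dataclass(frozen=True)
class Verdict:
    mode: str
    session: str      # hypothetical: ID of the agent instance that ran the mode
    passed: bool
    findings: tuple


def artifact_payload(context):
    """Artifact-only delivery: allowlist diff and spec, drop everything else."""
    missing = ARTIFACT_KEYS - set(context)
    if missing:
        raise ValueError(f"missing artifacts: {sorted(missing)}")
    return {key: context[key] for key in sorted(ARTIFACT_KEYS)}


def assign_auditor(mode, candidates, builder_session):
    """No self-review: the session that built the code is never eligible."""
    eligible = [s for s in candidates if s != builder_session]
    if not eligible:
        raise PermissionError(f"{mode}: no auditor other than the builder")
    return eligible[0]


def run_strict(context, builder_session, candidates, auditors):
    """Run every mode on its own artifact copy; combine only at synthesis."""
    sealed = {}
    for mode in MODES:
        session = assign_auditor(mode, candidates, builder_session)
        # The auditor callable receives the payload and nothing else, so it
        # cannot read `sealed` (other modes' verdicts) or the builder context.
        passed, findings = auditors[mode](artifact_payload(context))
        sealed[mode] = Verdict(mode, session, passed, tuple(findings))
    return {"passed": all(v.passed for v in sealed.values()), "verdicts": sealed}


if __name__ == "__main__":
    # Constructed sample input; the extra key must not reach any auditor.
    ctx = {"diff": "+ q = 'SELECT ' + user", "spec": "AC1", "session_history": "..."}
    flag = lambda p: ("SELECT ' +" not in p["diff"], sorted(p))
    ok = lambda p: (True, [])
    out = run_strict(ctx, "s-build", ["s-build", "s-audit"],
                     {"audit:code": ok, "audit:security": flag, "audit:test": ok})
    print(out["passed"], out["verdicts"]["audit:security"].findings)
```

Using an allowlist for the payload means any new field added to the build context stays out of the audit by default.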
---
## Process
### Step 0: Prerequisites
Confirm `/go` has run:
```bash
git symbolic-ref --short HEAD