workflow-codebase-audit
Install: `claude install-skill lugassawan/swe-workbench`
# Workflow: Codebase Audit (cold-start multi-domain sweep)
**Announce at start:** "Activating `workflow-codebase-audit` to run the cold-start audit sweep."
## When to invoke
- Take-home or technical assessment requiring a broad codebase review.
- Post-acquisition or due-diligence review of an unfamiliar repo.
- Inherited-service onboarding: "I just took ownership of this, what's the state of it?"
- Pre-refactor tech-debt sweep across a monorepo or service.
## When NOT to invoke
- Single-domain security audit → use `security-auditor` directly (depth-first, OWASP-focused).
- Known bug with a repro → use `/swe-workbench:debug` (root-cause + fix lifecycle).
- PR diff review → use `/swe-workbench:review` or `workflow-pr-review`.
- Code already familiar; you know what to look for → run targeted tools directly.
## Composition
This skill orchestrates; domain analysis is delegated to:
- `swe-workbench:auditor` subagent — broad multi-domain sweep (security, perf, reliability, tooling, testing).
- `swe-workbench:security-auditor` subagent — depth-first CVE + threat review; **deep mode only**, top-N security findings.
- `swe-workbench:debugger` subagent — root-cause + fix path on top-N reliability findings by rank; **deep mode only**.
- `swe-workbench:ticket-context` skill — prepended when a ticket ref is present in `$ARGUMENTS`.
## Phases
### Phase 1 — Clarify (only when `--scope` is absent)
Skip this phase entirely if `--scope` appears explicitly in `$ARGUMENTS` — including `-