Skip to content
auditor
DE
13 audits · MIT · v0.8.0

Turn any AI agent into a swarm of specialist auditors

Copy one master prompt into your AI coding agent. It runs many specialists in parallel, makes independent skeptics refute every finding, and files only what survives — as priority-sorted GitHub issues.

Not another "audit my code" prompt — these make your agent prove every finding before it files it.

See a real run

Copies a template — swap in your repo URL before running.

evidence-bound · ≥2-of-3 adversarial verification · 30/60/90 roadmap

Run it

Point your AI agent at auditor.rapold.io

No install — works with any agent that can fetch a URL and run tools (runs on Claude Code). Tell it to audit a repo using auditor.rapold.io: it fetches the audit prompt — a single entry point that asks your language and which audits to run — then files the issues.

Audit github.com/your/repo using auditor.rapold.io

Copy it, swap in your repo, paste it to your agent.

It then asks: output language (Deutsch / English), which of the 13 audits (or the full repo), and whether to create issues — then runs them and opens a priority-sorted tracker.

AI agents: fetch auditor.rapold.io/llms.txt and act as the audit orchestrator (ask language + scope, then run).

Honest answers to the obvious questions

Won't it hallucinate evidence?
Every file:line is re-checked against the actual file in adversarial verify (Phase 3); unverifiable claims are dropped.
Does my code leave my machine?
No — your agent fetches the prompt; your repo never touches our domain.
What does a run cost?
Just your agent's tokens — scope it to a few audits to control spend.
See the 13 audits

Why it is different

Most audit prompts return unverified opinions. These enforce discipline.

Evidence or it didn't happen

Every finding cites a concrete artifact — file:line, a query plan, a request, a config value. No evidence means it is discarded.

Adversarial self-challenge

No finding survives until independent skeptic agents have tried to refute it — it must clear at least two of three, or it is dropped. If it cannot survive a hostile reading, it is not a finding.

Blind-spot hunting

A completeness critic asks each round which surface, use-case, or assumption went unexamined. Gaps are declared, never hidden.

Actionable issue tracker

Output is GitHub issues — German or English — led by a single priority-sorted tracking issue, each with a management summary and a before/after fix. A finding you cannot act on is just an opinion.

Proof, not claims

We pointed the whole suite at our own repo

The library is dogfooded on itself — pointed at this very repo, with the backlog filed as public GitHub issues. This page got its own content audit; across the full repo, every lens scored A− to A. Below: the real backlog, the grades, and one finding in full.

github.com/marcelrapold/auditor/issues
is:issue label:content23 findings

The real backlog from auditing this very page — 23 findings, every one now fixed.

documentationA94performanceA92securityA910 P0 · 1 P1

Open any issue to check the evidence on GitHub.

P1

/de served <html lang="en">

Evidence
web/app/layout.tsx:71
Before
/ and /de → <html lang="en">
After
/de → <html lang="de">
Issue #81
See the full run (#97)

The library

13 stack-agnostic audits, one shared methodology

Each is a self-contained master prompt: a multi-phase spec, not a one-shot "review my code" question. Run several against the same repo and their findings merge into one priority-sorted tracker — no duplicates — because every audit emits the same issue contract.

security

14 domains: injection, authN/Z, secrets, supply chain, IaCInfrastructure as Code — provisioning infrastructure from version-controlled definitions., CI/CD, business logic, privacy, LLM.

OWASPOpen Worldwide Application Security Project — the reference catalog of web-application security risks. · CWECommon Weakness Enumeration — a catalog of software weakness types (e.g. CWE-79, XSS). · MITREMITRE ATT&CK — a knowledge base of real-world attacker tactics and techniques. · CISCenter for Internet Security — consensus hardening benchmarks for systems and cloud.

repo

Whole-repo engineering: architecture, stack consistency, docs, tests, deps, CI/CD, git hygiene.

Google Eng · SRESite Reliability Engineering — operating systems with engineering, using SLOs and error budgets. · SLSASupply-chain Levels for Software Artifacts — a framework for build and supply-chain integrity.

frontend

16-agent sweep: usability, psychology, visual design, a11y, performance, SEO, copy, CROConversion Rate Optimization — systematically improving the share of visitors who complete a goal..

Nielsen · WCAGWeb Content Accessibility Guidelines — the W3C standard for accessible web content. · CWVCore Web Vitals — Google's user-experience metrics for loading, interactivity, and visual stability.

api

Resource modeling, HTTP semantics, error model, versioning, idempotencyA property where repeating an operation has the same effect as performing it once., rate limits, DXDeveloper Experience — how easy and pleasant an API is for developers to learn and use..

RFC 9110HTTP Semantics — the standard defining HTTP methods, status codes, and header fields./9457 · OpenAPIOpenAPI Specification — a standard, language-agnostic description format for HTTP APIs.

performance

Hotspots, N+1An N+1 query: one extra query per row instead of one for the whole set — a common performance trap., caching, concurrency, leaks, load behavior, resilience, FinOpsCloud financial operations — engineering practices for managing and reducing cloud cost..

SRESite Reliability Engineering — operating systems with engineering, using SLOs and error budgets. · DORADevOps Research and Assessment — the four key software-delivery performance metrics. · SLOsService Level Objective — a target for a reliability metric, such as 99.9% availability.

data

Schema and modeling, constraints, migration safety, transactions, integrity, backup/DRDisaster Recovery — the plan and tooling to restore systems and data after a major outage..

ACIDAtomicity, Consistency, Isolation, Durability — the guarantees a database transaction provides./CAPConsistency, Availability, Partition tolerance — a distributed store can fully hold only two at once. · RLSRow-Level Security — database rules that limit which rows each user can read or write.

infrastructure

IaCInfrastructure as Code — provisioning infrastructure from version-controlled definitions., cloud security, IAMIdentity and Access Management — the system governing who may do what on which resources., secrets, containers, k8sAn open-source platform that automates deploying, scaling, and running containerized applications., CI/CD, HAHigh Availability — designing a system to keep running through component failures, with minimal downtime., DRDisaster Recovery — the plan and tooling to restore systems and data after a major outage., observability, cost.

CISCenter for Internet Security — consensus hardening benchmarks for systems and cloud. · Well-ArchitectedAWS Well-Architected Framework — cloud design best practices across reliability, security, cost, and operations. · DORADevOps Research and Assessment — the four key software-delivery performance metrics.

ai-llm

Prompt injectionAn attack that smuggles instructions into model input to override or hijack the system prompt., jailbreaksA prompt crafted to bypass a model's safety guardrails and make it produce restricted output., output handling, agent/tool safety, RAGRetrieval-Augmented Generation — giving an LLM retrieved documents at query time., hallucinationA model output that states fabricated or unsupported information as if it were fact., evalsRepeatable test suites that measure an LLM feature's quality and safety on known cases..

OWASP LLM Top 10OWASP Top 10 for LLM Applications — the reference list of the most critical LLM security risks. · NIST AI RMFNIST AI Risk Management Framework — the U.S. standard for governing AI system risk.

compliance-privacy

Lawful basisThe legal ground under the GDPR that justifies processing personal data, such as consent or contract., consent/cookies, data-subject rightsThe rights the GDPR gives individuals over their data, such as access, erasure, and portability., retention, transfers, breach readiness.

GDPRGeneral Data Protection Regulation — the EU law governing how personal data may be processed. · ePrivacyEU ePrivacy Directive — rules on cookies, tracking, and electronic communications, alongside the GDPR. · EU AI ActEU Artificial Intelligence Act — the EU regulation classifying and governing AI systems by risk.

accessibility

Semantics, keyboard, focus, screen reader, contrast, forms, zoom, motor, motion, cognitive.

WCAGWeb Content Accessibility Guidelines — the W3C standard for accessible web content. 2.2 · EAAEuropean Accessibility Act — the EU law (Directive 2019/882) requiring many products and services to be accessible. · ADAAmericans with Disabilities Act — the US civil-rights law that mandates accessibility, including for digital services./508

documentation

Docs quality vs the standard: head-matter, onboarding, doc–code driftDivergence between what the documentation says and what the code actually does., writing, DiátaxisA documentation framework splitting content into tutorials, how-tos, reference, and explanation..

DOCUMENTATION-STANDARD · DiátaxisA documentation framework splitting content into tutorials, how-tos, reference, and explanation.

content

Content & messaging: thesis challenge, audience fit, evidence & originality, structure, voice, concrete rewrites.

E-E-A-TExperience, Expertise, Authoritativeness, Trustworthiness — Google's content-quality signals. · BLUFBottom Line Up Front — state the conclusion first, then the supporting detail. · rhetoric

lean

Bloat, redundancy & dependency transparency: dead codeCode that can never execute or is never referenced, so removing it changes nothing., unused/phantom depsA package the code actually uses but never declares in the manifest, so it works only by accident., duplication, AI slopLow-value, redundant code or text that AI agents generate in bulk without adding real substance. — a safe strip-down that never over-deletes.

Google Eng · OWASPOpen Worldwide Application Security Project — the reference catalog of web-application security risks. · YAGNIYou Aren't Gonna Need It — a principle against building functionality before it is actually required.

The method

Six phases, every time

Recon, a parallel specialist swarm, then adversarial verification before anything reaches the report.

Audit using auditor.rapold.io

You type — one line, any capable agent.

  1. 0

    Reconnaissance

    Factual inventory and a surface map. No opinions yet.

  2. 1

    Specialist swarm

    Many domain experts run in parallel, each evidence-bound.

    securityaccessibilityperformancedata… · in parallel
  3. 2

    Cross-pollination

    Merge, dedupe, and surface compound findings.

  4. 3

    Adversarial verify

    Independent skeptics try to refute each P0/P1; ≥2 of 3 to survive.

    survives ≥2 of 3
  5. 4

    Benchmark

    Compare against named best-in-class references and standards.

  6. 5

    Synthesis

    Report, scorecard, issues, and a 30/60/90 roadmap.

You get — priority-sorted GitHub issues.

The yardsticks

Two yardsticks. Every report measured against them.

Reusable on their own. One scores 0–100 against a rubric; the other fixes the exact issue shape — so two runs stay comparable even when the generated prose differs.

Documentation standard

A documentation standard with five repo profiles and a 0–100 scoring rubric — the same yardstick the documentation audit scores against.

DOCUMENTATION-STANDARD.md

Issue-output standard

The mandatory contract every audit follows: a priority-sorted tracking issue first, then one German issue per finding, each with its own management summary.

ISSUE-OUTPUT-STANDARD.md

See what your AI agent finds when it has to prove every claim.

It is free and MIT-licensed. Run it on a throwaway branch, read findings that had to survive 2-of-3 skeptics, and keep only the fixes you agree with.

Every claim here survived the same audit — read the public backlog (#97).

Browse the promptsQuickstart