← Back to Skills Marketplace
hydroculator

Cathedral Audit

by hydroculator · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
247
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install cathedral-audit
Description
Run a full spec-code audit on the Cathedral codebase. Use after build waves, major refactors, or when spec-code drift is suspected. Produces forward audit (s...
README (SKILL.md)

Cathedral Audit

A structured process for measuring and closing spec-code drift in the Cathedral C# codebase.

When to Run

  • After a build wave (multiple features/refactors landed)
  • Before starting a new major feature (establish baseline)
  • When spec-code drift is suspected
  • Periodically as a health check (not on a calendar — trigger on events)

Process Overview

1. Forward Audit (specs → code)
2. Reverse Audit (code → specs)
3. Consolidation & Prioritization
4. Execution
5. Verification

Step 1: Forward Audit (Specs → Code)

For each spec in kitty-specs/, compare what the spec says against what the code does.

Output per spec: One of:

  • Conformant — code matches spec
  • ⚠️ Divergent — code exists but differs from spec
  • Missing — spec describes something not built

Deliverable: kitty-specs/000-project-context/spec-audit-YYYY-MM-DD.md

Use parallel CC agents (one per spec batch) for speed if memory allows. On memory-constrained hosts (e.g., WSL2), run sequentially — two concurrent CC sessions will OOM. Provide each agent read-only access.

Step 2: Reverse Audit (Code → Specs)

Scan all .cs files in src/Cathedral.Core/ and src/Cathedral.TestHarness/. For each file/subsystem, determine:

  • Is it covered by a spec?
  • Does it match what the spec says?
  • Is it dead/orphaned code?

Output sections:

  1. Executive Summary — counts with delta from previous audit
  2. Unspecced Code — files/subsystems with no spec coverage
  3. Architectural Divergences — code takes a fundamentally different path than spec
  4. Code Exceeding Spec — code has features the spec doesn't document
  5. Dead/Orphaned Code — files with no callers or references
  6. Bugs Discovered — runtime, data, or logic bugs found during review
  7. Comparison with Previous Audit — what improved, what remains

Deliverable: kitty-specs/000-project-context/reverse-audit-YYYY-MM-DD.md

Use parallel CC agents (group files by directory/subsystem) for speed if memory allows. Run sequentially on memory-constrained hosts.

Step 3: Consolidation & Prioritization

Merge findings from both audits into a prioritized action plan:

Priority Category Criteria
P0 Bug fixes Runtime impact — broken endpoints, data corruption, crashes
P1 Dead code removal Safe deletes that reduce confusion and LOC
P2 Data quality fixes Dropped data, wrong defaults, double-logging
P3 Spec coverage Write new specs for unspecced code (no code changes)
P4 Spec accuracy Update existing specs to document code-exceeding-spec features
P5 Mechanical refactors Renames, wiring, entity-scoping completion
P6 Architectural gaps V2 features where code diverges from spec by design (defer)

Rules:

  • Bugs always get their own section with severity ratings
  • "Code exceeding spec" = spec update, not code change
  • Architectural divergences that are intentionally deferred (V2 work) go to P6 and are documented but not actioned
  • Each priority level should be achievable in a single CC session

Deliverable: Recommendations section in the reverse audit report.

Step 4: Execution

Execute fixes by priority tier (P0 first, P6 last or deferred).

Per priority tier:

  1. Log intent to memory/YYYY-MM-DD.md — tier name, CC session name, what's being attempted
  2. Write a task briefing for CC (see references/cc-task-template.md)
  3. Launch CC session: cat /tmp/task.md | claude -p --allowedTools 'Edit,Write,Read,Bash'
  4. Set up monitoring cron (every 5 min)
  5. When CC completes: log results to daily memory — files changed, what was done, any issues
  6. Verify build before committingdotnet build must pass
  7. If CC gets killed (OOM): check git diff --stat, verify build manually, fix any issues, log the incident
  8. Commit with descriptive message referencing the priority tier
  9. Log commit hash to daily memory

Hard rules:

  • ⚠️ ALWAYS verify dotnet build passes before committing. No exceptions. CC may get OOM-killed mid-build-check.
  • ⚠️ ALWAYS log to daily memory file at every step. Log intent before launch, results after completion, commit hash after commit. If the session dies, the log survives for recovery.
  • One commit per priority tier (or logical grouping)

Logging template for daily memory:

## [Priority Tier Name]
- CC session: [name] (launched ~HH:MM CST)
- Task: [brief description]
- Status: [RUNNING | ✅ COMPLETE | ❌ FAILED | ⚠️ KILLED]
- Files changed: [count]
- Key actions: [what was done]
- Issues: [any problems encountered]
- Committed as [hash]

Step 5: Verification

After all tiers are complete, optionally run a quick re-audit to measure improvement:

  • Compare counts: unspecced, divergent, dead code, bugs
  • Verify delta matches expectations
  • Document remaining gaps and whether they're P6/deferred or newly discovered

Deliverable: Updated audit files with comparison section.

Logging

Every audit produces a complete trail in memory/YYYY-MM-DD.md:

  • Audit launch — which audits are being run, baseline reference
  • Audit results — summary counts, key findings
  • Each priority tier — intent, CC session, results, issues, commit hash
  • Final summary — total commits, total lines changed, what's resolved vs deferred

This is non-negotiable. The Feb 17-18 amnesia incident proved that unlogged work is lost work. Log-then-act: write what you're about to do BEFORE doing it, then update with results.

Baseline Tracking

Always compare against the previous audit. Store audits as:

kitty-specs/000-project-context/
  spec-audit-YYYY-MM-DD.md      (forward)
  reverse-audit-YYYY-MM-DD.md   (reverse)

The executive summary table with deltas is the key metric:

| Category | Previous | Current | Delta |
|----------|----------|---------|-------|
| Unspecced Code | 38 | 24 | -14 |
| Divergences | 12 | 7 | -5 |
| Dead Code | 14 | 8 | -6 |
| Bugs | 0 | 8 | +8 |
| Conformant | ~60 | ~120 | +60 |

CC Task Briefing Template

See references/cc-task-template.md for the standard format for CC task briefings.

Usage Guidance
This skill appears to implement a legitimate audit workflow but has several concerning omissions and contradictions you should resolve before use: - Required tools and credentials: The SKILL.md expects 'claude' CLI, dotnet, git, and commit permissions but the registry metadata declares no required binaries or env vars. Ask the author to explicitly list required binaries and any credentials (and why each is needed). - Read vs write: The doc says to provide agents read-only access but later instructs agents to edit code and commit. Clarify whether agent sessions will be allowed to modify the repo and under what account/credential. - Persistence and cron: The skill instructs creating a cron job (every 5 minutes) and writing persistent audit logs to memory/YYYY-MM-DD.md. Confirm where 'memory' is stored, who can read it, and require explicit user approval before creating cron jobs or persistent system changes. - Logging sensitive data: The workflow mandates logging 'intent' and code changes; ensure logs do not inadvertently store secrets or large swathes of source code in an accessible place. Prefer ephemeral logs or restrict access. - Limit scope of automated edits: If you permit the skill to run fix sessions, prefer running in an isolated environment (ephemeral VM/container) and require human review before committing to main branches. Use a service account with minimal repo permissions for automated commits. If you cannot obtain these clarifications, treat the skill as potentially risky. At minimum run it in an isolated environment, verify the 'claude' CLI and git identity it will use, and disallow cron creation and automatic commits until you have clear, auditable controls.
Capability Analysis
Type: OpenClaw Skill Name: cathedral-audit Version: 1.0.0 The skill bundle defines a complex workflow for auditing C# codebases that includes high-risk behaviors, specifically instructing the agent to invoke a sub-agent (Claude Code) with broad permissions including 'Bash', 'Edit', and 'Write' (SKILL.md). It also directs the agent to 'Set up monitoring cron', which could serve as a persistence mechanism, though it is framed as a tool for process monitoring. While the behavior is aligned with the stated purpose of code maintenance, the request for broad shell access and system-level task scheduling without explicit sandboxing is inherently risky.
Capability Assessment
Purpose & Capability
The skill's name/description (spec↔code audit + driving fixes) aligns with the instructions, but the SKILL.md expects use of local tooling (a 'claude' CLI, dotnet, git) and persistent agent memory/cron changes — none of these tools, binaries, or credentials are declared in the registry metadata. A true audit-orchestrator should declare required binaries and any credentials it will use. Also the doc says 'provide each agent read-only access' yet later the process launches agents that edit files and commit; that contradiction is disproportionate.
Instruction Scope
Instructions direct the agent to scan specific repo paths, run builds (dotnet build), run and drive external CC sessions (piped into a 'claude' CLI with allowedTools including Bash), edit files, commit changes, and create persistent logs in memory/YYYY-MM-DD.md. They also instruct creating a monitoring cron running every 5 minutes. These are powerful actions (file edits, commits, cron setup, arbitrary shell via CC sessions) and the document does not limit or sanitize what gets logged to persistent memory or who can read that memory.
Install Mechanism
No install spec and no code files; lower risk in terms of supply-chain installs. Everything is instruction-only, so nothing will be written at install time by the skill itself.
Credentials
The skill declares no required env vars, but its runtime steps implicitly require tools and credentials: git identity (for commits), access to any remote repos, the 'claude' CLI (or equivalent), and the ability to run dotnet. The lack of declared required binaries/credentials is an omission that conceals necessary privileges (repo write access, build toolchain, possibly network access). Logging code and commit hashes to a shared 'memory' location also risks leaking sensitive code unless the storage and access controls are specified.
Persistence & Privilege
The skill instructs creating persistent artifacts and system changes: cron jobs (monitoring every 5 minutes), persistent memory logs, and repeated commits. While always:false, these steps grant the skill lasting system presence and modify system/agent state (cron, repo history, memory files). The SKILL.md does not require explicit user approval for creating cron jobs or writing memory files, which is a material privilege escalation relative to a read-only audit.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install cathedral-audit
  3. After installation, invoke the skill by name or use /cathedral-audit
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Initial release of cathedral-audit skill for auditing spec-code drift in the Cathedral C# codebase. - Provides structured steps: forward audit (specs→code), reverse audit (code→specs), consolidation & prioritization, execution, and verification. - Includes detailed priority guidelines and logging requirements for all steps. - Ensures actionable deliverables and prioritization of findings for efficient codebase health improvement. - Emphasizes thorough audit trails and comparisons with previous audits for progress tracking.
Metadata
Slug cathedral-audit
Version 1.0.0
License MIT-0
All-time Installs 1
Active Installs 1
Total Versions 1
Frequently Asked Questions

What is Cathedral Audit?

Run a full spec-code audit on the Cathedral codebase. Use after build waves, major refactors, or when spec-code drift is suspected. Produces forward audit (s... It is an AI Agent Skill for Claude Code / OpenClaw, with 247 downloads so far.

How do I install Cathedral Audit?

Run "/install cathedral-audit" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Cathedral Audit free?

Yes, Cathedral Audit is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Cathedral Audit support?

Cathedral Audit is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Cathedral Audit?

It is built and maintained by hydroculator (@hydroculator); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments