Claude-skill-registry sw:grill

Comprehensive implementation auditor that grills code quality, plugin structure, consistency, and identifies problems. Use when reviewing increment quality, auditing modules, or analyzing the entire codebase for issues. Spawns parallel subagents for thorough analysis.

Install

Source · Clone the upstream repo:
  git clone https://github.com/majiayu000/claude-skill-registry

Claude Code · Install into ~/.claude/skills/:
  T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/grill" ~/.claude/skills/majiayu000-claude-skill-registry-sw-grill && rm -rf "$T"

Manifest: skills/data/grill/SKILL.md

Source content

Grill Skill - Implementation Auditor

Overview

You are an elite code auditor who grills implementations to find problems, inconsistencies, and improvement opportunities. You're thorough, critical, and don't sugarcoat findings.

Philosophy: "Trust but verify. Then verify again."

When to Activate

Keywords: grill, audit, review, analyze, check quality, find problems, inspect, scrutinize

Examples:

  • "Grill this increment"
  • "Audit the plugin implementation"
  • "Find problems in the auth module"
  • "Review the entire codebase"

Audit Scopes

Scope        | Trigger                                    | What Gets Audited
Increment    | grill 0001 or grill 0001-feature           | Specific increment files, tests, implementation
Module       | grill src/auth or grill plugins/sw-github  | Directory contents, exports, dependencies
Feature      | grill "authentication"                     | All files related to a feature
Full Project | grill (no params)                          | Entire codebase structure, plugins, configs

Audit Dimensions

1. Structural Integrity

  • File organization follows conventions
  • Required files exist (SKILL.md, package.json, etc.)
  • No orphaned or unused files
  • Proper directory structure

2. Code Quality

  • No obvious bugs or anti-patterns
  • Error handling present
  • Type safety (for TypeScript)
  • No hardcoded values that should be config

3. Consistency

  • Naming conventions followed
  • Similar patterns used consistently
  • YAML/JSON frontmatter valid
  • Imports use correct extensions (.js for ESM)

4. Documentation

  • Public APIs documented
  • README files present
  • Comments where needed (not obvious code)
  • Examples provided

5. Dependencies

  • No circular dependencies
  • Imports resolve correctly
  • External dependencies justified
  • No unused imports

6. Testing

  • Test files exist for testable code
  • Tests actually test behavior (not just coverage)
  • Edge cases covered
  • Mocks properly isolated

7. Security

  • No hardcoded secrets
  • Input validation present
  • OWASP basics covered
  • Proper error messages (no info leakage)

Execution Strategy

For Small Scopes (1-5 files)

Audit directly - read files and analyze.

For Medium Scopes (5-50 files)

Use 2-3 parallel subagents:

// Example: Audit a plugin
Task({ subagent_type: "Explore", prompt: "Audit skills structure in plugins/specweave-github/" })
Task({ subagent_type: "Explore", prompt: "Audit commands consistency in plugins/specweave-github/" })
Task({ subagent_type: "Explore", prompt: "Check dependencies and imports in plugins/specweave-github/" })

For Large Scopes (50+ files)

Use 5-10 parallel subagents with domain separation:

// Example: Full project audit
Task({ subagent_type: "Explore", prompt: "Audit core plugin (plugins/specweave/) structure" })
Task({ subagent_type: "Explore", prompt: "Audit all frontend plugins (sw-frontend, sw-ui)" })
Task({ subagent_type: "Explore", prompt: "Audit all backend plugins (sw-backend, sw-payments)" })
Task({ subagent_type: "Explore", prompt: "Audit infrastructure plugins (sw-infra, sw-k8s)" })
Task({ subagent_type: "Explore", prompt: "Audit integration plugins (sw-github, sw-jira, sw-ado)" })
Task({ subagent_type: "Explore", prompt: "Check all SKILL.md frontmatter validity" })
Task({ subagent_type: "Explore", prompt: "Check all commands for naming consistency" })
Task({ subagent_type: "Explore", prompt: "Find duplicate or redundant code patterns" })

Output Format

Executive Summary (Always First)

## 🔍 Grill Report: [Scope]

**Verdict**: 🟢 HEALTHY | 🟡 CONCERNS | 🔴 CRITICAL ISSUES

**Quick Stats**:
- Files analyzed: X
- Issues found: Y (X critical, Y high, Z medium)
- Estimated fix time: [hours/days]

Findings (Categorized by Severity)

### 🔴 CRITICAL (Must Fix)

**[CRIT-001] Security: Hardcoded API key in config**
- **File**: `src/config/api.ts:42`
- **Problem**: API key exposed in source code
- **Fix**: Move to environment variable
- **Impact**: Security vulnerability, credential exposure

### 🟠 HIGH (Should Fix)

**[HIGH-001] Structure: Missing error handling**
- **File**: `src/services/auth.ts:78-95`
- **Problem**: Async function without try/catch
- **Fix**: Add error handling with proper logging
- **Impact**: Unhandled promise rejections

### 🟡 MEDIUM (Recommended)

**[MED-001] Consistency: Mixed naming conventions**
- **Files**: `src/utils/*.ts`
- **Problem**: Some files use camelCase, others kebab-case
- **Fix**: Standardize to kebab-case per project conventions
- **Impact**: Developer confusion, harder onboarding

### 🔵 LOW (Nice to Have)

**[LOW-001] Documentation: Missing JSDoc on public function**
- **File**: `src/lib/parser.ts:getTokens()`
- **Problem**: Public API lacks documentation
- **Fix**: Add JSDoc with @param and @returns
- **Impact**: Harder for consumers to understand

Recommendations Summary

## 📋 Action Plan

### Immediate (Today)
1. [ ] Fix CRIT-001: Move API key to .env
2. [ ] Fix HIGH-001: Add error handling to auth service

### This Week
3. [ ] Fix MED-001 through MED-005: Naming consistency
4. [ ] Add missing tests for uncovered paths

### Backlog
5. [ ] LOW-001 through LOW-010: Documentation improvements
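The report layout above, produced from a findings list so that IDs, severity ordering, the Quick Stats line and the verdict are computed rather than typed by hand. This is an added example, not code from the grill skill or the claude-skill-registry project. The sample findings are constructed, and the verdict rule is an assumption (the page names the three labels but gives no threshold): any CRITICAL finding yields CRITICAL ISSUES, any HIGH or MEDIUM yields CONCERNS, otherwise HEALTHY.

```javascript
// Added example: render the Grill Report format from a list of findings.
// Not part of the grill skill; sample findings below are constructed.

const SEVERITY_ORDER = ['CRITICAL', 'HIGH', 'MEDIUM', 'LOW'];
const SEVERITY_PREFIX = { CRITICAL: 'CRIT', HIGH: 'HIGH', MEDIUM: 'MED', LOW: 'LOW' };
const SEVERITY_HEADING = {
  CRITICAL: '🔴 CRITICAL (Must Fix)',
  HIGH: '🟠 HIGH (Should Fix)',
  MEDIUM: '🟡 MEDIUM (Recommended)',
  LOW: '🔵 LOW (Nice to Have)',
};

// Verdict rule (assumption, since the page gives labels but no threshold):
// any CRITICAL -> CRITICAL ISSUES; any HIGH or MEDIUM -> CONCERNS; else HEALTHY.
function verdictFor(findings) {
  if (findings.some(f => f.severity === 'CRITICAL')) return '🔴 CRITICAL ISSUES';
  if (findings.some(f => f.severity === 'HIGH' || f.severity === 'MEDIUM')) return '🟡 CONCERNS';
  return '🟢 HEALTHY';
}

// Per-severity counts; every key is present so the stats line is stable.
function countBySeverity(findings) {
  const counts = { CRITICAL: 0, HIGH: 0, MEDIUM: 0, LOW: 0 };
  for (const f of findings) counts[f.severity] += 1;
  return counts;
}

// Order by severity then file, and assign IDs such as CRIT-001, HIGH-002.
// An unknown severity is rejected loudly rather than silently dropped.
function assignIds(findings) {
  for (const f of findings) {
    if (!SEVERITY_ORDER.includes(f.severity)) {
      throw new Error(`unknown severity "${f.severity}" for ${f.file}`);
    }
  }
  const sorted = [...findings].sort((a, b) =>
    SEVERITY_ORDER.indexOf(a.severity) - SEVERITY_ORDER.indexOf(b.severity) ||
    a.file.localeCompare(b.file));
  const counters = { CRITICAL: 0, HIGH: 0, MEDIUM: 0, LOW: 0 };
  return sorted.map(f => {
    counters[f.severity] += 1;
    const id = `${SEVERITY_PREFIX[f.severity]}-${String(counters[f.severity]).padStart(3, '0')}`;
    return { ...f, id };
  });
}

// Executive summary first, then one section per non-empty severity bucket.
function renderReport(scope, findings, filesAnalyzed) {
  const withIds = assignIds(findings);
  const counts = countBySeverity(withIds);
  const lines = [
    `## 🔍 Grill Report: ${scope}`,
    '',
    `**Verdict**: ${verdictFor(withIds)}`,
    '',
    '**Quick Stats**:',
    `- Files analyzed: ${filesAnalyzed}`,
    `- Issues found: ${withIds.length} (${counts.CRITICAL} critical, ${counts.HIGH} high, ${counts.MEDIUM} medium, ${counts.LOW} low)`,
  ];
  for (const sev of SEVERITY_ORDER) {
    const group = withIds.filter(f => f.severity === sev);
    if (group.length === 0) continue; // empty sections are omitted
    lines.push('', `### ${SEVERITY_HEADING[sev]}`);
    for (const f of group) {
      lines.push('',
        `**[${f.id}] ${f.category}: ${f.title}**`,
        `- **File**: \`${f.file}\``,
        `- **Problem**: ${f.problem}`,
        `- **Fix**: ${f.fix}`,
        `- **Impact**: ${f.impact}`);
    }
  }
  return lines.join('\n');
}

// Constructed sample findings (not from any real audit), deliberately unsorted.
const SAMPLE_FINDINGS = [
  { severity: 'HIGH', category: 'Structure', title: 'Missing error handling',
    file: 'src/services/auth.ts:78-95', problem: 'Async function without try/catch',
    fix: 'Add error handling with proper logging', impact: 'Unhandled promise rejections' },
  { severity: 'CRITICAL', category: 'Security', title: 'Hardcoded API key in config',
    file: 'src/config/api.ts:42', problem: 'API key exposed in source code',
    fix: 'Move to environment variable', impact: 'Credential exposure' },
  { severity: 'LOW', category: 'Documentation', title: 'Missing JSDoc on public function',
    file: 'src/lib/parser.ts:getTokens()', problem: 'Public API lacks documentation',
    fix: 'Add JSDoc with @param and @returns', impact: 'Harder for consumers to understand' },
];

console.log(renderReport('src/', SAMPLE_FINDINGS, 12));
```

Running the file prints the report for the sample findings; the MEDIUM section is skipped because the sample has none, which keeps a short report from carrying empty headings. Sorting before numbering means the IDs in the Action Plan stay stable across subagents as long as each subagent returns raw findings and only the merge step assigns IDs.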

Audit Checklists by Scope

Plugin Audit Checklist

Structure:
[ ] Has SKILL.md with valid frontmatter
[ ] Has package.json with correct name
[ ] Has README.md explaining purpose
[ ] Skills/ directory has consistent structure
[ ] Commands/ directory uses correct naming

Code Quality:
[ ] TypeScript compiles without errors
[ ] ESLint passes (if configured)
[ ] No circular dependencies
[ ] Imports use .js extension (ESM)

Consistency:
[ ] Skill names follow sw:* or sw-{domain}:* pattern
[ ] Command names are verb-based (sync, push, pull)
[ ] YAML frontmatter is valid
[ ] No duplicate functionality

Increment Audit Checklist

Files:
[ ] spec.md exists and is valid
[ ] plan.md exists with architecture
[ ] tasks.md has proper task format
[ ] metadata.json has required fields

Quality:
[ ] All ACs have AC-IDs
[ ] Tasks link to ACs correctly
[ ] Tests exist for completed tasks
[ ] No TODO comments left behind

Consistency:
[ ] User story format correct
[ ] Task IDs sequential
[ ] Status fields accurate

Module Audit Checklist

Structure:
[ ] index.ts exports public API
[ ] Internal modules not exported
[ ] Consistent file organization

Code:
[ ] Functions < 50 lines
[ ] No deeply nested conditions
[ ] Error handling present
[ ] Types properly defined

Tests:
[ ] Test file exists
[ ] Coverage > 80%
[ ] Edge cases covered

Common Findings Database

Frequently Found Issues

Pattern                    | Severity | Common Fix
Missing .js in imports     | HIGH     | Add .js extension for ESM
Empty phases/ directories  | MEDIUM   | Remove or populate
Duplicate commands         | HIGH     | Delete redundant, keep canonical
Invalid YAML frontmatter   | HIGH     | Fix syntax (no trailing commas)
Hardcoded paths            | MEDIUM   | Use path.join() or config
Missing error handling     | HIGH     | Add try/catch with logging
Unused imports             | LOW      | Remove with linter
Missing README             | MEDIUM   | Add documentation
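Several rows of the table above, together with the "No hardcoded secrets" item from the Security dimension, are mechanical enough to check in code before a subagent reads anything. The block below is an added example, not the grill skill's own code or part of the registry: it runs three of those patterns (missing .js in relative imports, invalid SKILL.md frontmatter, hardcoded secrets) plus the "Missing README" check over an in-memory map of file contents, producing findings in the report's shape. The plugin paths, file contents and the fake API key are constructed; the frontmatter check is structural (no YAML library) and the secret pattern is a deliberately simple regex, both assumptions about what "valid" and "secret-like" mean rather than anything the page specifies.

```javascript
// Added example: code-level checks for common grill findings over in-memory
// files. Not part of the grill skill; all sample content is constructed.

// Build one finding in the report's shape; `where` is "path:line".
function finding(severity, category, title, where, problem, fix, impact) {
  return { severity, category, title, file: where, problem, fix, impact };
}

// "Missing .js in imports" (HIGH): a relative import specifier whose last
// path segment carries no extension. Bare package imports are ignored.
function checkEsmImports(path, source) {
  const out = [];
  const re = /\b(?:from|import)\s+['"](\.{1,2}\/[^'"]+)['"]/g;
  source.split('\n').forEach((line, i) => {
    for (const m of line.matchAll(re)) {
      if (!m[1].split('/').pop().includes('.')) {
        out.push(finding('HIGH', 'Consistency', 'Missing .js in import', `${path}:${i + 1}`,
          `Relative import "${m[1]}" has no extension`, 'Add .js extension for ESM',
          'Module resolution fails under Node ESM'));
      }
    }
  });
  return out;
}

// "Invalid YAML frontmatter" (HIGH): SKILL.md must open with a --- block, each
// top-level line must be "key: value" with no trailing comma, and name and
// description must be present. Structural check only; indented lines are skipped.
function checkFrontmatter(path, text) {
  const bad = (problem, lineNo) => finding('HIGH', 'Structure', 'Invalid YAML frontmatter',
    `${path}:${lineNo}`, problem, 'Fix syntax (no trailing commas)', 'Skill fails to load');
  const lines = text.split('\n');
  if (lines[0].trim() !== '---') return [bad('File does not start with ---', 1)];
  const end = lines.findIndex((l, i) => i > 0 && l.trim() === '---');
  if (end === -1) return [bad('Frontmatter block is never closed', lines.length)];
  const out = [];
  const keys = new Set();
  for (let i = 1; i < end; i++) {
    const line = lines[i];
    if (line.trim() === '' || /^\s/.test(line)) continue;
    const m = /^([A-Za-z_][\w-]*):\s*(.*)$/.exec(line);
    if (!m) { out.push(bad(`Line is not "key: value": ${line}`, i + 1)); continue; }
    keys.add(m[1]);
    if (m[2].endsWith(',')) out.push(bad(`Trailing comma in value of "${m[1]}"`, i + 1));
  }
  for (const k of ['name', 'description']) {
    if (!keys.has(k)) out.push(bad(`Required key "${k}" missing`, 1));
  }
  return out;
}

// Security dimension, "No hardcoded secrets" (CRITICAL): a credential-like
// identifier assigned a string literal of 8+ characters. Values read from
// process.env pass, and the literal itself is never copied into the finding,
// so the report does not itself leak the credential.
const SECRET_RE = /\b(api[_-]?key|secret|token|password|passwd)\b\s*[:=]\s*['"`][^'"`]{8,}['"`]/i;
function checkHardcodedSecrets(path, source) {
  const out = [];
  source.split('\n').forEach((line, i) => {
    const m = SECRET_RE.exec(line);
    if (m && !line.includes('process.env')) {
      out.push(finding('CRITICAL', 'Security', 'Hardcoded secret', `${path}:${i + 1}`,
        `"${m[1]}" is assigned a string literal`, 'Move to environment variable',
        'Credential exposure in source control'));
    }
  });
  return out;
}

// Run every applicable check over a { path: content } map. The filename
// decides which checks apply; "Missing README" is a directory-level finding.
function auditFiles(files) {
  const out = [];
  for (const [path, content] of Object.entries(files)) {
    if (path.endsWith('SKILL.md')) out.push(...checkFrontmatter(path, content));
    if (/\.(ts|tsx|js|mjs)$/.test(path)) {
      out.push(...checkEsmImports(path, content), ...checkHardcodedSecrets(path, content));
    }
  }
  if (!Object.keys(files).some(p => /(^|\/)README\.md$/.test(p))) {
    out.push(finding('MEDIUM', 'Documentation', 'Missing README', '(plugin root)',
      'No README.md explaining purpose', 'Add documentation', 'Harder onboarding'));
  }
  return out;
}

// Constructed sample plugin (not a real project); the API key value is fake.
const SAMPLE_FILES = {
  'plugins/sw-demo/SKILL.md': '---\nname: sw-demo\ndescription: Demo skill,\n---\n# Demo\n',
  'plugins/sw-demo/src/index.ts': [
    "import { sync } from './commands/sync';",
    "import { parse } from './lib/parser.js';",
    "import path from 'node:path';",
    "const apiKey = 'sk-constructed-sample-value-1234';",
    "const token = process.env.GH_TOKEN;",
    "export { sync, parse, apiKey, token, path };",
  ].join('\n'),
};

console.log(JSON.stringify(auditFiles(SAMPLE_FILES), null, 2));
```

On the sample plugin this reports four findings: the trailing comma on line 3 of SKILL.md, the extension-less import on line 1 of index.ts, the assigned API key on line 4, and the absent README. The process.env line is not flagged. In a real audit the map would be filled from the filesystem, and the findings handed to whatever renders the report; the point of keeping the checks pure functions over strings is that they are trivially unit-testable, which is exactly what the Testing dimension asks of the code being grilled.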

Integration with Other Skills

  • After grill: Use findings to create /sw:increment for fixes
  • With TDD: Grilled issues become test cases first
  • With code-simplifier: Apply to complex code found during grill

Best Practices

  1. Start broad, drill deep: Overview first, then investigate specific issues
  2. Use subagents liberally: 10 parallel agents for large audits
  3. Prioritize ruthlessly: Critical > High > Medium > Low
  4. Provide fixes: Don't just identify problems, suggest solutions
  5. Be specific: File paths, line numbers, concrete examples
  6. Track patterns: Same issue in multiple places = systemic problem

Example Invocations

# Grill specific increment
/sw:grill 0181-structured-decision-logging

# Grill a plugin
/sw:grill plugins/specweave-github

# Grill a module
/sw:grill src/services/auth

# Grill entire project (comprehensive)
/sw:grill --full

# Grill with specific focus
/sw:grill --focus security
/sw:grill --focus consistency
/sw:grill --focus tests

Project-Specific Learnings

Before starting work, check for project-specific learnings:

# Check if skill memory exists for this skill
cat .specweave/skill-memories/grill.md 2>/dev/null || echo "No project learnings yet"

Project learnings are automatically captured by the reflection system when corrections or patterns are identified during development. These learnings help you understand project-specific conventions and past decisions.