Skip to content
Apothem
Concepts

Audit review sequence

The eleven-command audit sequence that checks Apothem before release.

The audit review sequence is the eleven-command quality-assurance sweep that checks a project before release. Each command audits one quality area and emits findings that must be fixed or explicitly dispositioned.

Two canonical orchestrators drive these eleven dimensions. /audit runs them in parallel as a single report-only pass — it surfaces a deduplicated, severity-triaged findings report and never edits source. /fortress is the closed remediation loop (detect → verify → remediate → re-audit → gate) that hardens a project to a release-gated state. Each dimension also stays individually invocable.

The eleven audit areas

CommandAxisStandard
/code-reviewCode qualityPer-file craft review
/code-auditCode corpusCross-file forensics
/security-auditSecurityOWASP ASVS v4 + Top 10
/perf-auditPerformanceCore Web Vitals + USE method
/architecture-reviewArchitectureDesign artifact conformance
/ux-reviewDev experienceCLI ergonomics + onboarding
/a11y-auditAccessibilityWCAG 2.2 AA
/docs-reviewDocumentationTen-dimension quality
/dependency-auditDependenciesLicense + CVE + freshness
/supply-chain-auditSupply chainSLSA + Sigstore + SBOM
/threat-model-auditThreat modelSTRIDE + PASTA

Release-readiness gates

The sequence contributes to the release-readiness gates:

  • Local gate: Local conformity checks pass.
  • GitHub gate (pre-cutover): GitHub-side verification — CI workflows green on every commit, every check.
  • Audit gate: Full review sequence complete — all eleven areas audited, findings dispositioned, watch items documented.

Remediation loop

The audit commands are report-only: they surface findings, never apply fixes. Remediation runs through /fortress, the closed loop that follows the iterate-until-green pattern — findings are triaged and verified, fixes are applied at each finding's owning surface, the audit is re-run, and the loop continues until the findings clear and the release gate passes. Whole-repo elevation to current best-practice runs through /elevate.

Why the sequence exists

Software quality degrades across several dimensions at once. A single review can miss defects that sit between code quality, security, performance, architecture, accessibility, documentation, dependency posture, and supply chain posture. The audit sequence applies those lenses separately so the release gate sees the full risk profile.

On this page