spectra-audit

Audit changed code for security sharp edges — API design traps, dangerous defaults, and interfaces that make it easy to do the wrong thing. Good APIs don't require developers to "be careful" to stay secure. If the correct usage requires reading docs, remembering rules, or understanding cryptography, the API has failed. **Core principle:** Security should be the path of least resistance. Insecure usage should be harder than secure usage. ## Two Modes This skill operates in two modes depending on how it's invoked: - **Standalone** (`/spectra-audit`): Full 3-agent parallel analysis on current git diff. See [Standalone Mode](#standalone-mode). - **Discipline** (via `/spectra-apply` when `audit: true`): Condensed checklist applied during implementation. See [Discipline Mode](#discipline-mode). Both modes share the same [Core Framework](#core-framework). --- ## Standalone Mode When invoked directly as `/spectra-audit`: ### Phase 1: Gather Changes Run `git diff HEAD` to get the full diff of current modifications. If there are no changes, report "No changes to audit" and stop. ### Phase 2: Parallel 3-Agent Analysis Launch 3 agents in parallel (one message, 3 tool calls). Each agent receives the full diff and analyzes it through one adversary lens. **Agent 1 — The Scoundrel (壞蛋)** A malicious developer or attacker deliberately manipulating configuration. Search the diff for: - Config options that can disable security mechanisms - Algorithm parameters that accept down...