Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 18 additions & 0 deletions .github/CODEOWNERS
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
# Code owners for auditor.
#
# These rules request a review from the listed owner whenever a matching path
# changes. Later rules win, so the more specific path-based rules below override
# the catch-all. Syntax: https://docs.github.com/articles/about-code-owners

# Default owner for everything in the repo.
* @marcelrapold

# Release surface — the prompts, their checksums, the build/CI scripts, and the
# GitHub configuration. Changes here ship to consumers, so they need review.
/scripts/ @marcelrapold
/CHECKSUMS.txt @marcelrapold
/audit-prompts/ @marcelrapold
/.github/ @marcelrapold

# Web app (the landing page deployed to auditor.rapold.io).
/web/ @marcelrapold
2 changes: 1 addition & 1 deletion CHECKSUMS.txt
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ afaad3168640d047af7082f93721ff6169f8c67ee0937f2a7a785fad21a0a798 *audit-prompts/
26ae6a7f36ee3cd7e44539238ab833026a585b38884c3334ab785c19e35ce440 *audit-prompts/infrastructure-audit-master-prompt.md
9322253707945af22ebb32104bb4657dff584869a23798091985f0226e336e58 *audit-prompts/lean-audit-master-prompt.md
eade468bffad5ee4143e0461502ccc8c607846fb4861c6b672b2a0af52031d4f *audit-prompts/performance-audit-master-prompt.md
b98bdf8671d2640b8582f0bec2a7e35f07ac1a67ec457496d239b0e9e8174ae4 *audit-prompts/repo-audit-master-prompt.md
ddee61e41e75d4b6d4a23d114f58eb5d1be7e13f29bbcf6ad37184076b14f872 *audit-prompts/repo-audit-master-prompt.md
435e1661ad34a4398d41715763c243cd4c76d9efb4d01b933f05768dca4ccc73 *audit-prompts/security-audit-master-prompt.md
6bcc77a3a95524cb58a189042ee579cd1172cc44ccc4fd1b7961387bfd899626 *ISSUE-OUTPUT-STANDARD.md
d5c630f94295b56fb451a53836c69f5815e5096f4a694347a40c1f09543afb78 *DOCUMENTATION-STANDARD.en.md
Expand Down
81 changes: 46 additions & 35 deletions CONTRIBUTING.md
Original file line number Diff line number Diff line change
@@ -1,51 +1,62 @@
# Contributing

Danke für deinen Beitrag. Dieses Repo ist eine Sammlung von Audit-Master-Prompts plus den
Standards, die sie durchsetzen. Bitte halte beide Konventionen ein.
Thanks for your contribution. This repo is a collection of audit master prompts plus the standards
they enforce. Please follow both conventions.

## Dokumentation
## Documentation

Jede Markdown-Datei folgt dem [`DOCUMENTATION-STANDARD.md`](DOCUMENTATION-STANDARD.md)
(englisch: [`DOCUMENTATION-STANDARD.en.md`](DOCUMENTATION-STANDARD.en.md)). Kurz:
Every Markdown file follows the [`DOCUMENTATION-STANDARD.md`](DOCUMENTATION-STANDARD.md)
(English: [`DOCUMENTATION-STANDARD.en.md`](DOCUMENTATION-STANDARD.en.md)). In short:

- Überschriften in Satz-Schreibweise, **keine Emojis in Überschriften/Titeln**.
- Zweite Person, Präsens, Aktiv; kurze Sätze; parallele Listen.
- Hinweise als GitHub-Alerts (`> [!NOTE]`, `> [!TIP]`, `> [!WARNING]`) statt Emoji.
- Keine toten Links; keine Doku-Code-Drift.
- Headings in sentence case, **no emojis in headings or titles**.
- Second person, present tense, active voice; short sentences; parallel lists.
- Notes as GitHub alerts (`> [!NOTE]`, `> [!TIP]`, `> [!WARNING]`) instead of emoji.
- No dead links; no doc–code drift.

## Eine neue Audit-Vorlage beitragen
## Contributing a new audit template

Neue Vorlagen folgen dem Hausschema, damit sie mit den übrigen zusammenpassen:
New templates follow the house structure so they compose with the rest. Use the canonical heading
order — a CI gate enforces it (see below):

1. **Mission + Universality** (was geprüft wird; warum stack-agnostisch).
2. **Operating principles** (evidence-bound, cite-the-standard, severity-earned, adversarial,
praise-the-good, no-silent-truncation, fix-forward).
3. **Severity-Skala** (P0–P3) + Aufwand + Priority/ICE-Score.
4. **Phasen** 0 Recon → 1 paralleler Schwarm → 2 Dedupe → 3 adversarielle Verifikation →
4 Benchmark → 5 Synthese.
5. **Shared finding schema** (JSON) und **Definition of Done**.
6. **Issue-Ausgabe** nach [`ISSUE-OUTPUT-STANDARD.md`](ISSUE-OUTPUT-STANDARD.md) — verbindlich:
zuerst ein Tracking-Issue (priorisierter Index + Management-Summary + Roadmap), dann pro
Befund ein Issue mit eigener Management-Summary. Standardsprache der Issues: Deutsch.
1. **Title + mission blockquote** (what is audited; why it is stack-agnostic).
2. **How to use this prompt** (the `TARGET`/`SCOPE`/… parameter block).
3. **Operating principles** (evidence-bound, cite-the-standard, severity-earned, adversarial,
praise-the-good, no-silent-truncation, fix-forward) plus the **P0–P3 severity scale** and the
effort + priority/ICE score.
4. **Phases 0–5**: 0 Recon → 1 parallel swarm → 2 dedupe → 3 adversarial verification →
4 benchmark → 5 synthesis.
5. **Issue output** per [`ISSUE-OUTPUT-STANDARD.md`](ISSUE-OUTPUT-STANDARD.md) — mandatory: a
tracking issue first (prioritized index + management summary + roadmap), then one issue per
finding with its own management summary. Default issue language: German.
6. **Shared finding schema** (JSON) and **Definition of done**.

Halte Vorlagen provider-agnostisch, mappe Befunde auf anerkannte Standards und mache jede
Empfehlung sofort umsetzbar.
Keep templates provider-agnostic, map findings to recognized standards, and make every
recommendation immediately actionable.

## Pull-Requests
> [!NOTE]
> **Structure gate.** `node scripts/check-prompts.mjs` (the `prompts` workflow) enforces the house
> structure across all prompts so their findings compose: every canonical heading must be present,
> in the canonical order, with the P0–P3 severity scale and no legacy German severities, and the
> `Shared finding schema` block must carry the shared field keys (`id`, `title`, `severity`,
> `confidence`, `effort`, `evidence`, `fix`, `expected_impact`). `full-audit-master-prompt.md` is
> the orchestrator and is exempt. Run it before opening a PR.

- Ein PR pro thematischer Änderung; aussagekräftige Commit-Nachrichten.
- Aktualisiere [`CHANGELOG.md`](CHANGELOG.md) unter `[Unreleased]`.
- Versionierung nach [SemVer](https://semver.org/).
## Pull requests

## Release-Surface (Prompts und Checksummen)
- One PR per topical change; meaningful commit messages.
- Update [`CHANGELOG.md`](CHANGELOG.md) under `[Unreleased]`.
- Versioning per [SemVer](https://semver.org/).

- Beim Editieren eines `audit-prompts/*.md` oder eines Standards die `CHECKSUMS.txt` regenerieren
## Release surface (prompts and checksums)

- When editing an `audit-prompts/*.md` file or a standard, regenerate `CHECKSUMS.txt`
(`sha256sum audit-prompts/*.md ISSUE-OUTPUT-STANDARD.md DOCUMENTATION-STANDARD*.md > CHECKSUMS.txt`).
Die `prompts`-CI prüft das mit `sha256sum -c` und schlägt sonst fehl.
- Die in URLs gepinnte Release-Version wird **nur beim Release** gebumpt — über
`node scripts/bump-version.mjs vX.Y.Z`, nie von Hand. Siehe [`RELEASING.md`](RELEASING.md).
The `prompts` CI verifies it with `sha256sum -c` and fails otherwise.
- The release version pinned in URLs is bumped **only at release time** — via
`node scripts/bump-version.mjs vX.Y.Z`, never by hand. See [`RELEASING.md`](RELEASING.md).

## Verhalten und Sicherheit
## Conduct and security

- Es gilt der [`CODE_OF_CONDUCT.md`](CODE_OF_CONDUCT.md) (Contributor Covenant).
- Schwachstellen bitte **vertraulich** melden — siehe [`SECURITY.md`](SECURITY.md), nicht als öffentliches Issue.
- The [`CODE_OF_CONDUCT.md`](CODE_OF_CONDUCT.md) (Contributor Covenant) applies.
- Please report vulnerabilities **confidentially** — see [`SECURITY.md`](SECURITY.md), not as a
public issue.
Loading
Loading