依赖图审计器 - 自动化代码架构分析与边界规则验证工具

ln-644-dependency-graph-auditor by levnikolaevich/claude-code-skills

208 周安装量

339 GitHub Stars

安装命令

npx skills add https://github.com/levnikolaevich/claude-code-skills --skill ln-644-dependency-graph-auditor

🇨🇳中文介绍

Paths: File paths (shared/, references/, ../ln-*) are relative to skills repo root. If not found at CWD, locate this SKILL.md directory and go up one level for repo root. If shared/ is missing, fetch files via WebFetch from https://raw.githubusercontent.com/levnikolaevich/claude-code-skills/master/skills/{path}.

Type: L3 Worker Category: 6XX Audit

依赖图审计器

L3 Worker，用于构建和分析模块依赖图以强制执行架构边界。

目的与范围

ln-640 协调器流水线中的 Worker - 由 ln-640-pattern-evolution-auditor 调用
根据导入语句（Python、TS/JS、C#、Java）构建模块依赖图
检测循环依赖：成对（HIGH）+ 通过 DFS 检测传递性（CRITICAL）
验证边界规则：禁止、允许、必需（基于 dependency-cruiser 模式）
计算 Robert C. Martin 指标（Ca、Ce、Instability）+ Lakos 聚合指标（CCD、NCCD）

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

输入（来自 ln-640）

- architecture_path: string    # 指向 docs/architecture.md 的路径
- codebase_root: string        # 要扫描的根目录
- output_dir: string           # 例如："docs/project/.audit/ln-640/{YYYY-MM-DD}"

# 领域感知（可选，来自协调器）
- domain_mode: "global" | "domain-aware"   # 默认："global"
- current_domain: string                   # 例如："users", "billing"（仅在 domain-aware 模式下）
- scan_path: string                        # 例如："src/users/"（仅在 domain-aware 模式下）

# 基线（可选）
- update_baseline: boolean                 # 如果为 true，则将当前状态保存为基线

当 domain_mode="domain-aware" 时： 对所有 Grep/Glob 操作使用 scan_path 而不是 codebase_root。为所有发现项标记 domain 字段。

必读： 加载 shared/references/two_layer_detection.md 以了解检测方法。

阶段 1：发现架构（自适应）

必读： 加载 references/dependency_rules.md — 使用 3 层优先级链、架构预设、自动检测启发式方法。

架构检测使用 3 层优先级 — 显式配置优先于文档，文档优先于自动检测：

# 优先级 1：显式项目配置
IF docs/project/dependency_rules.yaml 存在:
  加载自定义规则（模块、禁止、允许、必需）
  跳过预设检测

# 优先级 2：架构文档
ELIF docs/architecture.md 存在:
  读取第 4.2 节（模块、层、architecture_type）
  读取第 6.4 节（边界规则，如果已定义）
  将文档化的层映射到 dependency_rules.md 中的预设
  应用预设规则，并用第 6.4 节中的显式规则覆盖

# 优先级 3：从目录结构自动检测
ELSE:
  scan_root = scan_path IF domain_mode == "domain-aware" ELSE codebase_root
  运行结构启发式检测：

  signals = {}
  IF Glob("**/domain/**") AND Glob("**/infrastructure/**"):
    signals["clean"] = HIGH
  IF Glob("**/controllers/**") AND Glob("**/services/**") AND Glob("**/repositories/**"):
    signals["layered"] = HIGH
  IF Glob("**/features/*/") with internal structure:
    signals["vertical"] = HIGH
  IF Glob("**/adapters/**") AND Glob("**/ports/**"):
    signals["hexagonal"] = HIGH
  IF Glob("**/views/**") AND Glob("**/models/**"):
    signals["mvc"] = HIGH

  IF len(signals) == 0:
    architecture_mode = "custom"
    confidence = "LOW"
    # 仅检查循环 + 指标，无边界预设
  ELIF len(signals) == 1:
    architecture_mode = signals.keys()[0]
    confidence = signals.values()[0]
    应用 dependency_rules.md 中匹配的预设
  ELSE:
    architecture_mode = "hybrid"
    confidence = "MEDIUM"
    # 识别区域，为每个区域应用不同的预设（参见 dependency_rules.md 混合部分）
    FOR EACH detected_style IN signals:
      zone_path = identify_zone(detected_style)
      zone_preset = load_preset(detected_style)
      zones.append({path: zone_path, preset: zone_preset})
    添加跨区域规则：内部区域可访问，外部区域禁止依赖内部区域

阶段 2：构建依赖图

必读： 加载 references/import_patterns.md — 使用语言检测、导入 Grep 模式、模块解析算法、排除列表。

scan_root = scan_path IF domain_mode == "domain-aware" ELSE codebase_root

# 步骤 1：检测主要语言
tech_stack = Read(docs/project/tech_stack.md) IF exists
  ELSE detect from file extensions: Glob("**/*.py", "**/*.ts", "**/*.cs", "**/*.java", root=scan_root)

# 步骤 2：按语言提取导入
FOR EACH source_file IN Glob(language_glob_pattern, root=scan_root):
  imports = []

  # Python
  IF language == "python":
    from_imports = Grep("^from\s+([\w.]+)\s+import", source_file)
    plain_imports = Grep("^import\s+([\w.]+)", source_file)
    imports = from_imports + plain_imports

  # TypeScript / JavaScript
  ELIF language == "typescript" OR language == "javascript":
    es6_imports = Grep("import\s+.*\s+from\s+['\"]([^'\"]+)['\"]", source_file)
    require_imports = Grep("require\(['\"]([^'\"]+)['\"]\)", source_file)
    imports = es6_imports + require_imports

  # C#
  ELIF language == "csharp":
    using_imports = Grep("^using\s+([\w.]+);", source_file)
    imports = using_imports

  # Java
  ELIF language == "java":
    java_imports = Grep("^import\s+([\w.]+);", source_file)
    imports = java_imports

  # 步骤 3：仅过滤内部导入（根据 import_patterns.md 排除列表）
  internal_imports = filter_internal(imports, scan_root)

  # 步骤 4：解析到模块
  FOR EACH imp IN internal_imports:
    source_module = resolve_module(source_file, scan_root)
    target_module = resolve_module(imp, scan_root)
    IF source_module != target_module:
      graph[source_module].add(target_module)

阶段 3：检测循环（ADP）

hex-graph 加速： 对于拥有 .hex-skills/codegraph/index.db 的项目，使用 find_cycles 进行即时循环检测。当图不可用时，回退到基于 grep 的 DFS。

根据 Robert C. Martin（Clean Architecture 第 14 章）：“组件依赖图中不允许出现循环。”

# 成对循环（A <-> B）
FOR EACH (A, B) WHERE B IN graph[A] AND A IN graph[B]:
  cycles.append({
    type: "pairwise",
    path: [A, B, A],
    severity: "HIGH",
    fix: suggest_cycle_fix(A, B)
  })
  # 第 2 层：仅测试依赖（devDependencies，测试导入）→ 跳过循环
  # 具有文档化双向设计的插件/扩展架构 → 降级为 LOW

# 通过 DFS 检测传递性循环（A -> B -> C -> A）
visited = {}
rec_stack = {}

FUNCTION dfs(node, path):
  visited[node] = true
  rec_stack[node] = true

  FOR EACH neighbor IN graph[node]:
    IF NOT visited[neighbor]:
      dfs(neighbor, path + [node])
    ELIF rec_stack[neighbor]:
      cycle_path = extract_cycle(path + [node], neighbor)
      IF len(cycle_path) > 2:  # 跳过成对循环（已检测）
        cycles.append({
          type: "transitive",
          path: cycle_path,
          severity: "CRITICAL",
          fix: suggest_cycle_fix_transitive(cycle_path)
        })

  rec_stack[node] = false

FOR EACH module IN graph:
  IF NOT visited[module]:
    dfs(module, [])

# 文件夹级循环（基于 dependency-cruiser 模式）
folder_graph = collapse_to_folders(graph)
Repeat DFS on folder_graph for folder-level cycles

打破循环的建议（来自 Clean Architecture 第 14 章）：

DIP — 在被依赖模块中提取接口，在依赖模块中实现
提取共享组件 — 将共享代码移动到两个模块都依赖的新模块
领域事件 / 消息总线 — 对于跨领域循环，通过异步通信解耦

阶段 4：验证边界规则

# 从阶段 1 的发现中加载规则
# rules = {forbidden: [], allowed: [], required: []}

# 检查 FORBIDDEN 规则
FOR EACH rule IN rules.forbidden:
  FOR EACH edge (source -> target) IN graph:
    IF matches(source, rule.from) AND matches(target, rule.to):
      IF rule.cross AND same_group(source, target):
        CONTINUE  # cross=true 意味着仅跨组违规
      boundary_violations.append({
        rule_type: "forbidden",
        from: source,
        to: target,
        file: get_import_location(source, target),
        severity: rule.severity,
        reason: rule.reason
      })

# 检查 ALLOWED 规则（白名单模式）
IF rules.allowed.length > 0:
  FOR EACH edge (source -> target) IN graph:
    allowed = false
    FOR EACH rule IN rules.allowed:
      IF matches(source, rule.from) AND matches(target, rule.to):
        allowed = true
        BREAK
    IF NOT allowed:
      boundary_violations.append({
        rule_type: "not_in_allowed",
        from: source,
        to: target,
        file: get_import_location(source, target),
        severity: "MEDIUM",
        reason: "Dependency not in allowed list"
      })

# 检查 REQUIRED 规则
FOR EACH rule IN rules.required:
  FOR EACH module IN graph WHERE matches(module, rule.module):
    has_required = false
    FOR EACH dep IN graph[module]:
      IF matches(dep, rule.must_depend_on):
        has_required = true
        BREAK
    IF NOT has_required:
      boundary_violations.append({
        rule_type: "required_missing",
        module: module,
        missing: rule.must_depend_on,
        severity: "MEDIUM",
        reason: rule.reason
      })

阶段 5：计算图指标

hex-graph 加速： 对于拥有 .hex-skills/codegraph/index.db 的项目，使用 get_module_metrics 进行即时 Ca/Ce/I 计算。当图不可用时，回退到手动计算。

必读： 加载 references/graph_metrics.md — 使用指标定义、每层阈值、SDP 算法、Lakos 公式。

# 每模块指标（Robert C. Martin）
FOR EACH module IN graph:
  Ce = len(graph[module])                          # 传出耦合：出向
  Ca = count(m for m in graph if module in graph[m])  # 传入耦合：入向
  I = Ce / (Ca + Ce) IF (Ca + Ce) > 0 ELSE 0      # 不稳定性

  metrics[module] = {Ca, Ce, I}

# SDP 验证（稳定依赖原则）
FOR EACH edge (A -> B) IN graph:
  IF metrics[A].I < metrics[B].I:
    # 稳定模块依赖于较不稳定的模块 — SDP 违规
    sdp_violations.append({
      from: A, to: B,
      I_from: metrics[A].I, I_to: metrics[B].I,
      severity: "HIGH"
    })

# 阈值检查（根据 graph_metrics.md，考虑检测到的层）
FOR EACH module IN metrics:
  layer = get_layer(module)  # 来自阶段 1 的发现
  thresholds = get_thresholds(layer)  # 来自 graph_metrics.md

  IF metrics[module].I > thresholds.max_instability:
    findings.append({severity: thresholds.severity, issue: f"{module} instability {I} exceeds {thresholds.max_instability}"})
  IF metrics[module].Ce > thresholds.max_ce:
    findings.append({severity: "MEDIUM", issue: f"{module} efferent coupling {Ce} exceeds {thresholds.max_ce}"})

# Lakos 聚合指标
CCD = 0
FOR EACH module IN graph:
  DependsOn = count_transitive_deps(module, graph) + 1  # 包括自身
  CCD += DependsOn

N = len(graph)
CCD_balanced = N * log2(N)  # 具有 N 个节点的平衡二叉树的 CCD
NCCD = CCD / CCD_balanced IF CCD_balanced > 0 ELSE 0

IF NCCD > 1.5:
  findings.append({severity: "MEDIUM", issue: f"Graph complexity (NCCD={NCCD:.2f}) exceeds balanced tree threshold (1.5)"})

级联链扩展： 对于服务文件（**/services/**），将模块级图扩展到函数级。查找每个公共函数的最长副作用链（标记基于 shared/references/ai_ready_architecture.md）。如果 chain_length >= 3：添加到 cascade_findings。在阶段 8 的 DATA-EXTENDED JSON 中输出 "runtime_cascades" 数组。严重性：HIGH（4+），MEDIUM（3）。

阶段 6：基线支持

灵感来自 ArchUnit FreezingArchRule — 支持在遗留项目中增量采用。

baseline_path = docs/project/dependency_baseline.json

IF file_exists(baseline_path):
  known = load_json(baseline_path)
  current = serialize_violations(cycles + boundary_violations + sdp_violations)

  new_violations = current - known
  resolved_violations = known - current

  # 仅将 NEW 违规报告为发现项
  active_findings = new_violations
  baseline_info = {new: len(new_violations), resolved: len(resolved_violations), frozen: len(known - resolved_violations)}

  IF input.update_baseline == true:
    save_json(baseline_path, current)

ELSE:
  # 首次运行 — 报告所有
  active_findings = all_violations
  baseline_info = {new: len(all_violations), resolved: 0, frozen: 0}
  # 建议：输出提示 "Run with update_baseline=true to freeze current violations"

阶段 7：计算分数

必读： 加载 shared/references/audit_worker_core_contract.md 和 shared/references/audit_scoring.md。

penalty = (critical * 2.0) + (high * 1.0) + (medium * 0.5) + (low * 0.2)
score = max(0, 10 - penalty)

注意： 当基线激活时，惩罚仅根据 active_findings（新违规）计算，而不是冻结的违规。

阶段 8：编写报告

必读： 加载 shared/references/audit_worker_core_contract.md 和 shared/templates/audit_worker_report_template.md。

# 在内存中构建 markdown 报告，包含：
# - AUDIT-META（基于惩罚的标准：分数、计数）
# - 检查表（cycle_detection, boundary_rules, sdp_validation, metrics_thresholds, baseline_comparison）
# - 发现项表（按严重性排序的活动违规）
# - DATA-EXTENDED: {graph_stats, cycles, boundary_violations, sdp_violations, metrics, baseline}

IF domain_mode == "domain-aware":
  Write to {output_dir}/644-dep-graph-{current_domain}.md
ELSE:
  Write to {output_dir}/644-dep-graph.md

阶段 9：返回摘要

Report written: docs/project/.audit/ln-640/{YYYY-MM-DD}/644-dep-graph-users.md
Score: 6.5/10 | Issues: 8 (C:1 H:3 M:3 L:1)

必读： 加载 shared/references/audit_worker_core_contract.md。

自适应架构 — 绝不假设单一风格；从项目结构或文档中检测
3 层优先级 — 自定义规则 > architecture.md > 自动检测
混合支持 — 项目混合风格；为每个区域应用不同的预设
自定义 = 安全模式 — 如果未检测到模式，仅检查循环 + 指标（无错误的边界违规）
仅限内部 — 从图中排除标准库、第三方库（仅项目模块）
基线模式 — 当基线存在时，仅报告 NEW 违规
循环修复 — 始终提供可操作的建议（DIP、提取共享、领域事件）
文件 + 行号 — 始终为违规提供确切的导入位置

必读： 加载 shared/references/audit_worker_core_contract.md。

架构已发现（已应用自适应 3 层检测）
依赖图已根据导入语句构建（仅内部模块）
循环依赖已检测（成对 + 传递性 DFS + 文件夹级）
边界规则已验证（禁止 + 允许 + 必需）
指标已计算（每模块 Ca、Ce、I + 聚合 CCD、NCCD）
SDP 已验证（稳定模块不依赖于不稳定模块）
基线已应用（如果存在）（仅报告新违规）
如果为领域感知：所有 Grep/Glob 作用域限定为 scan_path，发现项标记有领域
根据 audit_scoring.md 计算分数
报告已写入 {output_dir}/644-dep-graph[-{domain}].md（原子性单次 Write 调用）
摘要已返回给协调器

边界规则和预设：references/dependency_rules.md
指标和阈值：references/graph_metrics.md
导入模式：references/import_patterns.md
评分算法：shared/references/audit_scoring.md

Version: 1.0.0 Last Updated: 2026-02-11

🇺🇸English

Paths: File paths (shared/, references/, ../ln-*) are relative to skills repo root. If not found at CWD, locate this SKILL.md directory and go up one level for repo root. If shared/ is missing, fetch files via WebFetch from https://raw.githubusercontent.com/levnikolaevich/claude-code-skills/master/skills/{path}.

Type: L3 Worker Category: 6XX Audit

Dependency Graph Auditor

L3 Worker that builds and analyzes the module dependency graph to enforce architectural boundaries.

Purpose & Scope

Worker in ln-640 coordinator pipeline - invoked by ln-640-pattern-evolution-auditor
Build module dependency graph from import statements (Python, TS/JS, C#, Java)
Detect circular dependencies: pairwise (HIGH) + transitive via DFS (CRITICAL)
Validate boundary rules: forbidden, allowed, required (per dependency-cruiser pattern)
Calculate Robert C. Martin metrics (Ca, Ce, Instability) + Lakos aggregate (CCD, NCCD)
Validate Stable Dependencies Principle (SDP)
Support baseline/freeze for incremental legacy adoption (per ArchUnit FreezingArchRule)
Adaptive: 3-tier architecture detection — custom rules > docs > auto-detect

Out of Scope (owned by other workers):

I/O isolation violations (grep-based) -> ln-642-layer-boundary-auditor
API contract violations -> ln-643-api-contract-auditor
Code duplication -> ln-623-code-principles-auditor

Input (from ln-640)

- architecture_path: string    # Path to docs/architecture.md
- codebase_root: string        # Root directory to scan
- output_dir: string           # e.g., "docs/project/.audit/ln-640/{YYYY-MM-DD}"

# Domain-aware (optional, from coordinator)
- domain_mode: "global" | "domain-aware"   # Default: "global"
- current_domain: string                   # e.g., "users", "billing" (only if domain-aware)
- scan_path: string                        # e.g., "src/users/" (only if domain-aware)

# Baseline (optional)
- update_baseline: boolean                 # If true, save current state as baseline

When domain_mode="domain-aware": Use scan_path instead of codebase_root for all Grep/Glob operations. Tag all findings with domain field.

Workflow

MANDATORY READ: Load shared/references/two_layer_detection.md for detection methodology.

Phase 1: Discover Architecture (Adaptive)

MANDATORY READ: Load references/dependency_rules.md — use 3-Tier Priority Chain, Architecture Presets, Auto-Detection Heuristics.

Architecture detection uses 3-tier priority — explicit config wins over docs, docs win over auto-detection:

# Priority 1: Explicit project config
IF docs/project/dependency_rules.yaml exists:
  Load custom rules (modules, forbidden, allowed, required)
  SKIP preset detection

# Priority 2: Architecture documentation
ELIF docs/architecture.md exists:
  Read Section 4.2 (modules, layers, architecture_type)
  Read Section 6.4 (boundary rules, if defined)
  Map documented layers to presets from dependency_rules.md
  Apply preset rules, override with explicit rules from Section 6.4

# Priority 3: Auto-detection from directory structure
ELSE:
  scan_root = scan_path IF domain_mode == "domain-aware" ELSE codebase_root
  Run structure heuristics:

  signals = {}
  IF Glob("**/domain/**") AND Glob("**/infrastructure/**"):
    signals["clean"] = HIGH
  IF Glob("**/controllers/**") AND Glob("**/services/**") AND Glob("**/repositories/**"):
    signals["layered"] = HIGH
  IF Glob("**/features/*/") with internal structure:
    signals["vertical"] = HIGH
  IF Glob("**/adapters/**") AND Glob("**/ports/**"):
    signals["hexagonal"] = HIGH
  IF Glob("**/views/**") AND Glob("**/models/**"):
    signals["mvc"] = HIGH

  IF len(signals) == 0:
    architecture_mode = "custom"
    confidence = "LOW"
    # Only check cycles + metrics, no boundary presets
  ELIF len(signals) == 1:
    architecture_mode = signals.keys()[0]
    confidence = signals.values()[0]
    Apply matching preset from dependency_rules.md
  ELSE:
    architecture_mode = "hybrid"
    confidence = "MEDIUM"
    # Identify zones, apply different presets per zone (see dependency_rules.md Hybrid section)
    FOR EACH detected_style IN signals:
      zone_path = identify_zone(detected_style)
      zone_preset = load_preset(detected_style)
      zones.append({path: zone_path, preset: zone_preset})
    Add cross-zone rules: inner zones accessible, outer zones forbidden to depend on inner

Phase 2: Build Dependency Graph

MANDATORY READ: Load references/import_patterns.md — use Language Detection, Import Grep Patterns, Module Resolution Algorithm, Exclusion Lists.

scan_root = scan_path IF domain_mode == "domain-aware" ELSE codebase_root

# Step 1: Detect primary language
tech_stack = Read(docs/project/tech_stack.md) IF exists
  ELSE detect from file extensions: Glob("**/*.py", "**/*.ts", "**/*.cs", "**/*.java", root=scan_root)

# Step 2: Extract imports per language
FOR EACH source_file IN Glob(language_glob_pattern, root=scan_root):
  imports = []

  # Python
  IF language == "python":
    from_imports = Grep("^from\s+([\w.]+)\s+import", source_file)
    plain_imports = Grep("^import\s+([\w.]+)", source_file)
    imports = from_imports + plain_imports

  # TypeScript / JavaScript
  ELIF language == "typescript" OR language == "javascript":
    es6_imports = Grep("import\s+.*\s+from\s+['\"]([^'\"]+)['\"]", source_file)
    require_imports = Grep("require\(['\"]([^'\"]+)['\"]\)", source_file)
    imports = es6_imports + require_imports

  # C#
  ELIF language == "csharp":
    using_imports = Grep("^using\s+([\w.]+);", source_file)
    imports = using_imports

  # Java
  ELIF language == "java":
    java_imports = Grep("^import\s+([\w.]+);", source_file)
    imports = java_imports

  # Step 3: Filter internal only (per import_patterns.md Exclusion Lists)
  internal_imports = filter_internal(imports, scan_root)

  # Step 4: Resolve to modules
  FOR EACH imp IN internal_imports:
    source_module = resolve_module(source_file, scan_root)
    target_module = resolve_module(imp, scan_root)
    IF source_module != target_module:
      graph[source_module].add(target_module)

Phase 3: Detect Cycles (ADP)

hex-graph acceleration: For projects with .hex-skills/codegraph/index.db, use find_cycles for instant cycle detection. Fall back to grep-based DFS when graph is unavailable.

Per Robert C. Martin (Clean Architecture Ch14): "Allow no cycles in the component dependency graph."

# Pairwise cycles (A <-> B)
FOR EACH (A, B) WHERE B IN graph[A] AND A IN graph[B]:
  cycles.append({
    type: "pairwise",
    path: [A, B, A],
    severity: "HIGH",
    fix: suggest_cycle_fix(A, B)
  })
  # Layer 2: Test-only dependencies (devDependencies, test imports) → skip cycle
  # Plugin/extension architecture with documented bidirectional design → downgrade to LOW

# Transitive cycles via DFS (A -> B -> C -> A)
visited = {}
rec_stack = {}

FUNCTION dfs(node, path):
  visited[node] = true
  rec_stack[node] = true

  FOR EACH neighbor IN graph[node]:
    IF NOT visited[neighbor]:
      dfs(neighbor, path + [node])
    ELIF rec_stack[neighbor]:
      cycle_path = extract_cycle(path + [node], neighbor)
      IF len(cycle_path) > 2:  # Skip pairwise (already detected)
        cycles.append({
          type: "transitive",
          path: cycle_path,
          severity: "CRITICAL",
          fix: suggest_cycle_fix_transitive(cycle_path)
        })

  rec_stack[node] = false

FOR EACH module IN graph:
  IF NOT visited[module]:
    dfs(module, [])

# Folder-level cycles (per dependency-cruiser pattern)
folder_graph = collapse_to_folders(graph)
Repeat DFS on folder_graph for folder-level cycles

Cycle-breaking recommendations (from Clean Architecture Ch14):

DIP — extract interface in depended-upon module, implement in depending module
Extract Shared Component — move shared code to new module both depend on
Domain Events / Message Bus — for cross-domain cycles, decouple via async communication

Phase 4: Validate Boundary Rules

# Load rules from Phase 1 discovery
# rules = {forbidden: [], allowed: [], required: []}

# Check FORBIDDEN rules
FOR EACH rule IN rules.forbidden:
  FOR EACH edge (source -> target) IN graph:
    IF matches(source, rule.from) AND matches(target, rule.to):
      IF rule.cross AND same_group(source, target):
        CONTINUE  # cross=true means only cross-group violations
      boundary_violations.append({
        rule_type: "forbidden",
        from: source,
        to: target,
        file: get_import_location(source, target),
        severity: rule.severity,
        reason: rule.reason
      })

# Check ALLOWED rules (whitelist mode)
IF rules.allowed.length > 0:
  FOR EACH edge (source -> target) IN graph:
    allowed = false
    FOR EACH rule IN rules.allowed:
      IF matches(source, rule.from) AND matches(target, rule.to):
        allowed = true
        BREAK
    IF NOT allowed:
      boundary_violations.append({
        rule_type: "not_in_allowed",
        from: source,
        to: target,
        file: get_import_location(source, target),
        severity: "MEDIUM",
        reason: "Dependency not in allowed list"
      })

# Check REQUIRED rules
FOR EACH rule IN rules.required:
  FOR EACH module IN graph WHERE matches(module, rule.module):
    has_required = false
    FOR EACH dep IN graph[module]:
      IF matches(dep, rule.must_depend_on):
        has_required = true
        BREAK
    IF NOT has_required:
      boundary_violations.append({
        rule_type: "required_missing",
        module: module,
        missing: rule.must_depend_on,
        severity: "MEDIUM",
        reason: rule.reason
      })

Phase 5: Calculate Graph Metrics

hex-graph acceleration: For projects with .hex-skills/codegraph/index.db, use get_module_metrics for instant Ca/Ce/I calculation. Fall back to manual computation when graph is unavailable.

MANDATORY READ: Load references/graph_metrics.md — use Metric Definitions, Thresholds per Layer, SDP Algorithm, Lakos Formulas.

# Per-module metrics (Robert C. Martin)
FOR EACH module IN graph:
  Ce = len(graph[module])                          # Efferent: outgoing
  Ca = count(m for m in graph if module in graph[m])  # Afferent: incoming
  I = Ce / (Ca + Ce) IF (Ca + Ce) > 0 ELSE 0      # Instability

  metrics[module] = {Ca, Ce, I}

# SDP validation (Stable Dependencies Principle)
FOR EACH edge (A -> B) IN graph:
  IF metrics[A].I < metrics[B].I:
    # Stable module depends on less stable module — SDP violation
    sdp_violations.append({
      from: A, to: B,
      I_from: metrics[A].I, I_to: metrics[B].I,
      severity: "HIGH"
    })

# Threshold checks (per graph_metrics.md, considering detected layer)
FOR EACH module IN metrics:
  layer = get_layer(module)  # From Phase 1 discovery
  thresholds = get_thresholds(layer)  # From graph_metrics.md

  IF metrics[module].I > thresholds.max_instability:
    findings.append({severity: thresholds.severity, issue: f"{module} instability {I} exceeds {thresholds.max_instability}"})
  IF metrics[module].Ce > thresholds.max_ce:
    findings.append({severity: "MEDIUM", issue: f"{module} efferent coupling {Ce} exceeds {thresholds.max_ce}"})

# Lakos aggregate metrics
CCD = 0
FOR EACH module IN graph:
  DependsOn = count_transitive_deps(module, graph) + 1  # Including self
  CCD += DependsOn

N = len(graph)
CCD_balanced = N * log2(N)  # CCD of balanced binary tree with N nodes
NCCD = CCD / CCD_balanced IF CCD_balanced > 0 ELSE 0

IF NCCD > 1.5:
  findings.append({severity: "MEDIUM", issue: f"Graph complexity (NCCD={NCCD:.2f}) exceeds balanced tree threshold (1.5)"})

Cascade chain extension: For service files (**/services/**), extend module-level graph to function-level. Find longest side-effect chain per public function (markers per shared/references/ai_ready_architecture.md). If chain_length >= 3: add to cascade_findings. Output "runtime_cascades" array in Phase 8 DATA-EXTENDED JSON. Severity: HIGH (4+), MEDIUM (3).

Phase 6: Baseline Support

Inspired by ArchUnit FreezingArchRule — enables incremental adoption in legacy projects.

baseline_path = docs/project/dependency_baseline.json

IF file_exists(baseline_path):
  known = load_json(baseline_path)
  current = serialize_violations(cycles + boundary_violations + sdp_violations)

  new_violations = current - known
  resolved_violations = known - current

  # Report only NEW violations as findings
  active_findings = new_violations
  baseline_info = {new: len(new_violations), resolved: len(resolved_violations), frozen: len(known - resolved_violations)}

  IF input.update_baseline == true:
    save_json(baseline_path, current)

ELSE:
  # First run — report all
  active_findings = all_violations
  baseline_info = {new: len(all_violations), resolved: 0, frozen: 0}
  # Suggest: output note "Run with update_baseline=true to freeze current violations"

Phase 7: Calculate Score

MANDATORY READ: Load shared/references/audit_worker_core_contract.md and shared/references/audit_scoring.md.

penalty = (critical * 2.0) + (high * 1.0) + (medium * 0.5) + (low * 0.2)
score = max(0, 10 - penalty)

Note: When baseline is active, penalty is calculated from active_findings only (new violations), not frozen ones.

Phase 8: Write Report

MANDATORY READ: Load shared/references/audit_worker_core_contract.md and shared/templates/audit_worker_report_template.md.

# Build markdown report in memory with:
# - AUDIT-META (standard penalty-based: score, counts)
# - Checks table (cycle_detection, boundary_rules, sdp_validation, metrics_thresholds, baseline_comparison)
# - Findings table (active violations sorted by severity)
# - DATA-EXTENDED: {graph_stats, cycles, boundary_violations, sdp_violations, metrics, baseline}

IF domain_mode == "domain-aware":
  Write to {output_dir}/644-dep-graph-{current_domain}.md
ELSE:
  Write to {output_dir}/644-dep-graph.md

Phase 9: Return Summary

Report written: docs/project/.audit/ln-640/{YYYY-MM-DD}/644-dep-graph-users.md
Score: 6.5/10 | Issues: 8 (C:1 H:3 M:3 L:1)

Critical Rules

MANDATORY READ: Load shared/references/audit_worker_core_contract.md.

Adaptive architecture — never assume one style; detect from project structure or docs
3-tier priority — custom rules > architecture.md > auto-detection
Hybrid support — projects mix styles; apply different presets per zone
Custom = safe mode — if no pattern detected, only check cycles + metrics (no false boundary violations)
Internal only — exclude stdlib, third-party from graph (only project modules)
Baseline mode — when baseline exists, report only NEW violations
Cycle fixes — always provide actionable recommendation (DIP, Extract Shared, Domain Events)
File + line — always provide exact import location for violations

Definition of Done

MANDATORY READ: Load shared/references/audit_worker_core_contract.md.

Architecture discovered (adaptive 3-tier detection applied)
Dependency graph built from import statements (internal modules only)
Circular dependencies detected (pairwise + transitive DFS + folder-level)
Boundary rules validated (forbidden + allowed + required)
Metrics calculated (Ca, Ce, I per module + CCD, NCCD aggregate)
SDP validated (stable modules not depending on unstable)
Baseline applied if exists (only new violations reported)
If domain-aware: all Grep/Glob scoped to scan_path, findings tagged with domain
Score calculated per audit_scoring.md
Report written to {output_dir}/644-dep-graph[-{domain}].md (atomic single Write call)
Summary returned to coordinator

Reference Files

Boundary rules & presets: references/dependency_rules.md
Metrics & thresholds: references/graph_metrics.md
Import patterns: references/import_patterns.md
Scoring algorithm: shared/references/audit_scoring.md

Version: 1.0.0 Last Updated: 2026-02-11

Weekly Installs

144

Repository

levnikolaevich/…e-skills

GitHub Stars

245

First Seen

Feb 12, 2026

Security Audits

Gen Agent Trust HubPass SocketPass SnykWarn

Installed on

cursor136

gemini-cli135

codex135

github-copilot135

opencode135

amp133

智能代码探索工具smart-explore：AST解析结构化代码搜索与导航

798 周安装