Self-contained prompts to paste into individual Claude Code terminals so each subagent runs fully autonomously, in parallel, and writes its findings to ./audit-reports/.
Two ways to run:
- MASTER (1 terminal, easiest) — paste
MASTER.mdinto a single Claude Code session. Phase 1 runs inline; 14 Phase-2 agents dispatched in parallel via the Agent tool; Phase 3 synthesis. End-to-end, fully autonomous. - 16 individual terminals (max isolation) — paste each numbered prompt into its own terminal as documented below.
16 prompts — designed to run in 16 individual terminals for max parallelism:
00-orchestrator.md ← Phase 3 (last): synthesises the 15 reports
01-threat-modeler.md ← Phase 1 (first): drives MAS profile selection
02-secrets-scanner.md ┐
03-sbom-vuln.md │
04-sast-dast.md │
05-supabase-rls.md │
06-supabase-auth.md │
07-supabase-edge-functions.md │ Phase 2 (parallel —
08-supabase-postgres.md │ run 14 in parallel)
09-supabase-storage-realtime-network.md │
10-tauri-capabilities.md │
11-tauri-ipc.md │
12-tauri-config-and-distribution.md │ (CSP + WebView + updater + binary hardening)
13-mobile-static.md │
14-mobile-dynamic.md │
15-mobile-platform.md ┘ (deeplinks + Keychain/Keystore + cert pinning)
The audit runs from ~/desktop/travus (your Tauri app repo). audit-skills is installed inside the repo as ./audit/ (gitignored). Reports go to ./audit-reports/ (also gitignored). Every prompt assumes the working directory contains:
src-tauri/— Tauri Rust core + capabilities + tauri.conf.jsonsupabase/(or accessible viaSUPABASE_DB_URL) — Edge Functions + migrations + testsandroid/and/orios/if mobile is built in this repo (otherwise mobile agents skip)package.json— root npm dependenciesaudit/— cloned audit-skills (gitignored)audit-reports/— created on first run, gitignored
cd ~/desktop/travus
curl -fsSL https://raw.githubusercontent.com/user2343242kdisj/audit-skills-mobile-tauri-supabase/main/install.sh | bashinstall.sh clones the repo into ./audit/, installs the exec-agent wrapper, creates ./audit-reports/, and adds both audit/ and audit-reports/ to .gitignore. Secrets live in 1Password and are resolved at runtime via op read — no .audit-env file is created.
cd ~/desktop/travus
# 1. Clone audit-skills INSIDE your app repo as ./audit/
[ -d ./audit ] || git clone https://github.com/user2343242kdisj/audit-skills-mobile-tauri-supabase.git ./audit
# 2. Audit reports directory + gitignore both audit/ and audit-reports/
mkdir -p audit-reports
grep -qxF "audit-reports/" .gitignore 2>/dev/null || echo "audit-reports/" >> .gitignore
grep -qxF "audit/" .gitignore 2>/dev/null || echo "audit/" >> .gitignore
# 3. Verify 1Password CLI is authenticated (agents resolve secrets via `op read`)
op vault list >/dev/nullThe shared path is ./audit/templates/agent-prompts/.... If you prefer an env var for scripts:
export AUDIT_SKILLS_PATH="./audit"# Terminal 1
cd ~/desktop/travus
claude --dangerously-skip-permissions # auto-approve tool calls
# Then paste the contents of ./audit/templates/agent-prompts/01-threat-modeler.mdWait for DONE | threat-modeler | … line. Output: audit-reports/01-threat-model.md.
Open 14 separate terminals (or use tmux/zellij for split-pane). In each:
cd ~/desktop/travus
claude --dangerously-skip-permissions
# Then paste the contents of ./audit/templates/agent-prompts/<NN>-<name>.mdEach writes its report to audit-reports/<NN>-<name>.md.
You can also batch them with claude -p (non-interactive):
# In a launch script, looping over Phase 2 prompts (skip 00 and 01):
cd ~/desktop/travus
op vault list >/dev/null # unlock 1Password once
for prompt in ./audit/templates/agent-prompts/0[2-9]-*.md \
./audit/templates/agent-prompts/1[0-5]-*.md; do
name=$(basename "$prompt" .md)
log="audit-reports/$name.log"
(claude --dangerously-skip-permissions -p "$(cat "$prompt")" > "$log" 2>&1) &
done
wait
echo "All 14 Phase 2 agents complete."cd ~/desktop/travus
claude --dangerously-skip-permissions
# Then paste the contents of ./audit/templates/agent-prompts/00-orchestrator.mdOutput: audit-reports/00-FINAL.md.
Every prompt embeds the same autonomy rules:
- No questions to user mid-flight. Missing input → write
BLOCKED: <reason>and exit cleanly. - No destructive operations. Audit only. No DROP, DELETE, force push,
rm -rfoutside/tmp. - Writes restricted to
./audit-reports/. Never modifies app code. - Reads from approved paths only: the app repo (including
./audit/),/tmp/. - Never pushes to git — the user reviews the report directory and acts on it.
- Final stdout line is parse-friendly:
DONE | <agent-name> | <CRITICAL> CRITICAL | <HIGH> HIGH | <report-path>.
| File | Contents |
|---|---|
audit-reports/00-FINAL.md |
Aggregated executive report; quotes from subagent reports with attribution |
audit-reports/01-threat-model.md |
DFD, STRIDE list, attack tree, MAS profile recommendation |
audit-reports/02-secrets-scan.md |
ggshield + TruffleHog + Gitleaks consolidated findings |
audit-reports/03-sbom-vuln.md |
CycloneDX SBOMs + Grype/Trivy/cargo-audit findings |
audit-reports/04-sast-dast.md |
Semgrep + Schemathesis + BOLA harness + ZAP results |
audit-reports/05-supabase-rls.md |
Splinter (28 rules) + pgTAP coverage + policy review |
audit-reports/06-supabase-auth.md |
GoTrue version, MFA, JWT migration, CVE-2026-31813 / 2025-48370 / GHSA-3529 checks |
audit-reports/07-supabase-edge-functions.md |
Deno lint + 13 custom Semgrep rules |
audit-reports/08-supabase-postgres.md |
Roles, grants, search_path, extensions, FDWs, 7 upstream PG CVEs |
audit-reports/09-supabase-storage-realtime-network.md |
Bucket + signed URL audit · realtime.messages policies + private channel check · TLS testssl.sh + Network Restrictions |
audit-reports/10-tauri-capabilities.md |
ACL invariants, high-risk identifiers, runtime add_capability, dep pin (CVE-2026-42184 / 2025-31477 / 2024-35222) |
audit-reports/11-tauri-ipc.md |
Commands (6-class vuln checklist), custom schemes, isolation pattern, channels, events |
audit-reports/12-tauri-config-and-distribution.md |
CSP/WebView (sec A) + updater Ed25519 (sec B) + binary hardening + signing (sec C) |
audit-reports/13-mobile-static.md |
MobSF + jadx + apktool + manifest red-flags + plutil/codesign/otool |
audit-reports/14-mobile-dynamic.md |
Frida pinning bypass + Burp + Objection memory dump + Drozer scanners |
audit-reports/15-mobile-platform.md |
Deeplinks/intents (sec A) + Keychain/Keystore (sec B) + cert pinning (sec C) |
If your stack doesn't have a layer (e.g. no mobile app, just Tauri + Supabase), skip the mobile prompts. The orchestrator detects missing reports and notes them as N/A rather than failing.
After remediation, re-run only the affected agents:
cd ~/desktop/travus
# Example: re-run after fixing CVE-2026-31813
claude --dangerously-skip-permissions -p "$(cat ./audit/templates/agent-prompts/06-supabase-auth.md)"
# Then re-run orchestrator to refresh the synthesis
claude --dangerously-skip-permissions -p "$(cat ./audit/templates/agent-prompts/00-orchestrator.md)"For continuous auditing in CI, see templates/security-workflow.yml. The CI workflow uses the same tools but as deterministic GitHub Actions steps rather than agent-driven prompts. Both have a place:
- Agent prompts → human-in-the-loop deep audit; pre-launch
- CI workflow → mechanical regression gating; every PR