21 specialised subagents that turn this audit toolkit into a hierarchy: one orchestrator + 20 narrow domain experts. Each agent has a tight, audit-specific system prompt and references the deep documents in ../../docs/.
```
audit-orchestrator                          ← top-level "manager"
│
├── threat-modeler                          ← runs first, drives profile selection
│
├── Supabase (7)
│   ├── supabase-rls-auditor                RLS policies, Splinter, pgTAP
│   ├── supabase-storage-auditor            storage.buckets, signed URLs, MIME limits
│   ├── supabase-edge-functions-auditor     Deno + 13 Semgrep rules
│   ├── supabase-auth-auditor               GoTrue, JWT, MFA, CVE-2026-31813
│   ├── supabase-realtime-auditor           channels, broadcast/presence, postgres-changes
│   ├── supabase-postgres-auditor           roles, grants, search_path, pgaudit
│   └── supabase-network-auditor            TLS, regions, Network Restrictions
│
├── Tauri (5)
│   ├── tauri-capabilities-auditor          capability files, ACL invariants
│   ├── tauri-ipc-auditor                   #[tauri::command], custom schemes, isolation
│   ├── tauri-csp-webview-auditor           CSP, asset protocol, freezePrototype
│   ├── tauri-updater-auditor               updater config, Ed25519 keys
│   └── tauri-binary-hardening-auditor      code signing, RUSTFLAGS, RASP=NONE
│
├── Mobile (4)
│   ├── mobile-static-analysis-auditor      APK/IPA, MobSF, jadx, manifest
│   ├── mobile-dynamic-analysis-auditor     Frida, Objection, Burp, Drozer
│   ├── mobile-deeplinks-auditor            App Links, Universal Links, intents
│   └── mobile-storage-crypto-auditor       Keychain, Keystore, cert pinning
│
└── Cross-cutting (4)
    ├── secrets-scanner-coordinator         ggshield + TruffleHog + Gitleaks
    ├── sast-dast-coordinator               Semgrep + Schemathesis + BOLA harness + ZAP
    ├── threat-modeler                      pytm + STRIDE + 16 custom threats
    └── sbom-vuln-coordinator               CycloneDX + Grype + Trivy + cargo-audit
```
In your app repo:

```bash
# From the app repo root:
git clone https://github.com/<your>/audit-skills-mobile-tauri-supabase /tmp/audit-skills
mkdir -p .claude/agents
cp /tmp/audit-skills/templates/claude-agents/*.md .claude/agents/
```

Or, if you use this repo as a submodule:

```bash
git submodule add https://github.com/<your>/audit-skills-mobile-tauri-supabase audit-skills
mkdir -p .claude   # the symlink's parent directory must exist before ln runs
ln -s ../audit-skills/templates/claude-agents .claude/agents
```

```
# Inside Claude Code:
/agents
```

This should list all 21 agents under your project scope.
> Run a full pre-launch security audit on this codebase.

→ The audit-orchestrator invokes the phases in order:

- threat-modeler (first, drives profile selection)
- Static analysis subagents (in parallel)
- Configuration auditors (in parallel)
- Dynamic / DAST (sequential, needs test users)
- IPC + Tauri runtime
- Synthesis + final report

> Audit just the RLS policies on the new schema.

→ Goes directly to supabase-rls-auditor. The orchestrator is for multi-domain requests.

> The CVE-2026-31813 fix is deployed. Re-run the auth audit and confirm clean.

→ supabase-auth-auditor re-runs the version checks and reports clean / regression.
Every subagent is engineered for highest precision in a narrow domain, following these rules:
- One scope per agent. Each agent declares its scope in plain English at the top and lists out-of-scope items together with the subagent to delegate them to.
- No invented findings. When data is missing, agents ask for the missing input and stop. They never speculate.
- Source-cited. Every finding cites a `path:line`, CVE/GHSA ID, Splinter rule ID, MASWE ID, or URL.
- Knowledge baked in. Each agent's prompt embeds the relevant CVEs, schemas and rules verbatim from `docs/owasp-mas-analysis.md`, `docs/tauri-2-security-analysis.md` and `docs/supabase-security-tools.md`. No external lookup is needed for routine work.
- Output format fixed. Each agent has a structured output template, so the orchestrator can compose the results mechanically.
- Tool access scoped. Most agents have `Read`, `Bash`, `Grep`, `Glob` only. The threat-modeler also has `Write` (it produces a model file). The orchestrator has `Write` (it produces the final report).
- No model override. Each agent inherits the parent model — for sustained audit work on Opus-class capability, run the parent on Opus; the subagents follow.
- Write the file: `templates/claude-agents/<name>.md`
- Frontmatter: `name`, `description` (when to invoke), optional `tools` and `model`
- System prompt body following the structure: scope → out-of-scope → knowledge base → workflow → output format → references
- Add a row to the orchestrator's routing table (`audit-orchestrator.md`)
- Add the agent to this README's hierarchy diagram
- Copy it to your `.claude/agents/` to test
- Don't create one mega-agent that "does everything". Defeats the precision-via-narrow-scope design.
- Don't duplicate scope across agents. If two agents both audit RLS, findings will collide and contradict.
- Don't put generic security advice in subagent prompts. The point is domain-specific actionable guidance.
- Don't skip the threat-modeler for full audits. Profile selection (L1/L2/R/P) drives everything else.
All subagents reference the deep documents in this repo:

- `docs/owasp-mas-analysis.md` — MAS / MASVS / MASTG / MASWE deep dive
- `docs/tauri-2-security-analysis.md` — 30-section Tauri 2 audit reference
- `docs/supabase-security-tools.md` — Supabase security-tooling stack