1. Prompt Ownership And Review Ownership Are Different Jobs

GoingNinja now treats these as separate responsibilities:

  • Codex scopes the change and writes the audit prompt
  • Claude and Gemini receive a review lane and stay inside that lane
  • the human remains the merge owner

This avoids agent theater and keeps review deterministic.

2. Repeated Audit Findings Are Not Closed Until They Are Written Back

An audit finding is not really closed if it lives only in chat or in one markdown artifact.

Closure requires writeback into at least one durable place:

  • AGENTS.md
  • INVARIANTS.md
  • docs/LEAN_IMPLEMENTATION_CONTRACT.md
  • a reusable template
  • or a deterministic check

3. Local Success Is Not Enough

Another recurring failure mode was assuming local output meant the deployed surface matched it.

The correct sequence is:

  1. fix source
  2. rebuild
  3. verify generated output
  4. verify deployed output
  5. only then close the issue

4. Batch Fixes Beat Tiny Audit Loops

The long audit sequence happened because the early code did not yet have strong contract boundaries.

The operational lesson is:

  • do not rerun external audits after every cosmetic tweak
  • collect the current contract failures
  • patch them as one coherent batch
  • rerun only after the batch is internally green

That is both leaner and more honest.

5. Do Not Declare Lean Too Early

One process failure in this round was declaring the code lean before the current source state had actually passed external review.

That is now an explicit anti-pattern:

  • local confidence is not enough
  • visual neatness is not enough
  • previous audit history is not enough

Only the current audited source state counts.

6. One Snapshot, One Audit Pair

The stable audit loop is now:

  1. patch one coherent batch
  2. build and verify locally
  3. freeze the code
  4. create one fresh snapshot
  5. run Claude and Gemini on that same snapshot

Do not keep editing while an older audit is still running.

7. What Future Repos Should Reuse

Project repos should inherit these lessons immediately:

  • one source of truth per contract
  • generated output is never source
  • no duplicated CSS, SVG, CSP, or route literals
  • no /tmp source of truth
  • unknown routes fail closed
  • equivalent path shapes are validated equally
  • security trust stays tied to the exact runtime primitive
  • repeated audit findings must become rules or checks
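
One deterministic check that captures two of those rules, "unknown routes fail closed" and "equivalent path shapes are validated equally", as an added illustration (example code written for this note, not GoingNinja's own; the route allowlist and the `canonical_path`/`route_allowed` names are constructed for the example):

```python
# Added illustration, not GoingNinja code: a fail-closed route check in which
# every spelling of a path is reduced to one canonical shape before the
# allowlist decision, so "/about", "/about/", "//about", "/./about" and
# "/%61bout" all get the same answer, and anything unrecognised is denied.
from typing import Optional
from urllib.parse import unquote

# Constructed allowlist: the single source of truth for known routes.
KNOWN_ROUTES = frozenset({"/", "/about", "/docs", "/docs/contract"})


def canonical_path(raw: str) -> Optional[str]:
    """Return the canonical form of a request path, or None if it has none.

    None means "treat as unknown": the caller must not guess, so control
    characters, backslashes, and paths that climb above the root all map
    to a denial rather than to a best-effort route.
    """
    if not raw.startswith("/"):
        return None
    # Split off query and fragment BEFORE decoding, so an encoded "%3F"
    # stays part of the path instead of turning into a query separator.
    path = raw.split("?", 1)[0].split("#", 1)[0]
    # Decode exactly once; decoding twice would let "%2541bout" through.
    path = unquote(path)
    if any(ord(ch) < 0x20 or ch == "\\" for ch in path):
        return None
    # Collapse empty, "." and ".." segments explicitly (posixpath.normpath
    # would keep a leading "//" and silently drop a root-escaping "..").
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                return None  # attempts to escape the root: no canonical form
            segments.pop()
        else:
            segments.append(seg)
    return "/" + "/".join(segments)


def route_allowed(raw: str) -> bool:
    """Fail closed: only a path with a canonical form in KNOWN_ROUTES passes."""
    path = canonical_path(raw)
    return path is not None and path in KNOWN_ROUTES
```

Every shape that resolves to the same route gets the same verdict, and the default for anything else is a denial, which is the property the audit rule asks for.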