Audit Discipline · Knowledge Base

7. Prompt Ownership And Review Ownership Are Different Jobs

GoingNinja now treats these as separate responsibilities:

Codex scopes the change and writes the audit prompt
Claude and Gemini receive a review lane and stay inside that lane
the human remains the merge owner

This avoids agent theater and keeps review deterministic.

8. Repeated Audit Findings Are Not Closed Until They Are Written Back

An audit finding is not really closed if it lives only in chat or in one markdown artifact.

Closure requires writeback into at least one durable place:

AGENTS.md
INVARIANTS.md
docs/LEAN_IMPLEMENTATION_CONTRACT.md
a reusable template
or a deterministic check

9. Local Success Is Not Enough

Another recurring failure mode was assuming local output meant the deployed surface matched it.

The correct sequence is:

fix source
rebuild
verify generated output
verify deployed output
only then close the issue

10. Batch Fixes Beat Tiny Audit Loops

The long audit sequence happened because the early code did not yet have strong contract boundaries.

The operational lesson is:

do not rerun external audits after every cosmetic tweak
collect the current contract failures
patch them as one coherent batch
rerun only after the batch is internally green

That is both leaner and more honest.

11. Do Not Declare Lean Too Early

One process failure in this round was declaring the code lean before the current source state had actually passed external review.

That is now an explicit anti-pattern:

local confidence is not enough
visual neatness is not enough
previous audit history is not enough

Only the current audited source state counts.

12. One Snapshot, One Audit Pair

The stable audit loop is now:

patch one coherent batch
build and verify locally
freeze the code
create one fresh snapshot
run Claude and Gemini on that same snapshot

Do not keep editing while an older audit is still running.

13. What Future Repos Should Reuse

Project repos should inherit these lessons immediately:

one source of truth per contract
generated output is never source
no duplicated CSS, SVG, CSP, or route literals
no /tmp source of truth
unknown routes fail closed
equivalent path shapes are validated equally
security trust stays tied to the exact runtime primitive
repeated audit findings must become rules or checks

On this page

7. Prompt Ownership And Review Ownership Are Different Jobs
8. Repeated Audit Findings Are Not Closed Until They Are Written Back
9. Local Success Is Not Enough
10. Batch Fixes Beat Tiny Audit Loops
11. Do Not Declare Lean Too Early
12. One Snapshot, One Audit Pair
13. What Future Repos Should Reuse