Skills
skills/levnikolaevich/claude-code-skills/ln-642-layer-boundary-auditor

ln-642-layer-boundary-auditor

SKILL.md

Paths: File paths (shared/, references/, ../ln-*) are relative to skills repo root. If not found at CWD, locate this SKILL.md directory and go up one level for repo root.

Layer Boundary Auditor

L3 Worker that audits architectural layer boundaries and detects violations.

Purpose & Scope

  • Read architecture.md to discover project's layer structure
  • Detect layer violations (I/O code outside infrastructure layer)
  • Detect cross-layer consistency issues:
    • Transaction boundaries (commit/rollback ownership)
    • Session ownership (DI vs local)
  • Check pattern coverage (all HTTP calls use client abstraction)
  • Detect error handling duplication
  • Return violations list to coordinator

Out of Scope (owned by ln-628-concurrency-auditor):

  • Blocking I/O in async functions (sync open/read in async def)
  • Fire-and-forget tasks (create_task without error handler)

Input (from ln-640)

- architecture_path: string    # Path to docs/architecture.md
- codebase_root: string        # Root directory to scan
- skip_violations: string[]    # Files to skip (legacy)
- output_dir: string           # e.g., "docs/project/.audit/ln-640/{YYYY-MM-DD}"

# Domain-aware (optional, from coordinator)
- domain_mode: "global" | "domain-aware"   # Default: "global"
- current_domain: string                   # e.g., "users", "billing" (only if domain-aware)
- scan_path: string                        # e.g., "src/users/" (only if domain-aware)

When domain_mode="domain-aware": Use scan_path instead of codebase_root for all Grep/Glob operations. Tag all findings with domain field.

Workflow

MANDATORY READ: Load shared/references/two_layer_detection.md for detection methodology.

Phase 1: Discover Architecture

MANDATORY READ: Load ../ln-640-pattern-evolution-auditor/references/layer_rules.md — use Architecture Presets (fallback), I/O Pattern Boundary Rules (Phase 2), Coverage Checks (Phase 4), Cross-Layer Consistency rules (Phase 3).

Read docs/architecture.md

Extract from Section 4.2 (Top-Level Decomposition):
  - architecture_type: "Layered" | "Hexagonal" | "Clean" | "MVC" | etc.
  - layers: [{name, directories[], purpose}]

Extract from Section 5.3 (Infrastructure Layer Components):
  - infrastructure_components: [{name, responsibility}]

IF architecture.md not found:
  Use fallback presets from layer_rules.md

Build ruleset:
  FOR EACH layer:
    allowed_deps = layers that can be imported
    forbidden_deps = layers that cannot be imported

Phase 2: Detect Layer Violations

scan_root = scan_path IF domain_mode == "domain-aware" ELSE codebase_root

FOR EACH violation_type IN layer_rules.md I/O Pattern Boundary Rules:
  grep_pattern = violation_type.detection_grep
  forbidden_dirs = violation_type.forbidden_in

  matches = Grep(grep_pattern, scan_root, include="*.py,*.ts,*.js")

  FOR EACH match IN matches:
    IF match.path NOT IN skip_violations:
      IF any(forbidden IN match.path FOR forbidden IN forbidden_dirs):
        violations.append({
          type: "layer_violation",
          severity: "HIGH",
          pattern: violation_type.name,
          file: match.path,
          line: match.line,
          code: match.context,
          allowed_in: violation_type.allowed_in,
          suggestion: f"Move to {violation_type.allowed_in}"
        })

Phase 3: Cross-Layer Consistency Checks

3.1 Transaction Boundary Violations

What: commit()/rollback() called at inconsistent layers (repo + service + API)

Detection:

repo_commits = Grep("\.commit\(\)|\.rollback\(\)", "**/repositories/**/*.py")
service_commits = Grep("\.commit\(\)|\.rollback\(\)", "**/services/**/*.py")
api_commits = Grep("\.commit\(\)|\.rollback\(\)", "**/api/**/*.py")

layers_with_commits = count([repo_commits, service_commits, api_commits].filter(len > 0))

Safe Patterns (ignore):

  • Comment "# best-effort telemetry" in same context
  • File ends with _callbacks.py (progress notifiers)
  • Explicit # UoW boundary comment

Violation Rules:

Condition Severity Issue
layers_with_commits >= 3 CRITICAL Mixed UoW ownership across all layers
repo + api commits HIGH Transaction control bypasses service layer
repo + service commits HIGH Ambiguous UoW owner (repo vs service)
service + api commits MEDIUM Transaction control spans service + API

Exception: Saga pattern / distributed transactions with explicit compensating actions → downgrade CRITICAL to MEDIUM. UoW boundary documented with // architecture decision or ADR → skip.

Recommendation: Choose single UoW owner (service layer recommended), remove commit() from other layers

Effort: L (requires architectural decision + refactoring)

3.2 Session Ownership Violations

What: Mixed DI-injected and locally-created sessions in same call chain

Detection:

di_session = Grep("Depends\(get_session\)|Depends\(get_db\)", "**/api/**/*.py")
local_session = Grep("AsyncSessionLocal\(\)|async_sessionmaker", "**/services/**/*.py")
local_in_repo = Grep("AsyncSessionLocal\(\)", "**/repositories/**/*.py")

Violation Rules:

Condition Severity Issue
di_session AND local_in_repo in same module HIGH Repo creates own session while API injects different
local_session in service calling DI-based repo MEDIUM Session mismatch in call chain

Recommendation: Use DI consistently OR use local sessions consistently. Document exceptions (e.g., telemetry)

Effort: M

3.3 Flat Orchestration Violations

What: Service-layer functions calling other services that call yet other services — deep orchestration chains.

Detection: MANDATORY READ: Load shared/references/ai_ready_architecture.md — map service imports, find chain depth.

Violation Rules:

Condition Severity Issue
Service chain >= 3 (A→B→C→D) HIGH Deep orchestration
Service chain = 2 (A→B→C) MEDIUM Consider flattening

Recommendation: Extract orchestrator calling all services at same level. Each service becomes a sink.

Effort: L

Phase 4: Check Pattern Coverage

# HTTP Client Coverage
all_http_calls = Grep("httpx\\.|aiohttp\\.|requests\\.", codebase_root)
abstracted_calls = Grep("client\\.(get|post|put|delete)", infrastructure_dirs)

IF len(all_http_calls) > 0:
  coverage = len(abstracted_calls) / len(all_http_calls) * 100
  IF coverage < 90%:
    violations.append({
      type: "low_coverage",
      severity: "MEDIUM",
      pattern: "HTTP Client Abstraction",
      coverage: coverage,
      uncovered_files: files with direct calls outside infrastructure
    })

# Error Handling Duplication
http_error_handlers = Grep("except\\s+(httpx\\.|aiohttp\\.|requests\\.)", codebase_root)
unique_files = set(f.path for f in http_error_handlers)

IF len(unique_files) > 2:
  violations.append({
    type: "duplication",
    severity: "MEDIUM",
    pattern: "HTTP Error Handling",
    files: list(unique_files),
    suggestion: "Centralize in infrastructure layer"
  })

Phase 5: Calculate Score

MANDATORY READ: Load shared/references/audit_worker_core_contract.md and shared/references/audit_scoring.md.

Phase 6: Write Report

MANDATORY READ: Load shared/references/audit_worker_core_contract.md and shared/templates/audit_worker_report_template.md.

# Build markdown report in memory with:
# - AUDIT-META (standard penalty-based: score, counts)
# - Checks table (io_isolation, http_abstraction, error_centralization, transaction_boundary, session_ownership)
# - Findings table (violations sorted by severity)
# - DATA-EXTENDED: {architecture, coverage}

IF domain_mode == "domain-aware":
  Write to {output_dir}/642-layer-boundary-{current_domain}.md
ELSE:
  Write to {output_dir}/642-layer-boundary.md

Phase 7: Return Summary

Report written: docs/project/.audit/ln-640/{YYYY-MM-DD}/642-layer-boundary-users.md
Score: 4.5/10 | Issues: 8 (C:1 H:3 M:4 L:0)

Critical Rules

MANDATORY READ: Load shared/references/audit_worker_core_contract.md.

  • Read architecture.md first - never assume architecture type
  • Skip violations list - respect legacy files marked for gradual fix
  • File + line + code - always provide exact location with context
  • Actionable suggestions - always tell WHERE to move the code
  • No false positives - verify path contains forbidden dir, not just substring

Definition of Done

MANDATORY READ: Load shared/references/audit_worker_core_contract.md.

  • Architecture discovered from docs/architecture.md (or fallback used)
  • All violation types from layer_rules.md checked
  • Cross-layer consistency checked:
    • Transaction boundaries analyzed (commit/rollback distribution)
    • Session ownership analyzed (DI vs local)
  • Coverage calculated for HTTP abstraction + 2 consistency metrics
  • Violations list with severity, location, suggestion
  • If domain-aware: all Grep scoped to scan_path, findings tagged with domain
  • Report written to {output_dir}/642-layer-boundary[-{domain}].md (atomic single Write call)
  • Summary returned to coordinator

Reference Files

  • Layer rules: ../ln-640-pattern-evolution-auditor/references/layer_rules.md
  • Scoring impact: ../ln-640-pattern-evolution-auditor/references/scoring_rules.md

Version: 2.1.0 Last Updated: 2026-02-08

Weekly Installs
81
Repository
levnikolaevich/…e-skills
GitHub Stars
202
First Seen
Feb 2, 2026
Security Audits
Gen Agent Trust HubPass
SocketPass
SnykFail
Installed on
claude-code73
cursor73
codex72
gemini-cli72
opencode72
github-copilot70