Audit · sample
acme/dashboard
Found 2 critical · 1 warning · 2 notes across 8 rules files.
Two critical contradictions on the rule surface — a renamed seed-script that AGENTS.md still points at, and a Cursor rule that tells the agent to inline raw SQL while AGENTS.md requires the queries helper. One always-loaded SessionStart hook is masking a skill that's marked conditional. Two skill files use frontmatter keys that aren't in the Claude Code skill schema.
AGENTS.md:13
Broken pointer: ./scripts/seed-fixtures.ts
`AGENTS.md` line 13 references `./scripts/seed-fixtures.ts`, which resolves to `scripts/seed-fixtures.ts` — but no file or directory exists at that path in this commit. The file was renamed to `scripts/seed.ts` four commits ago (sha f8a2c1d3); AGENTS.md was not updated. An agent following the link will hit a dead end. Either remove the reference or update it to the new path.
.cursor/rules/db.mdc:12
Inline-SQL Cursor rule contradicts AGENTS.md
--- globs: ["*.sql", "src/routes/**/*.ts"] alwaysApply: false --- # Database queries Inline raw SQL in route handlers for the lowest possible latency.
`AGENTS.md` (always-loaded) requires every SQL statement to go through `db/queries.ts` so input sanitization stays in one place. This new Cursor rule auto-attaches when the agent edits any `*.sql` or route file and tells it to inline raw SQL instead. Cursor users will write inline; Claude Code users will use the helper. The codebase will diverge in three weeks and the next contributor inherits two patterns. Either align both files or scope the Cursor rule to a directory where inline SQL is acceptable.
# Database queries
Use the helpers in db/queries.ts. They centralise parameter
binding and connection pooling. Adding a new query means adding
a new exported function there, not inlining SQL at the call site..claude/hooks/inject-team-context.sh:24
Always-on hook injects a skill that's marked conditional
cat <<EOF { "hookSpecificOutput": { "hookEventName": "SessionStart", "additionalContext": $(printf '%s\n' "$CONTENT" | jq -Rs .) } } EOF
The SessionStart hook injects the entire contents of `.claude/skills/api-conventions/SKILL.md` into every session, making the skill effectively ALWAYS-LOADED. The skill's frontmatter (`description: Use when designing or reviewing HTTP APIs...`) marks it CONDITIONALLY-LOADED — meant to surface only when the user's task obviously needs it. The hook overrides that intent and crowds the context window with API conventions on every turn, even for unrelated work.
Inject only a routing hint instead of the full skill body, e.g.:
Reference: see `.claude/skills/api-conventions/SKILL.md`
if the task touches HTTP route handlers, request validation,
or response shape.
Let the harness's normal skill-resolution decide when to load
the full body..claude/skills/testing/SKILL.md:5
Unused frontmatter key: license
license: Internal use only — see LICENSE
The skill frontmatter includes a `license` key, which is not part of the Claude Code skill schema. The harness ignores it; it adds tokens to every load without changing behaviour. Move the licence note into the file body or drop it.
(remove the `license:` line from the frontmatter block).claude/skills/api-conventions/SKILL.md:7
Non-standard `metadata` block
metadata: author: platform-team version: "1.4.0" argument-hint: <route-or-pattern>
The `metadata` block is not part of the Claude Code skill schema. It's harmless but ignored by the harness; the version-tracking it implies isn't enforced. If you want versioned skills, do it in the file body or via git history.
(delete the `metadata:` block — keep version/author info in a comment under the frontmatter if you need it)