code-audit-readonly

SKILL.md

Code Audit Readonly

Run a full technical repository audit in read-only mode and record everything in improvements.md.

Mandatory rules

  1. Operate in read-only mode for the audited project.
  2. Do not edit source code, configs, or tests in the audited project.
  3. Do not run automatic refactors, formatters that write to disk, or destructive commands.
  4. Allow only the creation/update of improvements.md as the final audit output.
  5. Do not ask for confirmation to proceed with the audit; execute the plan end to end.
  6. Record every validated finding; do not impose arbitrary limits.
  7. If multiple locations share the same issue pattern, still register every location with explicit file and line references.
  8. This audit is intentionally slow: prioritize depth, evidence quality, and completeness over speed.
  9. Do not optimize for fast turnaround if that reduces analysis coverage or confidence.
  10. Never reproduce secrets or raw credential material in improvements.md, tool output, or final responses.
  11. For secret-related findings, record only the file path, line range, secret class, and sanitized context needed to explain the risk.
  12. Do not quote full offending lines when they contain tokens, keys, passwords, cookies, connection strings, private keys, or other sensitive values.
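Rules 10 to 12 define the shape of a secret-related finding: path, line range, secret class, and context with the sensitive value removed. The following is an added example, not part of the skill itself, showing one way to build such a record before it is written to improvements.md. The secret classes, regular expressions, and sample lines are constructed for illustration; a real audit would use a fuller ruleset.

```python
import re
from typing import Optional

# Secret classes this example recognises, each with a regex and a redaction
# template. Classes and patterns are constructed for illustration (assumption),
# not an exhaustive detector. Order matters: the first matching rule wins.
SECRET_RULES = [
    ("aws_access_key_id",
     re.compile(r"AKIA[0-9A-Z]{16}"),
     "<REDACTED:aws_access_key_id>"),
    ("private_key_block",
     re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*"),
     "<REDACTED:private_key_block>"),
    ("connection_string",
     re.compile(r"(://[^/\s:@]+:)([^@\s]+)(@)"),
     r"\1<REDACTED>\3"),
    ("password_assignment",
     re.compile(r"(?i)(\b(?:password|passwd|pwd)\s*[:=]\s*['\"]?)([^'\"\s]+)"),
     r"\1<REDACTED>"),
    ("generic_token",
     re.compile(r"(?i)(\b(?:token|secret|api[_-]?key)\s*[:=]\s*['\"]?)([^'\"\s]+)"),
     r"\1<REDACTED>"),
]


def classify(line: str) -> Optional[str]:
    """Return the secret class matched by the line, or None if no rule fires."""
    for name, pattern, _ in SECRET_RULES:
        if pattern.search(line):
            return name
    return None


def redact(line: str) -> str:
    """Replace the sensitive value, keeping the key name and structure as context."""
    for _, pattern, template in SECRET_RULES:
        if pattern.search(line):
            return pattern.sub(template, line)
    return line


def sanitize_finding(path: str, start: int, end: int, line: str) -> Optional[dict]:
    """Build the record rule 11 allows: path, line range, class, sanitized context.

    Returns None when the line carries no recognised secret class, so the
    caller does not emit a secret finding at all.
    """
    secret_class = classify(line)
    if secret_class is None:
        return None
    raw = line.strip()
    context = redact(raw)
    # Defensive check: if the template did not change the line, the raw value
    # would leak into the report, so fall back to a class-only placeholder.
    if context == raw:
        context = "<REDACTED:" + secret_class + ">"
    return {
        "file": path,
        "lines": f"{start}-{end}",
        "secret_class": secret_class,
        "context": context,
    }


def render_entry(finding: dict) -> str:
    """Format one sanitized finding as a markdown list item for improvements.md."""
    return (f"- `{finding['file']}:{finding['lines']}` "
            f"({finding['secret_class']}): `{finding['context']}`")


# Constructed sample lines standing in for matches found during an audit.
SAMPLE_LINES = [
    ("config/settings.py", 42, 'DB_URL = "postgres://app:Sup3rS3cret@db.internal:5432/app"'),
    ("deploy/env.sh", 7, "export AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP"),
    ("src/client.py", 88, 'api_key = "sk-constructed-example-value-1234"'),
    ("src/client.py", 12, "timeout = 30"),
]

if __name__ == "__main__":
    for sample_path, lineno, raw_line in SAMPLE_LINES:
        entry = sanitize_finding(sample_path, lineno, lineno, raw_line)
        if entry:
            print(render_entry(entry))
```

The `sanitize_finding` function is the only path from a matched line to the report, so the raw value never reaches improvements.md: either a template strips it or the fallback placeholder replaces the whole context, and lines with no recognised secret class produce no secret finding at all.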
Installs: 4
First Seen: Feb 10, 2026