Intended vs. Implemented: Auditing the Gap

Purpose

A linter scans code in a vacuum. It can tell you the code is internally consistent; it cannot tell you the code does what you meant, because it has no model of your intent. The highest-value security and correctness bugs live in that gap — a permission documented but never enforced, a "cron-only" endpoint anyone can call, a field marked public-only that leaks private data.

This skill is the method for finding that gap. It is the differentiator: it only works when intent has been written down first (see the shipping-artifacts skill), and that's exactly why commodity tools can't replicate it.

Context

Use this when documented intent exists — permissions.md, architecture.md, variables.md, etc. If those docs are absent or stale, that absence is itself the first finding: you cannot audit intent you never recorded. Recommend documenting first, then auditing.

Method

1. Establish intent. Read the /documentation/*.md set as the source of truth for what should be true: who may access what, which boundaries are trusted, which data is public. Treat the docs as claims to verify, not as proof.

2. Gather implementation evidence. Read the code that enforces (or fails to enforce) each claim. Evidence is a cited file and line — the actual authorization check, the actual query filter, the actual sanitizer. "It's probably handled upstream" is not evidence; the code path is.

3. Compare claim to code, one boundary at a time. For each documented rule, ask: does an enforcement point actually implement it, on the server, on every path? Distrust comments like "internal only," "admin only," or "validated elsewhere" — verify them in code.