Get the FREE Ultimate OpenClaw Setup Guide →

ln-642-layer-boundary-auditor

npx machina-cli add skill levnikolaevich/claude-code-skills/ln-642-layer-boundary-auditor --openclaw
Files (1)
SKILL.md
9.1 KB

Paths: File paths (shared/, references/, ../ln-*) are relative to skills repo root. If not found at CWD, locate this SKILL.md directory and go up one level for repo root.

Layer Boundary Auditor

L3 Worker that audits architectural layer boundaries and detects violations.

Purpose & Scope

  • Read architecture.md to discover project's layer structure
  • Detect layer violations (I/O code outside infrastructure layer)
  • Detect cross-layer consistency issues:
    • Transaction boundaries (commit/rollback ownership)
    • Session ownership (DI vs local)
  • Check pattern coverage (all HTTP calls use client abstraction)
  • Detect error handling duplication
  • Return violations list to coordinator

Out of Scope (owned by ln-628-concurrency-auditor):

  • Blocking I/O in async functions (sync open/read in async def)
  • Fire-and-forget tasks (create_task without error handler)

Input (from ln-640)

- architecture_path: string    # Path to docs/architecture.md
- codebase_root: string        # Root directory to scan
- skip_violations: string[]    # Files to skip (legacy)
- output_dir: string           # e.g., "docs/project/.audit/ln-640/{YYYY-MM-DD}"

# Domain-aware (optional, from coordinator)
- domain_mode: "global" | "domain-aware"   # Default: "global"
- current_domain: string                   # e.g., "users", "billing" (only if domain-aware)
- scan_path: string                        # e.g., "src/users/" (only if domain-aware)

When domain_mode="domain-aware": Use scan_path instead of codebase_root for all Grep/Glob operations. Tag all findings with domain field.

Workflow

Phase 1: Discover Architecture

MANDATORY READ: Load ../ln-640-pattern-evolution-auditor/references/layer_rules.md — use Architecture Presets (fallback), I/O Pattern Boundary Rules (Phase 2), Coverage Checks (Phase 4), Cross-Layer Consistency rules (Phase 3).

Read docs/architecture.md

Extract from Section 4.2 (Top-Level Decomposition):
  - architecture_type: "Layered" | "Hexagonal" | "Clean" | "MVC" | etc.
  - layers: [{name, directories[], purpose}]

Extract from Section 5.3 (Infrastructure Layer Components):
  - infrastructure_components: [{name, responsibility}]

IF architecture.md not found:
  Use fallback presets from layer_rules.md

Build ruleset:
  FOR EACH layer:
    allowed_deps = layers that can be imported
    forbidden_deps = layers that cannot be imported

Phase 2: Detect Layer Violations

scan_root = scan_path IF domain_mode == "domain-aware" ELSE codebase_root

FOR EACH violation_type IN layer_rules.md I/O Pattern Boundary Rules:
  grep_pattern = violation_type.detection_grep
  forbidden_dirs = violation_type.forbidden_in

  matches = Grep(grep_pattern, scan_root, include="*.py,*.ts,*.js")

  FOR EACH match IN matches:
    IF match.path NOT IN skip_violations:
      IF any(forbidden IN match.path FOR forbidden IN forbidden_dirs):
        violations.append({
          type: "layer_violation",
          severity: "HIGH",
          pattern: violation_type.name,
          file: match.path,
          line: match.line,
          code: match.context,
          allowed_in: violation_type.allowed_in,
          suggestion: f"Move to {violation_type.allowed_in}"
        })

Phase 3: Cross-Layer Consistency Checks

3.1 Transaction Boundary Violations

What: commit()/rollback() called at inconsistent layers (repo + service + API)

Detection:

repo_commits = Grep("\.commit\(\)|\.rollback\(\)", "**/repositories/**/*.py")
service_commits = Grep("\.commit\(\)|\.rollback\(\)", "**/services/**/*.py")
api_commits = Grep("\.commit\(\)|\.rollback\(\)", "**/api/**/*.py")

layers_with_commits = count([repo_commits, service_commits, api_commits].filter(len > 0))

Safe Patterns (ignore):

  • Comment "# best-effort telemetry" in same context
  • File ends with _callbacks.py (progress notifiers)
  • Explicit # UoW boundary comment

Violation Rules:

ConditionSeverityIssue
layers_with_commits >= 3CRITICALMixed UoW ownership across all layers
repo + api commitsHIGHTransaction control bypasses service layer
repo + service commitsHIGHAmbiguous UoW owner (repo vs service)
service + api commitsMEDIUMTransaction control spans service + API

Recommendation: Choose single UoW owner (service layer recommended), remove commit() from other layers

Effort: L (requires architectural decision + refactoring)

3.2 Session Ownership Violations

What: Mixed DI-injected and locally-created sessions in same call chain

Detection:

di_session = Grep("Depends\(get_session\)|Depends\(get_db\)", "**/api/**/*.py")
local_session = Grep("AsyncSessionLocal\(\)|async_sessionmaker", "**/services/**/*.py")
local_in_repo = Grep("AsyncSessionLocal\(\)", "**/repositories/**/*.py")

Violation Rules:

ConditionSeverityIssue
di_session AND local_in_repo in same moduleHIGHRepo creates own session while API injects different
local_session in service calling DI-based repoMEDIUMSession mismatch in call chain

Recommendation: Use DI consistently OR use local sessions consistently. Document exceptions (e.g., telemetry)

Effort: M

3.3 Flat Orchestration Violations

What: Service-layer functions calling other services that call yet other services — deep orchestration chains.

Detection: Per shared/references/ai_ready_architecture.md — map service imports, find chain depth.

Violation Rules:

ConditionSeverityIssue
Service chain >= 3 (A→B→C→D)HIGHDeep orchestration
Service chain = 2 (A→B→C)MEDIUMConsider flattening

Recommendation: Extract orchestrator calling all services at same level. Each service becomes a sink.

Effort: L

Phase 4: Check Pattern Coverage

# HTTP Client Coverage
all_http_calls = Grep("httpx\\.|aiohttp\\.|requests\\.", codebase_root)
abstracted_calls = Grep("client\\.(get|post|put|delete)", infrastructure_dirs)

IF len(all_http_calls) > 0:
  coverage = len(abstracted_calls) / len(all_http_calls) * 100
  IF coverage < 90%:
    violations.append({
      type: "low_coverage",
      severity: "MEDIUM",
      pattern: "HTTP Client Abstraction",
      coverage: coverage,
      uncovered_files: files with direct calls outside infrastructure
    })

# Error Handling Duplication
http_error_handlers = Grep("except\\s+(httpx\\.|aiohttp\\.|requests\\.)", codebase_root)
unique_files = set(f.path for f in http_error_handlers)

IF len(unique_files) > 2:
  violations.append({
    type: "duplication",
    severity: "MEDIUM",
    pattern: "HTTP Error Handling",
    files: list(unique_files),
    suggestion: "Centralize in infrastructure layer"
  })

Phase 5: Calculate Score

MANDATORY READ: Load shared/references/audit_scoring.md for unified scoring formula.

Phase 6: Write Report

MANDATORY READ: Load shared/templates/audit_worker_report_template.md for file format (ln-640 section: standard AUDIT-META + DATA-EXTENDED).

# Build markdown report in memory with:
# - AUDIT-META (standard penalty-based: score, counts)
# - Checks table (io_isolation, http_abstraction, error_centralization, transaction_boundary, session_ownership)
# - Findings table (violations sorted by severity)
# - DATA-EXTENDED: {architecture, coverage}

IF domain_mode == "domain-aware":
  Write to {output_dir}/642-layer-boundary-{current_domain}.md
ELSE:
  Write to {output_dir}/642-layer-boundary.md

Phase 7: Return Summary

Report written: docs/project/.audit/ln-640/{YYYY-MM-DD}/642-layer-boundary-users.md
Score: 4.5/10 | Issues: 8 (C:1 H:3 M:4 L:0)

Critical Rules

  • Read architecture.md first - never assume architecture type
  • Skip violations list - respect legacy files marked for gradual fix
  • File + line + code - always provide exact location with context
  • Actionable suggestions - always tell WHERE to move the code
  • No false positives - verify path contains forbidden dir, not just substring

Definition of Done

  • Architecture discovered from docs/architecture.md (or fallback used)
  • All violation types from layer_rules.md checked
  • Cross-layer consistency checked:
    • Transaction boundaries analyzed (commit/rollback distribution)
    • Session ownership analyzed (DI vs local)
  • Coverage calculated for HTTP abstraction + 2 consistency metrics
  • Violations list with severity, location, suggestion
  • If domain-aware: all Grep scoped to scan_path, findings tagged with domain
  • Report written to {output_dir}/642-layer-boundary[-{domain}].md (atomic single Write call)
  • Summary returned to coordinator

Reference Files

  • Worker report template: shared/templates/audit_worker_report_template.md
  • Layer rules: ../ln-640-pattern-evolution-auditor/references/layer_rules.md
  • Scoring impact: ../ln-640-pattern-evolution-auditor/references/scoring_rules.md

Version: 2.1.0 Last Updated: 2026-02-08

Source

git clone https://github.com/levnikolaevich/claude-code-skills/blob/master/ln-642-layer-boundary-auditor/SKILL.mdView on GitHub

Overview

Layer Boundary Auditor is an L3 Worker that scans the codebase to enforce architectural layer boundaries and cross-layer consistency. It detects I/O code outside the infrastructure layer, transaction boundary ownership, and session ownership (DI vs local), and also checks pattern coverage and error handling duplication. It returns a violations list to the coordinator for remediation.

How This Skill Works

Phase 1 reads architecture.md to map the project's layers and builds allowed/forbidden dependencies (falling back to presets if architecture.md is missing). Phase 2 greps for violation patterns across code, filters by skip_violations, and reports layer_violation findings. Phase 3 performs cross-layer consistency checks for transaction boundaries and session ownership and aggregates results for the coordinator.

When to Use It

  • When validating that I/O code remains inside the infrastructure layer.
  • When checking cross-layer transaction boundaries like commit/rollback ownership.
  • When verifying session ownership between dependency injection and local usage.
  • When ensuring all HTTP calls are wrapped by a client abstraction.
  • When generating a violations report to feed the coordinator for remediation.

Quick Start

  1. Step 1: Prepare inputs (architecture_path, codebase_root, skip_violations, output_dir) and optional domain settings.
  2. Step 2: Run the Layer Boundary Auditor to produce a violations list.
  3. Step 3: Review and remediate violations, then re-run to verify fixes.

Best Practices

  • Load architecture.md and layer_rules.md first; if architecture.md is missing rely on presets.
  • Use skip_violations to filter out legacy files and reduce noise.
  • If domain_mode is domain-aware, set scan_path and tag findings with domain.
  • Prioritize HIGH severity results and include the allowed_in target and a suggested move.
  • Run Phase 2 before Phase 3, and review findings with the team before changes.

Example Use Cases

  • Flag: I/O code found outside the infrastructure layer.
  • Flag: commit or rollback called in the wrong layer across repo/service/api.
  • Flag: cross-layer session ownership mismatch between DI and local usage.
  • Flag: HTTP calls without a client abstraction.
  • Flag: duplicated error handling across layers.

Frequently Asked Questions

Add this skill to your agents
Sponsor this space

Reach thousands of developers