How the /ship-check Command Audits AI-Generated Code in pm-skills

The /ship-check command orchestrates a six-step workflow that transforms AI-generated code into a review-ready shipping packet by documenting system intent, auditing security and performance against that baseline, and deriving test coverage maps to close quality gaps.

The phuryn/pm-skills repository provides structured command specifications for AI-assisted project management. When you need to validate AI-generated code before production, the /ship-check command audits AI-generated code by chaining specialized skills into a comprehensive quality gate that compares documented intent against actual implementation.

The Six-Step Audit Workflow

The audit process defined in pm-ai-shipping/commands/ship-check.md executes sequentially, with each step building upon the artifacts of the previous one.

Step 1: Document the System Intent

The workflow begins by establishing an intended-state baseline. The command runs /document-app (or ingests existing documentation) and applies the shipping-artifacts skill to generate architecture.md, flows.md, permissions.md, and variables documentation. This creates the authoritative reference that all subsequent audits compare against.

Step 2: Wire Agent Context

Next, /ship-check creates or updates CLAUDE.md and a thin AGENTS.md derived from the documentation. This step gives downstream AI agents a clear operating manual, ensuring that all future changes respect the documented architectural intent and security boundaries.

Step 3: Execute Security Audit

The command runs /security-audit-static to perform a static analysis that:

  • Maps entry points to trust boundaries and sinks
  • Inspects high-value paths (authentication, data access)
  • Cross-references the intended-vs-implemented skill against the docs from Step 1
  • Applies self-refutation to dismiss false positives
  • Reports only evidence-backed risks

This security audit specifically flags where implementation diverges from documented permissions or flows, as implemented in pm-ai-shipping/commands/security-audit-static.md.

Step 4: Run Performance Audit

Alongside the security pass, /ship-check executes /performance-audit-static to catch over-fetching, missing database indexes, and caching problems, so that these issues surface before shipping rather than in production.

Step 5: Derive Test Coverage Map

The workflow calls /derive-tests to turn documented rules and uncovered audit findings into a tests.md coverage map. This artifact marks which rules already have tests, which are only proposed, and which lack verification entirely. By converting every detected gap into an explicit regression test requirement, the command prevents the same issue from resurfacing after subsequent AI edits.
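To make Steps 3 and 5 concrete, here is an added example (not code from phuryn/pm-skills) of the intended-vs-implemented check, the self-refutation pass, and the tests.md derivation in miniature. It parses a constructed permissions.md table, compares it with a constructed inventory of route handlers, tries to refute each candidate finding against a hypothetical router-level middleware, and turns what survives into a coverage map with covered/proposed/missing statuses. The table layout, the handler inventory, the middleware map and the test inventory are all assumptions made for the example.

```python
"""Miniature intended-vs-implemented audit with self-refutation and tests.md derivation.
Added example; all inputs below are constructed, not taken from any real project."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed permissions.md excerpt (hypothetical table layout).
PERMISSIONS_MD = """\
# Permissions

| Route | Method | Required role |
|-------|--------|---------------|
| /api/invoices | GET | member |
| /api/invoices/{id} | DELETE | admin |
| /api/admin/export | GET | admin |
| /api/health | GET | public |
"""

# Hypothetical handler inventory, as a scan of the codebase might produce it.
IMPLEMENTED = [
    {"method": "GET",    "route": "/api/invoices",      "checks": ["require_role('member')"]},
    {"method": "DELETE", "route": "/api/invoices/{id}", "checks": []},
    {"method": "GET",    "route": "/api/admin/export",  "checks": []},
    {"method": "GET",    "route": "/api/health",        "checks": []},
    {"method": "POST",   "route": "/api/invoices/bulk", "checks": []},
]

# Hypothetical router-level middleware: path prefix -> role it enforces.
MIDDLEWARE = {"/api/admin/": "admin"}

# Hypothetical test inventory: (METHOD, route) pairs that already have a test.
EXISTING_TESTS = {("GET", "/api/invoices")}

ROW_RE = re.compile(r"^\|\s*(\S+)\s*\|\s*(\S+)\s*\|\s*(\S+)\s*\|\s*$")


@dataclass
class Finding:
    kind: str            # "missing_check" | "undocumented_route" | "unimplemented_route"
    method: str
    route: str
    detail: str
    refuted_by: str | None = None


def parse_permissions(md: str) -> dict[tuple[str, str], str]:
    """Map (METHOD, route) -> required role from the permissions.md table."""
    intended = {}
    for line in md.splitlines():
        m = ROW_RE.match(line)
        if not m or m.group(1).startswith("-") or m.group(1) == "Route":
            continue                      # skip non-rows, separator row, header row
        route, method, role = m.groups()
        intended[(method.upper(), route)] = role.lower()
    return intended


def candidate_findings(intended, implemented) -> list[Finding]:
    """Raw divergences between the documented policy and the handler inventory."""
    findings, seen = [], set()
    for h in implemented:
        key = (h["method"], h["route"])
        seen.add(key)
        if key not in intended:
            findings.append(Finding("undocumented_route", *key, "handler exists but route is absent from permissions.md"))
            continue
        role = intended[key]
        if role != "public" and not h["checks"]:
            findings.append(Finding("missing_check", *key, f"docs require '{role}' but handler performs no role check"))
    for key, role in intended.items():
        if key not in seen:
            findings.append(Finding("unimplemented_route", *key, f"documented for '{role}' but no handler found"))
    return findings


def refute(findings, intended, middleware) -> list[Finding]:
    """Self-refutation: try to disprove each candidate; keep only evidence-backed ones."""
    survivors = []
    for f in findings:
        if f.kind == "missing_check":
            role = intended[(f.method, f.route)]
            for prefix, enforced in middleware.items():
                if f.route.startswith(prefix) and enforced == role:
                    f.refuted_by = f"middleware on {prefix} already enforces '{enforced}'"
                    break
        if f.refuted_by is None:
            survivors.append(f)
    return survivors


def derive_coverage(intended, survivors, existing_tests):
    """Per rule: 'covered' (test exists), 'proposed' (a finding demands a regression test), 'missing'."""
    flagged = {(f.method, f.route) for f in survivors}
    rows = []
    for (method, route), role in intended.items():
        status = "covered" if (method, route) in existing_tests else "proposed" if (method, route) in flagged else "missing"
        rows.append((method, route, role, status))
    for f in survivors:               # undocumented routes need a test pinning their access policy
        if f.kind == "undocumented_route":
            rows.append((f.method, f.route, "?", "proposed"))
    return rows


def render_tests_md(rows) -> str:
    lines = ["# tests.md (derived coverage map)", "", "| Method | Route | Role | Status |", "|---|---|---|---|"]
    lines += [f"| {m} | {r} | {role} | {s} |" for m, r, role, s in rows]
    return "\n".join(lines)


def run():
    intended = parse_permissions(PERMISSIONS_MD)
    survivors = refute(candidate_findings(intended, IMPLEMENTED), intended, MIDDLEWARE)
    return intended, survivors, derive_coverage(intended, survivors, EXISTING_TESTS)


if __name__ == "__main__":
    intended, survivors, rows = run()
    for f in survivors:
        print(f"[{f.kind}] {f.method} {f.route}: {f.detail}")
    print(render_tests_md(rows))
```

In the constructed inputs, the unguarded admin export is refuted because a prefix middleware already enforces the documented role, while the unguarded invoice deletion and the undocumented bulk endpoint survive and each becomes a proposed regression test; rules with neither a test nor a finding are reported as missing so the reviewer can see what was never verified.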

Step 6: Compile the Shipping Packet

Finally, /ship-check synthesizes all artifacts into a single markdown packet (e.g., shipping_packet_2024-07-01.md). The packet includes:

  • Documentation inventory
  • Agent context status
  • Test-coverage summary
  • Security and performance summaries
  • Launch blockers
  • Recommended next actions

This document serves as the hand-off artifact for human reviewers, clearly showing what was audited, what passed, and what requires sign-off.

Reliability Mechanisms

The /ship-check command achieves audit reliability through four core architectural decisions.

Ordered Orchestration

Each step depends on the outputs of the previous step, ensuring that security and performance audits always compare against the most current "intent" documentation. This prevents audits from running against stale or missing specifications.

Intended-vs-Implemented Verification

By cross-referencing files like permissions.md and flows.md with the actual codebase using the intended-vs-implemented skill (pm-ai-shipping/skills/intended-vs-implemented.md), the audit catches missing security checks or architectural deviations that static analysis alone would miss.

Self-Refutation Protocol

The security command attempts to disprove every candidate finding before reporting it. Only risks that survive this adversarial validation—those backed by concrete evidence of divergence from documented intent—appear in the final report.

Test Coverage Derivation

Rather than simply listing vulnerabilities, the workflow immediately converts audit gaps into concrete test requirements. This closes the loop between audit and quality assurance, ensuring every finding has a verification path.

Usage Examples

Run /ship-check against your entire repository or target specific services:


    # Full repository audit
    /ship-check

    # Target a specific microservice
    /ship-check payments-service

    # Audit a directory of Supabase functions
    /ship-check supabase/functions

The command prints a concise summary to the console and writes the detailed shipping packet to the workspace root, ready for attachment to a pull request.

Key Source Files

The audit logic resides in the pm-ai-shipping directory, in the files referenced above: commands/ship-check.md, commands/security-audit-static.md, and skills/intended-vs-implemented.md.

Summary

  • The /ship-check command audits AI-generated code through a six-step ordered workflow: document, wire context, security audit, performance audit, derive tests, and compile packet.
  • It relies on the shipping-artifacts skill to generate baseline documentation and the intended-vs-implemented skill to catch deviations.
  • The self-refutation protocol eliminates false positives by requiring evidence-backed findings.
  • Every audit gap converts into a test requirement via /derive-tests, creating a closed-loop quality system.
  • Output artifacts include CLAUDE.md, tests.md, and a comprehensive shipping packet for human review.

Frequently Asked Questions

What is the primary purpose of the /ship-check command?

The /ship-check command serves as an orchestrator that transforms raw AI-generated code into a validated shipping packet. It automates the audit process by chaining documentation generation, security analysis, performance checks, and test derivation into a single workflow that ensures code aligns with documented architectural intent before release.

How does /ship-check prevent false positives in security findings?

The command implements a self-refutation protocol within /security-audit-static that actively attempts to disprove each candidate vulnerability. Only findings that survive this adversarial scrutiny—those with concrete evidence of divergence from documented permissions or flows—are included in the final report, drastically reducing noise for human reviewers.

What files does the /ship-check command generate?

The command generates several key artifacts: CLAUDE.md and AGENTS.md for agent context, tests.md mapping coverage gaps, and a timestamped shipping_packet_YYYY-MM-DD.md containing the comprehensive audit summary. It also produces or updates documentation files like architecture.md and permissions.md via the shipping-artifacts skill.

Can /ship-check target specific parts of a codebase?

Yes. While running /ship-check without arguments audits the entire repository, you can pass a specific service name or directory path as an argument (e.g., /ship-check payments-service or /ship-check supabase/functions) to limit the audit scope to that particular component.
