
strict-toolchain-audit

Check build and CI configuration for warning-as-error, strict typechecking, and language-specific compiler/linter floors

Source
jmagly/aiwg
Updated
2026-05-31

// install — copy + paste into any project

mkdir -p .claude/skills && curl -fsSL https://raw.githubusercontent.com/jmagly/aiwg/HEAD/agentic/code/frameworks/security-engineering/skills/strict-toolchain-audit/SKILL.md -o .claude/skills/strict-toolchain-audit.md

Drops the SKILL.md into .claude/skills/strict-toolchain-audit.md. Works with Claude Code, Cursor, and any agent that loads SKILL.md files from .claude/skills/.

Strict Toolchain Audit

Inspect build and CI configuration for the strict-toolchain rule. This maps curl Practice 13 into a reusable AIWG security-engineering audit.

Checks

  • C/C++: compiler flags include -Wall, -Wextra, -Werror, -pedantic; recommended hardening flags are reported when absent.
  • Rust: cargo clippy -- -D warnings or equivalent CI gate.
  • Go: go vet ./... and staticcheck ./... fail CI.
  • Python: ruff check and mypy strictness are configured.
  • TypeScript: strict: true and noUncheckedIndexedAccess: true.
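
An added example, not part of the SKILL.md or of the AIWG project's code, showing one way the C/C++, TypeScript, Rust and Go checks above could be run over a flags string, a tsconfig and a CI file. The function names, the regex matching, the treatment of `|| true` as a non-failing gate, and the sample inputs are assumptions of this example; the Python check is left out.

```python
import json
import re

# Requirements come from the checklist above; the matching logic is this example's assumption.
C_FLAGS = ("-Wall", "-Wextra", "-Werror", "-pedantic")
TS_OPTIONS = ("strict", "noUncheckedIndexedAccess")
CI_GATES = {
    "Rust: cargo clippy -- -D warnings": r"cargo\s+clippy\b.*\s--\s+.*-D\s+warnings",
    "Go: go vet ./...": r"\bgo\s+vet\s+\./\.\.\.",
    "Go: staticcheck ./...": r"\bstaticcheck\s+\./\.\.\.",
}
TOLERATED = re.compile(r"\|\|\s*(true|:)\s*$")  # "cmd || true" never fails the job

def audit_c_flags(cflags):
    present = set(cflags.split())
    return [f"C/C++: missing {flag}" for flag in C_FLAGS if flag not in present]

def audit_tsconfig(text):
    # Assumes plain JSON; a real tsconfig.json may contain comments (JSONC).
    options = json.loads(text).get("compilerOptions", {})
    return [f"TypeScript: {name} is not true" for name in TS_OPTIONS
            if options.get(name) is not True]

def audit_ci(ci_text):
    # Skip commented-out lines so a disabled gate is not counted as present.
    lines = [ln.strip() for ln in ci_text.splitlines() if not ln.lstrip().startswith("#")]
    findings = []
    for gate, pattern in CI_GATES.items():
        hits = [ln for ln in lines if re.search(pattern, ln)]
        if not hits:
            findings.append(f"{gate}: gate not found")
        elif all(TOLERATED.search(ln) for ln in hits):
            findings.append(f"{gate}: present but failure is ignored")
    return findings

# Constructed sample inputs (not taken from any real project).
SAMPLE_CFLAGS = "-O2 -Wall -Wextra -pedantic"
SAMPLE_TSCONFIG = '{"compilerOptions": {"strict": true, "target": "ES2022"}}'
SAMPLE_CI = """\
steps:
  - run: cargo clippy --all-targets -- -D warnings
  - run: go vet ./... || true
  # - run: staticcheck ./...
"""

if __name__ == "__main__":
    for finding in audit_c_flags(SAMPLE_CFLAGS) + audit_tsconfig(SAMPLE_TSCONFIG) + audit_ci(SAMPLE_CI):
        print(finding)
```

The `go vet ./... || true` line is the case worth noting: the command is present, but the job cannot fail on it, so it is reported rather than passed.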

Gradual Adoption

Legacy projects may keep a baseline, but the audit must confirm that new warnings fail the build. A baseline without a ratchet is reported as a finding.

References

  • agentic/code/frameworks/security-engineering/rules/strict-toolchain.md
  • agentic/code/frameworks/security-engineering/skills/sanitizer-in-ci/SKILL.md