repo-hygiene — Repository Health Check
A structured, periodic health check for repositories. Run anytime to detect drift,
accumulation of tech debt, and configuration issues before they become problems.
Not a release gate. For pre-release checks, use the
skill instead.
This skill is for ongoing maintenance — run it weekly, after major refactors, when
onboarding to a repo, or whenever things feel "off".
When to Use
- Onboarding to a new (or forgotten) repo — "what shape is this in?"
- Weekly/monthly maintenance sweep
- After a large refactor or dependency upgrade
- Before starting a new feature sprint
- When CI starts failing mysteriously
- After a team member leaves and you inherit their repo
Supported Stacks
| Stack | Package manager | Detected by |
|---|
| Node.js / TypeScript | npm | + |
| Python | uv / pip | or |
| Go | go modules | |
Detect the stack from the project root. Multiple stacks in one repo is fine — run
applicable checks for each. If the stack isn't listed, skip stack-specific checks
and run the universal ones (git, CI, docs, security).
The Workflow
Step 0: Detect Project
bash
# What are we working with?
ls package.json pyproject.toml go.mod 2>/dev/null
git rev-parse --show-toplevel
Determine: stack(s), git remote, default branch, CI system (GitHub Actions, GitLab CI, etc.).
Step 1: Dependency Health
Node.js / npm
| # | Check | Command | Severity |
|---|
| D1 | Known vulnerabilities | | 🔴 critical/high = Fix Now, moderate = Fix Soon |
| D2 | Outdated dependencies | | 🟡 major bumps = Fix Soon, minor/patch = Info |
| D3 | Unused dependencies | | 🟡 Fix Soon |
| D4 | Phantom dependencies (used but undeclared) | → | 🔴 Fix Now |
| D5 | Lockfile freshness | See below | 🟡 Fix Soon |
| D6 | Duplicate dependencies | npm ls --all --json 2>/dev/null | grep -c '"deduped"'
| ℹ️ Info |
D5 — Lockfile freshness check:
bash
# package.json changed more recently than lockfile?
LOCK_DATE=$(git log -1 --format=%ct -- package-lock.json 2>/dev/null || echo 0)
PKG_DATE=$(git log -1 --format=%ct -- package.json 2>/dev/null || echo 0)
if [ "$PKG_DATE" -gt "$LOCK_DATE" ]; then
echo "⚠️ package.json modified after lockfile — run npm install"
fi
How to fix:
- D1: for compatible fixes; for breaking (review changes). For stubborn advisories: check if the vuln is reachable, or override in .
- D2: for minor/patch; for major (check changelogs).
- D3: for each unused dep.
- D4: for each missing dep.
- D5: to regenerate lockfile, commit it.
- D6: then verify tests pass.
Python (uv / pip)
| # | Check | Command | Severity |
|---|
| D1 | Known vulnerabilities | | 🔴 Fix Now |
| D2 | Outdated dependencies | or pip list --outdated --format=json
| 🟡 Fix Soon |
| D3 | Unused dependencies | (if available) | 🟡 Fix Soon |
| D5 | Lockfile freshness | Compare vs timestamps | 🟡 Fix Soon |
How to fix:
- D1:
uv pip install --upgrade <pkg>
- D2:
uv pip install --upgrade <pkg>
- D3: Remove from in , then .
- D5: .
Go
| # | Check | Command | Severity |
|---|
| D1 | Known vulnerabilities | | 🔴 Fix Now |
| D2 | Outdated dependencies | | 🟡 Fix Soon |
| D3 | Unused dependencies | (reports removed) | 🟡 Fix Soon |
How to fix:
- D1: for vulnerable deps, then .
- D2: for all, or selectively.
- D3: removes unused; commit and .
Step 2: Git Hygiene
| # | Check | Command | Severity |
|---|
| G1 | Stale local branches (merged) | git branch --merged main | grep -v '^\*|main|develop'
| 🟡 Fix Soon |
| G2 | Stale remote branches (merged) | git branch -r --merged origin/main | grep -v 'HEAD|main|develop'
| 🟡 Fix Soon |
| G3 | Large files in repo | See below | 🟡 Fix Soon (🔴 if >10MB) |
| G4 | completeness | See below | 🟡 Fix Soon |
| G5 | Untracked files that should be ignored | git status --porcelain | grep '^??'
| ℹ️ Info |
| G6 | Uncommitted changes | | ℹ️ Info |
G3 — Large files check:
bash
# Top 10 largest tracked files
git ls-files -z | xargs -0 -I{} git log --diff-filter=A --format='%H' -1 -- '{}' | head -20
# Simpler: just check current tree
git ls-files -z | xargs -0 du -sh 2>/dev/null | sort -rh | head -10
G4 — .gitignore completeness:
Must include (per stack):
- Universal: , , , , , , , (or be deliberate about tracking it)
- Node: , , , , ,
- Python: , , , , , ,
- Go: binary name (check ), (if not vendoring)
How to fix:
- G1: for each merged local branch.
- G2:
git push origin --delete <branch>
- G3: For files that shouldn't be tracked: add to , . For files already in history: or BFG Repo-Cleaner (destructive — confirm first).
- G4: Add missing patterns to . Use a generator like gitignore.io as a starting point.
- G5: Either add to or if they should be tracked.
Step 3: CI/CD Health
Skip if no CI configuration found.
| # | Check | Command | Severity |
|---|
| C1 | Workflow files exist | ls .github/workflows/*.yml 2>/dev/null
| ℹ️ Info |
| C2 | Actions pinned by SHA | grep -rE 'uses: [^@]+@v[0-9]' .github/workflows/
| 🟡 Fix Soon |
| C3 | Least-privilege permissions | Scan for blocks; flag or missing job-level perms | 🟡 Fix Soon |
| C4 | No secret leaks in workflows | Check for , secret in / | 🔴 Fix Now |
| C5 | Deprecated actions | Check for known deprecated: actions/create-release@v1
| 🟡 Fix Soon |
| C6 | Node/Python version matches project | Compare workflow matrix with , , pyproject.toml [requires-python]
| 🟡 Fix Soon |
How to fix:
- C2: Replace
uses: actions/checkout@v4
uses: actions/checkout@<full-sha>
gh api repos/actions/checkout/git/ref/tags/v4 --jq .object.sha
- C3: Add explicit at job level. Start with and add only what's needed.
- C4: Remove secret interpolation. Use blocks or write to files with masking.
- C5: Replace deprecated actions with current equivalents. → file.
- C6: Align versions. Use or as the source of truth.
Step 4: Code Quality Drift
| # | Check | Command | Severity |
|---|
| Q1 | TODO/FIXME/HACK count | git grep -ciE '(TODO|FIXME|HACK)' -- '*.ts' '*.js' '*.py' '*.go' ':!node_modules' ':!vendor' ':!.venv'
| ℹ️ Info (🟡 if >20) |
| Q2 | in src (JS/TS) | git grep -c 'console\.log' -- 'src/**/*.ts' 'src/**/*.js' ':!*.test.*' ':!*.spec.*'
| 🟡 Fix Soon |
| Q3 | Disabled/skipped tests | git grep -cE '(it\.skip|test\.skip|describe\.skip|xit|xdescribe|@pytest\.mark\.skip|t\.Skip)' -- '*.test.*' '*.spec.*' '*_test.*' '*_test.go'
| 🟡 Fix Soon |
| Q4 | Lint passes | / / | 🟡 Fix Soon |
| Q5 | Tests pass | / / | 🔴 Fix Now |
| Q6 | Build succeeds | / / | 🔴 Fix Now |
| Q7 | Type errors (TS) | | 🟡 Fix Soon |
| Q8 | Dead exports (TS) | npx ts-prune 2>/dev/null | grep -v '(used in module)'
| ℹ️ Info |
How to fix:
- Q1: Triage each TODO — either do it, create an issue/task for it, or remove it if obsolete.
- Q2: Replace with a proper logger, or remove debug logging.
grep -rn 'console.log' src/
- Q3: Either fix the underlying issue and un-skip, or delete the test if the feature was removed.
- Q4–Q7: Fix the errors. Run the tool, address each issue.
- Q8: Remove unused exports, or add if they're part of the public API.
Step 5: Documentation Freshness
| # | Check | Command | Severity |
|---|
| F1 | README.md exists | File check | 🔴 Fix Now |
| F2 | README freshness vs. source | Compare git log -1 --format=%cr -- README.md
git log -1 --format=%cr -- src/
| 🟡 if src is >30 days newer |
| F3 | CHANGELOG exists | File check | 🟡 Fix Soon (for published packages) |
| F4 | Broken internal links | See below | 🟡 Fix Soon |
| F5 | LICENSE file present | File check | 🔴 Fix Now |
| F6 | LICENSE matches package metadata | Compare LICENSE text with / | 🟡 Fix Soon |
| F7 | AGENTS.md references valid paths | If exists, check that referenced files/dirs exist | 🟡 Fix Soon |
F4 — Broken link check:
bash
# Find markdown links and verify targets exist
grep -roE '\[([^]]+)\]\(([^)]+)\)' *.md docs/**/*.md 2>/dev/null | \
grep -v 'http' | \
while IFS= read -r line; do
# Extract path from markdown link
path=$(echo "$line" | sed 's/.*](\([^)]*\)).*/\1/' | sed 's/#.*//')
if [ -n "$path" ] && [ ! -e "$path" ]; then
echo "BROKEN: $line"
fi
done
How to fix:
- F1: Write a README with: what it does, how to install, how to use, prerequisites, license.
- F2: Review README against current code — update examples, API docs, feature lists.
- F3: Add a CHANGELOG.md. Consider for automated generation (see skill).
- F4: Update or remove broken links.
- F5: Add a LICENSE file. Use choosealicense.com if unsure.
- F6: Make LICENSE file and metadata agree.
- F7: Update AGENTS.md to reflect current project structure.
Step 6: Configuration Consistency
| # | Check | How | Severity |
|---|
| X1 | EditorConfig present | exists | ℹ️ Info |
| X2 | Strict mode (TS) | → | 🟡 Fix Soon |
| X3 | Formatter configured | / / (built-in) | 🟡 Fix Soon |
| X4 | Linter configured | or / / config | 🟡 Fix Soon |
| X5 | Engine constraints match CI | vs CI matrix; vs CI | 🟡 Fix Soon |
| X6 | / matches | Compare with / / CI config | ℹ️ Info |
How to fix:
- X1: Add . Minimal: , block with , , , .
- X2: Set in . Fix resulting type errors (usually worth it).
- X3–X4: Add config files. Use the project's existing style as a baseline.
- X5–X6: Pick one source of truth (recommend / ) and align everything else.
Step 7: Security Posture
Lightweight security checks for ongoing hygiene. For the full pre-release security audit
(gitleaks, trufflehog, workflow audit), use the
skill.
| # | Check | Command | Severity |
|---|
| S1 | No tracked or files | git ls-files '*.env' '*.env.*' '*.local' '*.local.*' '.env' '.env.local'
| 🔴 Fix Now |
| S2 | exists (if in ) | File check | 🟡 Fix Soon |
| S3 | No hardcoded secrets in source | git grep -iE '(api[_-]?key|secret|password|token)\s*[:=]\s*["\x27][^"\x27]{8,}' -- ':!*.lock' ':!node_modules' ':!*.example' ':!*.sample'
| 🔴 Fix Now |
| S4 | Secrets scanning config present | or pre-commit hooks | ℹ️ Info |
| S5 | No broad file permissions | Check for or in scripts | 🔴 Fix Now |
How to fix:
- S1: , add to , commit. If the file contained real secrets, rotate them immediately — they're in git history.
- S2: Create with placeholder values () for every var in .
- S3: Move secrets to env vars or a secrets manager. Replace in code with / .
- S4: Add (even a minimal one enables CI scanning). Or add to pre-commit hooks.
- S5: Use least-privilege permissions ( for files, for executables).
Step 8: Project Metadata
| # | Check | How | Severity |
|---|
| M1 | Required package fields | , , , in / | 🟡 Fix Soon |
| M2 | Repository URL set | field in package metadata | 🟡 Fix Soon |
| M3 | Keywords present | array | ℹ️ Info |
| M4 | (public repos) | exists | ℹ️ Info |
| M5 | Pi package compliance | If ships skills/extensions: keyword, manifest, includes skill dirs | 🟡 Fix Soon (if applicable) |
How to fix:
- M1–M3: Add the missing fields to or .
- M4: Create with .
- M5: See pi package docs for required fields.
Baseline Tracking
Save a baseline after each run to detect drift over time. Store at
.pi/hygiene-baseline.json
:
json
{
"timestamp": "2026-02-14T23:00:00Z",
"stack": ["node"],
"scores": {
"dependencies": { "status": "healthy", "vulns": 0, "outdated": 3, "unused": 0 },
"git": { "status": "healthy", "stale_branches": 0, "large_files": 0 },
"ci": { "status": "warning", "unpinned_actions": 2, "permission_issues": 0 },
"quality": { "status": "healthy", "todos": 5, "skipped_tests": 0, "lint_clean": true },
"docs": { "status": "warning", "readme_stale_days": 45, "broken_links": 1 },
"config": { "status": "healthy", "strict_ts": true, "formatter": true, "linter": true },
"security": { "status": "healthy", "tracked_env": 0, "hardcoded_secrets": 0 },
"metadata": { "status": "healthy", "complete": true }
},
"overall": "7/10"
}
On subsequent runs, compare with baseline and flag regressions:
text
📉 Dependencies: 0 → 3 vulnerabilities (regression since last check)
📈 Quality: 15 → 5 TODOs (improvement!)
→ CI: unchanged — 2 unpinned actions remain
When the user approves the report, offer to update the baseline.
Report Format
Present the final report as a health scorecard:
markdown
# Repo Health: <project-name>
## Score: 7/10 — GOOD
## Stack: Node.js + TypeScript
## Last check: 2026-01-15 (30 days ago) | Baseline: 6/10 📈
### 🔴 Fix Now (2)
|---|----------|-------|-----|
| S1 | Security | `.env.local` tracked in git | `git rm --cached .env.local` |
| D1 | Deps | 2 high-severity npm audit findings | `npm audit fix` |
### 🟡 Fix Soon (4)
|---|----------|-------|-----|
| D2 | Deps | 8 outdated packages (2 major) | `npm outdated` → upgrade |
| C2 | CI | 3 actions not pinned by SHA | Pin to commit SHA |
| F2 | Docs | README 45 days behind source | Review and update |
| Q3 | Quality | 2 skipped tests | Fix or remove |
### 🟢 Healthy (12)
- ✅ Dependencies: no unused, no phantom, lockfile fresh
- ✅ Git: clean tree, no stale branches, no large files
- ✅ Code: lint clean, build passes, tests pass, strict TS
- ✅ Config: EditorConfig, Prettier, ESLint all configured
- ✅ Security: no tracked secrets, .env.example present
- ✅ Metadata: all fields present, license matches
### 📊 Trends (vs. baseline 2026-01-15)
|----------|------|-----|-------|
| Vulnerabilities | 0 | 2 | 📉 |
| Outdated deps | 5 | 8 | 📉 |
| TODOs | 15 | 8 | 📈 |
| Skipped tests | 0 | 2 | 📉 |
### Recommendations
1. **Immediate**: Fix the 2 security/vulnerability items above
2. **This week**: Pin CI actions and update stale README
3. **Ongoing**: Address skipped tests and outdated deps in next sprint
Use your project's task tracking to schedule these items.
Scoring
Calculate the score from check results:
| Result | Points deducted |
|---|
| Each 🔴 Fix Now | −1.5 |
| Each 🟡 Fix Soon | −0.5 |
| ℹ️ Info | 0 |
Start at 10, apply deductions, floor at 0. Round to nearest integer.
| Score | Label |
|---|
| 9–10 | 🟢 EXCELLENT |
| 7–8 | 🟢 GOOD |
| 5–6 | 🟡 FAIR |
| 3–4 | 🟠 NEEDS WORK |
| 0–2 | 🔴 POOR |
Auto-Fix Offers
After presenting the report, offer to fix issues that are safe and mechanical.
Always present what will be done and get confirmation before executing.
Safe to offer (low risk, reversible)
- Delete merged local branches ()
- Run (compatible fixes only, not )
- Run /
- Add missing patterns
- Add from template
- Remove from source files
- Create from (with values replaced by )
- Add missing fields (description, repository, keywords)
- Create
Offer with warning (confirm carefully)
- Delete merged remote branches ()
- Run (may have breaking changes)
- Major dependency upgrades
- Enable TypeScript strict mode (may produce many errors)
- Update CI action pinning (must verify correct SHAs)
Never auto-fix (explain, let user decide)
- Removing tracked files (may need secret rotation)
- Rewriting git history (BFG / filter-repo)
- Changing license files
- Modifying CI permissions model
- Removing hardcoded secrets (need to determine replacement strategy)
Tips
- Run early, run often. A monthly cadence catches drift before it compounds.
- Don't try to fix everything at once. Focus on 🔴 items first, batch 🟡 items into a maintenance sprint.
- Baseline tracking is your friend. Even if the score isn't perfect, trending upward means you're winning.
- Pair with pre-release. Run for ongoing health, when you're ready to ship. They complement each other — hygiene keeps the baseline high so pre-release has fewer surprises.
- New repos start clean. Run this right after to establish a perfect baseline. It's easier to maintain 10/10 than to recover from 4/10.