audit_project
Audit manifest and lockfile pairs together to return a verified dependency verdict, splitting direct from transitive dependencies for accurate production leads.
Instructions
Audit one or more manifest/lockfiles TOGETHER and return a VERIFIED result.
Pass a {filename: content} map. When you have both a manifest and its lockfile (e.g. package.json AND package-lock.json), send both: that pairing is what recovers npm's direct-vs-transitive split, so the production dependency you actually own surfaces as the DIRECT lead instead of being reported as transitive. A single-file map works too (e.g. just requirements.txt). A subdir prefix like server/package.json is allowed. Versions are the INSTALLED lockfile versions, not the declared floor; advisories are confirmed via OSV. Deterministic, no LLM.
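As an added illustration (not the tool's own code), the following Python shows the mechanism the instructions describe: grouping files by directory so a subdir prefix pairs correctly, reading installed versions from the lockfile rather than the declared range, and using the manifest to separate direct from transitive dependencies. It assumes npm lockfileVersion 2 or 3 (the `packages` map), uses constructed sample files, and leaves out the OSV advisory lookup; the `Dep` dataclass, `audit_npm` and `production_leads` are names chosen here, not the tool's API.

```python
import json
import posixpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Dep:
    name: str
    version: str      # installed version from the lockfile, or the declared range if no lockfile
    direct: bool      # listed in the manifest (dependencies / devDependencies)
    production: bool  # reachable from "dependencies", not only from "devDependencies"
    installed: bool   # True when the version came from a lockfile


def pair_files(files):
    """Group package.json / package-lock.json by directory so that a subdir
    prefix such as server/package.json pairs with server/package-lock.json."""
    groups = {}
    for path in files:
        directory, base = posixpath.split(path)
        group = groups.setdefault(directory, {"manifest": None, "lock": None})
        if base == "package.json":
            group["manifest"] = path
        elif base == "package-lock.json":
            group["lock"] = path
    return groups


def audit_npm(files):
    """Return {directory: [Dep, ...]} with direct deps separated from transitive ones.
    Assumes lockfileVersion 2 or 3 (the "packages" map); v1 lockfiles are rejected."""
    report = {}
    for directory, group in pair_files(files).items():
        manifest = json.loads(files[group["manifest"]]) if group["manifest"] else {}
        prod_direct = dict(manifest.get("dependencies", {}))
        dev_direct = dict(manifest.get("devDependencies", {}))
        deps = []
        if group["lock"]:
            lock = json.loads(files[group["lock"]])
            packages = lock.get("packages")
            if not packages:
                raise ValueError(f"{group['lock']}: only lockfileVersion 2/3 is supported")
            root = packages.get("", {})
            # The lock root repeats the manifest's direct deps; merge both views.
            prod_direct.update(root.get("dependencies", {}))
            dev_direct.update(root.get("devDependencies", {}))
            for path, meta in packages.items():
                if path == "":
                    continue
                # "node_modules/@scope/name" -> "@scope/name";
                # "node_modules/a/node_modules/b" -> "b" (nested install, always transitive)
                name = path.rsplit("node_modules/", 1)[-1]
                top_level = path.count("node_modules/") == 1
                direct = top_level and (name in prod_direct or name in dev_direct)
                # npm marks packages reachable only via devDependencies with "dev": true
                production = not meta.get("dev", False)
                deps.append(Dep(name, meta["version"], direct, production, True))
        else:
            # Manifest only: direct deps are known, but only as the declared floor/range.
            for name, spec in prod_direct.items():
                deps.append(Dep(name, spec, True, True, False))
            for name, spec in dev_direct.items():
                deps.append(Dep(name, spec, True, False, False))
        report[directory] = sorted(deps, key=lambda d: (not d.direct, d.name))
    return report


def production_leads(report):
    """Direct production dependencies: the ones you own and should triage first."""
    return {
        directory: [d for d in deps if d.direct and d.production]
        for directory, deps in report.items()
    }


# Constructed sample input (not from any real project) in the {filename: content} shape.
SAMPLE_FILES = {
    "server/package.json": json.dumps({
        "name": "server",
        "dependencies": {"express": "^4.18.0"},
        "devDependencies": {"jest": "^29.0.0"},
    }),
    "server/package-lock.json": json.dumps({
        "name": "server",
        "lockfileVersion": 3,
        "packages": {
            "": {"dependencies": {"express": "^4.18.0"}, "devDependencies": {"jest": "^29.0.0"}},
            "node_modules/express": {"version": "4.18.2"},
            "node_modules/cookie": {"version": "0.5.0"},
            "node_modules/jest": {"version": "29.7.0", "dev": True},
            "node_modules/chalk": {"version": "4.1.2", "dev": True},
        },
    }),
    # A manifest without its lockfile: direct deps are known, installed versions are not.
    "tools/package.json": json.dumps({"dependencies": {"lodash": "^4.17.0"}}),
}


if __name__ == "__main__":
    for directory, deps in audit_npm(SAMPLE_FILES).items():
        for d in deps:
            kind = "direct" if d.direct else "transitive"
            scope = "prod" if d.production else "dev"
            source = "installed" if d.installed else "declared"
            print(f"{directory}/{d.name}@{d.version}  {kind} {scope} ({source})")
```

Run on the sample, `server/express@4.18.2` is the only direct production lead, `cookie` is reported as transitive production, and the two dev-only packages are kept out of the production list; `tools/lodash` is flagged direct but carries only its declared range because no lockfile was supplied, which is exactly the case where a verdict cannot claim an installed version.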
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| files | Yes | {filename: content} map of manifest and/or lockfile contents (see Instructions) | |