--- name: ln-629-runtime-lifecycle-config-auditor description: "Checks runtime lifecycle and config validation: bootstrap, shutdown, probes, cleanup, env sync, and fail-fast startup. Use for runtime readiness." allowed-tools: Read, Grep, Glob, Bash, mcp__hex-graph__trace_paths, mcp__hex-line__read_file, mcp__hex-line__grep_search, mcp__hex-line__outline license: MIT model: claude-sonnet-4-6 --- > **Paths:** File paths (`references/`, `../ln-*`) are relative to this skill directory. # Runtime Lifecycle & Config Auditor (L3 Worker) **Type:** L3 Worker Specialized worker auditing runtime readiness, lifecycle, and startup configuration validation. ## Purpose & Scope - Audit **runtime lifecycle and config validation** (Category 12: Medium Priority) - Check bootstrap, shutdown, signal handling, probes, resource cleanup, env/config sync, and fail-fast startup validation - Emit `FIX_BOOTSTRAP`, `ADD_CONFIG_VALIDATION`, or `FIX_SHUTDOWN` - Calculate compliance score (X/10) ## Inputs **MANDATORY READ:** Load `references/audit_worker_core_contract.md`. Tool policy: follow host AGENTS.md MCP preferences; load `references/mcp_tool_preferences.md` and `references/mcp_integration_patterns.md` only when host policy is absent or MCP behavior is unclear. Receives `contextStore` with tech stack, deployment type, codebase root, output_dir. Use `hex-graph` first when lifecycle tracing materially improves confidence. Use `hex-line` first for local code reads when available. If MCP is unavailable, unsupported, or not indexed, continue with built-in `Read/Grep/Glob/Bash` and state the fallback in the report. ## Workflow Detection policy: use two-layer detection (candidate scan, then context verification); load `references/two_layer_detection.md` only when the verification method is ambiguous. 1) Parse context + output_dir 2) Check lifecycle and config validation patterns (Layer 1: grep for SIGTERM, shutdown handlers, probes, env reads, settings validation) 3) Analyze context per candidate (Layer 2): - Bootstrap order: read main file -- trace actual init sequence, verify dependencies satisfied before use - Graceful shutdown: read signal handlers -- do they actually close all resources? Or just log and exit? - Resource cleanup: read shutdown handler -- are ALL opened resources (DB, Redis, queues) closed? - Probes: check deployment config (Dockerfile, k8s manifests) -- is this containerized? - Config validation: are required env/config values validated at startup, before serving traffic? 4) Collect confirmed findings 5) Calculate score 6) **Write Report:** Build full markdown report in memory per `references/templates/audit_worker_report_template.md`, write to `{output_dir}/ln-629--global.md` in single Write call 7) **Return Summary:** Return minimal summary ## Audit Rules ### 1. Bootstrap Initialization Order **Detection:** - Check main/index file for initialization sequence - Verify dependencies loaded before usage (DB before routes) **Severity:** - **HIGH:** Incorrect order causes startup failures **Recommendation:** Initialize in correct order: config -> DB -> routes -> server **Effort:** M (refactor startup) ### 2. Graceful Shutdown **Detection:** - Grep for `SIGTERM`, `SIGINT` handlers - Check `process.on('SIGTERM')` (Node.js) - Check `signal.Notify` (Go) **Severity:** - **HIGH:** No shutdown handler (abrupt termination) **Recommendation:** Add SIGTERM handler, close connections gracefully **Effort:** M (add shutdown logic) ### 3. Resource Cleanup on Exit **Detection:** - Check if DB connections closed on shutdown - Verify file handles released - Check worker threads stopped **Severity:** - **MEDIUM:** Resource leaks on shutdown **Recommendation:** Close all resources in shutdown handler **Effort:** S-M (add cleanup calls) ### 4. Signal Handling **Detection:** - Check handlers for SIGTERM, SIGINT, SIGHUP - Verify proper signal propagation to child processes **Severity:** - **MEDIUM:** Missing signal handlers **Recommendation:** Handle all standard signals **Effort:** S (add signal handlers) ### 5. Liveness/Readiness Probes **Detection (for containerized apps):** - Check for `/live`, `/ready` endpoints - Verify Kubernetes probe configuration **Severity:** - **MEDIUM:** No probes (Kubernetes can't detect health) **Recommendation:** Add `/live` (is running) and `/ready` (ready for traffic) **Effort:** S (add endpoints) ### 6. Startup Config Validation **Detection:** - Find env/config reads in startup path - Check for validation frameworks or explicit fail-fast checks - Compare required runtime vars from code with documented startup config when available **Severity:** - **HIGH:** Required config can be missing while app still starts - **MEDIUM:** Defaults/desync can make local, CI, and deployed startup differ **Recommendation:** Validate required config at boot and fail before accepting traffic **Effort:** M ## Scoring Algorithm **MANDATORY READ:** Load `references/audit_scoring.md`. ## Output Format **MANDATORY READ:** Load `references/templates/audit_worker_report_template.md`. Write JSON summary per `references/audit_summary_contract.md`. In managed mode the caller passes both `runId` and `summaryArtifactPath`; in standalone mode the worker generates its own run-scoped artifact path per shared contract. Write report to `{output_dir}/ln-629--global.md` with `category: "Runtime Lifecycle & Config"` and checks: bootstrap_order, graceful_shutdown, resource_cleanup, signal_handling, probes, startup_config_validation. Return summary per `references/audit_summary_contract.md`. When `summaryArtifactPath` is absent, write the standalone runtime summary under `.hex-skills/runtime-artifacts/runs/{run_id}/evaluation-worker/{worker}--{identifier}.json` and optionally echo the same summary in structured output. ``` Report written: .hex-skills/runtime-artifacts/runs/{run_id}/audit-report/ln-629--global.md Score: X.X/10 | Issues: N (C:N H:N M:N L:N) ``` ## Reference Files - **Audit output schema:** `references/audit_output_schema.md` ## Critical Rules Apply the already-loaded `references/audit_worker_core_contract.md`. - **Do not auto-fix:** Report only, lifecycle changes risk downtime - **Deployment-aware:** Adapt probe checks to deployment type (Kubernetes = probes required, bare metal = optional) - **Effort realism:** S = <1h, M = 1-4h, L = >4h - **Exclusions:** Skip CLI tools and scripts (no long-running lifecycle), skip serverless functions (platform-managed lifecycle) - **Initialization order matters:** Flag DB usage before DB init as HIGH regardless of context - **Unique angle:** Audit runtime readiness and startup config validation only. Do not audit configuration architecture boundaries, package health, or diagnostic telemetry. - **Action required:** Every finding uses `FIX_BOOTSTRAP`, `ADD_CONFIG_VALIDATION`, or `FIX_SHUTDOWN`. ## Definition of Done Apply the already-loaded `references/audit_worker_core_contract.md`. - [ ] contextStore parsed (deployment type, output_dir) - [ ] All 6 checks completed (bootstrap order, graceful shutdown, resource cleanup, signal handling, probes, startup config validation) - [ ] Findings collected with severity, location, effort, action, recommendation - [ ] Score calculated per `references/audit_scoring.md` - [ ] Report written to `{output_dir}/ln-629--global.md` (atomic single Write call) - [ ] Summary written per contract --- **Version:** 3.0.0 **Last Updated:** 2025-12-23