---
name: scale-audit
description: "Scalability audit — identifies performance bottlenecks, unbounded queries, N+1 patterns, missing indexes, synchronous blocking operations on hot paths, and memory pressure points. Outputs a prioritized fix list."
version: "1.0.0"
category: qa
platforms:
  - CLAUDE_CODE
---

You are a scalability auditor. Analyze the codebase for bottlenecks that will break under load.

Do NOT ask the user questions. Audit autonomously and produce a prioritized report.
Do NOT make any changes — read-only analysis only.

============================================================
SCOPE DETECTION
============================================================

If an argument is provided, treat it as a path and analyze that directory.
If no argument, analyze the current working directory.

============================================================
PHASE 1: DATABASE LAYER
============================================================

1. Find all ORM queries and raw SQL:
   - Prisma: `prisma.$queryRaw`, `.findMany()` without `take`, relation `include`s without a narrowing `select`
   - Sequelize/Drizzle/TypeORM: the equivalent find-all calls without a limit and relation loads without a field selection
   - Raw SQL: `SELECT *`, missing `LIMIT`, subqueries in loops

2. Flag N+1 patterns:
   - Any query inside a loop or `.map()` / `.forEach()`
   - ORM calls without eager loading (missing `include`/`with`)

3. Missing indexes:
   - Fields used in `WHERE`, `ORDER BY`, `JOIN ON` that lack an index
   - Foreign keys without indexes
   - Check schema files (schema.prisma, migrations/*.sql, models/*.py)

4. Unbounded result sets:
   - `findMany()` without `take`/`limit`
   - Pagination missing on list endpoints
   - Count queries on large tables without conditions
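
Worked example, added here and not part of the skill: a token-blind heuristic scanner that flags three of the Phase 1 patterns in a constructed sample handler. The rule ids (`DB-01` to `DB-03`), the regexes and the sample source are inventions for this example. Its output is triage input for the auditor, not proof: every hit still needs a read of the surrounding code (a `findMany()` bounded by a wrapper the scanner cannot see would be a false positive, and a paren inside a string literal would confuse the call-text tracker).

```javascript
// Added example, not part of the skill: heuristic scanner for three Phase 1
// patterns. Rule ids, regexes and the sample source are constructed here.
//   DB-01  findMany() with no `take`                 (unbounded result set)
//   DB-02  raw SQL with SELECT *                      (over-fetching)
//   DB-03  query inside a loop body or map/forEach    (N+1)

const QUERY_CALL = /(?:\$queryRaw|\.(?:findMany|findUnique|findFirst|query))\s*[(`]/;
const BLOCK_LOOP = /\b(?:for|while)\s*\(/;      // body starts at the next `{`
const CALLBACK_LOOP = /\.(?:map|forEach)\s*\(/; // body is everything after the `(`

// Text of a call from the `(` at lines[line][col] to its matching `)`,
// spanning lines if needed. Token-blind: parens inside strings confuse it.
function callText(lines, line, col) {
  let depth = 0;
  let out = '';
  for (let i = line; i < lines.length; i++) {
    for (let j = i === line ? col : 0; j < lines[i].length; j++) {
      const ch = lines[i][j];
      out += ch;
      if (ch === '(') depth++;
      else if (ch === ')' && --depth === 0) return out;
    }
    out += '\n';
  }
  return out;
}

function scanForDbBottlenecks(source) {
  const lines = source.split('\n');
  const findings = [];
  let braceDepth = 0;
  const loopBodies = []; // brace depth at which each enclosing loop body opened

  lines.forEach((text, idx) => {
    const lineNo = idx + 1;

    // DB-01: findMany() whose argument object carries no `take`
    const fm = text.indexOf('.findMany(');
    if (fm !== -1 && !/\btake\s*:/.test(callText(lines, idx, fm + '.findMany'.length))) {
      findings.push({ rule: 'DB-01', line: lineNo, detail: 'findMany() without take' });
    }

    // DB-02: raw SQL that selects every column
    if (/\bSELECT\s+\*/i.test(text)) {
      findings.push({ rule: 'DB-02', line: lineNo, detail: 'SELECT * over-fetches columns' });
    }

    // DB-03: a query issued inside a loop body, or after a map/forEach `(`
    const cb = text.search(CALLBACK_LOOP);
    const q = text.search(QUERY_CALL);
    if (q !== -1 && (loopBodies.length > 0 || (cb !== -1 && q > cb))) {
      findings.push({ rule: 'DB-03', line: lineNo, detail: 'query inside loop (N+1)' });
    }

    // Brace bookkeeping runs after the checks so a loop header line is not
    // treated as part of its own body.
    let opensLoop = BLOCK_LOOP.test(text) || cb !== -1;
    for (const ch of text) {
      if (ch === '{') {
        braceDepth++;
        if (opensLoop) { loopBodies.push(braceDepth); opensLoop = false; }
      } else if (ch === '}') {
        braceDepth--;
        if (loopBodies.length > 0 && loopBodies[loopBodies.length - 1] > braceDepth) loopBodies.pop();
      }
    }
  });
  return findings;
}

// Constructed sample handler: each defect appears once, plus two bounded
// queries (lines 5 and 11 of the sample) that must not be flagged as DB-01.
const SAMPLE = `
export async function listOrders(req, res) {
  const orders = await prisma.order.findMany({ where: { userId: req.user.id } });
  for (const order of orders) {
    order.items = await prisma.item.findMany({
      where: { orderId: order.id },
      take: 100,
    });
  }
  const totals = await prisma.$queryRaw\`SELECT * FROM order_totals\`;
  const recent = await prisma.order.findMany({ orderBy: { createdAt: 'desc' }, take: 20 });
  const names = orders.map((o) => prisma.user.findUnique({ where: { id: o.userId } }));
  res.json({ orders, totals, recent, names });
}
`;

for (const f of scanForDbBottlenecks(SAMPLE)) {
  console.log(`[${f.rule}] line ${f.line}: ${f.detail}`);
}
```

Run against the sample it reports four findings: the unbounded `findMany()` on line 3, the per-order `findMany()` inside the `for` body on line 5, the `SELECT *` on line 10 and the `findUnique()` inside the `.map()` callback on line 12. Each maps directly to a `{file:line}` reference in the report format below.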

============================================================
PHASE 2: API / COMPUTE LAYER
============================================================

1. Synchronous blocking on hot paths:
   - `fs.readFileSync`, `execSync` in request handlers
   - CPU-intensive operations in the main thread (no worker)
   - `JSON.parse` on large payloads without size checks

2. Unbounded loops:
   - Loops over user-controlled input without limits
   - Nested loops (O(n²)) on large data sets
   - Recursive functions without depth limits

3. Missing caching:
   - Expensive computations (aggregations, heavy queries) called repeatedly
   - External API calls on every request without memoization
   - Cache-Control headers missing on static/slow-changing endpoints

4. Rate limiting gaps:
   - Endpoints without rate limits that could be flood-attacked
   - Bulk operations (batch inserts, mass updates) without throttling
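
Worked example, added here and not part of the skill: one request guard that applies three of the Phase 2 mitigations before any expensive work runs: a byte cap checked before `JSON.parse`, a cap on how many user-supplied items a later loop may iterate, and a per-client token bucket so one caller cannot flood the endpoint. The limit values, the function and class names and the injected `now` clock are choices made for this example.

```javascript
// Added example, not part of the skill: one request guard that applies three
// Phase 2 mitigations before any expensive work runs. Limits, names and the
// injected `now` clock (ms) are constructed for this example.

const MAX_BODY_BYTES = 16 * 1024; // refuse to parse bodies larger than this
const MAX_IDS = 200;              // upper bound on ids a single request may list
const BUCKET_CAPACITY = 10;       // burst allowance per client
const REFILL_PER_SEC = 2;         // sustained requests per second per client

// Token bucket keyed by client id. `now` is a parameter so behaviour over time
// can be tested without sleeping.
class TokenBucketLimiter {
  constructor(capacity = BUCKET_CAPACITY, refillPerSec = REFILL_PER_SEC) {
    this.capacity = capacity;
    this.refillPerSec = refillPerSec;
    this.buckets = new Map();
  }
  allow(clientId, now = Date.now()) {
    const b = this.buckets.get(clientId) ?? { tokens: this.capacity, updated: now };
    const elapsedSec = Math.max(0, now - b.updated) / 1000;
    b.tokens = Math.min(this.capacity, b.tokens + elapsedSec * this.refillPerSec);
    b.updated = now;
    this.buckets.set(clientId, b);
    if (b.tokens < 1) return false;
    b.tokens -= 1;
    return true;
  }
}

// Check a raw request body, cheapest check first: limiter, byte cap, parse,
// shape, bound. Returns { ok: true, ids } or { ok: false, status, reason }.
function guardListRequest(rawBody, clientId, limiter, now = Date.now()) {
  if (!limiter.allow(clientId, now)) {
    return { ok: false, status: 429, reason: 'rate limit exceeded' };
  }
  // Byte length, not string length: multi-byte characters make them differ.
  if (Buffer.byteLength(rawBody, 'utf8') > MAX_BODY_BYTES) {
    return { ok: false, status: 413, reason: 'payload too large' };
  }
  let parsed;
  try {
    parsed = JSON.parse(rawBody);
  } catch {
    return { ok: false, status: 400, reason: 'invalid JSON' };
  }
  if (!parsed || !Array.isArray(parsed.ids)) {
    return { ok: false, status: 400, reason: 'ids must be an array' };
  }
  if (parsed.ids.length > MAX_IDS) {
    return { ok: false, status: 400, reason: `at most ${MAX_IDS} ids per request` };
  }
  // Positive integers only, so a later `WHERE id IN (...)` cannot be widened
  // by objects or strings smuggled into the array.
  if (!parsed.ids.every((id) => Number.isInteger(id) && id > 0)) {
    return { ok: false, status: 400, reason: 'ids must be positive integers' };
  }
  return { ok: true, ids: parsed.ids };
}

// Demo with a fixed clock: client "a" bursts twelve requests in one instant,
// then sends one more a second later.
const limiter = new TokenBucketLimiter();
const t0 = 1700000000000;
const statuses = [];
for (let i = 0; i < 12; i++) {
  statuses.push(guardListRequest('{"ids":[1,2,3]}', 'a', limiter, t0).status ?? 200);
}
console.log(statuses.join(' '));                                           // ten 200s, then two 429s
console.log(guardListRequest('{"ids":[1]}', 'a', limiter, t0 + 1000).ok); // true: two tokens refilled
```

The order of the checks is the point: the limiter runs before any byte of the body is inspected, the byte cap runs before `JSON.parse` allocates, and the length cap runs before anything iterates the list. In a real service the limiter instance is shared across requests (here it is module-level for that reason) and the client key comes from an authenticated identity rather than a spoofable header.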

============================================================
PHASE 3: MEMORY & RESOURCE
============================================================

1. Memory leaks:
   - Event listeners added in loops without cleanup
   - Unclosed streams or DB connections
   - Large objects held in module-level variables

2. File system pressure:
   - Synchronous file reads in request handlers
   - Large file uploads buffered in memory (should stream)
   - Temp files created but never cleaned up

3. External dependencies:
   - Third-party API calls without timeouts
   - Missing circuit breakers on downstream services
   - No retry budget (infinite retries on failure)
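
Worked example, added here and not part of the skill: the three controls in item 3 (per-call timeouts, a circuit breaker, a retry budget) as small pieces. `CircuitBreaker` and `RetryBudget` are synchronous state machines driven by an injected clock so they can be unit-tested without sleeping; `callDownstream` composes them around any promise-returning call. The thresholds, the names and the stubs in the demo are constructed for this example.

```javascript
// Added example, not part of the skill. Thresholds, names and the demo stubs
// are constructed here; the clock (`now`, ms) is injected for testability.

// CLOSED -> OPEN after `failureThreshold` consecutive failures; OPEN -> HALF_OPEN
// once `cooldownMs` has elapsed, allowing exactly one trial call; the trial's
// success closes the breaker, its failure reopens it.
class CircuitBreaker {
  constructor({ failureThreshold = 3, cooldownMs = 30000 } = {}) {
    this.failureThreshold = failureThreshold;
    this.cooldownMs = cooldownMs;
    this.state = 'CLOSED';
    this.failures = 0;
    this.openedAt = 0;
    this.trialIssued = false;
  }
  canCall(now = Date.now()) {
    if (this.state === 'OPEN' && now - this.openedAt >= this.cooldownMs) {
      this.state = 'HALF_OPEN';
      this.trialIssued = false;
    }
    if (this.state === 'HALF_OPEN') {
      if (this.trialIssued) return false;
      this.trialIssued = true;
      return true;
    }
    return this.state === 'CLOSED';
  }
  recordSuccess() { this.state = 'CLOSED'; this.failures = 0; }
  recordFailure(now = Date.now()) {
    this.failures += 1;
    if (this.state === 'HALF_OPEN' || this.failures >= this.failureThreshold) {
      this.state = 'OPEN';
      this.openedAt = now;
    }
  }
}

// Retries in the current window may not exceed `ratio` of the requests seen in
// it, with a floor of `minRetries` so a quiet service can still retry at all.
class RetryBudget {
  constructor({ ratio = 0.1, minRetries = 3, windowMs = 60000 } = {}) {
    Object.assign(this, { ratio, minRetries, windowMs, windowStart: 0, requests: 0, retries: 0 });
  }
  roll(now) {
    if (now - this.windowStart >= this.windowMs) {
      this.windowStart = now; this.requests = 0; this.retries = 0;
    }
  }
  recordRequest(now = Date.now()) { this.roll(now); this.requests += 1; }
  tryConsumeRetry(now = Date.now()) {
    this.roll(now);
    const allowed = Math.max(this.minRetries, Math.floor(this.requests * this.ratio));
    if (this.retries >= allowed) return false;
    this.retries += 1;
    return true;
  }
}

// Per-attempt timeout (the signal is aborted too, so a cooperative fn can stop
// its work), attempts bounded by maxAttempts AND the shared budget, and the
// breaker consulted before every attempt.
async function callDownstream(fn, { breaker, budget, timeoutMs = 2000, maxAttempts = 3, now = Date.now }) {
  budget.recordRequest(now());
  let lastErr;
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    if (!breaker.canCall(now())) throw new Error('circuit open: downstream skipped');
    const ac = new AbortController();
    let timer;
    const timeout = new Promise((_, reject) => {
      timer = setTimeout(() => { reject(new Error(`timeout after ${timeoutMs}ms`)); ac.abort(); }, timeoutMs);
    });
    try {
      const result = await Promise.race([fn(ac.signal), timeout]);
      breaker.recordSuccess();
      return result;
    } catch (err) {
      lastErr = err;
      breaker.recordFailure(now());
    } finally {
      clearTimeout(timer);
    }
    if (attempt < maxAttempts && !budget.tryConsumeRetry(now())) break;
  }
  throw lastErr;
}

// Demo with real (short) timers: a stub that fails once then succeeds, then a
// stub that never answers, against a breaker that opens after two failures.
async function demo() {
  const breaker = new CircuitBreaker({ failureThreshold: 2, cooldownMs: 50 });
  const budget = new RetryBudget();
  let calls = 0;
  const flaky = async () => { calls += 1; if (calls < 2) throw new Error('503'); return 'ok'; };
  console.log(await callDownstream(flaky, { breaker, budget, timeoutMs: 100 }));
  const hang = (signal) => new Promise((_, reject) =>
    signal.addEventListener('abort', () => reject(new Error('aborted'))));
  try { await callDownstream(hang, { breaker, budget, timeoutMs: 20 }); }
  catch (e) { console.log(e.message, '/ breaker is', breaker.state); }
}
demo();
```

The breaker and the budget are shared per downstream service, not created per request; constructing them inside a handler would reset the failure count on every call and defeat both controls. In the demo the hanging stub times out twice, the breaker opens, and the third attempt is skipped without waiting a third timeout, which is the behaviour an auditor wants to see for every third-party call on a hot path.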

============================================================
OUTPUT FORMAT
============================================================

```
## Scale Audit — {path}

### Critical (fix before any load increase)
- [C1] {issue} — {file:line} — {fix}

### High (fix this sprint)
- [H1] {issue} — {file:line} — {fix}

### Medium (schedule for next sprint)
- [M1] {issue} — {file:line} — {fix}

### Low (nice to have)
- [L1] {issue} — {file:line} — {fix}

### Summary
- Critical: N | High: N | Medium: N | Low: N
- Biggest risk: {one sentence}
- Quick win: {one sentence}

NEXT STEPS:
- "Run /perf to measure current baseline before applying fixes."
- "Run /security-review to catch auth gaps alongside these performance fixes."
```

============================================================
SELF-HEALING VALIDATION
============================================================

After producing output:

1. Verify every finding has a specific file + line reference (not vague)
2. Verify every fix is actionable (not generic advice)
3. If a section has no findings, write "None found" — do not omit the section
