The AI-Powered System Audit: Do this before your Vibe Project Breaks
A single prompt that turns an AI agent into a staff-level engineer performing a complete technical inventory of any codebase
Every engineering leader has lived through it. You inherit a system. Maybe it's an acquisition. Maybe the previous team left. Maybe you're the new CTO and nobody who built the original platform is still around. You open the repo and find a README that was last updated eighteen months ago, an architecture doc that describes a system that no longer exists, and a Confluence page titled "How Deployment Works" that contains three bullet points and a broken diagram.
You're now responsible for a production system serving real users, and you don't know how it works.
The traditional response is to spend weeks—sometimes months—having your new team reverse-engineer the codebase. Senior engineers trace request flows through unfamiliar frameworks. Someone discovers an undocumented cron job that turns out to be critical. The database has tables nobody can explain. There are environment variables referenced in code that aren't in any .env.example file. Half the API endpoints aren't documented anywhere. The deployment process lives in one person's head, and that person left six months ago.
It's archaeology, and it's brutally expensive. Not just in engineering hours, but in risk. Every day your new team operates a system they don't fully understand is a day something can break in a way nobody knows how to fix.
We Built a Better Way
At Quantum Studio, we manage and build systems across multiple sectors—property, travel, events, music, spatial computing. Systems come and go. Teams rotate. Due diligence on acquisitions happens fast. We needed a repeatable process that could produce a comprehensive technical handoff package for any system in hours, not months.
So we built a prompt. Not a chatbot conversation. Not a template. A single, detailed instruction set—roughly 3,000 words of precise directives—that turns an AI coding agent into a staff-level engineer performing a complete technical audit of any codebase and its running infrastructure.
You point the agent at a repository, give it access to the running environment, and let it work. What comes back is a structured engineering handoff package that would take a senior engineer weeks to produce manually. We've now used it on dozens of systems. It works. And we're sharing it publicly.
What the Audit Covers
The prompt instructs the AI agent to inspect the actual running system—not guess from documentation, not summarise a README, not give you a shallow overview. It traces real code paths, examines real configuration, and documents what actually exists. The scope is exhaustive:
- Executive architecture overview — what the product does, main user flows, core business logic, and a system diagram
- Full file and component inventory — every directory, every significant file, entry points, dead code, legacy paths
- Data model and schema documentation — tables, fields, types, constraints, indexes, relationships, migration history, integrity issues
- Complete API inventory — every endpoint with method, path, request/response schemas, auth requirements, side effects, and source file locations
- Auth, roles, permissions, and security model — session flows, permission enforcement points, secrets usage, PII exposure risks, trust boundaries
- Infrastructure and deployment — hosting, CI/CD, DNS, environment variables, secrets references, containers, rollback procedures, disaster recovery
- Frontend and backend architecture — routing, state management, service layers, caching, background processing, error handling
- Dependencies and third-party services — every library, SDK, and external service with an explanation of why it's used and what breaks if it's removed
- Operations runbook — how to start locally, migrate databases, deploy, read logs, debug common failures, restart services
- Troubleshooting and failure modes — likely breakpoints, race conditions, performance bottlenecks, scaling limitations
- Tech debt analysis and improvement roadmap — immediate fixes, short-term cleanup, medium-term refactors, security and reliability improvements
- New team onboarding package — what to read first, what never to change casually, how to safely extend features, suggested onboarding order
Honest About What It Doesn't Know
This is the part that matters most. The prompt explicitly instructs the agent: do not invent missing details. If something cannot be confirmed from the actual code and configuration, it must be marked as one of three things:
UNVERIFIED — found a reference but couldn't confirm it's active or correct
INFERRED — deduced from context but not explicitly documented or tested
NOT FOUND — expected this to exist but couldn't locate it
This is critical. A handoff document that sounds confident about everything is more dangerous than having no document at all—it creates false trust. Our audit is explicit about uncertainty, which means the receiving team knows exactly where to focus their own verification effort. When they see INFERRED next to a claim about the caching layer, they know to test it themselves before relying on it.
The prompt also enforces a strict rule: if there are contradictions between documentation and implementation, the agent must prioritise what the code actually does and explicitly call out the mismatch. Stale docs are worse than no docs. The audit surfaces them instead of perpetuating them.
Concrete Deliverables
The audit doesn't produce a single massive document. It generates a structured handoff package of individual markdown files, each serving a specific purpose:
ARCHITECTURE_OVERVIEW.md— the system at a glanceSYSTEM_INVENTORY.md— complete file and component inventoryAPI_REFERENCE.md— every endpoint, fully documentedDATABASE_SCHEMA.md— data model, relationships, integrity analysisOPERATIONS_RUNBOOK.md— how to operate the system day-to-daySECURITY_REVIEW.md— auth model, vulnerabilities, recommendationsTECH_DEBT_AND_RECOMMENDATIONS.md— prioritised improvement roadmapNEW_TEAM_ONBOARDING.md— the fast-start guide for incoming engineersDEV_TEAM_HANDOFF_SUMMARY.md— the executive fast-read version
Where possible, it also generates Mermaid diagrams—architecture overviews, entity-relationship diagrams, service dependency maps, and route maps. Real artefacts a team can use immediately.
The Phased Approach
We learned early that throwing the entire audit at an AI agent in one pass leads to truncation and laziness in the later sections. The prompt is designed to run in five explicit phases:
- Discovery — inventory the entire system: repo structure, services, frameworks, databases, deployment targets, third-party integrations, unknowns
- Documentation — deep-dive into frontend, backend, data model, APIs, auth, and infrastructure
- Handoff docs — generate the structured markdown files in a
/docsor/handoffdirectory - Risk audit — security, performance, reliability, maintainability, scalability, and operational risk assessment
- Onboarding — create concise onboarding documentation for the new team
At the end of each phase, the agent summarises findings, lists open questions, flags unverified assumptions, and catalogues every file it inspected. This creates an auditable trail of the audit itself—you can see exactly what the agent looked at and what it might have missed.
The phased approach also prevents a common failure mode with AI agents: context exhaustion. A single massive prompt often results in thorough early sections and increasingly shallow later ones. By breaking the work into discrete phases, each section gets the agent's full attention.
The prompt also instructs the agent to inspect the live deployed environment where accessible—running services, open ports, environment configuration, process managers, logs, reverse proxy configuration, database connections, webhook endpoints, and DNS routing. This is where the audit goes beyond what any static analysis tool can do. It's not just reading code—it's understanding the running system. It documents secret names and usage without ever exposing actual values.
Why This Matters
This isn't just a developer convenience tool. It solves real business problems:
- Acquisitions and due diligence — understand exactly what you're buying before you sign
- Team transitions — when a dev agency hands off to an in-house team, or when key engineers leave
- Disaster recovery planning — know how to rebuild the system if everything goes wrong
- Compliance and auditing — produce documentation that satisfies technical audit requirements
- Investor confidence — demonstrate that your technical assets are well-understood and well-documented
- Reducing bus factor — ensure no single person is the only one who understands how things work
The quality bar we set is explicit in the prompt: this should read like documentation prepared by a strong staff engineer doing a serious transition package. Precise, exhaustive, implementation-grounded, and honest about uncertainty. At the end, the agent delivers the top 20 files a new developer should read first, the top 10 architectural risks, the top 10 highest-value improvements, and a one-page explanation of how the entire system works. Everything a new team lead needs to hit the ground running.
Use It
We're sharing the complete prompt publicly because we believe better handoffs make the entire industry stronger. Fewer abandoned systems, fewer failed transitions, fewer engineers burning out trying to understand code nobody documented. Use it with any AI coding agent that has access to your codebase—Claude with computer access, Cursor, an agent in your IDE, or any tool that can read files and run commands.
→ View the full prompt on Google Docs
Or expand the section below to read and copy the entire prompt directly:
View the Complete System Audit Prompt
TECHNICAL AUDIT PROMPT I need you to perform a complete technical inventory and handoff audit of this entire project so a new engineering team could fully understand, operate, maintain, debug, secure, extend, and rebuild it if necessary. Your task is to inspect the actual running project, codebase, configuration, deployment setup, connected services, data model, APIs, auth, infrastructure, build chain, and operational tooling. Do not give me a shallow summary. I want a true engineering handoff package based on what actually exists in the system right now. OBJECTIVE Produce a complete, accurate, implementation-grounded documentation set for this project, including: 1. Executive architecture overview 2. Detailed technical architecture 3. Full file and component inventory 4. Data model and schema documentation 5. API inventory and endpoint documentation 6. Auth, roles, permissions, and security model 7. Infrastructure, deployment, hosting, domains, env vars, secrets references, and runtime services 8. Frontend architecture 9. Backend architecture 10. Third party services, SDKs, packages, libraries, tools, and dependencies 11. Background jobs, queues, cron jobs, webhooks, and async processes 12. Observability, logging, analytics, and monitoring 13. Failure points, risks, tech debt, and known weak spots 14. Local development and deployment instructions 15. Maintenance and troubleshooting guide 16. Upgrade and extension guidance 17. Recommended refactor priorities 18. A clear "how this whole system works" explanation for a new dev team APPROACH You must inspect the code and environment directly. Do not invent missing details. If something cannot be confirmed, clearly mark it as: - UNVERIFIED - INFERRED - NOT FOUND For every major claim, point to the exact file(s), config(s), code section(s), table(s), endpoint(s), or service(s) that support it. If there are contradictions between docs and implementation, prioritize implementation and call out the mismatch. OUTPUT FORMAT Create the output as a structured handoff package with these sections: A. SYSTEM SUMMARY - What the product does - Main user flows - Core business logic - High level system diagram in text form B. ARCHITECTURE OVERVIEW - Frontend stack - Backend stack - Database(s) - Auth - Hosting / infra - External integrations - Realtime systems if any - Storage systems - Messaging / queues if any C. REPOSITORY + FILE INVENTORY - Top level folder tree - What each major directory does - Important files and why they matter - Dead code, duplicate code, legacy code, experimental code - Entry points for app, API, workers, scripts, admin tools D. FRONTEND DOCUMENTATION - App structure - Routing - Pages and views - Shared components - State management - Data fetching strategy - Forms - Styling system - Asset pipeline - Error handling - Auth flow on frontend - Performance considerations E. BACKEND DOCUMENTATION - Service architecture - Controllers / routes / handlers - Business logic modules - Services layer - Database access layer - Caching layer - Background processing - Validation and error handling - Internal utilities - Configuration flow F. DATA MODEL / SCHEMA - All databases and schemas - Tables / collections - Fields, types, constraints, indexes - Relationships - Derived fields - Migration history - Seed data - Data lifecycle - Risky schema areas - Missing constraints or integrity issues G. API INVENTORY For every API endpoint or callable service: - Method - Path - Purpose - Request params - Body schema - Response schema - Auth requirements - Roles/permissions - Side effects - Source file location - Consumer(s) of endpoint - Known issues / risks Also include: - Internal APIs - External APIs used - Webhooks in and out - Realtime channels - SDK interfaces if any H. AUTH + SECURITY - Authentication system - Session / token flow - User roles - Permission enforcement points - Sensitive data handling - Secrets usage - Input validation - File upload security - CORS / CSP / headers - Rate limiting - Abuse risks - PII exposure risks - Trust boundaries - Security weaknesses and recommended fixes I. INFRASTRUCTURE + DEPLOYMENT - Hosting providers - Runtime environments - Build pipeline - CI/CD - DNS / domains / subdomains - Environment variables by purpose - Secret references without exposing secret values - Storage buckets - CDN / cache - Process manager - Containers / services - Database hosting - Scheduled jobs - Deployment steps - Rollback process - Disaster recovery concerns J. DEPENDENCIES + TOOLS - Core frameworks - Libraries - SDKs - Dev tools - Build tools - Testing tools - Analytics tools - Monitoring tools - AI or model providers - Payment or auth providers - Why each is used - What breaks if removed K. OPERATIONS RUNBOOK - How to start locally - Required env vars - Install steps - Migrate database - Seed database - Start frontend - Start backend - Start workers - Run tests - Build for production - Deploy - Read logs - Debug common failures - Restart services - Safe maintenance checklist L. TROUBLESHOOTING + FAILURE MODES - Most likely breakpoints - Common error sources - Debug paths - External dependency failure impact - Data corruption risk areas - Race conditions - Realtime failure risks - Performance bottlenecks - Scaling limitations M. TECH DEBT + IMPROVEMENT PLAN - Immediate fixes - Short term cleanup - Medium term refactors - High value upgrades - Security improvements - Reliability improvements - Developer experience improvements - Documentation gaps N. HANDOFF FOR NEW DEV TEAM - What they should read first - What they should never change casually - Where to safely extend features - How to test changes safely - How to service production - Suggested onboarding order for a new engineer O. APPENDICES - Folder tree - Route map - Environment variable catalog - DB schema summary - Endpoint summary table - Dependency summary table - Service/component map - Glossary of project-specific terms DELIVERABLE REQUIREMENTS 1. Write this to markdown files in a /docs or /handoff folder. 2. Also create: - ARCHITECTURE_OVERVIEW.md - SYSTEM_INVENTORY.md - API_REFERENCE.md - DATABASE_SCHEMA.md - OPERATIONS_RUNBOOK.md - SECURITY_REVIEW.md - TECH_DEBT_AND_RECOMMENDATIONS.md - NEW_TEAM_ONBOARDING.md 3. Also create one concise file: - DEV_TEAM_HANDOFF_SUMMARY.md This should be the fast-read version for executives and incoming tech leads. 4. If possible, generate: - a diagram in Mermaid - a route map - an ERD in Mermaid - a service dependency map 5. Include concrete references to source files throughout. 6. Do not stop at package.json or high-level guesses. Trace actual usage through the codebase. 7. If this is a monorepo or multi-service system, document each app/service separately and then explain how they connect. 8. If parts of the system are missing, stale, broken, or unclear, explicitly identify them. AUDIT INSTRUCTIONS Please inspect all of the following where present: - repository structure - package manifests - lockfiles - tsconfig / jsconfig - env examples - docker files - compose files - nginx / proxy config - server config - cloud config - migrations - ORM schema - SQL files - seed scripts - frontend routes - API routes - middleware - auth logic - queue / worker logic - cron jobs - webhook handlers - analytics - tests - scripts folder - admin tools - deployment scripts - README files - comments that reveal intent - dead or legacy code paths QUALITY BAR I want this to read like documentation prepared by a strong staff engineer doing a serious transition package. Be precise. Be exhaustive. Be implementation-grounded. Be honest about uncertainty. At the end, give me: 1. The top 20 files a new dev should read first 2. The top 10 architectural risks 3. The top 10 highest-value improvements 4. A one-page explanation of how the whole system works --- PHASED EXECUTION (recommended) A better approach is to run this in phases so the agent does not get lazy or truncate. Phase 1: Discover and inventory the entire system. Output: - repo tree - major services - frameworks - databases - deployment targets - third party integrations - unknowns and missing pieces Phase 2: Document frontend, backend, data model, APIs, auth, and infrastructure in detail. Phase 3: Create handoff docs in /docs or /handoff. Phase 4: Perform a risk audit: - security - performance - reliability - maintainability - scalability - operational risk Phase 5: Create concise onboarding docs for a new dev team. At the end of each phase: - summarize findings - list open questions - list unverified assumptions - list exact files inspected --- LIVE SYSTEM INSPECTION Also inspect the deployed environment and operational setup where accessible: - running services - open ports - environment configuration - build and runtime commands - scheduled jobs - process manager - logs - reverse proxy - database connections - storage references - webhook endpoints - DNS/domain routing Do not expose secret values. Only document secret names, usage, and where they are required. --- Do not optimize for brevity. Optimize for completeness, accuracy, and usefulness to a replacement engineering team.
The next time you need to hand off a system, onboard a new team, perform due diligence on a potential acquisition, or just understand what you're actually running in production—don't spend a month on it. Point an AI agent at the codebase, give it this prompt, and let it do the archaeology for you.
The documentation it produces won't be perfect. No automated audit replaces deep institutional knowledge. But it will be comprehensive, structured, honest about its limitations, and ready in hours instead of weeks. That's not just a time saving—it's the difference between a new team that's productive on day one and a new team that's still confused on month three.
That's the starting point your new team actually needs. And now it takes an afternoon instead of a quarter.