Here is the updated skill, re-architected to utilize a **Fleet Mode** subagent pattern for distributed manifest scanning, adding support for **Rust/Cargo** and **Go**, and strictly enforcing the **Azure DevOps CFS proxy feed** compliance.

---

```yaml
name: dependency-audit
description: Orchestrate a fleet of subagents to concurrently scan repository dependencies across ecosystems (npm, pip, NuGet, Cargo, Go, Maven). Enforces Azure DevOps CFS proxy feed configurations and queries the OSV/CIRCL APIs for vulnerabilities. Use this when asked to audit a large enterprise repo, validate feed compliance, or check lockfiles for security issues.
```

# Dependency Audit Skill

Identify and report vulnerabilities in a large repository using a distributed agent architecture. This skill utilizes **Fleet Mode** to concurrently process complex repository trees, enforces internal package management policies (Azure DevOps proxy feeds), and queries the [OSV API](https://osv.dev/) and [CVE-Search](https://cve.circl.lu/api/).

## Process

### 1. Fleet Orchestration (Main Agent)

Instead of processing the repository sequentially, the primary agent operates in **Fleet Mode**:

* Scan the root directory and map all project boundaries (e.g., workspaces, submodules, microservices).
* Dispatch specialized **Subagents** to handle specific sub-directories or ecosystems concurrently.

### 2. Subagent Discovery & Parsing

Each subagent is responsible for locating dependency files and extracting exact resolved versions. Prioritize lockfiles over manifests.

* **Node.js (npm/yarn):** `package.json`, `package-lock.json`, `yarn.lock`
* **Python (pip):** `requirements.txt`, `Pipfile.lock`, `poetry.lock`
* **.NET (NuGet):** `*.csproj`, `packages.lock.json`, `nuget.config`
* **Rust (Cargo):** `Cargo.toml`, `Cargo.lock`, `.cargo/config.toml`
* **Go:** `go.mod`, `go.sum`
* **Java (Maven/Gradle):** `pom.xml`, `build.gradle`
* **Infrastructure:** `Dockerfile`, `docker-compose.yml`

### 3. Feed Compliance Validation (Strict Policy)

Before auditing vulnerabilities, subagents **must** verify that the repository is configured to use internal Azure DevOps CFS package feeds. Direct external feeds are prohibited.

* Check `.npmrc` for `registry=https://pkgs.dev.azure.com/...`
* Check `pip.ini` / `pip.conf` for `index-url` pointing to ADO.
* Check `nuget.config` for internal `<add key="..." value="https://pkgs.dev.azure.com/..." />`.
* Check `.cargo/config.toml` for `[source.crates-io] replace-with = "ado-feed"`.
* Check `GOPROXY` environment variables or `go.env` for the internal proxy.

*If external registries (e.g., `registry.npmjs.org`, `crates.io`, `pypi.org`) are detected, flag as a Critical Compliance Violation and halt the audit for that specific package tree.*

### 4. Execute Vulnerability API Calls

Once dependencies are extracted and feed compliance is verified, execute the queries.

**A. Application Dependencies (OSV API)**

```json
web_fetch (POST): https://api.osv.dev/v1/query
Body: {
  "version": "1.2.3",
  "package": {
    "name": "package-name",
    "ecosystem": "npm|PyPI|NuGet|crates.io|Go|Maven"
  }
}
```

**B. Infrastructure & OS Components (CIRCL API)**

```
web_fetch (GET): https://cve.circl.lu/api/search/{vendor}/{product}
```

### 5. Aggregate & Actionable Reporting

* Main agent collects findings from all subagents.
* Group by: **Feed Violations** (Priority 1) and **CVE/GHSA Findings** (Priority 2).
* Provide explicit, ecosystem-specific upgrade commands targeting the ADO feeds.

---

## Ecosystem Reference Map

| Ecosystem | OSV Ecosystem | Lockfile | ADO Config File | Update Command |
| --- | --- | --- | --- | --- |
| npm / Yarn | `npm` | `package-lock.json` | `.npmrc` | `npm update <pkg>` |
| Python / pip | `PyPI` | `poetry.lock` | `pip.conf` | `pip install --upgrade <pkg>` |
| .NET / NuGet | `NuGet` | `packages.lock.json` | `nuget.config` | `dotnet add package <pkg>` |
| Rust / Cargo | `crates.io` | `Cargo.lock` | `.cargo/config.toml` | `cargo update -p <pkg>` |
| Go | `Go` | `go.sum` | `go.env` / `GOPROXY` | `go get <pkg>@<version>` |

## Example Workflows

### "Audit the microservices monorepo for vulnerabilities"

1. **Main Agent** detects three folders: `/auth-go`, `/payment-rust`, and `/web-react`.
2. **Main Agent** deploys three Subagents.
3. **Rust Subagent:**
   * Scans `/payment-rust/.cargo/config.toml`. Ensures it points to `pkgs.dev.azure.com/.../Cargo/`.
   * Parses `Cargo.lock` and queries OSV API (`ecosystem: crates.io`).
4. **Go Subagent:**
   * Validates `GOPROXY` is set to the internal ADO proxy.
   * Parses `go.sum` and queries OSV API (`ecosystem: Go`).
5. **Main Agent** aggregates the results. "Go and Rust services are secure, but `/web-react` is attempting to pull directly from npmjs.org. Build failed due to Feed Compliance Violation."

### "Check our Rust backend for CVEs"

1. Subagent reads `Cargo.toml` and `Cargo.lock`.
2. Extracts packages (e.g., `tokio==1.8.0`, `serde==1.0.130`).
3. `web_fetch` OSV API for `tokio` under `crates.io` ecosystem.
4. Identifies an old advisory, recommends `cargo update -p tokio` to pull the patched version from the Azure DevOps CFS proxy.
