AuditBuffet

Documentation

Everything you need to understand and use AuditBuffet audit prompts.

Getting Started

AuditBuffet is a library of adversarially-tested audit prompts for AI-built applications. Each audit prompt is designed to run inside your existing AI coding tool — Claude Code, Cursor, Bolt, Lovable, v0, or any other tool — without requiring any plugins or integrations.

The audit prompt instructs your AI tool to inspect your project and produce a structured JSON telemetry block. You paste that JSON into AuditBuffet to get scored results, category breakdowns, and percentile rankings against other projects.

Start with the Stack Scan, which takes about 30 seconds and requires no account. It detects your tech stack and gives an overview of your project without running full audit checks.

How to Run Audits

The process is the same across all tools: copy the prompt, paste it into your AI tool, wait for the JSON output, then submit it here.

Claude Code

Open your project in Claude Code. Navigate to the audit you want to run and copy the Full Format prompt. Paste it directly into the Claude Code chat window and press Enter. Claude Code has access to your full project context, so the prompt works without any additional setup. Wait for the JSON output, then copy it and paste it into the AuditBuffet submission form.

Cursor

Use the Full Format prompt in Cursor's Composer or Chat panel. Cursor has file context, so it will read your project files during the audit. The output JSON will appear in the chat; copy only the JSON block (between the triple backtick markers) and paste it into AuditBuffet.

Bolt / Lovable / v0

Use the Chunked Format prompt for these tools. The chunked format breaks the audit into smaller pieces that fit within the context and interface constraints of browser-based AI builders. Each chunk produces a partial JSON result; submit each chunk separately or combine them before submitting.

Windsurf / Aider / Copilot

Use the Full Format prompt in any editor-integrated AI tool that has access to your file system. These tools work the same as Cursor — paste the prompt, wait for output, copy the JSON block. If the tool truncates the output, switch to the Chunked Format.

Understanding Your Results

Results are broken down by audit category (Security, SEO, Accessibility, Performance, Code Quality, Best Practices). Each category shows a score from 0 to 100 and a letter grade.

Grade Scale

A: 90–100
B: 75–89
C: 60–74
D: 40–59
F: 0–39

Scores are calculated from check severity weights. Critical checks have a weight of 10, Warning checks have a weight of 3, and Info checks have a weight of 1. Your score is the percentage of total applicable weight that your project passed. A score of 80 means your project passed checks representing 80% of the total applicable weight in that category.

The overall project health score is a weighted average across all completed categories. It only displays once at least 50% of audit categories have been completed for your project.

Benchmark percentiles tell you how your score compares to other projects in the same segment. A percentile of 70 means your project scored higher than 70% of other projects with a similar tech stack running the same audit.

Telemetry & Privacy

AuditBuffet telemetry is designed to be safe to share publicly. The audit prompts include explicit instructions that prohibit including sensitive information in the output.

What the telemetry contains: check IDs, pass/fail/skip/error results, severity levels, failure detail messages (capped at 500 characters and sanitized), category scores, audit metadata, and tech stack information (framework names, language, deployment platform).

What the telemetry never contains: source code, file contents, environment variables, API keys, secrets, database connection strings, internal URLs, IP addresses, user data, or any personally identifiable information.
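A local check you can run on the JSON before pasting it, since the exclusions above depend on the AI tool following the prompt's instructions. This is an added example, not AuditBuffet code: the field names in the sample are hypothetical, the patterns are heuristics, and the 500-character cap is applied to every string value rather than only to failure details.

```python
import json
import re

# Heuristics for items the page says telemetry never contains.
PATTERNS = {
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "connection_string": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis|amqp)://\S+", re.I),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "env_assignment": re.compile(
        r"\b[A-Z][A-Z0-9_]*(?:KEY|SECRET|TOKEN|PASSWORD)\s*=\s*\S+"),
    "internal_url": re.compile(
        r"https?://(?:localhost|[\w.-]+\.(?:internal|local))\b\S*", re.I),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)*\.[A-Za-z]{2,}\b"),
}
MAX_LEN = 500  # the page's cap for failure detail messages

def walk(node, path="$"):
    """Yield (json_path, string_value) for every string in the document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def lint_telemetry(raw_json):
    """Return sorted (json_path, finding) pairs; an empty list means nothing flagged."""
    findings = set()
    for path, text in walk(json.loads(raw_json)):
        if len(text) > MAX_LEN:
            findings.add((path, "over_500_chars"))
        for name, pattern in PATTERNS.items():
            if pattern.search(text):
                findings.add((path, name))
    return sorted(findings)

# Constructed sample; field names are hypothetical, not AuditBuffet's schema.
SAMPLE = json.dumps({
    "stack": {"framework": "Next.js 14.2.3", "language": "TypeScript"},
    "checks": [
        {"id": "sec-001", "result": "pass", "severity": "critical"},
        {"id": "sec-002", "result": "fail", "severity": "critical",
         "detail": "DATABASE_PASSWORD=hunter2 used in postgres://app:hunter2@10.0.0.5/prod"},
        {"id": "sec-003", "result": "fail", "severity": "warning",
         "detail": "Session cookie is set without the Secure attribute"},
    ],
})
```

A non-empty result means a value needs redacting by hand before submission; an empty result only means none of these heuristics matched.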

Submissions can be made anonymously — no account is required. If you submit without an account, your submission is stored but not linked to any user profile. You will not be able to track it over time without an account.

Aggregate, anonymized submission data is used to calculate benchmark percentiles and generate the quarterly benchmark reports published on this site.

FAQ

Is my source code sent to AuditBuffet?

No. The telemetry JSON contains only check results, scores, and metadata. The audit prompt instructs your AI tool to never include source code, file contents, environment variables, API keys, or PII in the output.

Can I submit without creating an account?

Yes. The Stack Scan and all audit submissions can be made anonymously. Creating an account lets you track your project over time, see trend charts, and access benchmark comparisons.

How are scores calculated?

Each check has a severity (Critical, Warning, or Info) which maps to a weight (10, 3, or 1). Your category score is the sum of passing check weights divided by the sum of applicable check weights, multiplied by 100. Overall score is a weighted average across categories.
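The category formula above and in "Understanding Your Results", worked through as an added example (not AuditBuffet's own code). Assumptions: the check field names are hypothetical, an "error" result counts as applicable but not passed, and the grade is taken from the unrounded score; the page does not specify any of these.

```python
WEIGHTS = {"critical": 10, "warning": 3, "info": 1}  # severity weights from the page
GRADES = [(90, "A"), (75, "B"), (60, "C"), (40, "D"), (0, "F")]  # lower bounds


def category_score(checks):
    """Return (score, grade) for one category, or None if every check was skipped."""
    passed = applicable = 0
    for check in checks:
        weight = WEIGHTS[check["severity"]]
        result = check["result"]
        if result == "skip":
            continue  # N/A checks do not affect the score
        if result not in ("pass", "fail", "error"):
            raise ValueError(f"unknown result: {result!r}")
        applicable += weight  # assumption: "error" is applicable but not passed
        if result == "pass":
            passed += weight
    if applicable == 0:
        return None  # nothing applicable, so there is no percentage to report
    score = 100 * passed / applicable
    grade = next(letter for floor, letter in GRADES if score >= floor)
    return round(score, 1), grade


# Constructed sample: ten checks, two skipped, one Critical and one Warning failing.
SAMPLE_CHECKS = [
    {"severity": severity, "result": result}
    for severity, result in [
        ("critical", "pass"), ("critical", "fail"),
        ("warning", "pass"), ("warning", "pass"), ("warning", "fail"),
        ("info", "pass"), ("info", "pass"), ("info", "pass"),
        ("info", "skip"), ("critical", "skip"),
    ]
]
```

With this sample, 19 of 32 applicable weight passes, which is a D; fixing only the failed Critical check raises it to 29 of 32, an A, which shows how heavily Critical findings dominate a category score.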

What does N/A mean on a check?

N/A (skip) means the check does not apply to your project — for example, a mobile-responsiveness check on a CLI tool. N/A is determined programmatically by the audit prompt, not by user selection. Skipped checks don't affect your score.

How do benchmarks work?

Benchmarks compare your score against other projects in the same segment (based on tech stack and audit type). Percentiles use a 90-day rolling window and require a minimum of 30 scores per segment before displaying.

Are audit prompts free?

The Stack Scan prompt is always free with no account required. Individual audit prompts (Security, SEO, Accessibility, etc.) are available on the free tier. Audit Packs — bundles of related audits — require a subscription.


© 2026 AuditBuffet. All rights reserved.