techdebt

---
name: techdebt
description: "Technical debt detection and remediation. Run at session end to find duplicated code, dead imports, security issues, and complexity hotspots. Triggers: 'find tech debt', 'scan for issues', 'check code quality', 'wrap up session', 'ready to commit', 'before merge', 'code review prep'. Always uses parallel subagents for fast analysis."
---

# Tech Debt Scanner

Automated technical debt detection using parallel subagents. Designed to run at session end to catch issues while context is fresh.

## Quick Start

```bash
# Session end - scan changes since last commit (default)
/techdebt

# Deep scan - analyze entire codebase
/techdebt --deep

# Specific categories
/techdebt --duplicates    # Only duplication
/techdebt --security      # Only security issues
/techdebt --complexity    # Only complexity hotspots
/techdebt --deadcode      # Only dead code

# Auto-fix mode (interactive)
/techdebt --fix
```

## Architecture

**Always uses parallel subagents** for fast analysis:

```
Main Agent (orchestrator)
    │
    ├─> Subagent 1: Duplication Scanner
    ├─> Subagent 2: Security Scanner
    ├─> Subagent 3: Complexity Scanner
    └─> Subagent 4: Dead Code Scanner

    ↓ All run in parallel (2-15s depending on scope)

Main Agent: Consolidate findings → Rank by severity → Generate report
```

**Benefits:**
- 🚀 Parallel execution - all scans run simultaneously
- 🧹 Clean main context - no pollution from analysis work
- 💪 Scalable - handles large codebases efficiently
- 🎯 Fast - even small diffs benefit from parallelization

## Workflow

### Step 1: Determine Scope

**Default (no flags):**
- Scan files changed since last commit: `git diff --name-only HEAD`
- Fast session-end workflow (~2-3 seconds)
- Perfect for "wrap up" scenarios

**Deep scan (`--deep` flag):**
- Scan entire codebase
- Comprehensive analysis (~10-15 seconds for medium projects)
- Use when refactoring or preparing major releases

**Specific category (e.g., `--duplicates`):**
- Run only specified scanner
- Fastest option for targeted analysis

### Step 2: Spawn Parallel Subagents

Launch 4 subagents simultaneously (or subset if category specified):

**Subagent 1: Duplication Scanner**
- Task: Find duplicated code blocks using AST similarity
- Tools: `ast-grep`, structural search, token analysis
- Output: List of duplicate code blocks with similarity scores

**Subagent 2: Security Scanner**
- Task: Detect security vulnerabilities and anti-patterns
- Checks: Hardcoded secrets, SQL injection, XSS, insecure crypto
- Output: Security findings with severity and remediation guidance

**Subagent 3: Complexity Scanner**
- Task: Identify overly complex functions and methods
- Metrics: Cyclomatic complexity, nested depth, function length
- Output: Complexity hotspots with refactoring suggestions

**Subagent 4: Dead Code Scanner**
- Task: Find unused imports, variables, and unreachable code
- Checks: Unused imports, dead branches, orphaned functions
- Output: Dead code list with safe removal instructions

**Subagent instructions template:**
```
Scan {scope} for {category} issues.

Scope: {file_list or "entire codebase"}
Language: {detected from file extensions}
Focus: {category-specific patterns}

Output format:
- File path + line number
- Issue description
- Severity (P0-P3)
- Suggested fix (if available)

Use appropriate tools:
- Duplication: ast-grep for structural similarity
- Security: pattern matching + known vulnerability patterns
- Complexity: cyclomatic complexity calculation
- Dead Code: static analysis for unused symbols
```

### Step 3: Consolidate Findings

Main agent collects results from all subagents and:

1. **Deduplicate** - Remove duplicate findings across categories
2. **Rank by severity:**
   - **P0 (Critical):** Security vulnerabilities, blocking issues
   - **P1 (High):** Major duplication, high complexity
   - **P2 (Medium):** Minor duplication, moderate complexity
   - **P3 (Low):** Dead code, style issues
3. **Group by file** - Organize findings by affected file
4. **Calculate debt score** - Overall technical debt metric

### Step 4: Generate Report

Create actionable report with:

```markdown
# Tech Debt Report

**Scope:** {X files changed | Entire codebase}
**Scan Time:** {duration}
**Debt Score:** {0-100, lower is better}

## Summary

| Category | Findings | P0 | P1 | P2 | P3 |
|----------|----------|----|----|----|----|
| Duplication | X | - | X | X | - |
| Security | X | X | - | - | - |
| Complexity | X | - | X | X | - |
| Dead Code | X | - | - | X | X |

## Critical Issues (P0)

### {file_path}:{line}
**Category:** {Security}
**Issue:** Hardcoded API key detected
**Impact:** Credential exposure risk
**Fix:** Move to environment variable

## High Priority (P1)

### {file_path}:{line}
**Category:** {Duplication}
**Issue:** 45-line block duplicated across 3 files
**Impact:** Maintenance burden, inconsistency risk
**Fix:** Extract to shared utility function

[... continue for all findings ...]

## Recommendations

1. Address all P0 issues before merge
2. Consider refactoring high-complexity functions
3. Remove dead code to reduce maintenance burden

## Auto-Fix Available

Run `/techdebt --fix` to interactively apply safe automated fixes.
```

### Step 5: Auto-Fix Mode (Optional)

If `--fix` flag provided:

1. **Identify safe fixes:**
   - Dead import removal (safe)
   - Simple duplication extraction (review required)
   - Formatting fixes (safe)

2. **Interactive prompts:**
   ```
   Fix: Remove unused import 'requests' from utils.py:5
   [Y]es / [N]o / [A]ll / [Q]uit
   ```

3. **Apply changes:**
   - Edit files with confirmed fixes
   - Show git diff of changes
   - Prompt for commit

**Safety rules:**
- Never auto-fix security issues (require manual review)
- Never auto-fix complexity (requires design decisions)
- Only auto-fix with explicit user confirmation

## Detection Patterns

### Duplication

**AST Similarity Detection:**
- Use `ast-grep` for structural pattern matching
- Detect code blocks with >80% structural similarity
- Ignore trivial differences (variable names, whitespace)

**Token-based Analysis:**
- Compare token sequences for exact duplicates
- Minimum threshold: 6 consecutive lines
- Group similar duplicates across files

**Thresholds:**
- P1: 30+ lines duplicated in 3+ locations
- P2: 15+ lines duplicated in 2+ locations
- P3: 6+ lines duplicated in 2 locations

### Security

**Pattern Detection:**

| Pattern | Severity | Example |
|---------|----------|---------|
| Hardcoded secrets | P0 | `API_KEY = "sk-..."` |
| SQL injection risk | P0 | `f"SELECT * FROM users WHERE id={user_id}"` |
| Insecure crypto | P0 | `hashlib.md5()`, `random.random()` for tokens |
| Path traversal | P0 | `open(user_input)` without validation |
| XSS vulnerability | P0 | Unescaped user input in HTML |
| Eval/exec usage | P1 | `eval(user_input)` |
| Weak passwords | P2 | Hardcoded default passwords |

**Language-specific checks:**
- Python: `pickle` usage, `yaml.load()` without SafeLoader
- JavaScript: `eval()`, `innerHTML` with user data
- SQL: String concatenation in queries

### Complexity

**Metrics:**

| Metric | P1 Threshold | P2 Threshold |
|--------|--------------|--------------|
| Cyclomatic Complexity | >15 | >10 |
| Function Length | >100 lines | >50 lines |
| Nested Depth | >5 levels | >4 levels |
| Number of Parameters | >7 | >5 |

**Refactoring suggestions:**
- Extract method for long functions
- Introduce parameter object for many parameters
- Simplify conditionals with guard clauses
- Break up deeply nested logic

### Dead Code

**Detection methods:**
- Unused imports (language-specific linters)
- Unreachable code (after return/break/continue)
- Unused variables (written but never read)
- Orphaned functions (never called in codebase)

**Safe removal criteria:**
- No external references found
- Not part of public API
- Not dynamically imported/called

## Language Support

**Tier 1 (Full support):**
- Python: `ast-grep`, `radon`, `pylint`
- JavaScript/TypeScript: `ast-grep`, `eslint`, `jscpd`
- Go: `gocyclo`, `golangci-lint`
- Rust: `clippy`, `cargo-audit`

**Tier 2 (Basic support):**
- Java, C#, Ruby, PHP: Pattern-based detection only

**Language detection:**
- Auto-detect from file extensions
- Use appropriate tools per language
- Fallback to universal patterns if specific tools unavailable

## Integration Patterns

### Session End Automation

Add to your workflow:

```markdown
## Session Wrap-Up Checklist

- [ ] Run `/techdebt` to scan changes
- [ ] Address any P0 issues found
- [ ] Create tasks for P1/P2 items
- [ ] Commit clean code
```

### Pre-Commit Hook

Create `.claude/hooks/pre-commit.sh`:

```bash
#!/bin/bash
# Auto-run tech debt scan before commits

echo "🔍 Scanning for tech debt..."
claude skill techdebt --quiet

if [ $? -eq 1 ]; then
  echo "❌ P0 issues detected. Fix before committing."
  exit 1
fi

echo "✅ No critical issues found"
```

### CI/CD Integration

Run deep scan on pull requests:

```yaml
# .github/workflows/techdebt.yml
name: Tech Debt Check
on: [pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Run tech debt scan
        run: claude skill techdebt --deep --ci
```

## Advanced Usage

### Baseline Tracking

Track debt over time:

```bash
# Initial baseline
/techdebt --deep --save-baseline

# Compare against baseline
/techdebt --compare-baseline
# Output: "Debt increased by 15% since baseline"
```

Baseline stored in `.claude/techdebt-baseline.json`:

```json
{
  "timestamp": "2026-02-03T10:00:00Z",
  "commit": "a28f0fb",
  "score": 42,
  "findings": {
    "duplication": 8,
    "security": 0,
    "complexity": 12,
    "deadcode": 5
  }
}
```

### Custom Patterns

Add project-specific patterns in `.claude/techdebt-rules.json`:

```json
{
  "security": [
    {
      "pattern": "TODO.*security",
      "severity": "P0",
      "message": "Security TODO must be resolved"
    }
  ],
  "complexity": {
    "cyclomatic_threshold": 12,
    "function_length_threshold": 80
  }
}
```

### Report Formats

```bash
/techdebt --format=json     # JSON output for tooling
/techdebt --format=markdown # Markdown report (default)
/techdebt --format=sarif    # SARIF for IDE integration
```

## Troubleshooting

**Issue: Scan times out**
- Solution: Use `--deep` only on smaller modules, or increase timeout
- Consider: Break large codebases into smaller scan chunks

**Issue: Too many false positives**
- Solution: Adjust thresholds in `.claude/techdebt-rules.json`
- Consider: Use `--ignore-patterns` flag to exclude test files

**Issue: Missing dependencies (ast-grep, etc.)**
- Solution: Install tools via `npm install -g @ast-grep/cli` or skip category
- Fallback: Pattern-based detection still works without specialized tools

## Best Practices

1. **Run at every session end** - Catch debt while context is fresh
2. **Address P0 immediately** - Don't commit critical issues
3. **Create tasks for P1/P2** - Track technical debt in backlog
4. **Use baselines for trends** - Monitor debt accumulation over time
5. **Automate in CI/CD** - Prevent debt from merging
6. **Educate team** - Share findings, discuss refactoring strategies

## References

See also:
- [Anthropic's Agent Skills](https://github.com/anthropics/skills) - Subagent patterns
- [references/patterns.md](references/patterns.md) - Language-specific debt patterns
- [references/severity-guide.md](references/severity-guide.md) - How to rank findings