
acn-base-sdlc — Agents

Three agents ship in acn-base-sdlc. Agents are invoked via the Agent tool — either by Claude when the conversation matches the agent’s description, or by other skills as a delegation step (e.g., the review skill can hand off to code-reviewer).

code-reviewer

  • When invoked: proactively after code changes, or by another skill needing an independent review pass
  • Model: Sonnet
  • Tools: Read, Grep, Glob, Bash (no Write/Edit — read-only by design)
  • Workflow: git diff → review checklist (correctness, quality, security, testing, performance) → output graded by Critical / Warning / Suggestion with specific code-example fixes per issue

Source: plugins/acn-base-sdlc/agents/code-reviewer.md

debugger

  • When invoked: any error, test failure, or unexpected behavior
  • Model: Sonnet
  • Tools: Read, Edit, Bash, Grep, Glob
  • Workflow: gather (error message, stack trace, recent diff, repro steps) → form hypotheses → investigate (debug logging, value checks, execution trace) → minimal fix targeting root cause → verify (failing scenario + related tests + side-effect check)
  • Output: Root Cause / Location / Fix / Verification / Prevention

Source: plugins/acn-base-sdlc/agents/debugger.md

security-auditor

  • When invoked: security-sensitive code review or pre-release sweeps
  • Model: Sonnet
  • Tools: Read, Grep, Glob, Bash (read-only — no Write/Edit)
  • OWASP Top 10 (2021) coverage: A01 Broken Access Control, A02 Cryptographic Failures, A03 Injection, A04 Insecure Design, A05 Security Misconfiguration, A06 Vulnerable Components, A07 Auth Failures, A08 Data Integrity Failures, A09 Logging Failures, A10 SSRF
  • Output severity bands: Critical / High / Medium / Low / Best Practice — each finding tagged with location, OWASP category, remediation, and reference

Source: plugins/acn-base-sdlc/agents/security-auditor.md

Skills are workflow recipes Claude can invoke or auto-match. Agents are scoped sub-conversations with distinct tool grants and (often) distinct models. The code-reviewer and security-auditor are deliberately read-only — they cannot edit code, only flag issues. The debugger can edit because fixing is part of its mandate.
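The read-only split above is an invariant worth checking mechanically. The lint below is an added example, not part of acn-base-sdlc; it assumes each agent file opens with YAML-style frontmatter carrying `name:` and a comma-separated `tools:` line (the Claude Code subagent layout, where omitting `tools` inherits the parent's full tool set), and the agent files it parses are constructed for the demo.

```python
"""Lint agent frontmatter so review/audit agents never get mutating tools."""
import re

# Agents that must only flag issues, never change the tree (from the page).
READ_ONLY_AGENTS = {"code-reviewer", "security-auditor"}
# Tool names that can modify files; assumption: standard Claude Code tool names.
MUTATING_TOOLS = {"Write", "Edit", "MultiEdit", "NotebookEdit"}

FRONTMATTER = re.compile(r"\A---\n(.*?)\n---", re.S)


def parse_frontmatter(text):
    """Return frontmatter fields as {lowercase key: stripped value}."""
    m = FRONTMATTER.match(text)
    if not m:
        raise ValueError("missing frontmatter")
    fields = {}
    for line in m.group(1).splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def tool_grants(fields):
    """Split the comma-separated tools list into a set of tool names."""
    return {t.strip() for t in fields.get("tools", "").split(",") if t.strip()}


def check_agent(text):
    """Return violations for one agent definition; an empty list means it passes."""
    fields = parse_frontmatter(text)
    name = fields.get("name", "<unnamed>")
    tools = tool_grants(fields)
    problems = []
    if name in READ_ONLY_AGENTS:
        for tool in sorted(tools & MUTATING_TOOLS):
            problems.append(f"{name}: read-only agent granted mutating tool {tool}")
    if not tools:
        # No explicit grant means the agent inherits every tool the parent has.
        problems.append(f"{name}: no tools field, so it would inherit every tool")
    return problems


# Constructed sample definitions (not the plugin's real files).
GOOD_AUDITOR = "---\nname: security-auditor\nmodel: sonnet\ntools: Read, Grep, Glob, Bash\n---\n# body"
BAD_REVIEWER = "---\nname: code-reviewer\nmodel: sonnet\ntools: Read, Grep, Glob, Bash, Edit\n---\n# body"
DEBUGGER = "---\nname: debugger\nmodel: sonnet\ntools: Read, Edit, Bash, Grep, Glob\n---\n# body"

if __name__ == "__main__":
    for sample in (GOOD_AUDITOR, BAD_REVIEWER, DEBUGGER):
        print(check_agent(sample) or "ok")
```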