FBT Partner — Developer Reference

IDENTITY

Project name*Root path*Primary branchStack hint (optional)Project goal (optional)

DEPTH & TONE

Depth

Tone

Output format

LENSES (6/17)

DELIVERABLES (7/13)

SCOPE

Exclude globs (comma-separated)

QUALITY SCORE

72/ 100

Identity0/20

Coverage18/20

Depth14/20

Deliverables20/20

Hygiene20/20

Live preview6 lenses · 7 deliverables · 1.9k tokens

# PROJECT LENS — <project>

Respond with clear, professional output. Brief context is welcome; padding is not.

## 0 · Mission
Perform a **STANDARD** codebase reconnaissance of `<project>` across 6 lenses and produce the deliverables listed in §3.

## 1 · Scope
- Root: `.`
- Primary branch: `main`
- Include tests: yes
- Include docs: yes
- Include node_modules/vendor: no
- Exclude globs: `node_modules`, `.next`, `.turbo`, `dist`, `build`, `coverage`, `.git`

## 2 · Depth & budget
- **Rigor:** Read every entry point and every module index. Follow imports one hop deep when needed.
- **Timebox:** Target: 30-60 minutes of tool time. Balance coverage and depth.
- **File budget:** Read ~100-200 files. Use `grep` to locate, `read` to confirm.

## 3 · Deliverables (in this exact order)
1. **Executive summary** — 5-bullet summary for non-technical stakeholders.
2. **Annotated file tree** — Tree view (depth 3) with a 1-line role annotation per folder/file.
3. **Mermaid architecture diagram** — Component-level architecture as a mermaid graph TD.
4. **Tech stack table** — Markdown table: layer / tool / version / role / notes.
5. **Risk register** — Ordered list of risks with severity (S/M/L), likelihood, and fix cost.
6. **Top 10 findings** — The ten most important observations across every selected lens.
7. **Prioritized action plan** — Sequenced plan: now / next / later, with owners and effort.

## 4 · Lenses
### 1. Architecture Map — STRUCTURAL

**Focus:** Map the system into layers, bounded contexts, and component relationships.

**Instructions:**
- Identify the top-level layers (presentation / application / domain / infrastructure) or the closest equivalent.
- List every major module/package and the responsibility of each.
- Describe cross-layer dependencies and flag any cycles or layering violations.
- Identify the entry points (pages, jobs, CLIs, consumers) and trace the main request paths.

**Signals to look for:**
- folder structure at depth 1-3
- index/barrel files
- framework conventions (app/, src/, lib/, modules/, apps/, packages/)
- build config (tsconfig paths, nx/turbo workspaces, cargo workspaces, gradle modules)

**Default deliverables:** mermaid-architecture, layer-table, entry-point-list

### 2. Tech Stack Inventory — STRUCTURAL

**Focus:** Enumerate every language, framework, library, tool, and runtime in use — with versions.

**Instructions:**
- List every runtime, language, and framework.
- Read every manifest (package.json, pyproject.toml, Cargo.toml, go.mod, *.csproj, Gemfile, composer.json) and capture versions.
- Group dependencies by role (runtime / build / test / lint / infra).
- Flag any duplicated or conflicting versions across workspace packages.

**Signals to look for:**
- package.json + lockfile
- pyproject.toml / requirements*.txt
- Cargo.toml / Cargo.lock
- Dockerfile / compose.yaml base images
- .nvmrc / .tool-versions / .python-version

**Default deliverables:** tech-stack-table, version-drift-report

### 3. Feature Inventory — STRUCTURAL

**Focus:** Enumerate user-facing features, their entry points, and the modules that implement them.

**Instructions:**
- For each route / page / command, describe the feature it delivers in one sentence.
- Link each feature to the primary files that implement it (UI + API + domain).
- Tag each feature: shipped / behind-flag / WIP / deprecated (derive from code, flags, TODOs).

**Signals to look for:**
- route files (app/**/page.tsx, pages/**/*, router config)
- controller / handler files
- feature flag strings
- i18n keys grouped by feature

**Default deliverables:** feature-inventory-table, feature-to-file-map

### 4. Security Posture — QUALITY

**Focus:** Assess authN/Z, secret handling, input validation, and OWASP top-10 exposure.

**Instructions:**
- Map the auth model: identity source, session mechanism, token format, expiry, rotation.
- Check every endpoint against the auth posture matrix and flag IDOR risk.
- Grep for hard-coded secrets, .env leakage into client bundles, and secrets in git history.
- Review input validation coverage: which endpoints validate, which trust the client.
- Check cookie flags (httpOnly, Secure, SameSite), CORS config, CSP headers, CSRF protection.
- Flag direct SQL concatenation, unsanitized HTML rendering, open redirects, and SSRF surface.

**Signals to look for:**
- middleware / guards
- env access patterns
- cookie config
- fetch/axios/httpx call sites
- template rendering (dangerouslySetInnerHTML, v-html, Markup.escape)

**Default deliverables:** risk-register, security-findings-table

### 5. Performance Hotspots — QUALITY

**Focus:** Identify bundle bloat, slow queries, N+1s, unbounded loops, and cold-start issues.

**Instructions:**
- Estimate client bundle size drivers (large deps, barrel imports, duplicated deps).
- Scan for N+1 query patterns (loop over entities + .find/.query inside).
- Flag unbounded .map/.filter on potentially large lists rendered without virtualization.
- Identify missing caching layers (HTTP, in-memory, CDN, DB query cache).
- Note any Server Components / RSC / streaming opportunities if the stack supports it.

**Signals to look for:**
- import statements (wide vs. deep)
- loops around async calls
- database query sites
- React render lists without keys or virtualization
- cache-related config or absence thereof

**Default deliverables:** performance-findings-table, quick-wins-list

### 6. Accessibility Audit — QUALITY

**Focus:** Audit against WCAG 2.2 AA: keyboard, ARIA, focus, contrast, motion, forms.

**Instructions:**
- Grep for outline:none / outline:0 without a replacement focus ring (hard fail).
- Check that every interactive element has a keyboard handler and visible focus state.
- Validate form labeling (every input has a <label> or aria-labelledby).
- Check color contrast of theme tokens used for text (>= 4.5:1 normal, 3:1 large).
- Flag missing alt text on images, missing landmarks, heading-level jumps.
- Flag any onClick on non-button/non-link without role/tabIndex/keyboard handler.

**Signals to look for:**
- outline: none
- onClick on div/span
- <img> without alt
- <label> usage vs. input count
- theme color tokens

**Default deliverables:** a11y-findings-table, wcag-checklist

## 5 · Output contract
Output format: a single Markdown document, one top-level `# PROJECT LENS REPORT — <project>` heading, one `## <Deliverable>` heading per deliverable, in the order listed below.

## 6 · Standards
Operating standards while executing this analysis:
- NO-INVENT: do not fabricate file paths, symbols, or versions. If uncertain, say so.
- CITE-FILES: every claim that references project state must cite the file(s) and, when possible, line ranges.
- DECLARE-ASSUMPTIONS: list every assumption at the top of the report before presenting findings.
- READ-FIRST: complete reading before writing the report. Do not interleave exploration and conclusions.
- NO SIDE-EFFECTS: do not modify any file, do not run migrations, do not push branches.

## 7 · Exit criteria
Consider the analysis complete when:
- Every deliverable in §3 is present in the report.
- Every lens in §4 has at least one finding or an explicit "no findings" note.
- Every assumption made during analysis is listed under §0 of the final report.
- No deliverable contains placeholder text like TODO, TBD, or <fill in>.

Begin by listing the files you intend to read in the first pass, then proceed.