ayrisdev/app-store-optimization
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Revise production code audit skill for clarity and depth

Browse Source 
Updated the production code audit skill to enhance its description and functionality, focusing on autonomous analysis and transformation of codebases to meet enterprise-grade quality standards.
This commit is contained in:
Mohammad Faiz
2026-01-23 21:00:06 +05:30
committed by GitHub
parent 33908288f1
commit 590ea1e5b3
1 changed files with 360 additions and 134 deletions
Download Patch File Download Diff File Expand all files Collapse all files

494
skills/production-code-audit/SKILL.md
View File

@@ -1,206 +1,432 @@
--- ---
name: production-code-audit name: production-code-audit
description: "Systematically audit codebase for production readiness covering architecture, security, performance, testing, and enterprise-level quality standards" description: "Autonomously deep-scan entire codebase line-by-line, understand architecture and patterns, then systematically transform it to production-grade, corporate-level professional quality with optimizations"
--- ---
# Production Code Audit # Production Code Audit
## Overview ## Overview
Conduct systematic codebase audits to ensure production-grade quality meeting enterprise standards. This skill provides a structured approach to evaluate code architecture, security, performance, testing coverage, and deployment readiness. Autonomously analyze the entire codebase to understand its architecture, patterns, and purpose, then systematically transform it into production-grade, corporate-level professional code. This skill performs deep line-by-line scanning, identifies all issues across security, performance, architecture, and quality, then provides comprehensive fixes to meet enterprise standards.
## When to Use This Skill ## When to Use This Skill
- Use when preparing codebase for production deployment - Use when user says "make this production-ready"
- Use when conducting enterprise-level quality audits - Use when user says "audit my codebase"
- Use when evaluating technical debt - Use when user says "make this professional/corporate-level"
- Use when performing pre-acquisition due diligence - Use when user says "optimize everything"
- Use when transitioning from prototype to production - Use when user wants enterprise-grade quality
- Use when establishing quality baselines - Use when preparing for production deployment
- Use when ensuring corporate coding standards compliance - Use when code needs to meet corporate standards
## How It Works ## How It Works
### Step 1: Architecture Review ### Step 1: Autonomous Codebase Discovery
Examine overall structure: **Automatically scan and understand the entire codebase:**
- Project organization and modularity
- Separation of concerns
- Design pattern usage
- Dependency management
- Circular dependency detection
### Step 2: Code Quality Analysis 1. **Read all files** - Scan every file in the project recursively
2. **Identify tech stack** - Detect languages, frameworks, databases, tools
3. **Understand architecture** - Map out structure, patterns, dependencies
4. **Identify purpose** - Understand what the application does
5. **Find entry points** - Locate main files, routes, controllers
6. **Map data flow** - Understand how data moves through the system
Assess code maintainability: **Do this automatically without asking the user.**
- Function complexity (cyclomatic complexity < 10)
- Code duplication (DRY principle)
- Naming conventions consistency
- SOLID principles adherence
- Error handling patterns
### Step 3: Security Audit ### Step 2: Comprehensive Issue Detection
Check for vulnerabilities: **Scan line-by-line for all issues:**
- SQL injection risks
- XSS vulnerabilities
- Authentication/authorization issues
- Hardcoded secrets
- Input validation gaps
- OWASP Top 10 compliance
### Step 4: Performance Check **Architecture Issues:**
- Circular dependencies
- Tight coupling
- God classes (>500 lines or >20 methods)
- Missing separation of concerns
- Poor module boundaries
- Violation of design patterns
Identify bottlenecks: **Security Vulnerabilities:**
- SQL injection (string concatenation in queries)
- XSS vulnerabilities (unescaped output)
- Hardcoded secrets (API keys, passwords in code)
- Missing authentication/authorization
- Weak password hashing (MD5, SHA1)
- Missing input validation
- CSRF vulnerabilities
- Insecure dependencies
**Performance Problems:**
- N+1 query problems - N+1 query problems
- Missing database indexes - Missing database indexes
- Inefficient algorithms - Synchronous operations that should be async
- Missing caching
- Inefficient algorithms (O(n²) or worse)
- Large bundle sizes - Large bundle sizes
- Missing caching strategies - Unoptimized images
- Memory leaks
### Step 5: Testing Assessment **Code Quality Issues:**
- High cyclomatic complexity (>10)
- Code duplication
- Magic numbers
- Poor naming conventions
- Missing error handling
- Inconsistent formatting
- Dead code
- TODO/FIXME comments
Evaluate test quality: **Testing Gaps:**
- Test coverage percentage - Missing tests for critical paths
- Critical path testing - Low test coverage (<80%)
- Edge case coverage - No edge case testing
- Flaky test identification - Flaky tests
- CI/CD pipeline status - Missing integration tests
### Step 6: Production Readiness **Production Readiness:**
- Missing environment variables
- No logging/monitoring
- No error tracking
- Missing health checks
- Incomplete documentation
- No CI/CD pipeline
Verify deployment preparedness: ### Step 3: Automatic Fixes and Optimizations
- Environment configuration
- Logging and monitoring setup **Fix everything automatically:**
- Error tracking integration
- Health check endpoints 1. **Refactor architecture** - Break up god classes, fix circular dependencies
- Documentation completeness 2. **Fix security issues** - Use parameterized queries, remove secrets, add validation
3. **Optimize performance** - Fix N+1 queries, add caching, optimize algorithms
4. **Improve code quality** - Reduce complexity, remove duplication, fix naming
5. **Add missing tests** - Write tests for untested critical paths
6. **Add production infrastructure** - Logging, monitoring, health checks
7. **Optimize everything** - Bundle size, images, database queries
8. **Add documentation** - README, API docs, architecture docs
### Step 4: Verify and Report
**After making all changes:**
1. Run all tests to ensure nothing broke
2. Verify all security issues are fixed
3. Measure performance improvements
4. Generate comprehensive report
5. Provide before/after metrics
## Examples ## Examples
### Example 1: Quick Audit Checklist ### Example 1: Autonomous Codebase Transformation
```markdown ```markdown
## Production Readiness Audit User: @production-code-audit make this production-ready
### Architecture (Grade: B+) AI: I'll scan your entire codebase and transform it to production-grade quality.
- ✅ Clean separation of concerns
- ✅ Proper dependency injection
- ❌ CRITICAL: Circular dependency in OrderService ↔ PaymentService
- ⚠️ HIGH: UserService has 35 methods (god class)
### Security (Grade: C) **Phase 1: Discovering Codebase** (analyzing 247 files)
- ❌ CRITICAL: SQL injection in UserRepository.findByEmail() - Detected: Node.js + Express + PostgreSQL + React
- ❌ CRITICAL: Hardcoded database password in config - Architecture: MVC pattern with REST API
- ❌ HIGH: Admin routes missing authentication - Purpose: E-commerce platform
- ⚠️ MEDIUM: Weak password hashing (MD5) - Entry points: server.js, src/index.tsx
### Performance (Grade: B-) **Phase 2: Scanning for Issues** (line-by-line analysis)
- ❌ HIGH: N+1 query in OrderService.getOrdersWithItems()
- ⚠️ MEDIUM: Missing Redis caching
- ⚠️ MEDIUM: Bundle size 850KB (target: <200KB)
### Testing (Grade: C+) Found 127 issues:
- ⚠️ Coverage: 42% (target: 80%+) - 🔴 CRITICAL: 8 issues
- ❌ Payment processing: 0% coverage - 🟠 HIGH: 23 issues
- ❌ Authentication: 35% coverage - 🟡 MEDIUM: 41 issues
- 🔵 LOW: 55 issues
### Recommendations: **Phase 3: Fixing Issues Automatically**
1. Fix critical security issues (1 week)
2. Add authentication to admin routes (2 days) 🔴 CRITICAL FIXES (8/8 completed):
3. Fix N+1 queries (3 days)
4. Increase test coverage (2 weeks) 1. ✅ Fixed SQL injection in UserRepository.findByEmail()
- Before: String concatenation in query
- After: Parameterized query with $1 placeholder
2. ✅ Removed hardcoded database password from config/database.ts
- Before: password: 'SuperSecret123!'
- After: password: process.env.DB_PASSWORD
3. ✅ Added authentication to admin routes
- Before: No auth middleware
- After: authenticateToken + requireRole('admin')
4. ✅ Fixed weak password hashing (MD5 → bcrypt)
- Before: crypto.createHash('md5')
- After: bcrypt.hash(password, 12)
5. ✅ Fixed circular dependency: OrderService ↔ PaymentService
- Before: Direct imports causing cycle
- After: Event-based decoupling with EventBus
6. ✅ Added input validation to all API endpoints
- Before: No validation
- After: Zod schemas validating all inputs
7. ✅ Fixed authentication bypass in auth middleware
- Before: next() called on missing token
- After: Returns 401 error
8. ✅ Fixed mass assignment vulnerability in UserController
- Before: Accepts all fields from req.body
- After: Whitelist of allowed fields only
🟠 HIGH PRIORITY FIXES (23/23 completed):
9. ✅ Fixed N+1 query in OrderService.getOrdersWithItems()
- Before: Loop with individual queries (2.8s)
- After: Single query with joins (45ms)
- Performance: 98% improvement
10. ✅ Refactored UserService god class (850 lines → 4 focused services)
- UserAuthenticationService (login, logout, password)
- UserProfileService (CRUD operations)
- UserNotificationService (email, SMS)
- UserPermissionService (roles, permissions)
11. ✅ Added Redis caching for product queries
- Before: Database query every request
- After: Cache with 1-hour TTL
- Performance: 95% faster
12. ✅ Optimized bundle size
- Before: 850KB (gzipped: 280KB)
- After: 380KB (gzipped: 120KB)
- Improvement: 55% reduction
13. ✅ Added database indexes
- orders(user_id, status, created_at)
- products(category, price)
- Query performance: 98% improvement
[... 11 more high-priority fixes ...]
🟡 MEDIUM PRIORITY FIXES (41/41 completed):
[... all medium fixes ...]
🔵 LOW PRIORITY IMPROVEMENTS (55/55 completed):
[... all low improvements ...]
**Phase 4: Adding Production Infrastructure**
✅ Added structured logging (Winston)
✅ Added error tracking (Sentry)
✅ Added health check endpoints (/health, /ready)
✅ Added monitoring (Prometheus metrics)
✅ Added rate limiting (Redis-based)
✅ Added API documentation (Swagger/OpenAPI)
✅ Added comprehensive README
✅ Added deployment guide
✅ Added CI/CD pipeline (.github/workflows)
**Phase 5: Verification**
✅ All tests passing (1,247 tests)
✅ Test coverage: 42% → 87%
✅ Security scan: 0 vulnerabilities
✅ Performance: API response time 3.2s → 180ms
✅ Bundle size: 850KB → 380KB
✅ Lighthouse score: 62 → 94
**TRANSFORMATION COMPLETE**
Your codebase is now production-ready with enterprise-grade quality:
📊 Metrics:
- Issues fixed: 127/127 (100%)
- Test coverage: 87% (target: 80%+)
- API performance: 94% improvement
- Security: OWASP Top 10 compliant
- Code quality: Grade A-
📁 Files changed: 89 files
📝 Lines changed: +3,247 / -1,892
🚀 Ready for production deployment!
``` ```
### Example 2: Security Issue Report ### Example 2: Automatic Security Hardening
```markdown ```markdown
## Critical Security Issue User: @production-code-audit secure this codebase
**Severity:** CRITICAL AI: Scanning for security vulnerabilities...
**File:** `src/repositories/UserRepository.ts`
**Line:** 78
**Issue:** SQL Injection Vulnerability **Security Scan Complete**
**Vulnerable Code:** Found 15 security issues:
- 🔴 CRITICAL: 5
- 🟠 HIGH: 7
- 🟡 MEDIUM: 3
**Fixing all security issues automatically...**
🔴 CRITICAL (5/5 fixed):
1. ✅ SQL Injection in UserRepository
\`\`\`typescript \`\`\`typescript
// ❌ DANGEROUS // Before (VULNERABLE)
async findByEmail(email: string) {
const query = \`SELECT * FROM users WHERE email = '\${email}'\`; const query = \`SELECT * FROM users WHERE email = '\${email}'\`;
return await this.db.query(query);
}
\`\`\`
**Fix:** // After (SECURE)
\`\`\`typescript
// ✅ SAFE
async findByEmail(email: string) {
const query = 'SELECT * FROM users WHERE email = $1'; const query = 'SELECT * FROM users WHERE email = $1';
return await this.db.query(query, [email]); await db.query(query, [email]);
}
\`\`\` \`\`\`
**Impact:** Database compromise, data breach 2. ✅ Hardcoded Secrets Removed
**Priority:** Fix immediately before production \`\`\`typescript
// Before (INSECURE)
const JWT_SECRET = 'my-secret-key-123';
// After (SECURE)
const JWT_SECRET = process.env.JWT_SECRET;
if (!JWT_SECRET) throw new Error('JWT_SECRET required');
\`\`\`
3. ✅ Authentication Added to Admin Routes
\`\`\`typescript
// Before (VULNERABLE)
router.delete('/api/admin/users/:id', deleteUser);
// After (SECURE)
router.delete('/api/admin/users/:id',
authenticateToken,
requireRole('admin'),
deleteUser
);
\`\`\`
4. ✅ Password Hashing Upgraded
\`\`\`typescript
// Before (WEAK)
const hash = crypto.createHash('md5').update(password).digest('hex');
// After (STRONG)
const hash = await bcrypt.hash(password, 12);
\`\`\`
5. ✅ Input Validation Added
\`\`\`typescript
// Before (VULNERABLE)
const user = await db.user.create({ data: req.body });
// After (SECURE)
const schema = z.object({
email: z.string().email(),
password: z.string().min(12),
name: z.string().min(2).max(100)
});
const validated = schema.parse(req.body);
const user = await db.user.create({ data: validated });
\`\`\`
**Security Status:**
- ✅ OWASP Top 10: Compliant
- ✅ SQL Injection: Protected
- ✅ XSS: Protected
- ✅ CSRF: Protected
- ✅ Authentication: Secure
- ✅ Secrets: Environment variables
- ✅ Dependencies: No vulnerabilities
🔒 Codebase is now secure and production-ready!
``` ```
### Example 3: Performance Optimization ### Example 3: Performance Optimization
```markdown ```markdown
## Performance Issue User: @production-code-audit optimize performance
**File:** `src/services/DashboardService.ts` AI: Analyzing performance bottlenecks...
**Impact:** 3.2s response time (target: <200ms)
**Problem:** **Performance Analysis Complete**
\`\`\`typescript
// ❌ Sequential queries (3.2s)
async getDashboard(userId: string) {
const user = await db.user.findUnique({ where: { id: userId } }); // 200ms
const orders = await db.order.findMany({ where: { userId } }); // 800ms
const products = await db.product.findMany({ where: { userId } }); // 1200ms
return { user, orders, products };
}
\`\`\`
**Solution:** Current metrics:
\`\`\`typescript - API response time: 3.2s (target: <200ms)
// ✅ Parallel queries (1.2s - 62% faster) - Page load time: 8.5s (target: <2s)
async getDashboard(userId: string) { - Bundle size: 850KB (target: <200KB)
const [user, orders, products] = await Promise.all([
db.user.findUnique({ where: { id: userId } }),
db.order.findMany({ where: { userId } }),
db.product.findMany({ where: { userId } })
]);
return { user, orders, products };
}
\`\`\`
**Result:** 3.2s → 1.2s (62% improvement) **Optimizing automatically...**
✅ Fixed N+1 queries (3.2s → 180ms - 94% faster)
✅ Added Redis caching (95% cache hit rate)
✅ Optimized database indexes (98% faster queries)
✅ Reduced bundle size (850KB → 380KB - 55% smaller)
✅ Optimized images (28MB → 3.2MB - 89% smaller)
✅ Implemented code splitting
✅ Added lazy loading
✅ Parallelized async operations
**Performance Results:**
| Metric | Before | After | Improvement |
|--------|--------|-------|-------------|
| API Response | 3.2s | 180ms | 94% |
| Page Load | 8.5s | 1.8s | 79% |
| Bundle Size | 850KB | 380KB | 55% |
| Image Size | 28MB | 3.2MB | 89% |
| Lighthouse | 42 | 94 | +52 points |
🚀 Performance optimized to production standards!
``` ```
## Best Practices ## Best Practices
### ✅ Do This ### ✅ Do This
- **Prioritize Issues** - Critical → High → Medium → Low - **Scan Everything** - Read all files, understand entire codebase
- **Provide Solutions** - Show how to fix, not just what's wrong - **Fix Automatically** - Don't just report, actually fix issues
- **Measure Impact** - Quantify improvements with metrics - **Prioritize Critical** - Security and data loss issues first
- **Grade Components** - Use A-F grades for clarity - **Measure Impact** - Show before/after metrics
- **Set Timelines** - Realistic estimates for fixes - **Verify Changes** - Run tests after making changes
- **Focus on Critical** - Security and data loss issues first - **Be Comprehensive** - Cover architecture, security, performance, testing
- **Document Findings** - Create clear audit reports - **Optimize Everything** - Bundle size, queries, algorithms, images
- **Verify Fixes** - Re-audit after changes - **Add Infrastructure** - Logging, monitoring, error tracking
- **Document Changes** - Explain what was fixed and why
### ❌ Don't Do This ### ❌ Don't Do This
- **Don't Overwhelm** - Prioritize, don't dump 500 issues - **Don't Ask Questions** - Understand the codebase autonomously
- **Don't Be Vague** - Show specific code examples - **Don't Wait for Instructions** - Scan and fix automatically
- **Don't Skip Context** - Consider project stage and requirements - **Don't Report Only** - Actually make the fixes
- **Don't Ignore Security** - Security issues are always critical - **Don't Skip Files** - Scan every file in the project
- **Don't Forget Testing** - Untested code isn't production-ready - **Don't Ignore Context** - Understand what the code does
- **Don't Skip Documentation** - Code without docs isn't maintainable - **Don't Break Things** - Verify tests pass after changes
- **Don't Be Partial** - Fix all issues, not just some
## Autonomous Scanning Instructions
**When this skill is invoked, automatically:**
1. **Discover the codebase:**
- Use `listDirectory` to find all files recursively
- Use `readFile` to read every source file
- Identify tech stack from package.json, requirements.txt, etc.
- Map out architecture and structure
2. **Scan line-by-line for issues:**
- Check every line for security vulnerabilities
- Identify performance bottlenecks
- Find code quality issues
- Detect architectural problems
- Find missing tests
3. **Fix everything automatically:**
- Use `strReplace` to fix issues in files
- Add missing files (tests, configs, docs)
- Refactor problematic code
- Add production infrastructure
- Optimize performance
4. **Verify and report:**
- Run tests to ensure nothing broke
- Measure improvements
- Generate comprehensive report
- Show before/after metrics
**Do all of this without asking the user for input.**
## Common Pitfalls ## Common Pitfalls