app-store-optimization/skills/production-code-audit/SKILL.md

name, description

name	description
production-code-audit	Systematically audit codebase for production readiness covering architecture, security, performance, testing, and enterprise-level quality standards

Production Code Audit

Overview

Conduct systematic codebase audits to ensure production-grade quality meeting enterprise standards. This skill provides a structured approach to evaluate code architecture, security, performance, testing coverage, and deployment readiness.

When to Use This Skill

• Use when preparing codebase for production deployment
• Use when conducting enterprise-level quality audits
• Use when evaluating technical debt
• Use when performing pre-acquisition due diligence
• Use when transitioning from prototype to production
• Use when establishing quality baselines
• Use when ensuring corporate coding standards compliance

How It Works

Step 1: Architecture Review

Examine overall structure:

• Project organization and modularity
• Separation of concerns
• Design pattern usage
• Dependency management
• Circular dependency detection

Step 2: Code Quality Analysis

Assess code maintainability:

• Function complexity (cyclomatic complexity < 10)
• Code duplication (DRY principle)
• Naming conventions consistency
• SOLID principles adherence
• Error handling patterns

Step 3: Security Audit

Check for vulnerabilities:

• SQL injection risks
• XSS vulnerabilities
• Authentication/authorization issues
• Hardcoded secrets
• Input validation gaps
• OWASP Top 10 compliance

Step 4: Performance Check

Identify bottlenecks:

• N+1 query problems
• Missing database indexes
• Inefficient algorithms
• Large bundle sizes
• Missing caching strategies

Step 5: Testing Assessment

Evaluate test quality:

• Test coverage percentage
• Critical path testing
• Edge case coverage
• Flaky test identification
• CI/CD pipeline status

Step 6: Production Readiness

Verify deployment preparedness:

• Environment configuration
• Logging and monitoring setup
• Error tracking integration
• Health check endpoints
• Documentation completeness

Examples

Example 1: Quick Audit Checklist

## Production Readiness Audit

### Architecture (Grade: B+)
- ✅ Clean separation of concerns
- ✅ Proper dependency injection
- ❌ CRITICAL: Circular dependency in OrderService ↔ PaymentService
- ⚠️ HIGH: UserService has 35 methods (god class)

### Security (Grade: C)
- ❌ CRITICAL: SQL injection in UserRepository.findByEmail()
- ❌ CRITICAL: Hardcoded database password in config
- ❌ HIGH: Admin routes missing authentication
- ⚠️ MEDIUM: Weak password hashing (MD5)

### Performance (Grade: B-)
- ❌ HIGH: N+1 query in OrderService.getOrdersWithItems()
- ⚠️ MEDIUM: Missing Redis caching
- ⚠️ MEDIUM: Bundle size 850KB (target: <200KB)

### Testing (Grade: C+)
- ⚠️ Coverage: 42% (target: 80%+)
- ❌ Payment processing: 0% coverage
- ❌ Authentication: 35% coverage

### Recommendations:
1. Fix critical security issues (1 week)
2. Add authentication to admin routes (2 days)
3. Fix N+1 queries (3 days)
4. Increase test coverage (2 weeks)

Example 2: Security Issue Report

## Critical Security Issue

**Severity:** CRITICAL
**File:** `src/repositories/UserRepository.ts`
**Line:** 78

**Issue:** SQL Injection Vulnerability

**Vulnerable Code:**
\`\`\`typescript
// ❌ DANGEROUS
async findByEmail(email: string) {
  const query = \`SELECT * FROM users WHERE email = '\${email}'\`;
  return await this.db.query(query);
}
\`\`\`

**Fix:**
\`\`\`typescript
// ✅ SAFE
async findByEmail(email: string) {
  const query = 'SELECT * FROM users WHERE email = $1';
  return await this.db.query(query, [email]);
}
\`\`\`

**Impact:** Database compromise, data breach
**Priority:** Fix immediately before production

Example 3: Performance Optimization

## Performance Issue

**File:** `src/services/DashboardService.ts`
**Impact:** 3.2s response time (target: <200ms)

**Problem:**
\`\`\`typescript
// ❌ Sequential queries (3.2s)
async getDashboard(userId: string) {
  const user = await db.user.findUnique({ where: { id: userId } }); // 200ms
  const orders = await db.order.findMany({ where: { userId } }); // 800ms
  const products = await db.product.findMany({ where: { userId } }); // 1200ms
  return { user, orders, products };
}
\`\`\`

**Solution:**
\`\`\`typescript
// ✅ Parallel queries (1.2s - 62% faster)
async getDashboard(userId: string) {
  const [user, orders, products] = await Promise.all([
    db.user.findUnique({ where: { id: userId } }),
    db.order.findMany({ where: { userId } }),
    db.product.findMany({ where: { userId } })
  ]);
  return { user, orders, products };
}
\`\`\`

**Result:** 3.2s → 1.2s (62% improvement)

Best Practices

✅ Do This

• Prioritize Issues - Critical → High → Medium → Low
• Provide Solutions - Show how to fix, not just what's wrong
• Measure Impact - Quantify improvements with metrics
• Grade Components - Use A-F grades for clarity
• Set Timelines - Realistic estimates for fixes
• Focus on Critical - Security and data loss issues first
• Document Findings - Create clear audit reports
• Verify Fixes - Re-audit after changes

❌ Don't Do This

• Don't Overwhelm - Prioritize, don't dump 500 issues
• Don't Be Vague - Show specific code examples
• Don't Skip Context - Consider project stage and requirements
• Don't Ignore Security - Security issues are always critical
• Don't Forget Testing - Untested code isn't production-ready
• Don't Skip Documentation - Code without docs isn't maintainable

Common Pitfalls

Problem: Too Many Issues

Symptoms: Team paralyzed by 200+ issues Solution: Focus on critical/high priority only, create sprints

Problem: False Positives

Symptoms: Flagging non-issues Solution: Understand context, verify manually, ask developers

Problem: No Follow-Up

Symptoms: Audit report ignored Solution: Create GitHub issues, assign owners, track in standups

Production Audit Checklist

Security

• No SQL injection vulnerabilities
• No hardcoded secrets
• Authentication on protected routes
• Authorization checks implemented
• Input validation on all endpoints
• Password hashing with bcrypt (10+ rounds)
• HTTPS enforced
• Dependencies have no vulnerabilities

Performance

• No N+1 query problems
• Database indexes on foreign keys
• Caching implemented
• API response time < 200ms
• Bundle size < 200KB (gzipped)

Testing

• Test coverage > 80%
• Critical paths tested
• Edge cases covered
• No flaky tests
• Tests run in CI/CD

Production Readiness

• Environment variables configured
• Error tracking setup (Sentry)
• Structured logging implemented
• Health check endpoints
• Monitoring and alerting
• Documentation complete

Audit Report Template

# Production Audit Report

**Project:** [Name]
**Date:** [Date]
**Overall Grade:** [A-F]

## Executive Summary
[2-3 sentences on overall status]

**Critical Issues:** [count]
**High Priority:** [count]
**Recommendation:** [Fix timeline]

## Findings by Category

### Architecture (Grade: [A-F])
- Issue 1: [Description]
- Issue 2: [Description]

### Security (Grade: [A-F])
- Issue 1: [Description + Fix]
- Issue 2: [Description + Fix]

### Performance (Grade: [A-F])
- Issue 1: [Description + Fix]

### Testing (Grade: [A-F])
- Coverage: [%]
- Issues: [List]

## Priority Actions
1. [Critical issue] - [Timeline]
2. [High priority] - [Timeline]
3. [High priority] - [Timeline]

## Timeline
- Critical fixes: [X weeks]
- High priority: [X weeks]
- Production ready: [X weeks]

Related Skills

• @code-review-checklist - Code review guidelines
• @api-security-best-practices - API security patterns
• @web-performance-optimization - Performance optimization
• @systematic-debugging - Debug production issues
• @senior-architect - Architecture patterns

Additional Resources

• OWASP Top 10
• Google Engineering Practices
• SonarQube Quality Gates
• Clean Code by Robert C. Martin

---

Pro Tip: Schedule regular audits (quarterly) to maintain code quality. Prevention is cheaper than fixing production bugs!