app-store-optimization/skills/production-code-audit/SKILL.md

---
name: production-code-audit
description: "Systematically audit codebase for production readiness covering architecture, security, performance, testing, and enterprise-level quality standards"
---

# Production Code Audit

## Overview

Conduct systematic codebase audits to ensure production-grade quality meeting enterprise standards. This skill provides a structured approach to evaluate code architecture, security, performance, testing coverage, and deployment readiness.

## When to Use This Skill

- Use when preparing codebase for production deployment
- Use when conducting enterprise-level quality audits
- Use when evaluating technical debt
- Use when performing pre-acquisition due diligence
- Use when transitioning from prototype to production
- Use when establishing quality baselines
- Use when ensuring corporate coding standards compliance

## How It Works

### Step 1: Architecture Review

Examine overall structure:
- Project organization and modularity
- Separation of concerns
- Design pattern usage
- Dependency management
- Circular dependency detection

### Step 2: Code Quality Analysis

Assess code maintainability:
- Function complexity (cyclomatic complexity < 10)
- Code duplication (DRY principle)
- Naming conventions consistency
- SOLID principles adherence
- Error handling patterns

### Step 3: Security Audit

Check for vulnerabilities:
- SQL injection risks
- XSS vulnerabilities
- Authentication/authorization issues
- Hardcoded secrets
- Input validation gaps
- OWASP Top 10 compliance

### Step 4: Performance Check

Identify bottlenecks:
- N+1 query problems
- Missing database indexes
- Inefficient algorithms
- Large bundle sizes
- Missing caching strategies

### Step 5: Testing Assessment

Evaluate test quality:
- Test coverage percentage
- Critical path testing
- Edge case coverage
- Flaky test identification
- CI/CD pipeline status

### Step 6: Production Readiness

Verify deployment preparedness:
- Environment configuration
- Logging and monitoring setup
- Error tracking integration
- Health check endpoints
- Documentation completeness

## Examples

### Example 1: Quick Audit Checklist

```markdown
## Production Readiness Audit

### Architecture (Grade: B+)
- ✅ Clean separation of concerns
- ✅ Proper dependency injection
- ❌ CRITICAL: Circular dependency in OrderService ↔ PaymentService
- ⚠️ HIGH: UserService has 35 methods (god class)

### Security (Grade: C)
- ❌ CRITICAL: SQL injection in UserRepository.findByEmail()
- ❌ CRITICAL: Hardcoded database password in config
- ❌ HIGH: Admin routes missing authentication
- ⚠️ MEDIUM: Weak password hashing (MD5)

### Performance (Grade: B-)
- ❌ HIGH: N+1 query in OrderService.getOrdersWithItems()
- ⚠️ MEDIUM: Missing Redis caching
- ⚠️ MEDIUM: Bundle size 850KB (target: <200KB)

### Testing (Grade: C+)
- ⚠️ Coverage: 42% (target: 80%+)
- ❌ Payment processing: 0% coverage
- ❌ Authentication: 35% coverage

### Recommendations:
1. Fix critical security issues (1 week)
2. Add authentication to admin routes (2 days)
3. Fix N+1 queries (3 days)
4. Increase test coverage (2 weeks)
```

### Example 2: Security Issue Report

```markdown
## Critical Security Issue

**Severity:** CRITICAL
**File:** `src/repositories/UserRepository.ts`
**Line:** 78

**Issue:** SQL Injection Vulnerability

**Vulnerable Code:**
\`\`\`typescript
// ❌ DANGEROUS
async findByEmail(email: string) {
  const query = \`SELECT * FROM users WHERE email = '\${email}'\`;
  return await this.db.query(query);
}
\`\`\`

**Fix:**
\`\`\`typescript
// ✅ SAFE
async findByEmail(email: string) {
  const query = 'SELECT * FROM users WHERE email = $1';
  return await this.db.query(query, [email]);
}
\`\`\`

**Impact:** Database compromise, data breach
**Priority:** Fix immediately before production
```

### Example 3: Performance Optimization

```markdown
## Performance Issue

**File:** `src/services/DashboardService.ts`
**Impact:** 3.2s response time (target: <200ms)

**Problem:**
\`\`\`typescript
// ❌ Sequential queries (3.2s)
async getDashboard(userId: string) {
  const user = await db.user.findUnique({ where: { id: userId } }); // 200ms
  const orders = await db.order.findMany({ where: { userId } }); // 800ms
  const products = await db.product.findMany({ where: { userId } }); // 1200ms
  return { user, orders, products };
}
\`\`\`

**Solution:**
\`\`\`typescript
// ✅ Parallel queries (1.2s - 62% faster)
async getDashboard(userId: string) {
  const [user, orders, products] = await Promise.all([
    db.user.findUnique({ where: { id: userId } }),
    db.order.findMany({ where: { userId } }),
    db.product.findMany({ where: { userId } })
  ]);
  return { user, orders, products };
}
\`\`\`

**Result:** 3.2s → 1.2s (62% improvement)
```

## Best Practices

### ✅ Do This

- **Prioritize Issues** - Critical → High → Medium → Low
- **Provide Solutions** - Show how to fix, not just what's wrong
- **Measure Impact** - Quantify improvements with metrics
- **Grade Components** - Use A-F grades for clarity
- **Set Timelines** - Realistic estimates for fixes
- **Focus on Critical** - Security and data loss issues first
- **Document Findings** - Create clear audit reports
- **Verify Fixes** - Re-audit after changes

### ❌ Don't Do This

- **Don't Overwhelm** - Prioritize, don't dump 500 issues
- **Don't Be Vague** - Show specific code examples
- **Don't Skip Context** - Consider project stage and requirements
- **Don't Ignore Security** - Security issues are always critical
- **Don't Forget Testing** - Untested code isn't production-ready
- **Don't Skip Documentation** - Code without docs isn't maintainable

## Common Pitfalls

### Problem: Too Many Issues
**Symptoms:** Team paralyzed by 200+ issues
**Solution:** Focus on critical/high priority only, create sprints

### Problem: False Positives
**Symptoms:** Flagging non-issues
**Solution:** Understand context, verify manually, ask developers

### Problem: No Follow-Up
**Symptoms:** Audit report ignored
**Solution:** Create GitHub issues, assign owners, track in standups

## Production Audit Checklist

### Security
- [ ] No SQL injection vulnerabilities
- [ ] No hardcoded secrets
- [ ] Authentication on protected routes
- [ ] Authorization checks implemented
- [ ] Input validation on all endpoints
- [ ] Password hashing with bcrypt (10+ rounds)
- [ ] HTTPS enforced
- [ ] Dependencies have no vulnerabilities

### Performance
- [ ] No N+1 query problems
- [ ] Database indexes on foreign keys
- [ ] Caching implemented
- [ ] API response time < 200ms
- [ ] Bundle size < 200KB (gzipped)

### Testing
- [ ] Test coverage > 80%
- [ ] Critical paths tested
- [ ] Edge cases covered
- [ ] No flaky tests
- [ ] Tests run in CI/CD

### Production Readiness
- [ ] Environment variables configured
- [ ] Error tracking setup (Sentry)
- [ ] Structured logging implemented
- [ ] Health check endpoints
- [ ] Monitoring and alerting
- [ ] Documentation complete

## Audit Report Template

```markdown
# Production Audit Report

**Project:** [Name]
**Date:** [Date]
**Overall Grade:** [A-F]

## Executive Summary
[2-3 sentences on overall status]

**Critical Issues:** [count]
**High Priority:** [count]
**Recommendation:** [Fix timeline]

## Findings by Category

### Architecture (Grade: [A-F])
- Issue 1: [Description]
- Issue 2: [Description]

### Security (Grade: [A-F])
- Issue 1: [Description + Fix]
- Issue 2: [Description + Fix]

### Performance (Grade: [A-F])
- Issue 1: [Description + Fix]

### Testing (Grade: [A-F])
- Coverage: [%]
- Issues: [List]

## Priority Actions
1. [Critical issue] - [Timeline]
2. [High priority] - [Timeline]
3. [High priority] - [Timeline]

## Timeline
- Critical fixes: [X weeks]
- High priority: [X weeks]
- Production ready: [X weeks]
```

## Related Skills

- `@code-review-checklist` - Code review guidelines
- `@api-security-best-practices` - API security patterns
- `@web-performance-optimization` - Performance optimization
- `@systematic-debugging` - Debug production issues
- `@senior-architect` - Architecture patterns

## Additional Resources

- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
- [Google Engineering Practices](https://google.github.io/eng-practices/)
- [SonarQube Quality Gates](https://docs.sonarqube.org/latest/user-guide/quality-gates/)
- [Clean Code by Robert C. Martin](https://www.amazon.com/Clean-Code-Handbook-Software-Craftsmanship/dp/0132350882)

---

**Pro Tip:** Schedule regular audits (quarterly) to maintain code quality. Prevention is cheaper than fixing production bugs!