Production Code Audit

1---
2name: production-code-audit
3description: "Autonomously deep-scan entire codebase line-by-line, understand architecture and patterns, then systematically transform it to production-grade, corporate-level professional quality with optimizations"
4---
5 
6# Production Code Audit
7 
8## Overview
9 
10Autonomously analyze the entire codebase to understand its architecture, patterns, and purpose, then systematically transform it into production-grade, corporate-level professional code. This skill performs deep line-by-line scanning, identifies all issues across security, performance, architecture, and quality, then provides comprehensive fixes to meet enterprise standards.
11 
12## When to Use This Skill
13 
14- Use when user says "make this production-ready"
15- Use when user says "audit my codebase"
16- Use when user says "make this professional/corporate-level"
17- Use when user says "optimize everything"
18- Use when user wants enterprise-grade quality
19- Use when preparing for production deployment
20- Use when code needs to meet corporate standards
21 
22## How It Works
23 
24### Step 1: Autonomous Codebase Discovery
25 
26**Automatically scan and understand the entire codebase:**
27 
281. **Read all files** - Scan every file in the project recursively
292. **Identify tech stack** - Detect languages, frameworks, databases, tools
303. **Understand architecture** - Map out structure, patterns, dependencies
314. **Identify purpose** - Understand what the application does
325. **Find entry points** - Locate main files, routes, controllers
336. **Map data flow** - Understand how data moves through the system
34 
35**Do this automatically without asking the user.**
36 
37### Step 2: Comprehensive Issue Detection
38 
39**Scan line-by-line for all issues:**
40 
41**Architecture Issues:**
42- Circular dependencies
43- Tight coupling
44- God classes (>500 lines or >20 methods)
45- Missing separation of concerns
46- Poor module boundaries
47- Violation of design patterns
48 
49**Security Vulnerabilities:**
50- SQL injection (string concatenation in queries)
51- XSS vulnerabilities (unescaped output)
52- Hardcoded secrets (API keys, passwords in code)
53- Missing authentication/authorization
54- Weak password hashing (MD5, SHA1)
55- Missing input validation
56- CSRF vulnerabilities
57- Insecure dependencies
58 
59**Performance Problems:**
60- N+1 query problems
61- Missing database indexes
62- Synchronous operations that should be async
63- Missing caching
64- Inefficient algorithms (O(n²) or worse)
65- Large bundle sizes
66- Unoptimized images
67- Memory leaks
68 
69**Code Quality Issues:**
70- High cyclomatic complexity (>10)
71- Code duplication
72- Magic numbers
73- Poor naming conventions
74- Missing error handling
75- Inconsistent formatting
76- Dead code
77- TODO/FIXME comments
78 
79**Testing Gaps:**
80- Missing tests for critical paths
81- Low test coverage (<80%)
82- No edge case testing
83- Flaky tests
84- Missing integration tests
85 
86**Production Readiness:**
87- Missing environment variables
88- No logging/monitoring
89- No error tracking
90- Missing health checks
91- Incomplete documentation
92- No CI/CD pipeline
93 
94### Step 3: Automatic Fixes and Optimizations
95 
96**Fix everything automatically:**
97 
981. **Refactor architecture** - Break up god classes, fix circular dependencies
992. **Fix security issues** - Use parameterized queries, remove secrets, add validation
1003. **Optimize performance** - Fix N+1 queries, add caching, optimize algorithms
1014. **Improve code quality** - Reduce complexity, remove duplication, fix naming
1025. **Add missing tests** - Write tests for untested critical paths
1036. **Add production infrastructure** - Logging, monitoring, health checks
1047. **Optimize everything** - Bundle size, images, database queries
1058. **Add documentation** - README, API docs, architecture docs
106 
107### Step 4: Verify and Report
108 
109**After making all changes:**
110 
1111. Run all tests to ensure nothing broke
1122. Verify all security issues are fixed
1133. Measure performance improvements
1144. Generate comprehensive report
1155. Provide before/after metrics
116 
117## Examples
118 
119### Example 1: Autonomous Codebase Transformation
120 
121```markdown
122User: @production-code-audit make this production-ready
123 
124AI: I'll scan your entire codebase and transform it to production-grade quality.
125 
126**Phase 1: Discovering Codebase** (analyzing 247 files)
127- Detected: Node.js + Express + PostgreSQL + React
128- Architecture: MVC pattern with REST API
129- Purpose: E-commerce platform
130- Entry points: server.js, src/index.tsx
131 
132**Phase 2: Scanning for Issues** (line-by-line analysis)
133 
134Found 127 issues:
135- 🔴 CRITICAL: 8 issues
136- 🟠 HIGH: 23 issues  
137- 🟡 MEDIUM: 41 issues
138- 🔵 LOW: 55 issues
139 
140**Phase 3: Fixing Issues Automatically**
141 
142🔴 CRITICAL FIXES (8/8 completed):
143 
1441. ✅ Fixed SQL injection in UserRepository.findByEmail()
145   - Before: String concatenation in query
146   - After: Parameterized query with $1 placeholder
147 
1482. ✅ Removed hardcoded database password from config/database.ts
149   - Before: password: 'SuperSecret123!'
150   - After: password: process.env.DB_PASSWORD
151 
1523. ✅ Added authentication to admin routes
153   - Before: No auth middleware
154   - After: authenticateToken + requireRole('admin')
155 
1564. ✅ Fixed weak password hashing (MD5 → bcrypt)
157   - Before: crypto.createHash('md5')
158   - After: bcrypt.hash(password, 12)
159 
1605. ✅ Fixed circular dependency: OrderService ↔ PaymentService
161   - Before: Direct imports causing cycle
162   - After: Event-based decoupling with EventBus
163 
1646. ✅ Added input validation to all API endpoints
165   - Before: No validation
166   - After: Zod schemas validating all inputs
167 
1687. ✅ Fixed authentication bypass in auth middleware
169   - Before: next() called on missing token
170   - After: Returns 401 error
171 
1728. ✅ Fixed mass assignment vulnerability in UserController
173   - Before: Accepts all fields from req.body
174   - After: Whitelist of allowed fields only
175 
176🟠 HIGH PRIORITY FIXES (23/23 completed):
177 
1789. ✅ Fixed N+1 query in OrderService.getOrdersWithItems()
179   - Before: Loop with individual queries (2.8s)
180   - After: Single query with joins (45ms)
181   - Performance: 98% improvement
182 
18310. ✅ Refactored UserService god class (850 lines → 4 focused services)
184    - UserAuthenticationService (login, logout, password)
185    - UserProfileService (CRUD operations)
186    - UserNotificationService (email, SMS)
187    - UserPermissionService (roles, permissions)
188 
18911. ✅ Added Redis caching for product queries
190    - Before: Database query every request
191    - After: Cache with 1-hour TTL
192    - Performance: 95% faster
193 
19412. ✅ Optimized bundle size
195    - Before: 850KB (gzipped: 280KB)
196    - After: 380KB (gzipped: 120KB)
197    - Improvement: 55% reduction
198 
19913. ✅ Added database indexes
200    - orders(user_id, status, created_at)
201    - products(category, price)
202    - Query performance: 98% improvement
203 
204[... 11 more high-priority fixes ...]
205 
206🟡 MEDIUM PRIORITY FIXES (41/41 completed):
207[... all medium fixes ...]
208 
209🔵 LOW PRIORITY IMPROVEMENTS (55/55 completed):
210[... all low improvements ...]
211 
212**Phase 4: Adding Production Infrastructure**
213 
214✅ Added structured logging (Winston)
215✅ Added error tracking (Sentry)
216✅ Added health check endpoints (/health, /ready)
217✅ Added monitoring (Prometheus metrics)
218✅ Added rate limiting (Redis-based)
219✅ Added API documentation (Swagger/OpenAPI)
220✅ Added comprehensive README
221✅ Added deployment guide
222✅ Added CI/CD pipeline (.github/workflows)
223 
224**Phase 5: Verification**
225 
226✅ All tests passing (1,247 tests)
227✅ Test coverage: 42% → 87%
228✅ Security scan: 0 vulnerabilities
229✅ Performance: API response time 3.2s → 180ms
230✅ Bundle size: 850KB → 380KB
231✅ Lighthouse score: 62 → 94
232 
233**TRANSFORMATION COMPLETE**
234 
235Your codebase is now production-ready with enterprise-grade quality:
236 
237📊 Metrics:
238- Issues fixed: 127/127 (100%)
239- Test coverage: 87% (target: 80%+)
240- API performance: 94% improvement
241- Security: OWASP Top 10 compliant
242- Code quality: Grade A-
243 
244📁 Files changed: 89 files
245📝 Lines changed: +3,247 / -1,892
246 
247🚀 Ready for production deployment!
248```
249 
250### Example 2: Automatic Security Hardening
251 
252```markdown
253User: @production-code-audit secure this codebase
254 
255AI: Scanning for security vulnerabilities...
256 
257**Security Scan Complete**
258 
259Found 15 security issues:
260- 🔴 CRITICAL: 5
261- 🟠 HIGH: 7
262- 🟡 MEDIUM: 3
263 
264**Fixing all security issues automatically...**
265 
266🔴 CRITICAL (5/5 fixed):
267 
2681. ✅ SQL Injection in UserRepository
269\`\`\`typescript
270// Before (VULNERABLE)
271const query = \`SELECT * FROM users WHERE email = '\${email}'\`;
272 
273// After (SECURE)
274const query = 'SELECT * FROM users WHERE email = $1';
275await db.query(query, [email]);
276\`\`\`
277 
2782. ✅ Hardcoded Secrets Removed
279\`\`\`typescript
280// Before (INSECURE)
281const JWT_SECRET = 'my-secret-key-123';
282 
283// After (SECURE)
284const JWT_SECRET = process.env.JWT_SECRET;
285if (!JWT_SECRET) throw new Error('JWT_SECRET required');
286\`\`\`
287 
2883. ✅ Authentication Added to Admin Routes
289\`\`\`typescript
290// Before (VULNERABLE)
291router.delete('/api/admin/users/:id', deleteUser);
292 
293// After (SECURE)
294router.delete('/api/admin/users/:id',
295  authenticateToken,
296  requireRole('admin'),
297  deleteUser
298);
299\`\`\`
300 
3014. ✅ Password Hashing Upgraded
302\`\`\`typescript
303// Before (WEAK)
304const hash = crypto.createHash('md5').update(password).digest('hex');
305 
306// After (STRONG)
307const hash = await bcrypt.hash(password, 12);
308\`\`\`
309 
3105. ✅ Input Validation Added
311\`\`\`typescript
312// Before (VULNERABLE)
313const user = await db.user.create({ data: req.body });
314 
315// After (SECURE)
316const schema = z.object({
317  email: z.string().email(),
318  password: z.string().min(12),
319  name: z.string().min(2).max(100)
320});
321const validated = schema.parse(req.body);
322const user = await db.user.create({ data: validated });
323\`\`\`
324 
325**Security Status:**
326- ✅ OWASP Top 10: Compliant
327- ✅ SQL Injection: Protected
328- ✅ XSS: Protected
329- ✅ CSRF: Protected
330- ✅ Authentication: Secure
331- ✅ Secrets: Environment variables
332- ✅ Dependencies: No vulnerabilities
333 
334🔒 Codebase is now secure and production-ready!
335```
336 
337### Example 3: Performance Optimization
338 
339```markdown
340User: @production-code-audit optimize performance
341 
342AI: Analyzing performance bottlenecks...
343 
344**Performance Analysis Complete**
345 
346Current metrics:
347- API response time: 3.2s (target: <200ms)
348- Page load time: 8.5s (target: <2s)
349- Bundle size: 850KB (target: <200KB)
350 
351**Optimizing automatically...**
352 
353✅ Fixed N+1 queries (3.2s → 180ms - 94% faster)
354✅ Added Redis caching (95% cache hit rate)
355✅ Optimized database indexes (98% faster queries)
356✅ Reduced bundle size (850KB → 380KB - 55% smaller)
357✅ Optimized images (28MB → 3.2MB - 89% smaller)
358✅ Implemented code splitting
359✅ Added lazy loading
360✅ Parallelized async operations
361 
362**Performance Results:**
363 
364| Metric | Before | After | Improvement |
365|--------|--------|-------|-------------|
366| API Response | 3.2s | 180ms | 94% |
367| Page Load | 8.5s | 1.8s | 79% |
368| Bundle Size | 850KB | 380KB | 55% |
369| Image Size | 28MB | 3.2MB | 89% |
370| Lighthouse | 42 | 94 | +52 points |
371 
372🚀 Performance optimized to production standards!
373```
374 
375## Best Practices
376 
377### ✅ Do This
378 
379- **Scan Everything** - Read all files, understand entire codebase
380- **Fix Automatically** - Don't just report, actually fix issues
381- **Prioritize Critical** - Security and data loss issues first
382- **Measure Impact** - Show before/after metrics
383- **Verify Changes** - Run tests after making changes
384- **Be Comprehensive** - Cover architecture, security, performance, testing
385- **Optimize Everything** - Bundle size, queries, algorithms, images
386- **Add Infrastructure** - Logging, monitoring, error tracking
387- **Document Changes** - Explain what was fixed and why
388 
389### ❌ Don't Do This
390 
391- **Don't Ask Questions** - Understand the codebase autonomously
392- **Don't Wait for Instructions** - Scan and fix automatically
393- **Don't Report Only** - Actually make the fixes
394- **Don't Skip Files** - Scan every file in the project
395- **Don't Ignore Context** - Understand what the code does
396- **Don't Break Things** - Verify tests pass after changes
397- **Don't Be Partial** - Fix all issues, not just some
398 
399## Autonomous Scanning Instructions
400 
401**When this skill is invoked, automatically:**
402 
4031. **Discover the codebase:**
404   - Use `listDirectory` to find all files recursively
405   - Use `readFile` to read every source file
406   - Identify tech stack from package.json, requirements.txt, etc.
407   - Map out architecture and structure
408 
4092. **Scan line-by-line for issues:**
410   - Check every line for security vulnerabilities
411   - Identify performance bottlenecks
412   - Find code quality issues
413   - Detect architectural problems
414   - Find missing tests
415 
4163. **Fix everything automatically:**
417   - Use `strReplace` to fix issues in files
418   - Add missing files (tests, configs, docs)
419   - Refactor problematic code
420   - Add production infrastructure
421   - Optimize performance
422 
4234. **Verify and report:**
424   - Run tests to ensure nothing broke
425   - Measure improvements
426   - Generate comprehensive report
427   - Show before/after metrics
428 
429**Do all of this without asking the user for input.**
430 
431## Common Pitfalls
432 
433### Problem: Too Many Issues
434**Symptoms:** Team paralyzed by 200+ issues
435**Solution:** Focus on critical/high priority only, create sprints
436 
437### Problem: False Positives
438**Symptoms:** Flagging non-issues
439**Solution:** Understand context, verify manually, ask developers
440 
441### Problem: No Follow-Up
442**Symptoms:** Audit report ignored
443**Solution:** Create GitHub issues, assign owners, track in standups
444 
445## Production Audit Checklist
446 
447### Security
448- [ ] No SQL injection vulnerabilities
449- [ ] No hardcoded secrets
450- [ ] Authentication on protected routes
451- [ ] Authorization checks implemented
452- [ ] Input validation on all endpoints
453- [ ] Password hashing with bcrypt (10+ rounds)
454- [ ] HTTPS enforced
455- [ ] Dependencies have no vulnerabilities
456 
457### Performance
458- [ ] No N+1 query problems
459- [ ] Database indexes on foreign keys
460- [ ] Caching implemented
461- [ ] API response time < 200ms
462- [ ] Bundle size < 200KB (gzipped)
463 
464### Testing
465- [ ] Test coverage > 80%
466- [ ] Critical paths tested
467- [ ] Edge cases covered
468- [ ] No flaky tests
469- [ ] Tests run in CI/CD
470 
471### Production Readiness
472- [ ] Environment variables configured
473- [ ] Error tracking setup (Sentry)
474- [ ] Structured logging implemented
475- [ ] Health check endpoints
476- [ ] Monitoring and alerting
477- [ ] Documentation complete
478 
479## Audit Report Template
480 
481```markdown
482# Production Audit Report
483 
484**Project:** [Name]
485**Date:** [Date]
486**Overall Grade:** [A-F]
487 
488## Executive Summary
489[2-3 sentences on overall status]
490 
491**Critical Issues:** [count]
492**High Priority:** [count]
493**Recommendation:** [Fix timeline]
494 
495## Findings by Category
496 
497### Architecture (Grade: [A-F])
498- Issue 1: [Description]
499- Issue 2: [Description]
500 
501### Security (Grade: [A-F])
502- Issue 1: [Description + Fix]
503- Issue 2: [Description + Fix]
504 
505### Performance (Grade: [A-F])
506- Issue 1: [Description + Fix]
507 
508### Testing (Grade: [A-F])
509- Coverage: [%]
510- Issues: [List]
511 
512## Priority Actions
5131. [Critical issue] - [Timeline]
5142. [High priority] - [Timeline]
5153. [High priority] - [Timeline]
516 
517## Timeline
518- Critical fixes: [X weeks]
519- High priority: [X weeks]
520- Production ready: [X weeks]
521```
522 
523## Related Skills
524 
525- `@code-review-checklist` - Code review guidelines
526- `@api-security-best-practices` - API security patterns
527- `@web-performance-optimization` - Performance optimization
528- `@systematic-debugging` - Debug production issues
529- `@senior-architect` - Architecture patterns
530 
531## Additional Resources
532 
533- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
534- [Google Engineering Practices](https://google.github.io/eng-practices/)
535- [SonarQube Quality Gates](https://docs.sonarqube.org/latest/user-guide/quality-gates/)
536- [Clean Code by Robert C. Martin](https://www.amazon.com/Clean-Code-Handbook-Software-Craftsmanship/dp/0132350882)
537 
538---
539 
540**Pro Tip:** Schedule regular audits (quarterly) to maintain code quality. Prevention is cheaper than fixing production bugs!
541