Production Code Audit Skill
Overview
This skill enables the agent to autonomously analyze the Sherwood codebase (Golang backend, React/TS frontend) to identify architectural flaws, security vulnerabilities, performance bottlenecks, and code quality issues. The goal is to elevate the codebase from a functional prototype to a robust, enterprise-grade production system.
When to Use This Skill
- •When the user asks to "audit the codebase".
- •When preparing for a major release or deployment.
- •When the user asks to "make this production-ready".
- •When identifying technical debt or refactoring opportunities.
- •When ensuring compliance with security and performance standards.
The Process
Phase 1: Autonomous Discovery
- •Map the Codebase:
- •Use
find_by_nameandlist_dirto understand the project structure. - •Identify key directories:
backend/,frontend/,docs/,.github/workflows/.
- •Use
- •Analyze Dependencies:
- •Review
go.modfor backend dependencies. - •Review
package.jsonfor frontend dependencies.
- •Review
- •Understand Architecture:
- •Read
docs/DESIGN.mdto understand the intended architecture. - •Trace the flow of data from API endpoints to database queries.
- •Read
Phase 2: Comprehensive Audit
1. Architecture & Design
- •Separation of Concerns: Ensure business logic is decoupled from API handlers and database access.
- •Circular Dependencies: Identify and flag any circular imports in Go packages.
- •God Objects: Detect large files (>500 lines) or structs with too many responsibilities.
- •Configuration: Verify that no configuration is hardcoded; use environment variables or config files.
2. Security
- •Secret Management: Scan for hardcoded API keys, passwords, or tokens.
- •Input Validation: Check for missing validation on API request structs (using
go-playground/validator). - •SQL Injection: Ensure all database queries use parameterized statements (
sqlx,gorm, or standarddatabase/sqlplaceholders). - •Authentication/Authorization: Verify that sensitive endpoints are protected by middleware.
- •CORS: Check for overly permissive CORS policies in the backend.
3. Performance
- •Database Queries: Identify N+1 query problems and missing indexes on foreign keys.
- •Concurrency: Check for proper usage of Goroutines and Channels; avoid race conditions.
- •Frontend Optimization: Look for large bundle sizes, unoptimized images, and excessive re-renders in React components.
- •Caching: Identify opportunities for caching frequently accessed data (e.g., Redis or in-memory).
4. Code Quality & Standards
- •Error Handling: Ensure all errors are explicitly checked and handled (no
_for errors). - •Logging: Verify that structured logging is used (e.g.,
zap,logrus) with appropriate levels. - •Comments: Check for Go-style docstrings on exported functions and types.
- •Linting: Run
golangci-lintor check for common linting errors. - •Testing:
- •verify test coverage is >80%.
- •check for the presence of integration tests.
- •identify flaky tests or tests with no assertions.
5. Production Readiness
- •CI/CD: Verify GitHub Actions workflows for testing, linting, and deployment.
- •Documentation: Ensure
README.md,DESIGN.md, and API docs are up-to-date. - •Health Checks: Check for the existence of
/healthor/statusendpoints. - •Graceful Shutdown: Ensure the application handles termination signals (SIGINT, SIGTERM) gracefully.
- •Dependabot: Verify
.github/dependabot.ymlexists and only includes packages relevant to the repo (e.g.,gomod,github-actions).
Phase 3: Reporting
- •Generate Report:
- •Create a new file in
docs/audits/audit_report_YYYY-MM-DD.md. - •Summarize findings by category (Critical, High, Medium, Low).
- •Provide specific file paths and line numbers for issues.
- •Create a new file in
- •Action Plan:
- •Propose a prioritized list of remediation steps.
- •Estimate the effort required for each fix.
Phase 4: Remediation (Interactive)
- •Ask the user which issues they would like to address immediately.
- •Use
replace_file_contentormulti_replace_file_contentto apply fixes. - •Verification: Run tests after fixes to ensure no regressions.
Production Audit Checklist
Security
- • No hardcoded secrets (API keys, DB creds) in code.
- • Input validation applied to all public API endpoints.
- • Parameterized SQL queries used everywhere.
- • CORS configured correctly (allow specific origins).
- • HTTPS enforcement (headers, config).
Performance
- • Database indexes on all foreign keys and frequently queried columns.
- • No obvious N+1 query patterns in loops.
- • React components utilize
useMemoanduseCallbackappropriately. - • Static assets are optimized/compressed.
Code Quality
- •
gofmtapplied to all Go files. - • No ignored errors (
_assignments for error returns). - • Exported functions have comments.
- • Test coverage is adequate (>80%).
- • No "magic numbers" or hardcoded strings; use constants.
reliability
- • Structured logging implemented.
- • Graceful shutdown logic in place.
- • Health check endpoint exists.
- • CI/CD pipeline runs tests on every push.
- • Dependabot configured accurately for active ecosystems (no unused checks).
Example Usage
User: "Run a production audit on the backend."
Agent:
- •Scans
backend/directory. - •Checks
go.modand validation logic. - •Identifies missing error checks in
backend/api/handlers.go. - •Flags a potential N+1 query in
backend/services/order_service.go. - •Creates
docs/audits/audit_report_2023-10-27.mdwith findings. - •Asks user: "I found 3 critical issues. Should I fix the missing error checks first?"