---
name: production-audit
description: "Audit a shipped repo for production-readiness gaps across RLS, webhooks, secrets, grants, Stripe idempotency, mobile UX, and deployment health."
category: security
risk: critical
source: community
source_repo: commitshow/production-audit
source_type: community
date_added: "2026-05-04"
author: commitshow
tags: [security, audit, production, vibe-coding, rls, webhook, stripe, supabase, mobile]
tools: [claude, cursor, gemini, codex, antigravity]
license: "MIT"
license_source: "https://github.com/commitshow/production-audit/blob/main/LICENSE"
---

# Production Audit

## Overview

A skill that runs an external audit on a shipped repo's deployed state — live URL, GitHub signals, secrets exposure, RLS gaps, webhook idempotency, indexes, observability, prompt injection, and ten other failure modes that AI-assisted projects routinely miss.

This is **complementary** to in-session security skills (`security-review`, OWASP-style, VibeSec, Trail of Bits). Those scan the editor buffer at write-time. This scans the deployed product after you commit. Different timing, different inputs, different findings. Run both for serious launches.

The skill wraps the [commit.show](https://commit.show) audit engine via the public CLI (`npx commitshow@0.3.23 audit . --json`). The JSON envelope is stable (`schema_version: "1"`, additive-only). It writes a `.commitshow/audit.{md,json}` sidecar so future agent sessions can read prior state without re-running the engine.

## When to Use This Skill

- Use when the user asks "is this production-ready", "what would break in prod", "score my project", "what did I miss", "audit my repo", "ready to ship".
- Use right after merging a feature branch to `main` (helpful as a pre-deploy gate).
- Use before a public launch / Show HN post / investor demo.
- Use when `git log` shows >20 commits since the last `.commitshow/audit.md` was written.

### Skip when

- During active in-session coding — use `security-review` / OWASP-style for line-level patterns. This skill is for post-merge / pre-ship review.
- For library / scaffold-form repos — the engine handles **app form** best; libraries get a partial-substitute score.
- If `.commitshow/audit.json` already exists and is < 1 hour old, read that instead of re-running. Audit is rate-limited (anonymous: 20/IP/day · 5/repo/day · 2000/day global).
- Inside a private / non-GitHub repo — the audit pulls public GitHub signals, so private repos return a `not_found` error.

## How It Works

### Step 1: Run the audit

From the repo root. The CLI is pinned to an exact reviewed version so future npm releases are not selected silently. Because `npx` downloads and runs npm package code locally with the current user's permissions, run it only after the user explicitly approves this external execution and only in a repository where local files and environment variables are safe for that process to access. The sidecar directory is created up-front, and stderr is split off so install/deprecation warnings can't corrupt the JSON envelope:

```bash
mkdir -p .commitshow
npx commitshow@0.3.23 audit . --json \
  > .commitshow/audit.json \
  2> .commitshow/audit.stderr.log
```

This also writes a human-readable `.commitshow/audit.md` next to it. Subsequent invocations should diff against the prior `audit.json` if it exists, so you can lead with "+5 since yesterday's audit" instead of just an absolute number.

If the user pointed at a remote URL instead of `.`, swap `.` for the URL — keep the same `mkdir -p` + version pin + stderr split:

```bash
mkdir -p .commitshow
npx commitshow@0.3.23 audit github.com/owner/repo --json \
  > .commitshow/audit.json \
  2> .commitshow/audit.stderr.log
```

### Step 2: Parse the envelope

The JSON envelope is stable (`schema_version: "1"`, additive-only). Read these fields:

| Field | Meaning |
|---|---|
| `score.total` | 0-100 production-readiness score |
| `score.delta_since_last` | change vs. parent snapshot · positive = improving |
| `score.band` | `strong` (80+) · `mid` (60-79) · `early` (<60) |
| `concerns[]` | top issues, ordered by impact · each has `axis` + `bullet` |
| `strengths[]` | top 3 things that work · for context only |
| `standing` | optional · only when the project is auditioning on commit.show |
| `snapshot.created_at` / `trigger_type` | when the audit ran |

Concerns are sorted by decision-impact, not severity. Position 1 is the bullet to lead with.

### Step 3: Surface to the user

Lead with score + trajectory in **one sentence**, then the top concerns. Do not dump the full JSON. Format:

```
Score: 82/100 (+5 since yesterday) · band: strong

Top concerns:
  ↓ [Security] No API rate limiting on /auth — IP cap missing
  ↓ [Infrastructure] webhook handler at api/stripe.ts — signature verified, but no
    idempotency-key check (replay attack window open)

Want me to fix the webhook idempotency gap first?
```

Rules:
- Use the exact bullet from `concerns[].bullet` — the audit engine already wrote action-oriented copy.
- Don't list strengths unless the user explicitly asks. They're not actionable in this context.
- Always end with a follow-up question that names a specific concern. Don't ask "what do you want to do?" — ask "fix X first?".
- If `score.delta_since_last` is negative or null, lead with the absolute score only.

### Step 4: If the user picks a concern, scope a fix

For the chosen concern:
1. Read the file(s) cited in the bullet.
2. Confirm the gap matches the description (the engine occasionally over-flags when the issue is mitigated elsewhere).
3. Propose a minimal patch — single-file when possible.
4. **Don't apply without explicit approval.** Show the diff first. The user is deciding what to ship; you're a lens.

After applying a fix, suggest re-running with `--refresh` (same canonical form as Step 1, so `audit.json` stays the source of truth for delta calculations):

```bash
mkdir -p .commitshow
npx commitshow@0.3.23 audit . --json --refresh \
  > .commitshow/audit.json \
  2> .commitshow/audit.stderr.log
```

## Examples

### Example 1: User asks "is this production-ready?"

```bash
mkdir -p .commitshow
npx commitshow@0.3.23 audit . --json \
  > .commitshow/audit.json \
  2> .commitshow/audit.stderr.log
```

Then surface:

```
Score: 67/100 · band: mid

Top concerns:
  ↓ [Security] members table uses column-level GRANT but paid_audits_credit
    column lacks SELECT grant — silent 42501 on every read
  ↓ [Infrastructure] stripe.checkout.sessions.create called without
    idempotencyKey — duplicate-charge surface

Want me to fix the column GRANT first? Single SQL line.
```

### Example 2: Cross-check a specific concern

User: "show me where the webhook idempotency gap is"

```bash
# Filter the saved envelope to the Infrastructure-axis concerns only
jq '.concerns[] | select(.axis == "Infrastructure")' .commitshow/audit.json
```

Find the file path in the bullet, read it, confirm the gap matches.

## Best Practices

- ✅ Always cite the exact bullet from `concerns[].bullet` — they're already action-oriented
- ✅ Lead with score + delta in a single sentence, then concerns
- ✅ End with a specific follow-up question naming a concern
- ✅ Read prior `.commitshow/audit.json` before re-running (within 1h)
- ✅ Use `--refresh` after the user merges a fix so the next audit reflects it
- ❌ Don't dump full JSON to the user
- ❌ Don't list strengths unless the user explicitly asks
- ❌ Don't apply fixes without approval — show diff first
- ❌ Don't treat a private repo's failed audit as the user's fault — explain why it fails and suggest making the repo public

## Limitations

- This skill does not replace environment-specific validation, testing, or expert review.
- The audit engine is calibrated for **deployed apps** with a live URL. CLI / library / scaffold form gets a partial-substitute score (max ~45/50 on the audit pillar) — fair but not flattering.
- Behind a corporate firewall blocking `*.supabase.co`, the API call fails. There is no offline mode — the audit relies on the public engine.
- Cold audit takes 60-90s. Cached audits (within 7 days) return instantly. `--refresh` force-bypasses cache (counts against rate limits).

## Security & Safety Notes

- The skill executes `npx commitshow@0.3.23 audit ...`, which downloads and runs that exact npm package version locally, then calls the public API at `https://api.commit.show` (proxied to Supabase Edge Functions). Do not replace the exact version with `latest` or a semver range during normal use.
- Treat the CLI as external code with local process privileges. It must not be run in repositories containing secrets or sensitive uncommitted files unless the user has explicitly accepted that risk. No credentials are intentionally sent to the API, but the local process can access files and environment variables available to the current user.
- The CLI writes `.commitshow/audit.{md,json}` in the current working directory. These files are safe to commit (no secrets) but conventionally gitignored as transient artifacts.
- The audit engine **only reads** public GitHub signals. It does not modify the user's repo or push commits.
- All per-finding fix proposals must be shown as diffs and approved by the user before any edit. Never apply without explicit confirmation.

## Common Pitfalls

- **Problem:** Audit returns `not_found` for a private repo
  **Solution:** The engine pulls public GitHub signals only. Either make the repo public or use `--no-network` for local-only deterministic checks.

- **Problem:** Rate limit hit (`429`)
  **Solution:** Wait until the next day (limits reset 00:00 UTC) or sign in at commit.show for higher per-repo caps.

- **Problem:** Score seems too low for a polished library / CLI
  **Solution:** The engine biases toward app form. CLI / library / scaffold gets a partial-substitute score capped around 45/50 on the audit pillar. This is an acknowledged calibration trade-off.

- **Problem:** `concerns[]` is empty after re-running
  **Solution:** The re-audit may have hit the cache. Use `--refresh` to force-bypass it.

## Related Skills

- `@security-review` — In-session line-level security patterns. Run alongside this skill, not in place of it.
- `@vibesec` — Editor-buffer security review for vibe-coded projects. Different lens.
- `@owasp-security` — OWASP Top 10 coverage during coding. Companion.
- `@trail-of-bits-skills` — CodeQL / Semgrep static analysis. Different layer.

## Additional Resources

- Canonical repo: <https://github.com/commitshow/production-audit>
- Audit engine source: <https://github.com/commitshow/commitshow/blob/main/supabase/functions/analyze-project/index.ts>
- 14-frame failure framework documented in the engine source above.
- JSON schema: stable at `schema_version: "1"` · additive-only changes.
- CLI: <https://github.com/commitshow/cli>
- Public REST API: `https://api.commit.show/audit?repo=...&format=json`
- skills.sh listing: <https://skills.sh/commitshow/production-audit>

## Listing Metadata

- Imported from <https://github.com/sickn33/antigravity-awesome-skills> (listing author: SkillOPIC)
- Listed under module "Coding" (code generation, debugging, review) · category "Code Review" (code quality analysis, security review)
- Package: `production-audit.zip`, version 1.0.0, 4727 bytes, containing `SKILL.md` (10930 bytes)
- Stars: 225 · Runs: 402 · Created: 2026-05-16 13:35:09