Production Audit
Run a local, evidence-based production-readiness pass on your repo or deploy URL before customers, demos, or investors hit real traffic.
Overview
Production Audit is an agent skill most often used in Ship (also Operate) that performs a local-evidence production readiness review without external repo uploads.
Install
npx skills add https://github.com/affaan-m/everything-claude-code --skill production-auditWhat is this skill?
- Local-evidence audit—no sending the repo to an external audit SaaS
- Explicit When Not to Use: active implementation line security → use security-review first
- Covers pre-deploy, post-merge, deployed URL, release branch, PR, or checkout evidence
- Engineering triage lens for “what breaks in prod?”—not formal compliance certification
- Maintainer-safe community rewrite: production-readiness framing without unpinned third-party execution
Adoption & trust: 1.2k installs on skills.sh; 210k GitHub stars; 2/3 security scanners passed (skills.sh audits).
What problem does it solve?
CI is green but you cannot list what will break in production, what is misconfigured, or what must be fixed before launch.
Who is it for?
Solo builders with a near-launch SaaS or API who can point the agent at a branch, PR, or deployed URL for a structured readiness pass.
Skip if: Pure libraries or docs-only repos unless packaging readiness is the goal, formal compliance audits, or mid-implementation secure coding (use security-review).
When should I use this skill?
User asks if the app is production-ready, what breaks in prod, what was missed, to audit the repo, or ready to ship—with branch, PR, or deployed URL evidence.
What do I get? / Deliverables
You get a production-readiness triage grounded in repo and deploy evidence—gaps, risks, and fix order—before you ship or demo.
- Production readiness findings and risk ordering
- Pre-launch / post-merge gap list
- Triage notes separating ship blockers from follow-ups
Recommended Skills
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
The skill answers “ready to ship?” and pre-launch risk—first encounter on the journey is Ship launch prep, not line-level coding. Launch subphase covers pre-deploy reviews, rollout timing, and gap analysis when CI is green but production still surprises you.
Where it fits
48 hours before public launch, scan release branch and staging URL for config and runtime risks CI does not cover.
Post-feature merge pass focused on prod exposure (secrets, auth, env) as part of release triage—not line-by-line new code.
After first prod incident, re-audit what observability and runbooks were missing from the initial ship gate.
Before a paid pilot, sanity-check whether the prototype deploy is demo-safe under real traffic assumptions.
How it compares
Use for holistic ship-readiness triage on your machine, not as a substitute for security-review during active implementation.
Common Questions / FAQ
Who is production-audit for?
Indie developers and small teams shipping web apps or APIs with Claude Code who want a launch checklist mindset without shipping source code to a third-party auditor.
When should I use production-audit?
Use it in Ship launch before customer rollout or investor demos, after merge for post-deploy risk, and in Operate when asking what production gaps remain on a live URL or release branch.
Is production-audit safe to install?
It is designed for local evidence gathering rather than external audit services; review the Security Audits panel on this page and limit secrets in prompts.
Workflow Chain
Then invoke: security review
SKILL.md
READMESKILL.md - Production Audit
# Production Audit Use this skill when the user asks whether an application is ready to ship, what could break in production, or what must be fixed before a launch. This is a maintainer-safe rewrite of the stale community production-audit idea: it keeps the useful production-readiness lens and removes unpinned external execution and third-party data sharing. ## When to Use - The user asks "is this production-ready", "what would break in prod", "what did we miss", "audit this repo", or "ready to ship?" - A feature was merged and needs a pre-deploy or post-merge risk pass. - A public launch, demo, customer rollout, or investor walkthrough is close. - CI is green but the user wants production risk, not only test status. - A deployed URL, release branch, PR, or current checkout is available for evidence gathering. ## When Not to Use - During active implementation when the right lens is line-level secure coding; use `security-review` first. - For pure libraries, templates, docs-only repos, or scaffolds unless the user wants packaging/release readiness rather than application readiness. - When the user asks for a formal compliance audit. This skill is engineering triage, not legal, financial, medical, or regulatory certification. - When the only available evidence is a product idea with no repo, deployment, CI, or runtime surface. ## How It Works Build the audit from local and user-authorized evidence. Do not run unpinned remote code, upload repository contents to third-party services, or call external scanners unless the user explicitly approves that specific tool and data flow. Use this order: 1. Establish the release surface. 2. Read recent changes and current branch state. 3. Inspect runtime, auth, data, payment, background-job, AI, and deployment boundaries that actually exist in the repo. 4. Check CI, tests, migrations, environment documentation, and rollback path. 5. Produce a short ship/block recommendation with specific fixes. ## Evidence Checklist Start with cheap, local signals: ```text git status --short --branch git log --oneline --decorate -20 git diff --stat origin/main...HEAD ``` Then inspect the project-specific surface: - Package scripts, CI workflows, release scripts, Docker files, and deployment manifests. - API routes, webhooks, auth middleware, background workers, cron jobs, and database migrations. - Environment variable documentation and startup checks. - Observability hooks, error reporting, logs, health checks, and dashboards. - Rollback, seed, migration, and backfill instructions. - E2E coverage for the user paths that matter most. If a deployed URL is in scope, use browser or HTTP checks only against that URL and avoid credentialed actions unless the user supplies a safe test account. ## Risk Lenses ### Security And Auth - Are public routes, API routes, and admin routes clearly separated? - Are auth and authorization enforced server-side? - Are secrets kept out of client bundles, logs, example output, and checked-in files? - Are rate limits, CSRF protections, CORS policy, and upload validation present where the app needs them? - Does the AI or agent surface defend against prompt injection, tool abuse, and untrusted content crossing into privileged actions? ### Data Integrity - Do migrations run forward cleanly and have a rollback or recovery plan? - Are destructive migrations, backfills, and data imports staged safely? - Do database policies, grants, and service-role boundaries match the app's tenancy model? - Are retries idempotent for writes, jobs, and webhook handlers? ### Payments And Webhooks - Are webhook signatures verified before parsing trusted payload fields? - Is each payment, subscription, or fu