About
Audit a shipped repo for production-readiness gaps across RLS, webhooks, secrets, grants, Stripe idempotency, mobile UX, and deployment health.
name: production-audit description: "Audit a shipped repo for production-readiness gaps across RLS, webhooks, secrets, grants, Stripe idempotency, mobile UX, and deployment health." category: security risk: critical source: community source_repo: commitshow/production-audit source_type: community date_added: "2026-05-04" author: commitshow tags: [security, audit, production, vibe-coding, rls, webhook, stripe, supabase, mobile] tools: [claude, cursor, gemini, codex, antigravity] license: "MIT" license_source: "https://github.com/commitshow/production-audit/blob/main/LICENSE"
Production Audit
Overview
A skill that runs an external audit on a shipped repo's deployed state — live URL, GitHub signals, secrets exposure, RLS gaps, webhook idempotency, indexes, observability, prompt injection, and ten other failure modes that AI-assisted projects routinely miss.
This is complementary to in-session security skills (security-review, OWASP-style, VibeSec, Trail of Bits). Those scan the editor buffer at write-time. This scans the deployed product after you commit. Different timing, different inputs, different findings. Run both for serious launches.
The skill wraps the commit.show audit engine via the public CLI (npx commitshow@0.3.23 audit . --json). Stable JSON envelope (schema_version: "1", additive-only). Writes a .commitshow/audit.{md,json} sidecar so future agent sessions can read prior state without re-running the engine.
When to Use This Skill
- Use when the user asks "is this production-ready", "what would break in prod", "score my project", "what did I miss", "audit my repo", "ready to ship".
- Use right after merging a feature branch to
main(helpful as a pre-deploy gate). - Use before a public launch / Show HN post / investor demo.
- Use when
git logshows >20 commits since the last.commitshow/audit.mdwas written.
Skip when
- During active in-session coding — use
security-review/ OWASP-style for line-level patterns. This skill is for post-merge / pre-ship review. - For library / scaffold-form repos — the engine handles app form best; libraries get a partial-substitute score.
- If
.commitshow/audit.jsonalready exists and is < 1 hour old, read that instead of re-running. Audit is rate-limited (anonymous: 20/IP/day · 5/repo/day · 2000/day global). - Inside a private / non-GitHub repo — the audit pulls public GitHub signals, so private repos return a
not_founderror.
How It Works
Step 1: Run the audit
From the repo root. The CLI is pinned to an exact reviewed version so future npm releases are not selected silently. Because npx downloads and runs npm package code locally with the current user's permissions, run it only after the user explicitly approves this external execution and only in a repository where local files and environment variables are safe for that process to access. The sidecar directory is created up-front, and stderr is split off so install/deprecation warnings can't corrupt the JSON envelope:
mkdir -p .commitshow
npx commitshow@0.3.23 audit . --json \
> .commitshow/audit.json \
2> .commitshow/audit.stderr.log
This also writes a human-readable .commitshow/audit.md next to it. Subsequent invocations should diff against the prior audit.json if it exists, so you can lead with "+5 since yesterday's audit" instead of just an absolute number.
If the user pointed at a remote URL instead of ., swap . for the URL — keep the same mkdir -p + version pin + stderr split:
mkdir -p .commitshow
npx commitshow@0.3.23 audit github.com/owner/repo --json \
> .commitshow/audit.json \
2> .commitshow/audit.stderr.log
Step 2: Parse the envelope
The JSON envelope is stable (schema_version: "1", additive-only). Read these fields:
| Field | Meaning |
|---|---|
| score.total | 0-100 production-readiness score |
| score.delta_since_last | change vs. parent snapshot · positive = improving |
| score.band | strong (80+) · mid (60-79) · early (<60) |
| concerns[] | top issues, ordered by impact · each has axis + bullet |
| strengths[] | top 3 things that work · for context only |
| standing | optional · only when the project is auditioning on commit.show |
| snapshot.created_at / trigger_type | when the audit ran |
Concerns are sorted by decision-impact, not severity. Position 1 is the bullet to lead with.
Step 3: Surface to the user
Lead with score + trajectory in one sentence, then the top concerns. Do not dump the full JSON. Format:
Score: 82/100 (+5 since yesterday) · band: strong
Top concerns:
↓ [Security] No API rate limiting on /auth — IP cap missing
↓ [Infrastructure] webhook handler at api/stripe.ts — signature verified, but no
idempotency-key check (replay attack window open)
Want me to fix the webhook idempotency gap first?
Rules:
- Use the exact bullet from
concerns[].bullet— the audit engine already wrote a
