production-code-audit


Production Code Audit


Overview


Autonomously analyze the entire codebase to understand its architecture, patterns, and purpose, then systematically transform it into production-grade, corporate-level professional code. This skill performs deep line-by-line scanning, identifies all issues across security, performance, architecture, and quality, then provides comprehensive fixes to meet enterprise standards.

When to Use This Skill


  • Use when user says "make this production-ready"
  • Use when user says "audit my codebase"
  • Use when user says "make this professional/corporate-level"
  • Use when user says "optimize everything"
  • Use when user wants enterprise-grade quality
  • Use when preparing for production deployment
  • Use when code needs to meet corporate standards

How It Works


Step 1: Autonomous Codebase Discovery


Automatically scan and understand the entire codebase:
  1. Read all files - Scan every file in the project recursively
  2. Identify tech stack - Detect languages, frameworks, databases, tools
  3. Understand architecture - Map out structure, patterns, dependencies
  4. Identify purpose - Understand what the application does
  5. Find entry points - Locate main files, routes, controllers
  6. Map data flow - Understand how data moves through the system
Do this automatically without asking the user.

Step 2: Comprehensive Issue Detection


Scan line-by-line for all issues:
Architecture Issues:
  • Circular dependencies
  • Tight coupling
  • God classes (>500 lines or >20 methods)
  • Missing separation of concerns
  • Poor module boundaries
  • Violation of design patterns
Security Vulnerabilities:
  • SQL injection (string concatenation in queries)
  • XSS vulnerabilities (unescaped output)
  • Hardcoded secrets (API keys, passwords in code)
  • Missing authentication/authorization
  • Weak password hashing (MD5, SHA1)
  • Missing input validation
  • CSRF vulnerabilities
  • Insecure dependencies
Performance Problems:
  • N+1 query problems
  • Missing database indexes
  • Synchronous operations that should be async
  • Missing caching
  • Inefficient algorithms (O(n²) or worse)
  • Large bundle sizes
  • Unoptimized images
  • Memory leaks
Code Quality Issues:
  • High cyclomatic complexity (>10)
  • Code duplication
  • Magic numbers
  • Poor naming conventions
  • Missing error handling
  • Inconsistent formatting
  • Dead code
  • TODO/FIXME comments
Testing Gaps:
  • Missing tests for critical paths
  • Low test coverage (<80%)
  • No edge case testing
  • Flaky tests
  • Missing integration tests
Production Readiness:
  • Missing environment variables
  • No logging/monitoring
  • No error tracking
  • Missing health checks
  • Incomplete documentation
  • No CI/CD pipeline
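As an added example (not the skill's own tooling), here is a minimal line-by-line scanner in TypeScript for four of the security patterns listed above: SQL assembled by interpolation or concatenation, hardcoded secrets, MD5/SHA-1 hashing, and a request body passed straight into a create/update call. The rule ids, regexes and sample source are constructed for this illustration; pattern hits like these still need the manual verification the False Positives pitfall later on this page calls for.

```typescript
// Added example (not the skill's own tooling): a minimal line-by-line scanner
// for four of the Step 2 security patterns. Rule ids, regexes and the sample
// source are constructed for this illustration.
type Severity = "CRITICAL" | "HIGH";

interface Rule { id: string; severity: Severity; test: (line: string) => boolean }

interface Finding {
  line: number;      // 1-based line number within the scanned source
  rule: string;
  severity: Severity;
  text: string;      // the offending line, trimmed
}

const SQL_KEYWORD = /\b(SELECT|INSERT|UPDATE|DELETE)\b/i;

const RULES: Rule[] = [
  {
    // SQL text assembled with template interpolation or string concatenation.
    id: "sql-string-concat",
    severity: "CRITICAL",
    test: (l) => SQL_KEYWORD.test(l) && (/\$\{/.test(l) || /['"`]\s*\+\s*\w/.test(l)),
  },
  {
    // A string literal assigned to a secret-looking name (process.env reads are fine).
    id: "hardcoded-secret",
    severity: "CRITICAL",
    test: (l) =>
      /(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['"][^'"]{6,}['"]/i.test(l) &&
      !/process\.env/.test(l),
  },
  {
    // MD5 or SHA-1 via createHash; password hashing needs bcrypt or similar.
    id: "weak-hash",
    severity: "HIGH",
    test: (l) => /createHash\(\s*['"](md5|sha1)['"]\s*\)/i.test(l),
  },
  {
    // req.body handed straight to a create/update call (mass assignment).
    id: "mass-assignment",
    severity: "CRITICAL",
    test: (l) => /\.(create|update)\(\s*\{?\s*(data:\s*)?req\.body\b/.test(l),
  },
];

function scanSource(source: string): Finding[] {
  const findings: Finding[] = [];
  source.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (line.startsWith("//")) return;   // comment-only lines are not findings
    for (const rule of RULES) {
      if (rule.test(line)) findings.push({ line: i + 1, rule: rule.id, severity: rule.severity, text: line });
    }
  });
  return findings;
}

// Constructed sample source (not from any real project): lines 1, 2, 4 and 5
// should be flagged; lines 3 and 6 are the safe forms and should not.
const SAMPLE_SOURCE = [
  "const query = `SELECT * FROM users WHERE email = '${email}'`;",
  "const JWT_SECRET = 'my-secret-key-123';",
  "const JWT_SAFE = process.env.JWT_SECRET;",
  "const hash = crypto.createHash('md5').update(password).digest('hex');",
  "const user = await db.user.create({ data: req.body });",
  "const rows = await db.query('SELECT * FROM users WHERE email = $1', [email]);",
].join("\n");
```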

Step 3: Automatic Fixes and Optimizations


Fix everything automatically:
  1. Refactor architecture - Break up god classes, fix circular dependencies
  2. Fix security issues - Use parameterized queries, remove secrets, add validation
  3. Optimize performance - Fix N+1 queries, add caching, optimize algorithms
  4. Improve code quality - Reduce complexity, remove duplication, fix naming
  5. Add missing tests - Write tests for untested critical paths
  6. Add production infrastructure - Logging, monitoring, health checks
  7. Optimize everything - Bundle size, images, database queries
  8. Add documentation - README, API docs, architecture docs

Step 4: Verify and Report


After making all changes:
  1. Run all tests to ensure nothing broke
  2. Verify all security issues are fixed
  3. Measure performance improvements
  4. Generate comprehensive report
  5. Provide before/after metrics

Examples


Example 1: Autonomous Codebase Transformation


User: @production-code-audit make this production-ready

AI: I'll scan your entire codebase and transform it to production-grade quality.

**Phase 1: Discovering Codebase** (analyzing 247 files)
- Detected: Node.js + Express + PostgreSQL + React
- Architecture: MVC pattern with REST API
- Purpose: E-commerce platform
- Entry points: server.js, src/index.tsx

**Phase 2: Scanning for Issues** (line-by-line analysis)

Found 127 issues:
- 🔴 CRITICAL: 8 issues
- 🟠 HIGH: 23 issues  
- 🟡 MEDIUM: 41 issues
- 🔵 LOW: 55 issues

**Phase 3: Fixing Issues Automatically**

🔴 CRITICAL FIXES (8/8 completed):

1. ✅ Fixed SQL injection in UserRepository.findByEmail()
   - Before: String concatenation in query
   - After: Parameterized query with $1 placeholder

2. ✅ Removed hardcoded database password from config/database.ts
   - Before: password: 'SuperSecret123!'
   - After: password: process.env.DB_PASSWORD

3. ✅ Added authentication to admin routes
   - Before: No auth middleware
   - After: authenticateToken + requireRole('admin')

4. ✅ Fixed weak password hashing (MD5 → bcrypt)
   - Before: crypto.createHash('md5')
   - After: bcrypt.hash(password, 12)

5. ✅ Fixed circular dependency: OrderService ↔ PaymentService
   - Before: Direct imports causing cycle
   - After: Event-based decoupling with EventBus

6. ✅ Added input validation to all API endpoints
   - Before: No validation
   - After: Zod schemas validating all inputs

7. ✅ Fixed authentication bypass in auth middleware
   - Before: next() called on missing token
   - After: Returns 401 error

8. ✅ Fixed mass assignment vulnerability in UserController
   - Before: Accepts all fields from req.body
   - After: Whitelist of allowed fields only

🟠 HIGH PRIORITY FIXES (23/23 completed):

9. ✅ Fixed N+1 query in OrderService.getOrdersWithItems()
   - Before: Loop with individual queries (2.8s)
   - After: Single query with joins (45ms)
   - Performance: 98% improvement

10. ✅ Refactored UserService god class (850 lines → 4 focused services)
    - UserAuthenticationService (login, logout, password)
    - UserProfileService (CRUD operations)
    - UserNotificationService (email, SMS)
    - UserPermissionService (roles, permissions)

11. ✅ Added Redis caching for product queries
    - Before: Database query every request
    - After: Cache with 1-hour TTL
    - Performance: 95% faster

12. ✅ Optimized bundle size
    - Before: 850KB (gzipped: 280KB)
    - After: 380KB (gzipped: 120KB)
    - Improvement: 55% reduction

13. ✅ Added database indexes
    - orders(user_id, status, created_at)
    - products(category, price)
    - Query performance: 98% improvement

[... 11 more high-priority fixes ...]

🟡 MEDIUM PRIORITY FIXES (41/41 completed):
[... all medium fixes ...]

🔵 LOW PRIORITY IMPROVEMENTS (55/55 completed):
[... all low improvements ...]

**Phase 4: Adding Production Infrastructure**

✅ Added structured logging (Winston)
✅ Added error tracking (Sentry)
✅ Added health check endpoints (/health, /ready)
✅ Added monitoring (Prometheus metrics)
✅ Added rate limiting (Redis-based)
✅ Added API documentation (Swagger/OpenAPI)
✅ Added comprehensive README
✅ Added deployment guide
✅ Added CI/CD pipeline (.github/workflows)

**Phase 5: Verification**

✅ All tests passing (1,247 tests)
✅ Test coverage: 42% → 87%
✅ Security scan: 0 vulnerabilities
✅ Performance: API response time 3.2s → 180ms
✅ Bundle size: 850KB → 380KB
✅ Lighthouse score: 62 → 94

**TRANSFORMATION COMPLETE**

Your codebase is now production-ready with enterprise-grade quality:

📊 Metrics:
- Issues fixed: 127/127 (100%)
- Test coverage: 87% (target: 80%+)
- API performance: 94% improvement
- Security: OWASP Top 10 compliant
- Code quality: Grade A-

📁 Files changed: 89 files
📝 Lines changed: +3,247 / -1,892

🚀 Ready for production deployment!
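Fixes 7 and 8 in the transcript above are described only in prose; as an added example (not code from the skill or the audited project), here they are in TypeScript against a minimal request/response shape so the code runs without Express. The `verifyToken` stub, the accepted token value and the allowed-field list are constructed assumptions.

```typescript
// Added example (not the skill's own code): fix 7 (auth bypass) and fix 8
// (mass assignment) written against a minimal req/res shape instead of Express.
interface User { id: string; role: string }
interface Req { headers: Record<string, string | undefined>; body: Record<string, unknown>; user?: User }
interface Res { statusCode: number; payload?: unknown; status(code: number): Res; json(p: unknown): Res }
type Next = () => void;
type Middleware = (req: Req, res: Res, next: Next) => void;

function makeRes(): Res {
  const res: Res = {
    statusCode: 200,
    status(code) { res.statusCode = code; return res; },
    json(p) { res.payload = p; return res; },
  };
  return res;
}

// Constructed stand-in for real token verification: one known token only.
function verifyToken(token: string): User | null {
  return token === "valid-admin-token" ? { id: "u1", role: "admin" } : null;
}

// BEFORE (the bug behind fix 7): when the header is missing, control still
// falls through to next(), so the protected handler runs unauthenticated.
const authenticateTokenBefore: Middleware = (req, _res, next) => {
  const header = req.headers["authorization"];
  if (header) {
    const user = verifyToken(header.replace(/^Bearer /, ""));
    if (user) req.user = user;
  }
  next();
};

// AFTER: a missing or invalid token ends the request with 401 and never
// reaches next().
const authenticateToken: Middleware = (req, res, next) => {
  const header = req.headers["authorization"];
  const token = header?.startsWith("Bearer ") ? header.slice(7) : undefined;
  const user = token ? verifyToken(token) : null;
  if (!user) { res.status(401).json({ error: "Unauthorized" }); return; }
  req.user = user;
  next();
};

// Fix 8: copy only an explicit allow-list of fields out of req.body, so a
// client cannot set fields such as role or isAdmin on the new record.
const ALLOWED_USER_FIELDS = ["email", "name"] as const;

function pickAllowedFields(body: Record<string, unknown>): Record<string, unknown> {
  const out: Record<string, unknown> = {};
  for (const key of ALLOWED_USER_FIELDS) {
    if (key in body) out[key] = body[key];
  }
  return out;
}

// Test harness: runs one middleware and reports whether next() was called.
function runMiddleware(mw: Middleware, req: Req): { reachedHandler: boolean; status: number } {
  const res = makeRes();
  let reachedHandler = false;
  mw(req, res, () => { reachedHandler = true; });
  return { reachedHandler, status: res.statusCode };
}
```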

Example 2: Automatic Security Hardening


User: @production-code-audit secure this codebase

AI: Scanning for security vulnerabilities...

**Security Scan Complete**

Found 15 security issues:
- 🔴 CRITICAL: 5
- 🟠 HIGH: 7
- 🟡 MEDIUM: 3

**Fixing all security issues automatically...**

🔴 CRITICAL (5/5 fixed):

1. ✅ SQL Injection in UserRepository
```typescript
// Before (VULNERABLE)
const query = `SELECT * FROM users WHERE email = '${email}'`;

// After (SECURE)
const query = 'SELECT * FROM users WHERE email = $1';
await db.query(query, [email]);
```

2. ✅ Hardcoded Secrets Removed
```typescript
// Before (INSECURE)
const JWT_SECRET = 'my-secret-key-123';

// After (SECURE)
const JWT_SECRET = process.env.JWT_SECRET;
if (!JWT_SECRET) throw new Error('JWT_SECRET required');
```

3. ✅ Authentication Added to Admin Routes
```typescript
// Before (VULNERABLE)
router.delete('/api/admin/users/:id', deleteUser);

// After (SECURE)
router.delete('/api/admin/users/:id',
  authenticateToken,
  requireRole('admin'),
  deleteUser
);
```

4. ✅ Password Hashing Upgraded
```typescript
// Before (WEAK)
const hash = crypto.createHash('md5').update(password).digest('hex');

// After (STRONG)
const hash = await bcrypt.hash(password, 12);
```

5. ✅ Input Validation Added
```typescript
// Before (VULNERABLE)
const user = await db.user.create({ data: req.body });

// After (SECURE)
const schema = z.object({
  email: z.string().email(),
  password: z.string().min(12),
  name: z.string().min(2).max(100)
});
const validated = schema.parse(req.body);
const user = await db.user.create({ data: validated });
```

**Security Status:**
- ✅ OWASP Top 10: Compliant
- ✅ SQL Injection: Protected
- ✅ XSS: Protected
- ✅ CSRF: Protected
- ✅ Authentication: Secure
- ✅ Secrets: Environment variables
- ✅ Dependencies: No vulnerabilities

🔒 Codebase is now secure and production-ready!

Example 3: Performance Optimization


User: @production-code-audit optimize performance

AI: Analyzing performance bottlenecks...

**Performance Analysis Complete**

Current metrics:
- API response time: 3.2s (target: <200ms)
- Page load time: 8.5s (target: <2s)
- Bundle size: 850KB (target: <200KB)

**Optimizing automatically...**

✅ Fixed N+1 queries (3.2s → 180ms - 94% faster)
✅ Added Redis caching (95% cache hit rate)
✅ Optimized database indexes (98% faster queries)
✅ Reduced bundle size (850KB → 380KB - 55% smaller)
✅ Optimized images (28MB → 3.2MB - 89% smaller)
✅ Implemented code splitting
✅ Added lazy loading
✅ Parallelized async operations

**Performance Results:**

| Metric | Before | After | Improvement |
|--------|--------|-------|-------------|
| API Response | 3.2s | 180ms | 94% |
| Page Load | 8.5s | 1.8s | 79% |
| Bundle Size | 850KB | 380KB | 55% |
| Image Size | 28MB | 3.2MB | 89% |
| Lighthouse | 42 | 94 | +52 points |

🚀 Performance optimized to production standards!

Best Practices


✅ Do This


  • Scan Everything - Read all files, understand entire codebase
  • Fix Automatically - Don't just report, actually fix issues
  • Prioritize Critical - Security and data loss issues first
  • Measure Impact - Show before/after metrics
  • Verify Changes - Run tests after making changes
  • Be Comprehensive - Cover architecture, security, performance, testing
  • Optimize Everything - Bundle size, queries, algorithms, images
  • Add Infrastructure - Logging, monitoring, error tracking
  • Document Changes - Explain what was fixed and why

❌ Don't Do This


  • Don't Ask Questions - Understand the codebase autonomously
  • Don't Wait for Instructions - Scan and fix automatically
  • Don't Report Only - Actually make the fixes
  • Don't Skip Files - Scan every file in the project
  • Don't Ignore Context - Understand what the code does
  • Don't Break Things - Verify tests pass after changes
  • Don't Be Partial - Fix all issues, not just some

Autonomous Scanning Instructions


When this skill is invoked, automatically:
  1. Discover the codebase:
    • Use `listDirectory` to find all files recursively
    • Use `readFile` to read every source file
    • Identify tech stack from package.json, requirements.txt, etc.
    • Map out architecture and structure
  2. Scan line-by-line for issues:
    • Check every line for security vulnerabilities
    • Identify performance bottlenecks
    • Find code quality issues
    • Detect architectural problems
    • Find missing tests
  3. Fix everything automatically:
    • Use `strReplace` to fix issues in files
    • Add missing files (tests, configs, docs)
    • Refactor problematic code
    • Add production infrastructure
    • Optimize performance
  4. Verify and report:
    • Run tests to ensure nothing broke
    • Measure improvements
    • Generate comprehensive report
    • Show before/after metrics
Do all of this without asking the user for input.

Common Pitfalls


Problem: Too Many Issues


Symptoms: Team paralyzed by 200+ issues
Solution: Focus on critical/high priority only, create sprints

Problem: False Positives


Symptoms: Flagging non-issues
Solution: Understand context, verify manually, ask developers

Problem: No Follow-Up


Symptoms: Audit report ignored
Solution: Create GitHub issues, assign owners, track in standups

Production Audit Checklist


Security


  • No SQL injection vulnerabilities
  • No hardcoded secrets
  • Authentication on protected routes
  • Authorization checks implemented
  • Input validation on all endpoints
  • Password hashing with bcrypt (10+ rounds)
  • HTTPS enforced
  • Dependencies have no vulnerabilities

Performance


  • No N+1 query problems
  • Database indexes on foreign keys
  • Caching implemented
  • API response time < 200ms
  • Bundle size < 200KB (gzipped)

Testing


  • Test coverage > 80%
  • Critical paths tested
  • Edge cases covered
  • No flaky tests
  • Tests run in CI/CD

Production Readiness


  • Environment variables configured
  • Error tracking setup (Sentry)
  • Structured logging implemented
  • Health check endpoints
  • Monitoring and alerting
  • Documentation complete

Audit Report Template



Production Audit Report


Project: [Name]
Date: [Date]
Overall Grade: [A-F]

Executive Summary


[2-3 sentences on overall status]
Critical Issues: [count]
High Priority: [count]
Recommendation: [Fix timeline]

Findings by Category


Architecture (Grade: [A-F])


  • Issue 1: [Description]
  • Issue 2: [Description]

Security (Grade: [A-F])


  • Issue 1: [Description + Fix]
  • Issue 2: [Description + Fix]

Performance (Grade: [A-F])


  • Issue 1: [Description + Fix]

Testing (Grade: [A-F])


  • Coverage: [%]
  • Issues: [List]

Priority Actions


  1. [Critical issue] - [Timeline]
  2. [High priority] - [Timeline]
  3. [High priority] - [Timeline]

Timeline


  • Critical fixes: [X weeks]
  • High priority: [X weeks]
  • Production ready: [X weeks]

Related Skills


  • @code-review-checklist - Code review guidelines
  • @api-security-best-practices - API security patterns
  • @web-performance-optimization - Performance optimization
  • @systematic-debugging - Debug production issues
  • @senior-architect - Architecture patterns

Additional Resources



Pro Tip: Schedule regular audits (quarterly) to maintain code quality. Prevention is cheaper than fixing production bugs!
