aravhawk/prod-ready
skills/prod-ready/SKILL.md
Production-readiness audit covering linting, security, edge cases, and deployment checks. Only trigger when the user explicitly says "run prod-ready workflow" — do not run proactively.
development
Updated Apr 22, 2026
$ install --global
skillsauthnpx skillsauth add aravhawk/claude-code-utils prod-readyInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 22, 2026, 8:35 AM52.5s1 file scanned
SKILL.md
- name:
- prod-ready
- description:
- Production-readiness audit covering linting, security, edge cases, and deployment checks. Only trigger when the user explicitly says "run prod-ready workflow" — do not run proactively.
PRODUCTION READY
Perform a production-readiness audit before deployment. Verify the codebase meets security, reliability, and quality standards.
PHASE 1: RUN OFFICIAL LINTING & BUILD CHECKS
Run all available project tooling. Every check must pass before deployment.
Detect project type and run ALL applicable commands:
JavaScript/TypeScript projects:
pnpm lint # ESLint / project linter
pnpm typecheck # or: tsc --noEmit
pnpm test # full test suite
pnpm build # production build must succeed
pnpm audit # dependency vulnerabilities
Python projects:
ruff check . # or: pylint src/ OR flake8
mypy . # type checking
pytest # full test suite
pip-audit # dependency vulnerabilities
Go projects:
go vet ./...
golangci-lint run
go test ./...
Rust projects:
cargo clippy -- -D warnings
cargo test
cargo audit
If a command doesn't exist (e.g., no typecheck script), skip it and note that in the report.
All checks must pass. If any fail, document the failures - they must be addressed before deployment.
PHASE 2: SECURITY AUDIT
2.1 Sensitive Files in Repository
Check for files that should NEVER be committed:
# Files that shouldn't be in git
git ls-files | rg -i '\.(env|pem|key|p12|pfx|sqlite|db)$' | rg -v '\.example|\.sample|\.template'
# Credentials and secrets files
git ls-files | rg -i 'credentials|secrets|private.*key|id_rsa|\.keystore'
# Check .gitignore covers common sensitive patterns
cat .gitignore 2>/dev/null | rg -q '\.env' || echo "WARNING: .env not in .gitignore"
Any sensitive files found = BLOCKER. They must be removed and rotated.
2.2 Hardcoded Secrets
Scan for secrets that should be environment variables:
# API keys and tokens (look for actual values, not variable names)
rg -i '(api[_-]?key|api[_-]?secret|auth[_-]?token|access[_-]?token)\s*[=:]\s*["\047][A-Za-z0-9_\-]{16,}' -g '!*.lock' -g '!node_modules' -g '!*.md'
# AWS keys pattern
rg 'AKIA[0-9A-Z]{16}' -g '!*.lock' -g '!node_modules'
# Private keys embedded in code
rg 'BEGIN (RSA |DSA |EC |OPENSSH )?PRIVATE KEY' -g '!*.lock' -g '!node_modules'
# Connection strings with credentials
rg -i '(mongodb|postgres|mysql|redis)://[^:]+:[^@]+@' -g '!*.lock' -g '!node_modules' -g '!*.md'
2.3 Dangerous Code Patterns
# eval/exec with potential user input
rg '\b(eval|exec)\s*\(' --type ts --type js --type py
# SQL injection risks (string concatenation in queries)
rg -i '(query|execute)\s*\(\s*[`"\047].*\+|\$\{' --type ts --type js --type py
# Command injection risks
rg -i '(child_process|subprocess|os\.system|shell_exec)\s*\(' --type ts --type js --type py
# innerHTML / dangerouslySetInnerHTML without sanitization
rg '(innerHTML|dangerouslySetInnerHTML)' --type ts --type js --type tsx
# Disabled security features
rg -i 'verify\s*[=:]\s*false|rejectUnauthorized\s*[=:]\s*false' --type ts --type js --type py
2.4 Authentication & Authorization
Review these areas in the codebase:
- API routes - Do all sensitive endpoints have auth guards?
- Role checks - Are permissions verified before sensitive operations?
- Token handling - Are tokens stored securely (not localStorage for sensitive apps)?
# Find API route definitions to verify auth coverage
rg '(app\.(get|post|put|delete|patch)|router\.(get|post|put|delete|patch)|@(Get|Post|Put|Delete|Patch))' --type ts --type js -l
# Find auth middleware/decorators
rg -i '(auth|protect|guard|middleware|@Authorized|@Auth|requireAuth)' --type ts --type js --type py -l
PHASE 3: EDGE CASE & ERROR HANDLING
3.1 Unhandled Errors
# Async functions - check for try-catch or .catch()
rg 'async\s+\w+\s*\([^)]*\)\s*\{' --type ts --type js -l
# Empty catch blocks (swallowing errors)
rg 'catch\s*\([^)]*\)\s*\{\s*\}' --type ts --type js
# Promises without .catch()
rg '\.then\s*\([^)]+\)\s*[^.]' --type ts --type js
# Unhandled promise rejection risk
rg 'new Promise\s*\(' --type ts --type js -l
Review the files found to ensure proper error handling exists.
3.2 Null/Undefined Handling
# Optional chaining opportunities (potential null access)
rg '\w+\.\w+\.\w+' --type ts --type js | head -20
# Check for nullish coalescing and optional chaining usage
rg '(\?\.|\ \?\?)' --type ts --type js --count || echo "Limited null-safety patterns found"
3.3 Input Validation
# API endpoints - verify input validation exists
rg '(req\.body|req\.params|req\.query|request\.json)' --type ts --type js --type py -l
# Check for validation libraries in use
rg -i '(zod|yup|joi|class-validator|pydantic|marshmallow)' --type ts --type js --type py -l || echo "No validation library detected"
3.4 Debug & Development Artifacts
# Console statements (excessive logging in production)
rg 'console\.(log|debug|trace|info)' --type ts --type js --count
# Debugger statements (must be zero)
rg '\bdebugger\b' --type ts --type js
# Debug flags
rg -i 'DEBUG\s*[=:]\s*true|VERBOSE\s*[=:]\s*true' -g '!node_modules'
# TODO/FIXME in critical code
rg '(TODO|FIXME|HACK|XXX):?' --type ts --type js --type py --count
Debugger statements = BLOCKER. Console.logs should be minimal. TODOs should be reviewed if in critical paths.
PHASE 4: CONFIGURATION & ENVIRONMENT
4.1 Environment Variables
# Find all env var usage
rg '(process\.env|import\.meta\.env|os\.environ|os\.getenv)' --type ts --type js --type py -l
# Check .env.example exists and documents required vars
ls -la .env.example .env.sample 2>/dev/null || echo "WARNING: No .env.example file"
# Verify no .env files committed
git ls-files | rg '^\.env$|^\.env\.(local|production|development)$'
4.2 Hardcoded Configuration
# Localhost/staging URLs that should be env vars
rg -i '(localhost|127\.0\.0\.1|staging\.|\.local)' --type ts --type js --type py -g '!*.test.*' -g '!*.spec.*' -g '!node_modules'
# Hardcoded ports
rg ':\d{4,5}["\047/]' --type ts --type js -g '!node_modules' -g '!*.lock'
4.3 Third-Party Integrations
Verify production configuration for:
- API endpoints pointing to production (not staging/sandbox)
- Webhook URLs configured for production
- Analytics/monitoring enabled
PHASE 5: DEPENDENCY HEALTH
5.1 Vulnerability Audit
# JavaScript
pnpm audit --audit-level=high
# Python
pip-audit
# Go
govulncheck ./...
# Rust
cargo audit
Critical or high severity vulnerabilities = BLOCKER unless documented with mitigation.
5.2 Outdated Dependencies
# Check for significantly outdated packages
pnpm outdated 2>/dev/null || npm outdated 2>/dev/null
# Python
pip list --outdated 2>/dev/null
Note major version updates that may be needed.
OUTPUT REPORT
Provide a structured report:
## Production Readiness Report
### Linting & Build
| Check | Status | Notes |
|-------|--------|-------|
| Lint | PASS/FAIL | |
| Types | PASS/FAIL | |
| Tests | PASS/FAIL/SKIPPED | |
| Build | PASS/FAIL | |
### Security
| Check | Status | Notes |
|-------|--------|-------|
| Sensitive files | CLEAR/FOUND | |
| Hardcoded secrets | CLEAR/FOUND | |
| Dangerous patterns | CLEAR/FOUND | List any |
| Auth coverage | VERIFIED/NEEDS REVIEW | |
### Edge Cases & Error Handling
| Check | Status | Notes |
|-------|--------|-------|
| Error handling | ADEQUATE/NEEDS WORK | |
| Input validation | PRESENT/MISSING | |
| Debug artifacts | CLEAR/FOUND | Counts |
### Configuration
| Check | Status | Notes |
|-------|--------|-------|
| Env vars documented | YES/NO | |
| Hardcoded URLs | CLEAR/FOUND | |
### Dependencies
| Check | Status | Notes |
|-------|--------|-------|
| Vulnerabilities | X critical, Y high | |
| Outdated | X major updates available | |
### Blockers (must fix before deploy)
- [List any blockers]
### Warnings (should address)
- [List warnings]
### Recommendation
[READY TO DEPLOY / FIX BLOCKERS FIRST / NEEDS SIGNIFICANT WORK]
CONSTRAINTS
- Run all official linting tools - Don't manually lint, but run eslint/ruff/etc.
- Security issues are blockers - Secrets, vulnerabilities, and dangerous patterns must be fixed
- Don't auto-fix issues - Report findings for the user to decide
- Adapt to project type - Skip inapplicable checks (no Python tooling for JS projects)
- Be thorough but efficient - Use grep patterns to scan, then review flagged areas
Related Skills
aravhawk/notebooklm
development
VerifiedTrustedCommunity
Complete API for Google NotebookLM - full programmatic access including features not in the web UI. Create notebooks, add sources, generate all artifact types, download in multiple formats. Activates on explicit /notebooklm or intent like "create a podcast about X", "install notebooklm", "add notebooklm to cowork"
SKILL.mdUpdated Apr 22, 2026
aravhawk/commit
tools
VerifiedTrustedCommunity
Commits with perfect messages. Use when making a commit.
SKILL.mdUpdated Apr 22, 2026
aravhawk/arch-mmd
development
VerifiedTrustedCommunity
Creates/updates an ARCHITECTURE.mmd file mapping out the codebase/product. Use whenever the user asks to see the architecture of the codebase/product or when the architecture changes and the current ARCHITECTURE.mmd file is out of date.
SKILL.mdUpdated Apr 20, 2026
openclaw/openclaw-secret-scanning-maintainer
development
VerifiedTrustedCommunity
Maintainer-only workflow for handling GitHub Secret Scanning alerts on OpenClaw. Use when Codex needs to triage, redact, clean up, and resolve secret leakage found in issue comments, issue bodies, PR comments, or other GitHub content.
357,764SKILL.mdUpdated Apr 15, 2026