firefrost-gaming/antigravity-skills-reference
3
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

feat: add codebase-audit-pre-push skill and sync generated files

Browse Source
This commit is contained in:
sck_0
2026-03-05 16:10:31 +01:00
parent 8c42024a29
commit f358ad2c4d
6 changed files with 369 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

241
skills/codebase-audit-pre-push/SKILL.md Normal file
View File

@@ -0,0 +1,241 @@
---
name: codebase-audit-pre-push
description: "Deep audit before GitHub push: removes junk files, dead code, security holes, and optimization issues. Checks every file line-by-line for production readiness."
category: development
risk: safe
source: community
date_added: "2026-03-05"
---
# Pre-Push Codebase Audit
As a senior engineer, you're doing the final review before pushing this code to GitHub. Check everything carefully and fix problems as you find them.
## When to Use This Skill
- User requests "audit the codebase" or "review before push"
- Before making the first push to GitHub
- Before making a repository public
- Pre-production deployment review
- User asks to "clean up the code" or "optimize everything"
## Your Job
Review the entire codebase file by file. Read the code carefully. Fix issues right away. Don't just note problems—make the necessary changes.
## Audit Process
### 1. Clean Up Junk Files
Start by looking for files that shouldn't be on GitHub:
**Delete these immediately:**
- OS files: `.DS_Store`, `Thumbs.db`, `desktop.ini`
- Logs: `*.log`, `npm-debug.log*`, `yarn-error.log*`
- Temp files: `*.tmp`, `*.temp`, `*.cache`, `*.swp`
- Build output: `dist/`, `build/`, `.next/`, `out/`, `.cache/`
- Dependencies: `node_modules/`, `vendor/`, `__pycache__/`, `*.pyc`
- IDE files: `.idea/`, `.vscode/` (ask user first), `*.iml`, `.project`
- Backup files: `*.bak`, `*_old.*`, `*_backup.*`, `*_copy.*`
- Test artifacts: `coverage/`, `.nyc_output/`, `test-results/`
- Personal junk: `TODO.txt`, `NOTES.txt`, `scratch.*`, `test123.*`
**Critical - Check for secrets:**
- `.env` files (should never be committed)
- Files containing: `password`, `api_key`, `token`, `secret`, `private_key`
- `*.pem`, `*.key`, `*.cert`, `credentials.json`, `serviceAccountKey.json`
If you find secrets in the code, mark it as a CRITICAL BLOCKER.
### 2. Fix .gitignore
Check if the `.gitignore` file exists and is thorough. If its missing or not complete, update it to include all junk file patterns above. Ensure that `.env.example` exists with keys but no values.
### 3. Audit Every Source File
Look through each code file and check:
**Dead Code (remove immediately):**
- Commented-out code blocks
- Unused imports/requires
- Unused variables (declared but never used)
- Unused functions (defined but never called)
- Unreachable code (after `return`, inside `if (false)`)
- Duplicate logic (same code in multiple places—combine)
**Code Quality (fix issues as you go):**
- Vague names: `data`, `info`, `temp`, `thing` → rename to be descriptive
- Magic numbers: `if (status === 3)` → extract to named constant
- Debug statements: remove `console.log`, `print()`, `debugger`
- TODO/FIXME comments: either resolve them or delete them
- TypeScript `any`: add proper types or explain why `any` is used
- Use `===` instead of `==` in JavaScript
- Functions longer than 50 lines: consider splitting
- Nested code greater than 3 levels: refactor with early returns
**Logic Issues (critical):**
- Missing null/undefined checks
- Array operations on potentially empty arrays
- Async functions that are not awaited
- Promises without `.catch()` or try/catch
- Possibilities for infinite loops
- Missing `default` in switch statements
### 4. Security Check (Zero Tolerance)
**Secrets:** Search for hardcoded passwords, API keys, and tokens. They must be in environment variables.
**Injection vulnerabilities:**
- SQL: No string concatenation in queries—use parameterized queries only
- Command injection: No `exec()` with user-provided input
- Path traversal: No file paths from user input without validation
- XSS: No `innerHTML` or `dangerouslySetInnerHTML` with user data
**Auth/Authorization:**
- Passwords hashed with bcrypt/argon2 (never MD5 or plain text)
- Protected routes check for authentication
- Authorization checks on the server side, not just in the UI
- No IDOR: verify users own the resources they are accessing
**Data exposure:**
- API responses do not leak unnecessary information
- Error messages do not expose stack traces or database details
- Pagination is present on list endpoints
**Dependencies:**
- Run `npm audit` or an equivalent tool
- Flag critically outdated or vulnerable packages
### 5. Scalability Check
**Database:**
- N+1 queries: loops with database calls inside → use JOINs or batch queries
- Missing indexes on WHERE/ORDER BY columns
- Unbounded queries: add LIMIT or pagination
- Avoid `SELECT *`: specify columns
**API Design:**
- Heavy operations (like email, reports, file processing) → move to a background queue
- Rate limiting on public endpoints
- Caching for data that is read frequently
- Timeouts on external calls
**Code:**
- No global mutable state
- Clean up event listeners (to avoid memory leaks)
- Stream large files instead of loading them into memory
### 6. Architecture Check
**Organization:**
- Clear folder structure
- Files are in logical locations
- No "misc" or "stuff" folders
**Separation of concerns:**
- UI layer: only responsible for rendering
- Business logic: pure functions
- Data layer: isolated database queries
- No 500+ line "god files"
**Reusability:**
- Duplicate code → extract to shared utilities
- Constants defined once and imported
- Types/interfaces reused, not redefined
### 7. Performance
**Backend:**
- Expensive operations do not block requests
- Batch database calls when possible
- Set cache headers correctly
**Frontend (if applicable):**
- Implement code splitting
- Optimize images
- Avoid massive dependencies for small utilities
- Use lazy loading for heavy components
### 8. Documentation
**README.md must include:**
- Description of what the project does
- Instructions for installation and execution
- Required environment variables
- Guidance on running tests
**Code comments:**
- Explain WHY, not WHAT
- Provide explanations for complex logic
- Avoid comments that merely repeat the code
### 9. Testing
- Critical paths should have tests (auth, payments, core features)
- No `test.only` or `fdescribe` should remain in the code
- Avoid `test.skip` without an explanation
- Tests should verify behavior, not implementation details
### 10. Final Verification
After making all changes, run the app. Ensure nothing is broken. Check that:
- The app starts without errors
- Main features work
- Tests pass (if they exist)
- No regressions have been introduced
## Output Format
After auditing, provide a report:
```
CODEBASE AUDIT COMPLETE
FILES REMOVED:
- node_modules/ (build artifact)
- .env (contained secrets)
- old_backup.js (unused duplicate)
CODE CHANGES:
[src/api/users.js]
✂ Removed unused import: lodash
✂ Removed dead function: formatOldWay()
🔧 Renamed 'data' → 'userData' for clarity
🛡 Added try/catch around API call (line 47)
[src/db/queries.js]
⚡ Fixed N+1 query: now uses JOIN instead of loop
SECURITY ISSUES:
🚨 CRITICAL: Hardcoded API key in config.js (line 12) → moved to .env
⚠️ HIGH: SQL injection risk in search.js (line 34) → fixed with parameterized query
SCALABILITY:
⚡ Added pagination to /api/users endpoint
⚡ Added index on users.email column
FINAL STATUS:
✅ CLEAN - Ready to push to GitHub
Scores:
Security: 9/10 (one minor header missing)
Code Quality: 10/10
Scalability: 9/10
Overall: 9/10
```
## Key Principles
- Read the code thoroughly, don't skim
- Fix issues immediately, dont just document them
- If uncertain about removing something, ask the user
- Test after making changes
- Be thorough but practical—focus on real problems
- Security issues are blockers—nothing should ship with critical vulnerabilities
## Related Skills
- `@security-auditor` - Deeper security review
- `@systematic-debugging` - Investigate specific issues
- `@git-pushing` - Push code after audit