production-audit

Production audit

Run an external audit on the repo's shipped state — deployed URL, GitHub signals, secrets exposure, RLS gaps, webhook idempotency, indexes, observability, prompt injection, and ten other failure modes that AI-assisted projects routinely miss.

This is complementary to in-session security skills (security-review, vibesec, OWASP-style) — those scan the editor buffer while you're coding. This scans the deployed product after you commit. Use both.

When to invoke

  • User says "is this production-ready", "what would break in prod", "score my project", "what did I miss", "audit my repo", "ready to ship".
  • Right after merging a feature branch to main (helpful as a pre-deploy gate).
  • Before a public launch / Show HN post / investor demo.
  • When git log shows >20 commits since the last .commitshow/audit.md was written.

When NOT to invoke

  • During active in-session coding — use security-review / vibesec for line-level patterns. Production-audit is for post-merge / pre-ship review.
  • For library or scaffold-form repos — the engine is tuned for app-form repos; libraries only get a partial-substitute score.
  • If .commitshow/audit.json already exists and is < 1 hour old, read that instead of re-running. Audit is rate-limited (anonymous: 20/IP/day · 5/repo/day · 2000/day global).
  • Inside a private/non-GitHub repo — the audit pulls public GitHub signals, so private repos return a not_found error.

Installs: 8 · GitHub Stars: 1 · First seen: May 3, 2026

Source: commitshow/production-audit