PRODUCTION READY
Perform a production-readiness audit before deployment. Verify the codebase meets security, reliability, and quality standards.
PHASE 1: RUN OFFICIAL LINTING & BUILD CHECKS
Run all available project tooling. Every check must pass before deployment.
Detect project type and run ALL applicable commands:
JavaScript/TypeScript projects:
pnpm lint # ESLint / project linter pnpm typecheck # or: tsc --noEmit pnpm test # full test suite pnpm build # production build must succeed pnpm audit # dependency vulnerabilities
Python projects:
ruff check . # or: pylint src/ OR flake8 mypy . # type checking pytest # full test suite pip-audit # dependency vulnerabilities
Go projects:
go vet ./... golangci-lint run go test ./...
Rust projects:
cargo clippy -- -D warnings cargo test cargo audit
If a command doesn't exist (e.g., no typecheck script), skip it and note that in the report.
All checks must pass. If any fail, document the failures - they must be addressed before deployment.
PHASE 2: SECURITY AUDIT
2.1 Sensitive Files in Repository
Check for files that should NEVER be committed:
# Files that shouldn't be in git git ls-files | rg -i '\.(env|pem|key|p12|pfx|sqlite|db)$' | rg -v '\.example|\.sample|\.template' # Credentials and secrets files git ls-files | rg -i 'credentials|secrets|private.*key|id_rsa|\.keystore' # Check .gitignore covers common sensitive patterns cat .gitignore 2>/dev/null | rg -q '\.env' || echo "WARNING: .env not in .gitignore"
Any sensitive files found = BLOCKER. They must be removed and rotated.
2.2 Hardcoded Secrets
Scan for secrets that should be environment variables:
# API keys and tokens (look for actual values, not variable names)
rg -i '(api[_-]?key|api[_-]?secret|auth[_-]?token|access[_-]?token)\s*[=:]\s*["\047][A-Za-z0-9_\-]{16,}' -g '!*.lock' -g '!node_modules' -g '!*.md'
# AWS keys pattern
rg 'AKIA[0-9A-Z]{16}' -g '!*.lock' -g '!node_modules'
# Private keys embedded in code
rg 'BEGIN (RSA |DSA |EC |OPENSSH )?PRIVATE KEY' -g '!*.lock' -g '!node_modules'
# Connection strings with credentials
rg -i '(mongodb|postgres|mysql|redis)://[^:]+:[^@]+@' -g '!*.lock' -g '!node_modules' -g '!*.md'
2.3 Dangerous Code Patterns
# eval/exec with potential user input
rg '\b(eval|exec)\s*\(' --type ts --type js --type py
# SQL injection risks (string concatenation in queries)
rg -i '(query|execute)\s*\(\s*[`"\047].*\+|\$\{' --type ts --type js --type py
# Command injection risks
rg -i '(child_process|subprocess|os\.system|shell_exec)\s*\(' --type ts --type js --type py
# innerHTML / dangerouslySetInnerHTML without sanitization
rg '(innerHTML|dangerouslySetInnerHTML)' --type ts --type js --type tsx
# Disabled security features
rg -i 'verify\s*[=:]\s*false|rejectUnauthorized\s*[=:]\s*false' --type ts --type js --type py
2.4 Authentication & Authorization
Review these areas in the codebase:
- •API routes - Do all sensitive endpoints have auth guards?
- •Role checks - Are permissions verified before sensitive operations?
- •Token handling - Are tokens stored securely (not localStorage for sensitive apps)?
# Find API route definitions to verify auth coverage rg '(app\.(get|post|put|delete|patch)|router\.(get|post|put|delete|patch)|@(Get|Post|Put|Delete|Patch))' --type ts --type js -l # Find auth middleware/decorators rg -i '(auth|protect|guard|middleware|@Authorized|@Auth|requireAuth)' --type ts --type js --type py -l
PHASE 3: EDGE CASE & ERROR HANDLING
3.1 Unhandled Errors
# Async functions - check for try-catch or .catch()
rg 'async\s+\w+\s*\([^)]*\)\s*\{' --type ts --type js -l
# Empty catch blocks (swallowing errors)
rg 'catch\s*\([^)]*\)\s*\{\s*\}' --type ts --type js
# Promises without .catch()
rg '\.then\s*\([^)]+\)\s*[^.]' --type ts --type js
# Unhandled promise rejection risk
rg 'new Promise\s*\(' --type ts --type js -l
Review the files found to ensure proper error handling exists.
3.2 Null/Undefined Handling
# Optional chaining opportunities (potential null access) rg '\w+\.\w+\.\w+' --type ts --type js | head -20 # Check for nullish coalescing and optional chaining usage rg '(\?\.|\ \?\?)' --type ts --type js --count || echo "Limited null-safety patterns found"
3.3 Input Validation
# API endpoints - verify input validation exists rg '(req\.body|req\.params|req\.query|request\.json)' --type ts --type js --type py -l # Check for validation libraries in use rg -i '(zod|yup|joi|class-validator|pydantic|marshmallow)' --type ts --type js --type py -l || echo "No validation library detected"
3.4 Debug & Development Artifacts
# Console statements (excessive logging in production) rg 'console\.(log|debug|trace|info)' --type ts --type js --count # Debugger statements (must be zero) rg '\bdebugger\b' --type ts --type js # Debug flags rg -i 'DEBUG\s*[=:]\s*true|VERBOSE\s*[=:]\s*true' -g '!node_modules' # TODO/FIXME in critical code rg '(TODO|FIXME|HACK|XXX):?' --type ts --type js --type py --count
Debugger statements = BLOCKER. Console.logs should be minimal. TODOs should be reviewed if in critical paths.
PHASE 4: CONFIGURATION & ENVIRONMENT
4.1 Environment Variables
# Find all env var usage rg '(process\.env|import\.meta\.env|os\.environ|os\.getenv)' --type ts --type js --type py -l # Check .env.example exists and documents required vars ls -la .env.example .env.sample 2>/dev/null || echo "WARNING: No .env.example file" # Verify no .env files committed git ls-files | rg '^\.env$|^\.env\.(local|production|development)$'
4.2 Hardcoded Configuration
# Localhost/staging URLs that should be env vars
rg -i '(localhost|127\.0\.0\.1|staging\.|\.local)' --type ts --type js --type py -g '!*.test.*' -g '!*.spec.*' -g '!node_modules'
# Hardcoded ports
rg ':\d{4,5}["\047/]' --type ts --type js -g '!node_modules' -g '!*.lock'
4.3 Third-Party Integrations
Verify production configuration for:
- •API endpoints pointing to production (not staging/sandbox)
- •Webhook URLs configured for production
- •Analytics/monitoring enabled
PHASE 5: DEPENDENCY HEALTH
5.1 Vulnerability Audit
# JavaScript pnpm audit --audit-level=high # Python pip-audit # Go govulncheck ./... # Rust cargo audit
Critical or high severity vulnerabilities = BLOCKER unless documented with mitigation.
5.2 Outdated Dependencies
# Check for significantly outdated packages pnpm outdated 2>/dev/null || npm outdated 2>/dev/null # Python pip list --outdated 2>/dev/null
Note major version updates that may be needed.
OUTPUT REPORT
Provide a structured report:
## Production Readiness Report ### Linting & Build | Check | Status | Notes | |-------|--------|-------| | Lint | PASS/FAIL | | | Types | PASS/FAIL | | | Tests | PASS/FAIL/SKIPPED | | | Build | PASS/FAIL | | ### Security | Check | Status | Notes | |-------|--------|-------| | Sensitive files | CLEAR/FOUND | | | Hardcoded secrets | CLEAR/FOUND | | | Dangerous patterns | CLEAR/FOUND | List any | | Auth coverage | VERIFIED/NEEDS REVIEW | | ### Edge Cases & Error Handling | Check | Status | Notes | |-------|--------|-------| | Error handling | ADEQUATE/NEEDS WORK | | | Input validation | PRESENT/MISSING | | | Debug artifacts | CLEAR/FOUND | Counts | ### Configuration | Check | Status | Notes | |-------|--------|-------| | Env vars documented | YES/NO | | | Hardcoded URLs | CLEAR/FOUND | | ### Dependencies | Check | Status | Notes | |-------|--------|-------| | Vulnerabilities | X critical, Y high | | | Outdated | X major updates available | | ### Blockers (must fix before deploy) - [List any blockers] ### Warnings (should address) - [List warnings] ### Recommendation [READY TO DEPLOY / FIX BLOCKERS FIRST / NEEDS SIGNIFICANT WORK]
CONSTRAINTS
- •Run all official linting tools - Don't manually lint, but run eslint/ruff/etc.
- •Security issues are blockers - Secrets, vulnerabilities, and dangerous patterns must be fixed
- •Don't auto-fix issues - Report findings for the user to decide
- •Adapt to project type - Skip inapplicable checks (no Python tooling for JS projects)
- •Be thorough but efficient - Use grep patterns to scan, then review flagged areas