PRODUCTION READY

Perform a production-readiness audit before deployment. Verify the codebase meets security, reliability, and quality standards.

PHASE 1: RUN OFFICIAL LINTING & BUILD CHECKS

Run all available project tooling. Every check must pass before deployment.

Detect project type and run ALL applicable commands:

JavaScript/TypeScript projects:

pnpm lint          # ESLint / project linter
pnpm typecheck     # or: tsc --noEmit
pnpm test          # full test suite
pnpm build         # production build must succeed
pnpm audit         # dependency vulnerabilities

Python projects:

ruff check .       # or: pylint src/ OR flake8
mypy .             # type checking
pytest             # full test suite
pip-audit          # dependency vulnerabilities

Go projects:

go vet ./...
golangci-lint run
go test ./...

Rust projects:

cargo clippy -- -D warnings
cargo test
cargo audit

If a command doesn’t exist (e.g., no typecheck script), skip it and note that in the report.

All checks must pass. If any fail, document the failures – they must be addressed before deployment.

PHASE 2: SECURITY AUDIT

2.1 Sensitive Files in Repository

Check for files that should NEVER be committed:

# Files that shouldn't be in git
git ls-files | rg -i '\.(env|pem|key|p12|pfx|sqlite|db)$' | rg -v '\.example|\.sample|\.template'

# Credentials and secrets files
git ls-files | rg -i 'credentials|secrets|private.*key|id_rsa|\.keystore'

# Check .gitignore covers common sensitive patterns
cat .gitignore 2>/dev/null | rg -q '\.env' || echo "WARNING: .env not in .gitignore"

Any sensitive files found = BLOCKER. They must be removed and rotated.

2.2 Hardcoded Secrets

Scan for secrets that should be environment variables:

# API keys and tokens (look for actual values, not variable names)
rg -i '(api[_-]?key|api[_-]?secret|auth[_-]?token|access[_-]?token)\s*[=:]\s*["\047][A-Za-z0-9_\-]{16,}' -g '!*.lock' -g '!node_modules' -g '!*.md'

# AWS keys pattern
rg 'AKIA[0-9A-Z]{16}' -g '!*.lock' -g '!node_modules'

# Private keys embedded in code
rg 'BEGIN (RSA |DSA |EC |OPENSSH )?PRIVATE KEY' -g '!*.lock' -g '!node_modules'

# Connection strings with credentials
rg -i '(mongodb|postgres|mysql|redis)://[^:]+:[^@]+@' -g '!*.lock' -g '!node_modules' -g '!*.md'

2.3 Dangerous Code Patterns

# eval/exec with potential user input
rg '\b(eval|exec)\s*\(' --type ts --type js --type py

# SQL injection risks (string concatenation in queries)
rg -i '(query|execute)\s*\(\s*[`"\047].*\+|\$\{' --type ts --type js --type py

# Command injection risks
rg -i '(child_process|subprocess|os\.system|shell_exec)\s*\(' --type ts --type js --type py

# innerHTML / dangerouslySetInnerHTML without sanitization
rg '(innerHTML|dangerouslySetInnerHTML)' --type ts --type js --type tsx

# Disabled security features
rg -i 'verify\s*[=:]\s*false|rejectUnauthorized\s*[=:]\s*false' --type ts --type js --type py

2.4 Authentication & Authorization

Review these areas in the codebase:

• API routes – Do all sensitive endpoints have auth guards?
• Role checks – Are permissions verified before sensitive operations?
• Token handling – Are tokens stored securely (not localStorage for sensitive apps)?

# Find API route definitions to verify auth coverage
rg '(app\.(get|post|put|delete|patch)|router\.(get|post|put|delete|patch)|@(Get|Post|Put|Delete|Patch))' --type ts --type js -l

# Find auth middleware/decorators
rg -i '(auth|protect|guard|middleware|@Authorized|@Auth|requireAuth)' --type ts --type js --type py -l

PHASE 3: EDGE CASE & ERROR HANDLING

3.1 Unhandled Errors

# Async functions - check for try-catch or .catch()
rg 'async\s+\w+\s*\([^)]*\)\s*\{' --type ts --type js -l

# Empty catch blocks (swallowing errors)
rg 'catch\s*\([^)]*\)\s*\{\s*\}' --type ts --type js

# Promises without .catch()
rg '\.then\s*\([^)]+\)\s*[^.]' --type ts --type js

# Unhandled promise rejection risk
rg 'new Promise\s*\(' --type ts --type js -l

Review the files found to ensure proper error handling exists.

3.2 Null/Undefined Handling

# Optional chaining opportunities (potential null access)
rg '\w+\.\w+\.\w+' --type ts --type js | head -20

# Check for nullish coalescing and optional chaining usage
rg '(\?\.|\ \?\?)' --type ts --type js --count || echo "Limited null-safety patterns found"

3.3 Input Validation

# API endpoints - verify input validation exists
rg '(req\.body|req\.params|req\.query|request\.json)' --type ts --type js --type py -l

# Check for validation libraries in use
rg -i '(zod|yup|joi|class-validator|pydantic|marshmallow)' --type ts --type js --type py -l || echo "No validation library detected"

3.4 Debug & Development Artifacts

# Console statements (excessive logging in production)
rg 'console\.(log|debug|trace|info)' --type ts --type js --count

# Debugger statements (must be zero)
rg '\bdebugger\b' --type ts --type js

# Debug flags
rg -i 'DEBUG\s*[=:]\s*true|VERBOSE\s*[=:]\s*true' -g '!node_modules'

# TODO/FIXME in critical code
rg '(TODO|FIXME|HACK|XXX):?' --type ts --type js --type py --count

Debugger statements = BLOCKER. Console.logs should be minimal. TODOs should be reviewed if in critical paths.

PHASE 4: CONFIGURATION & ENVIRONMENT

4.1 Environment Variables

# Find all env var usage
rg '(process\.env|import\.meta\.env|os\.environ|os\.getenv)' --type ts --type js --type py -l

# Check .env.example exists and documents required vars
ls -la .env.example .env.sample 2>/dev/null || echo "WARNING: No .env.example file"

# Verify no .env files committed
git ls-files | rg '^\.env$|^\.env\.(local|production|development)$'

4.2 Hardcoded Configuration

# Localhost/staging URLs that should be env vars
rg -i '(localhost|127\.0\.0\.1|staging\.|\.local)' --type ts --type js --type py -g '!*.test.*' -g '!*.spec.*' -g '!node_modules'

# Hardcoded ports
rg ':\d{4,5}["\047/]' --type ts --type js -g '!node_modules' -g '!*.lock'

4.3 Third-Party Integrations

Verify production configuration for:

• API endpoints pointing to production (not staging/sandbox)
• Webhook URLs configured for production
• Analytics/monitoring enabled

PHASE 5: DEPENDENCY HEALTH

5.1 Vulnerability Audit

# JavaScript
pnpm audit --audit-level=high

# Python
pip-audit

# Go
govulncheck ./...

# Rust
cargo audit

Critical or high severity vulnerabilities = BLOCKER unless documented with mitigation.

5.2 Outdated Dependencies

# Check for significantly outdated packages
pnpm outdated 2>/dev/null || npm outdated 2>/dev/null

# Python
pip list --outdated 2>/dev/null

Note major version updates that may be needed.

OUTPUT REPORT

Provide a structured report:

## Production Readiness Report

### Linting & Build
| Check | Status | Notes |
|-------|--------|-------|
| Lint | PASS/FAIL | |
| Types | PASS/FAIL | |
| Tests | PASS/FAIL/SKIPPED | |
| Build | PASS/FAIL | |

### Security
| Check | Status | Notes |
|-------|--------|-------|
| Sensitive files | CLEAR/FOUND | |
| Hardcoded secrets | CLEAR/FOUND | |
| Dangerous patterns | CLEAR/FOUND | List any |
| Auth coverage | VERIFIED/NEEDS REVIEW | |

### Edge Cases & Error Handling
| Check | Status | Notes |
|-------|--------|-------|
| Error handling | ADEQUATE/NEEDS WORK | |
| Input validation | PRESENT/MISSING | |
| Debug artifacts | CLEAR/FOUND | Counts |

### Configuration
| Check | Status | Notes |
|-------|--------|-------|
| Env vars documented | YES/NO | |
| Hardcoded URLs | CLEAR/FOUND | |

### Dependencies
| Check | Status | Notes |
|-------|--------|-------|
| Vulnerabilities | X critical, Y high | |
| Outdated | X major updates available | |

### Blockers (must fix before deploy)
- [List any blockers]

### Warnings (should address)
- [List warnings]

### Recommendation
[READY TO DEPLOY / FIX BLOCKERS FIRST / NEEDS SIGNIFICANT WORK]

CONSTRAINTS

• Run all official linting tools – Don’t manually lint, but run eslint/ruff/etc.
• Security issues are blockers – Secrets, vulnerabilities, and dangerous patterns must be fixed
• Don’t auto-fix issues – Report findings for the user to decide
• Adapt to project type – Skip inapplicable checks (no Python tooling for JS projects)
• Be thorough but efficient – Use grep patterns to scan, then review flagged areas