Ship confidently. An automated production readiness scanner for any codebase.
Run one command. Get a full report. Know exactly what's missing before you deploy.
This skill scans your codebase β detects your stack, checks for security issues, missing configs, and best practice violations β and produces a detailed pass/fail report. No manual input needed. It reads your code and tells you what's wrong, with file paths and line numbers.
780 checklist items across 6 deployment types. Based on Google SRE, AWS Well-Architected, PCI DSS v4.0, OWASP, and WCAG 2.2.
You type: /production-checklist
The skill: 1. Scans your project files to detect the stack
2. Loads the right checklist (web? API? mobile? payment?)
3. Greps your code for issues (hardcoded secrets, missing headers, etc.)
4. Produces a report:
ββββββββββββββββββββββββββββββββββββββββ
β PRODUCTION READINESS SCAN REPORT β
ββββββββββββββββββββββββββββββββββββββββ
π΄ CRITICAL
1. β FAIL β Hardcoded API key in source code
src/config.ts:14 β const API_KEY = "sk_live_..."
Fix: Move to .env, add .env* to .gitignore
2. β
PASS β HTTPS enforced
nginx.conf:3 β redirect 301 https://...
3. β οΈ MANUAL β SSL certificate auto-renewal
Cannot verify from code β check your host
SCORECARD: 12/15 critical passed | VERDICT: β οΈ NOT READY
You say: "Fix all critical issues"
The skill: Applies actual code fixes.
That's it. One prompt. One report. Optional auto-fix.
The easiest way β works with 45+ coding agents including Claude Code, Cursor, Windsurf, Codex, and more.
# Install to your project (team can use it too)
npx skills add Shawnchee/preflight-skill
# Install globally (available in all your projects)
npx skills add Shawnchee/preflight-skill -g
# Install to a specific agent only
npx skills add Shawnchee/preflight-skill -a claude-code
npx skills add Shawnchee/preflight-skill -a cursor
npx skills add Shawnchee/preflight-skill -a windsurf
# Preview what's available before installing
npx skills add Shawnchee/preflight-skill --list
# CI/CD-friendly (no prompts)
npx skills add Shawnchee/preflight-skill -g -a claude-code -ygit clone https://github.com/Shawnchee/preflight-skill.gitThen copy the production-checklist/ folder to your agent's skills directory:
| Agent | Project-level | Global |
|---|---|---|
| Claude Code | .claude/skills/ |
~/.claude/skills/ |
| Cursor | .cursor/skills/ |
~/.cursor/skills/ |
| Windsurf | .windsurf/skills/ |
~/.windsurf/skills/ |
| Codex / OpenCode | .codex/skills/ |
~/.codex/skills/ |
| Gemini CLI | .gemini/skills/ |
~/.gemini/skills/ |
Note: Skill directory paths may vary by agent version. Claude Code paths are verified; other agent paths follow the emerging SKILL.md standard and may need adjustment.
Example:
# Project-level (just this repo)
cp -r preflight-skill/production-checklist .claude/skills/
# Global (all your projects)
cp -r preflight-skill/production-checklist ~/.claude/skills/# Via skills.sh
npx skills remove production-checklist
# Manual
rm -rf .claude/skills/production-checklistCurrent version: 2.1.0 (changelog)
# Via skills.sh
npx skills update production-checklist
# Manual
cd preflight-skill && git pull
cp -r production-checklist/ ~/.claude/skills/production-checklist/Just tell your coding agent you want a production check. Any of these work:
/production-checklist
"Run the production checklist"
"Is my app production-ready?"
"Preflight check before deploy"
"Check if this is ready to ship"
The skill auto-detects your stack from the files in your project. You don't need to specify what you're building.
| If your project has... | It runs the... |
|---|---|
package.json with React/Next/Vue/Svelte |
Web frontend checklist |
Podfile, build.gradle, pubspec.yaml |
Mobile app checklist |
server.js, manage.py, go.mod, route files |
Backend API checklist |
*.sol, foundry.toml, hardhat.config.* |
Smart contract checklist |
| Stripe/PayPal/Adyen in dependencies | Payment system checklist |
*.tf, Dockerfile, k8s/, CI configs |
Infrastructure checklist |
Full-stack projects? It detects multiple types and runs all relevant checklists. A Next.js app with Express backend and Stripe gets all three.
| Type | Items | What it checks |
|---|---|---|
| Web / Frontend | 144 | Security headers, CSP, CORS, HTTPS, XSS, OWASP, auth tokens, Core Web Vitals, SEO, WCAG 2.2 accessibility, i18n, payment frontend (PCI DSS 4.0), GDPR/CCPA |
| Mobile (iOS & Android) | 123 | App Store / Play Store compliance, code signing, certificate pinning, binary security, in-app purchases, subscription lifecycle, crash reporting, accessibility |
| Backend API | 148 | Auth (OAuth/JWT/MFA), injection prevention (SQL, NoSQL, SSRF, XXE), rate limiting, SLOs, distributed tracing, circuit breakers, data compliance, microservices |
| Smart Contract (EVM) | 108 | Audit readiness, reentrancy, fuzz testing, multi-sig, gas optimization, oracle security, flash loans, MEV, DeFi checks, cross-chain |
| Payment & Financial | 112 | PCI DSS v4.0, tokenization, double-entry bookkeeping, fraud detection, reconciliation, multi-currency, tax, subscriptions, KYC/AML, SOX audit |
| Infrastructure & SRE | 145 | IaC, container security, Kubernetes, IAM, secrets management, disaster recovery (RTO/RPO), capacity planning, chaos engineering, incident management |
Total: 780 items β every one is a concrete, verifiable check. No fluff.
The skill is designed to be token-efficient. Here's what it actually costs:
| Scenario | Tokens used | Approximate cost |
|---|---|---|
| Single type (e.g., just a web app) | ~12,000 | ~$0.04 (Sonnet) / ~$0.18 (Opus) |
| Two types (e.g., web + API) | ~22,000 | ~$0.07 (Sonnet) / ~$0.33 (Opus) |
| Three types (e.g., web + API + payment) | ~30,000 | ~$0.10 (Sonnet) / ~$0.45 (Opus) |
For context: A typical coding conversation where you ask "fix this bug" uses 20,000-50,000 tokens. This skill uses about the same as reading one large source file.
- Only loads what's needed β if you have a web app, it only loads the web checklist (not all 6)
- Targeted scanning β greps for specific patterns, doesn't read every file in your repo
- Single report β one prompt in, one report out. No back-and-forth
| Component | Tokens | Why |
|---|---|---|
| Skill instructions | ~1,400 | Tells the agent what to do |
| Checklist reference | ~3,000-5,000 | The actual items to check (per type) |
| Code scanning | ~4,000-7,000 | Reading your configs, grepping for patterns |
| Report output | ~3,000-5,000 | The detailed pass/fail report |
production-checklist/
βββ SKILL.md β Instructions for the agent (what to scan, how to report)
βββ references/
βββ web.md β 144 items: web/frontend checks
βββ mobile.md β 123 items: iOS & Android checks
βββ api.md β 148 items: backend API checks
βββ smart-contract.md β 108 items: Solidity/EVM checks
βββ payment.md β 112 items: payment & financial checks
βββ infrastructure.md β 145 items: infra & SRE checks
- SKILL.md is read by the agent β it contains the scanning instructions
- The agent globs your project to detect what stack you're using
- It loads only the matching reference file(s) β not all 6
- It scans your code using grep/read/glob for each checklist item
- It produces one report with every item marked β
PASS / β FAIL /
β οΈ MANUAL - It offers to fix any failing items with actual code changes
Each reference file is independent β no cross-file dependencies.
This checklist was compiled from industry-leading production readiness standards:
| Standard | What it covers | Version |
|---|---|---|
| Google SRE Book | Production readiness review, launch checklist | β |
| AWS Well-Architected | 6-pillar cloud architecture review | 2024 |
| PCI DSS | Payment card security | v4.0 |
| OWASP ASVS | Application security verification | v5.0 |
| OWASP Top 10 | Most critical web security risks | 2025 |
| WCAG | Web accessibility guidelines | 2.2 |
| Stripe PCI Guide | Developer PCI compliance | β |
Last reviewed: April 2026.
Any developer or team shipping to production. The checks range from basics (is HTTPS on?) to FAANG-grade (are your SLOs defined? is your error budget tracked?). It's useful whether you're a solo dev or a platform team at a large company.
Not unless you ask it to. The scan is read-only. After the report, it offers to fix failing items β but only if you say yes.
The 6 types cover the vast majority of production deployments. If you're deploying something else (ML model, data pipeline, desktop app), the skill will still check general items from the closest matching type. We're adding more types in future versions.
Yes. It scans from the project root and detects multiple types. A monorepo with a React frontend, Express API, and Terraform infra will get all three checklists.
Yes β each references/*.md file is plain markdown. Add, remove, or modify items to match your org's standards. The format is just - [ ] Item description (fix hint).
PRs welcome! Each references/*.md file is self-contained.
- Add items: Follow the format
- [ ] Item description (fix hint in parens) - New deployment type: Create
references/your-type.mdwith π΄/π‘/π’ tiers, add signals toSKILL.md - Update existing: Fix outdated references, add new best practices, improve fix hints
Severity tiers: π΄ = causes real damage if missed. π‘ = causes pain within a week. π’ = best practice.
| Version | Feature |
|---|---|
| v2.2 | nextjs.md β Next.js-specific checks (ISR, edge runtime, middleware, App Router) |
| v2.3 | supabase.md β Supabase production hardening (RLS policies, backups, connection pooling) |
| v2.4 | data-pipeline.md β ML model and data pipeline deployment checks |
| v3.0 | Auto-remediation β agent detects and fixes common issues automatically |
MIT