Step 1 of 5
Audit environment and config
Dev leftovers are the classic production faceplant.
Audit environment readiness. Check: no hardcoded localhost/dev URLs or ports in frontend or backend code (all from env vars); secrets only in environment config, none in the repo or bundle; debug modes/verbose logging off for production; CORS configured for the real origin; error pages not exposing stack traces; dependency lockfiles consistent. Fix every finding and list file-by-file changes.
Expected after this step
A clean config audit: env-driven URLs, no secrets, prod modes on.
Should not happen
- ✕localhost URLs shipped in frontend calls
- ✕One backend hiccup white-screening the app
- ✕Test users and lorem data visible to real users
- ✕Ship decisions made without listing known risks
Verify before continuing
Do not move on until every check is true. The complete button stays locked until then.
Do not continue if…
- !localhost URLs shipped in frontend calls
- !One backend hiccup white-screening the app
- !Test users and lorem data visible to real users
- !Ship decisions made without listing known risks
If the AI messes this up
Use this when the AI fakes progress or breaks the feature. It forces a real fix.
Hardcoded URLs remain 'because it works'. Replace every one with the environment variable and verify the app still works through the configured values.