CROP
Shared

Production Pre-Deployment Checklist

> Purpose: This checklist ensures that code changes are production-ready before deployment. > Target: Bun + Hono + TypeScript monorepo ()

Production Pre-Deployment Checklist

Purpose: This checklist ensures that code changes are production-ready before deployment. Target: Bun + Hono + TypeScript monorepo (crop-microservices)

1. Security & Secrets

1.1 No Hard-Coded Secrets

  • No API keys, tokens, or passwords in source code
  • No secrets in configuration files (JSON, YAML, TOML)
  • No secrets in test files or fixtures
  • All secrets loaded from environment variables or secret manager
  • No .env files committed (check .gitignore)

1.2 Authentication & Authorization

  • All endpoints have proper authentication checks
  • Authorization rules enforce least-privilege access
  • No debug/backdoor endpoints in production code
  • Rate limiting configured for public endpoints

1.3 Input Validation & Sanitization

  • All user inputs are validated (type, format, range)
  • SQL injection protection (parameterized queries)
  • XSS prevention (output encoding, CSP headers)
  • File upload validation (type, size, content)
  • Command injection prevention (no shell execution with user input)

2. Code Quality & Testing

2.1 Type Safety

  • No any types without justification
  • TypeScript strict mode enabled
  • All functions have return type annotations
  • No type assertions (as) without safety checks

2.2 Error Handling

  • All async operations have proper error handling
  • No unhandled promise rejections
  • Errors logged with sufficient context
  • User-facing errors don't leak sensitive info
  • HTTP error codes match actual error scenarios

2.3 Testing

  • New features have unit tests
  • Critical paths have integration tests
  • All tests pass locally (bun test)
  • No skipped/disabled tests without documented reason
  • Test coverage for edge cases and error scenarios

3. Performance & Scalability

3.1 Database Queries

  • No N+1 query problems
  • Proper indexes on queried fields
  • Pagination for large result sets
  • Query timeouts configured
  • Connection pooling configured correctly

3.2 API Efficiency

  • Response payloads are reasonably sized
  • Heavy operations run asynchronously
  • Caching used where appropriate
  • Rate limiting prevents abuse

3.3 Memory & Resources

  • No memory leaks (streams closed, listeners removed)
  • File handles properly closed
  • Timeouts set for external API calls
  • Graceful shutdown handlers implemented

4. Observability & Monitoring

4.1 Logging

  • Appropriate log levels (error, warn, info, debug)
  • Structured logging (JSON format preferred)
  • No sensitive data in logs (PII, secrets, tokens)
  • Request IDs for tracing distributed requests
  • Critical operations logged with context

4.2 Metrics & Alerts

  • Key business metrics instrumented
  • Error rates tracked
  • Performance metrics (latency, throughput)
  • Alerts configured for critical failures

5. API & Integration Contracts

5.1 API Design

  • OpenAPI/Swagger documentation up-to-date
  • Breaking changes avoided or properly versioned
  • Backward compatibility maintained
  • Response schemas documented and validated
  • Proper HTTP methods (GET, POST, PUT, DELETE, PATCH)

5.2 External Dependencies

  • Third-party API failures handled gracefully
  • Circuit breakers for flaky services
  • Retry logic with exponential backoff
  • Fallback strategies for critical paths

6. Configuration & Environment

6.1 Environment Variables

  • All required env vars documented
  • Default values set for non-sensitive configs
  • Environment-specific configs separated
  • No development-only code in production paths

6.2 Feature Flags

  • New features behind feature flags if needed
  • Flag states documented
  • Rollback plan for feature flag changes

7. Deployment & Infrastructure

7.1 Docker & Containers

  • Dockerfile uses non-root user
  • Multi-stage builds for smaller images
  • Health check endpoint implemented
  • Readiness probe configured
  • Resource limits defined (CPU, memory)

7.2 Cloud Run / GCP

  • Service configuration reviewed
  • Auto-scaling parameters set appropriately
  • IAM permissions follow least privilege
  • Secrets managed via Secret Manager

7.3 CI/CD Pipeline

  • All pipeline checks pass (lint, test, build)
  • Pre-commit hooks executed
  • Dependency security scan (e.g., bun audit)
  • Docker image security scan (e.g., Trivy)

8. Data & Migrations

8.1 Database Migrations

  • Migration scripts tested in staging
  • Rollback plan exists
  • Backward-compatible schema changes
  • Data integrity constraints maintained

8.2 Data Handling

  • No destructive operations without confirmation
  • Bulk operations batched appropriately
  • Data retention policies respected
  • GDPR/privacy compliance maintained

9. Documentation

9.1 Code Documentation

  • Complex logic explained with comments
  • Public APIs have JSDoc/TSDoc
  • README updated if behavior changes
  • Breaking changes documented in changelog

9.2 Runbooks & Procedures

  • Deployment runbook updated
  • Rollback procedure documented
  • Known issues and workarounds listed
  • On-call escalation paths clear

10. Final Checks

10.1 Pre-Deployment

  • Peer review completed and approved
  • Smoke tests passed in staging
  • Load tests passed (if applicable)
  • Rollback plan prepared

10.2 Post-Deployment

  • Health check endpoints returning 200 OK
  • Key metrics within expected ranges
  • No error spikes in logs or APM
  • Stakeholders notified of deployment

Quick Command Reference

# Run all tests
bun test

# Type check
bun run typecheck

# Lint and format
bun run lint
bun run format

# Security audit
bun audit
trivy image <image-name>

# Build all services
bun run build

Severity Levels

When reviewing this checklist:

  • ❌ BLOCKER: Must be fixed before production. Security risk or critical bug.
  • ⚠️ WARNING: Should be fixed but can ship with documented risk. Technical debt or minor issue.
  • ✅ PASS: Item meets production standards.

Last Updated: 2025-01-16 Owner: Engineering Team Review Frequency: Before every production deployment

Shared Documentation

Cross-project documentation used across multiple CROP applications.

GCP Infrastructure & API Gateway Plan

Date: 2025-12-05 Status: In Progress Environment: Development (all services = prod, separation only in database: dev/stage/prod)

On this page

Production Pre-Deployment Checklist1. Security & Secrets1.1 No Hard-Coded Secrets1.2 Authentication & Authorization1.3 Input Validation & Sanitization2. Code Quality & Testing2.1 Type Safety2.2 Error Handling2.3 Testing3. Performance & Scalability3.1 Database Queries3.2 API Efficiency3.3 Memory & Resources4. Observability & Monitoring4.1 Logging4.2 Metrics & Alerts5. API & Integration Contracts5.1 API Design5.2 External Dependencies6. Configuration & Environment6.1 Environment Variables6.2 Feature Flags7. Deployment & Infrastructure7.1 Docker & Containers7.2 Cloud Run / GCP7.3 CI/CD Pipeline8. Data & Migrations8.1 Database Migrations8.2 Data Handling9. Documentation9.1 Code Documentation9.2 Runbooks & Procedures10. Final Checks10.1 Pre-Deployment10.2 Post-DeploymentQuick Command ReferenceSeverity Levels