Pre-deploy security checklist with ship-readiness score
Runs comprehensive security audit and generates deploy-readiness score with actionable recommendations.
/plugin marketplace add Rahat-ch/vibe-check
/plugin install rahat-ch-vibe-check@Rahat-ch/vibe-check
Final security validation before deployment.
Usage: /vibe-check:ship
Run all vibe-check scans and generate deploy-readiness assessment.
Execute all checks:
- /vibe-check:secrets - Secrets scan
- /vibe-check:rls - RLS analysis
- /vibe-check:auth - Auth review
- /vibe-check:deps - Dependency audit
Collect all findings.
Base Score: 100
Deductions:
Minimum score: 0
| Score | Status | Action |
|---|---|---|
| 90-100 | SHIP IT | Good to deploy |
| 70-89 | CAUTION | Fix high/critical before prod |
| 50-69 | RISKY | Address issues first |
| 0-49 | BLOCKED | Do not deploy |
Blocking Conditions (regardless of score):
Generate checklist with pass/fail:
## Pre-Deploy Checklist
### Secrets
- [ ] No hardcoded API keys in source
- [ ] .env files not tracked in git
- [ ] .gitignore includes .env*
- [ ] NEXT_PUBLIC_ vars are safe for public
### Supabase RLS
- [ ] RLS enabled on all tables
- [ ] No overly permissive policies (USING true)
- [ ] Policies reference auth.uid()
### Authentication
- [ ] API routes protected
- [ ] Middleware configured for /api/*
- [ ] Session validation on mutations
### Dependencies
- [ ] No critical vulnerabilities
- [ ] No high vulnerabilities
- [ ] Lock file present and committed
### Environment
- [ ] Production env vars set in hosting platform
- [ ] Development secrets not in production
- [ ] CORS configured correctly
Create VIBE_CHECK.md with full findings and checklist.
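One way to check the three Supabase RLS checklist items directly against the Postgres catalogs, as an added example that is not the plugin's own code. It assumes application tables live in the `public` schema and reads only the standard `pg_tables` and `pg_policies` views.

```sql
-- Added example: read-only catalog queries for the "Supabase RLS" checklist.
-- Assumption: application tables are in the "public" schema.
WITH app_tables AS (
    SELECT tablename::text AS tablename, rowsecurity
    FROM pg_tables
    WHERE schemaname = 'public'
),
policies AS (
    SELECT tablename::text  AS tablename,
           policyname::text AS policyname,
           cmd,
           -- qual is the USING expression; it is NULL for INSERT policies,
           -- which only carry WITH CHECK.
           coalesce(qual, '')       AS using_expr,
           coalesce(with_check, '') AS check_expr
    FROM pg_policies
    WHERE schemaname = 'public'
)
-- 1. RLS enabled on all tables
SELECT 'rls_disabled' AS finding, tablename,
       NULL::text AS policyname, NULL::text AS detail
FROM app_tables
WHERE NOT rowsecurity

UNION ALL
-- 2. No overly permissive policies (USING true)
SELECT 'permissive_policy', tablename, policyname,
       cmd || ': USING [' || using_expr || '] WITH CHECK [' || check_expr || ']'
FROM policies
WHERE lower(using_expr) = 'true' OR lower(check_expr) = 'true'

UNION ALL
-- 3. Policies reference auth.uid()
SELECT 'no_auth_uid', tablename, policyname, cmd
FROM policies
WHERE using_expr || ' ' || check_expr NOT LIKE '%auth.uid()%'

ORDER BY finding, tablename, policyname;
```

An empty result means all three items pass. A `no_auth_uid` row is a prompt for review rather than an automatic failure, since an intentionally public read policy will also match.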
Based on status, provide actionable guidance:
SHIP IT:
Ready to deploy! Consider:
- Enable Dependabot for ongoing security updates
- Set up monitoring for auth failures
- Schedule quarterly security reviews
CAUTION:
Address these before production:
1. [List high findings]
Can deploy to staging/preview for testing.
RISKY:
Fix these issues first:
1. [List all findings by severity]
Deploy only to isolated test environments.
BLOCKED:
STOP - Do not deploy!
Critical issues found:
1. [List critical findings]
These must be fixed immediately.
Exposed secrets should be rotated NOW.
╔════════════════════════════════════════╗
║            VIBE CHECK: SHIP            ║
╠════════════════════════════════════════╣
║                                        ║
║  Deploy Readiness Score: 85/100        ║
║  Status: CAUTION                       ║
║                                        ║
╠════════════════════════════════════════╣
║  Findings:                             ║
║  ├─ Critical: 0                        ║
║  ├─ High: 2                            ║
║  ├─ Medium: 3                          ║
║  └─ Low: 1                             ║
╠════════════════════════════════════════╣
║                                        ║
║  Fix 2 HIGH issues before prod deploy  ║
║  See VIBE_CHECK.md for details         ║
║                                        ║
╚════════════════════════════════════════╝
If user wants to address issues:
Would you like me to help fix these issues?
- [Fix all auto-fixable] (npm audit fix, add .gitignore entries)
- [Show fix for specific issue]
- [Skip - I'll fix manually]