Skill

verify-deploy

Post-deploy verification for web apps. Checks URL stability (redirect loops), console errors, CORS preflight validation, and HTTP health. Use this skill AFTER deploying a web app — trigger on "verify deploy", "check deploy", "smoke test", "is the site working", or when a deploy task just completed and verification is needed. This skill is meant to be called optionally after deployments, not automatically on every task.

Install

npx claudepluginhub ekelhaft-tools/forge-cursor

Tool Access

This skill uses the workspace's default tool permissions.

Preview

This skill verifies that a deployed web application actually works in production. It catches the class of bugs that pass all tests but break in the real environment — redirect loops, missing CORS headers, empty env vars baked into bundles, stale assets.

Supporting Assets

scripts/check-cors.sh

SKILL.md

Similar Skills

using-git-worktrees

Creates isolated Git worktrees for feature branches with prioritized directory selection, gitignore safety checks, auto project setup for Node/Python/Rust/Go, and baseline verification.

superpowers

168.3k

subagent-driven-development

3 files

Executes implementation plans in current session by dispatching fresh subagents per independent task, with two-stage reviews: spec compliance then code quality.

superpowers

168.3k

dispatching-parallel-agents

Dispatches parallel agents to independently tackle 2+ tasks like separate test failures or subsystems without shared state or dependencies.

superpowers

168.3k

Stats

Stars0

Forks0

Last CommitApr 24, 2026

Actions

View Source View Plugin View on GitHub View README

Post-Deploy Verification

When to use

Call this skill after deploying a web app when you want to verify it works. It's optional — not every deploy needs a full smoke test, but it's invaluable when:

Auth flows or OAuth redirects are involved
Cross-origin API calls are part of the app
Env vars are baked in at build time
The deploy target changed or infrastructure was modified

Verification Steps

Run these checks in order. Stop at the first hard failure and report it.

1. HTTP Health Check

curl -sI <deployed-url> | head -20

Expect HTTP 200. If you get 404, 502, or 503, the deploy itself failed — no point checking further.

2. URL Stability (Redirect Loop Detection)

Using Chrome MCP:

Navigate to the deployed URL
Wait 5 seconds
Check if the URL changed
Wait another 3 seconds
Check again

If the URL keeps changing (especially with ?code=, ?state=, or auth-related params cycling), that's a redirect loop. Report the pattern you see.

Common causes:

OAuth callback not consuming the auth code before re-triggering login
isAuthenticating state not set synchronously before first render
Auto-login in a component that mounts before the token exchange completes

3. Console Error Check

Using Chrome MCP read_console_messages:

Navigate fresh to the URL (or reload)
Wait for page load (3-5s)
Read console with onlyErrors: true
Also check for excessive logging (>50 messages in 5s = something is spamming)

Report any errors. Common production issues:

TypeError: Cannot read properties of undefined — missing env var
Failed to fetch — CORS or network issue
sentry-trace related — Sentry distributed tracing headers not allowed by CORS

4. CORS Preflight Validation

For each known cross-origin endpoint pair, send an OPTIONS preflight and validate the response headers.

# Template for each endpoint
curl -sI -X OPTIONS <backend-url> \
  -H "Origin: <frontend-origin>" \
  -H "Access-Control-Request-Method: POST" \
  -H "Access-Control-Request-Headers: authorization,content-type,sentry-trace,baggage" \
  | grep -i "access-control"

Check that the response includes:

Access-Control-Allow-Origin matching the frontend origin (or *)
Access-Control-Allow-Headers including ALL requested headers (especially sentry-trace and baggage if Sentry is integrated)
Access-Control-Allow-Methods including the required method

If any header is missing, the browser will silently block the request after the preflight — this is the sneakiest class of deploy bugs because there are often no visible errors.

5. Network Request Validation (if Chrome MCP available)

After page load, check network requests:

Are the expected API calls being made?
Are any returning 401, 403, or CORS errors?
Are there pending requests that never resolve?

6. Bundle Inspection (optional, for env var issues)

If the app seems broken but no errors are visible, check what's actually in the deployed bundle:

ssh <server> "strings <deploy-path>/assets/index-*.js | grep -i '<expected-env-value>'"

This catches the "empty VITE_* env var" bug — the app builds fine but the runtime URLs are empty.

Endpoint Registry

For projects with known cross-origin dependencies, maintain an endpoint registry. For the ekelhaft ecosystem:

Frontend	Backend	Endpoint	Required Headers
buschfunk.edge.ekelhaft.tools	auth.edge.ekelhaft.tools	/token	authorization, content-type, sentry-trace, baggage
buschfunk.edge.ekelhaft.tools	scraper.edge.ekelhaft.tools	/api/*	authorization, content-type, sentry-trace, baggage

When adding new cross-origin dependencies, update this table.

Reporting

After all checks, produce a summary:

Deploy Verification: <URL>
========================
HTTP Health:     PASS (200)
URL Stability:   PASS (stable after 8s)
Console Errors:  PASS (0 errors, 3 info messages)
CORS Preflights: PASS (2/2 endpoints valid)
Network:         PASS (all API calls successful)

Result: ALL CHECKS PASSED

Or on failure:

Deploy Verification: <URL>
========================
HTTP Health:     PASS (200)
URL Stability:   FAIL - URL cycling with ?code= params (redirect loop)
Console Errors:  SKIPPED (page unresponsive)
CORS Preflights: SKIPPED
Network:         SKIPPED

Result: FAILED - Redirect loop detected
Likely cause: OAuth callback not consuming auth code before re-triggering login

If a Linear issue ID is available, post the result as a comment on the issue.

Integration with Forge

This skill is designed to be called optionally after Forge deploy tasks. When a Forge task includes a deploy step, the orchestrator can invoke this skill to verify the deploy worked. It's not mandatory — use it when the deploy involves auth flows, cross-origin calls, or infrastructure changes where silent failures are likely.