Shipflash logoDocs

Production Checklists

Use these checklists before shipping changes that touch data access, webhooks, cron jobs, outbox delivery, billing, email, deployment, or logs.

On this page

Production safety source map

RLS, grants, and schema invariants

Migrations define durable database access rules and generated types keep application code aligned.

  • supabase/migrations/20260426000000_init.sql
  • src/lib/supabase/types.ts

Webhook verification and event claiming

Provider callbacks must verify signatures, preserve request context, claim event rows, and tolerate duplicates.

  • src/lib/security/webhooks/request.ts
  • src/lib/security/webhooks/processing.ts
  • src/app/api/webhooks/stripe/billing/route.ts

Cron and outbox processing

Scheduled work must authenticate with the cron secret, process bounded batches, and keep retry state visible.

  • src/lib/security/cron-secret.ts
  • src/features/notifications/server/outbox/services/worker.ts
  • src/features/notifications/server/outbox/services/cron.ts

Billing and notification readiness

Provider setup, catalog state, templates, and delivery transports should fail early before customers hit broken flows.

  • src/features/billing/server/runtime/readiness.ts
  • src/features/billing/server/catalog/configuration.ts
  • src/features/notifications/server/delivery/registry.ts

RLS and grants

  • Confirm every user-facing table has an intentional RLS posture before UI or API reads it.
  • Keep service-role reads in trusted server modules only.
  • Prefer schema constraints for durable ownership, uniqueness, status, and foreign-key invariants.
  • Regenerate generated Supabase types after migration changes.
  • Run migration contract checks before deployment.

Webhooks and idempotency

  • Validate provider signatures before parsing business logic.
  • Persist the provider event id and request id before dispatch.
  • Claim work atomically so duplicate delivery cannot double-apply billing or notification state.
  • Do not assume provider event ordering.
  • Log stable identifiers instead of raw provider payloads or secrets.

Cron, outbox, and retries

  • Protect scheduled routes with Authorization: Bearer <CRON_SECRET>.
  • Use bounded batch sizes and retry limits.
  • Keep failed jobs queryable with useful status and error context.
  • Make the worker safe to rerun after a partial failure.
  • Smoke test cron routes in preview before enabling production schedules.

Billing, email, and deployment

  • Open billing setup and resolve every provider, catalog, webhook, and environment warning.
  • Send a test notification through the configured transport before relying on transactional email.
  • Use production webhook endpoints and signing secrets only for production deployments.
  • Confirm APP_URL points at the canonical HTTPS domain (NEXT_PUBLIC_SITE_URL is legacy fallback).
  • After deploy, smoke test auth, admin access, checkout, customer portal, email, cron, and logs with request ids.