# Pre-Deployment Security Checklist

---

## Header

**Project:** [Name of the project or directory assessed]
**Assessment date:** [ISO 8601 — e.g. 2026-02-19]
**Assessed by:** llm-security plugin v[X.X] — pre-deploy checklist
**Mode:** Pre-deployment checklist

---

## Score Summary

**Passed: X/10 automated checks**

```
[========--] 8/10
```

**Verdict:** [Ready for deployment / Nearly ready / Not ready]

---

## Automated Checks

Status values: PASS — control confirmed | FAIL — control absent or broken | WARN — partial or unverified | N/A — not applicable

| # | Check | Status | Detail |
|---|-------|--------|--------|
| 1 | Deny-first permissions | [PASS/FAIL/WARN/N/A] | [finding detail] |
| 2 | Secrets hook active | [PASS/FAIL/WARN/N/A] | [finding detail] |
| 3 | Path guard active | [PASS/FAIL/WARN/N/A] | [finding detail] |
| 4 | Destructive command guard | [PASS/FAIL/WARN/N/A] | [finding detail] |
| 5 | MCP servers verified | [PASS/FAIL/WARN/N/A] | [finding detail] |
| 6 | No hardcoded secrets | [PASS/FAIL/WARN/N/A] | [finding detail] |
| 7 | .gitignore covers secrets | [PASS/FAIL/WARN/N/A] | [finding detail] |
| 8 | CLAUDE.md security docs | [PASS/FAIL/WARN/N/A] | [finding detail] |
| 9 | Sandbox enabled | [PASS/FAIL/WARN/N/A] | [finding detail] |
| 10 | Audit logging configured | [PASS/FAIL/WARN/N/A] | [finding detail] |

---

## Manual Verification

Answers provided by the user during the assessment session.

- [ ] **Enterprise plan:** [user answer]
- [ ] **DPIA completed:** [user answer]
- [ ] **Incident response plan:** [user answer]

---

## Recommendations

FAIL items are listed first (blocking), followed by WARN items (advisory). Items with PASS or N/A status are omitted.

| Priority | Check # | Action | Effort |
|----------|---------|--------|--------|
| FAIL | [#] | [Specific remediation step for the failed check] | [Low / Medium / High] |
| FAIL | [#] | [Specific remediation step for the failed check] | [Low / Medium / High] |
| WARN | [#] | [Specific remediation step for the warned check] | [Low / Medium / High] |
| WARN | [#] | [Specific remediation step for the warned check] | [Low / Medium / High] |

> If no FAIL or WARN items exist, write: "No recommendations — all automated checks passed."

---

## Verdict

**[Ready for deployment / Nearly ready / Not ready]**

- **10/10 PASS:** Ready for deployment — all automated checks passed.
- **7–9 PASS:** Nearly ready — address the remaining items before deploying.
- **<7 PASS:** Not ready — significant security gaps remain. Resolve FAIL items before deployment.

---

## Footer

| Field | Value |
|-------|-------|
| llm-security version | [e.g. 0.1.0] |
| Assessment engine | pre-deploy checklist |
| OWASP references | LLM Top 10 (2025), Agentic AI Top 10 |
| Full audit command | `/security audit` |
| Report generated | [ISO 8601 timestamp] |

---