---
name: security-pre-deploy
description: Pre-deployment security checklist — verify controls, compliance, and production readiness
---

# Pre-Deploy Checklist

10 automated checks + 3 manual verification questions.

## Automated Checks (PASS/FAIL/WARN/N-A)

Perform these checks using Read, Glob, and Grep:

1. **Deny-first permissions** — Settings contain restrictive default permissions
2. **Secrets hook active** — pre-edit-secrets hook is registered and script exists
3. **Path guard active** — pre-write-pathguard hook is registered and script exists
4. **Destructive command guard** — pre-bash-destructive hook is registered and script exists
5. **MCP servers verified** — All configured MCP servers have been audited
6. **No hardcoded secrets** — Grep for API keys, tokens, passwords in source files
7. **Gitignore covers secrets** — .gitignore includes .env, credentials, keys
8. **Security instructions present** — CLAUDE.md or copilot-instructions.md has a security section
9. **Sandbox enabled** — No `dangerouslySkipPermissions` or bypass flags
10. **Audit logging** — Post-tool hooks are active for monitoring

## Manual Verification

Ask the user these questions:

1. "Is this running on an Enterprise plan with audit logging?"
2. "Has a Data Protection Impact Assessment (DPIA) been completed?"
3. "Is there an incident response plan for AI security events?"

## Report

Present as a checklist table. Verdict by pass count:

- 10/10: Low risk — Ready to deploy
- 7-9: Medium risk — Address gaps first
- 4-6: High risk — Significant exposure
- 0-3: Extreme risk — Do not deploy
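A scripted version of the automated checks and the report verdict, added here as an example and not part of the skill itself. It assumes Claude Code's `.claude/settings.json` layout (a `permissions.deny` list and `hooks` keyed by event such as `PreToolUse`/`PostToolUse`), hook scripts at `.claude/hooks/<name>.sh`, and a constructed, deliberately narrow secret pattern; check 5 (MCP audit) is reported N/A because its evidence does not live in the repository.

```python
import json
import re
from pathlib import Path

HOOKS = ("pre-edit-secrets", "pre-write-pathguard", "pre-bash-destructive")
# Constructed, deliberately narrow pattern for check 6 (real scanners use many rules).
SECRET_RE = re.compile(r"(?i)(api[_-]?key|token|password)\s*[=:]\s*['\"][^'\"]{8,}['\"]")
GITIGNORE_NEEDED = (".env", "credentials", "keys")
SOURCE_GLOBS = ("*.py", "*.js", "*.ts", "*.yaml", "*.yml")

def read(p: Path) -> str:
    return p.read_text(errors="ignore") if p.is_file() else ""

def hook_active(settings: dict, root: Path, name: str) -> bool:
    """PASS only if the hook is registered in settings AND its script exists on disk."""
    registered = name in json.dumps(settings.get("hooks", {}))
    return registered and (root / ".claude" / "hooks" / f"{name}.sh").is_file()

def has_hardcoded_secret(root: Path) -> bool:
    for pattern in SOURCE_GLOBS:
        for f in root.rglob(pattern):
            if ".git" in f.parts or ".claude" in f.parts:
                continue  # skip VCS metadata and the hook scripts themselves
            if SECRET_RE.search(read(f)):
                return True
    return False

def run_checks(root: Path) -> dict:
    """Map check name -> True (PASS), False (FAIL) or None (N/A: needs a human)."""
    s = json.loads(read(root / ".claude" / "settings.json") or "{}")  # assumed location
    ignore = read(root / ".gitignore")
    results = {
        "deny-first permissions": bool(s.get("permissions", {}).get("deny")),
        "mcp servers verified": None,  # audit evidence lives outside the repo
        "no hardcoded secrets": not has_hardcoded_secret(root),
        "gitignore covers secrets": all(k in ignore for k in GITIGNORE_NEEDED),
        "security instructions present": "security" in read(root / "CLAUDE.md").lower(),
        "sandbox enabled": "dangerouslySkipPermissions" not in json.dumps(s),
        "audit logging": "PostToolUse" in s.get("hooks", {}),
    }
    for h in HOOKS:
        results[f"{h} active"] = hook_active(s, root, h)
    return results

def verdict(results: dict) -> str:
    """Apply the report thresholds to the PASS count (N/A never counts as PASS)."""
    passed = sum(1 for v in results.values() if v is True)
    bands = ((10, "Low risk"), (7, "Medium risk"), (4, "High risk"))
    return next((label for floor, label in bands if passed >= floor), "Extreme risk")
```

Because an N/A never counts as a pass, a repo that satisfies every automatable check still lands at 9/10 until a human records the MCP audit.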