# Pre-Production Audit Checklist

**Last Updated:** 2026-03-02

Reusable checklist for pre-production audits. Run before major deployments.

## Phase 1: Dependencies

- [ ] `npm audit` – document vulnerabilities (4 low-severity in @lhci/cli chain; deferred)
- [ ] `npm outdated` – list upgradable packages
- [ ] `npm update` or targeted updates (Tailwind v4.2.x, ESLint 10.0.2, lint-staged v16.3.1, postcss-cli v11.0.1)
- [ ] `composer outdated` – root and v2
- [ ] `composer install` or `composer update` (PHP >=8.1 required; google/apiclient ^2.19, phpstan ^1.12)
- [ ] `pip list --outdated` – Python deps (use `.venv`; jsonschema >=4.26.0, pytest >=9.0.0)
- [ ] Node version: check `.nvmrc` (Node 22 LTS; migrated from Node 20)
- [ ] `php v2/scripts/dev-helpers/check-dependency-versions.php` – Compare current vs latest versions

## Phase 2: Validation

- [ ] `make pre-deploy` – minify, validate:php, schema
- [ ] `make validate` – lint, format, schema, PHPStan, links, lead capture copy
- [ ] `make rules` – rule metadata, globs, links, METADATA_INDEX
- [ ] `php v2/scripts/dev-helpers/check-php-extensions.php`
- [ ] `php v2/scripts/dev-helpers/pre-deployment-check.php`
- [ ] `npm run check-links` and `npm run check-links:rules`

## Phase 3: CI/CD

- [ ] Review GitHub Actions workflows
- [ ] PHPStan: 1900+ baseline issues; CI uses `continue-on-error`
- [ ] Lighthouse CI: `continue-on-error` (scores may fluctuate)
- [ ] Dependabot: npm, composer, pip, github-actions configured

## Phase 4: Documentation

- [ ] Update "Last Updated" dates in key docs
- [ ] Review DOCUMENTATION_REDUNDANCY_REPORT – consolidate if needed
- [ ] Regenerate RULE_TO_DOC_MAPPING via `make rules`

## Phase 5: Rules

- [ ] Fix invalid rule files (globs as list, alwaysApply present)
- [ ] Run `make rules` and commit METADATA_INDEX.json
- [ ] Use `.venv/bin/python` when `make rules` needs PyYAML

## Phase 6: Security

- [ ] `npm audit fix` (avoid `--force` for @lhci/cli)
- [ ] Verify API keys in config files only (v2/config/*.example)
- [ ] No hardcoded secrets in code
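
One way to make the Phase 1 and Phase 6 `npm audit` items repeatable is to triage the JSON report instead of reading it by eye. This is an added example, not this project's own tooling. It assumes the npm 7+ `npm audit --json` report layout, and the function names, the `--stdin` switch, the `audit-gate.js` file name and the sample package names are hypothetical.

```javascript
// Added example. Only '@lhci/cli' and the "low" ceiling come from the checklist.
const DEFERRED_ROOTS = ['@lhci/cli'];
const SEVERITY_ORDER = ['info', 'low', 'moderate', 'high', 'critical'];
const MAX_DEFERRED_RANK = SEVERITY_ORDER.indexOf('low');

// Follow "effects" edges upward and collect the top-level packages a finding reaches.
function topLevelPackages(name, vulns) {
  const seen = new Set(), tops = [], stack = [name];
  while (stack.length > 0) {
    const cur = stack.pop();
    if (seen.has(cur)) continue;
    seen.add(cur);
    const entry = vulns[cur] || {};
    const effects = entry.effects || [];
    const isTop = DEFERRED_ROOTS.includes(cur) || entry.isDirect || effects.length === 0;
    if (isTop) tops.push(cur);
    else stack.push(...effects);
  }
  return tops;
}

// A finding is deferred only if it is low or below AND reaches nothing but deferred roots.
function triageAudit(report) {
  const vulns = report.vulnerabilities || {};
  const deferred = [], blocking = [];
  for (const [name, entry] of Object.entries(vulns)) {
    const rank = SEVERITY_ORDER.indexOf(entry.severity); // -1 for unknown values
    const lowEnough = rank >= 0 && rank <= MAX_DEFERRED_RANK;
    const contained = topLevelPackages(name, vulns).every((t) => DEFERRED_ROOTS.includes(t));
    (lowEnough && contained ? deferred : blocking).push(name);
  }
  return { ok: blocking.length === 0, deferred: deferred.sort(), blocking: blocking.sort() };
}

// Constructed sample report (not real audit output).
const SAMPLE_REPORT = { auditReportVersion: 2, vulnerabilities: {
  'constructed-tmp': { severity: 'low', isDirect: false, effects: ['constructed-editor'] },
  'constructed-editor': { severity: 'low', isDirect: false, effects: ['constructed-prompt'] },
  'constructed-prompt': { severity: 'low', isDirect: false, effects: ['@lhci/cli'] },
  '@lhci/cli': { severity: 'low', isDirect: true, effects: [] },
  'constructed-parser': { severity: 'high', isDirect: true, effects: [] },
  'constructed-shared': { severity: 'low', isDirect: false, effects: ['@lhci/cli', 'constructed-parser'] },
} };

// Stand-alone use: npm audit --json | node audit-gate.js --stdin
if (process.argv.includes('--stdin')) {
  let raw = '';
  process.stdin.setEncoding('utf8');
  process.stdin.on('data', (chunk) => { raw += chunk; });
  process.stdin.on('end', () => {
    const result = triageAudit(JSON.parse(raw));
    console.log(JSON.stringify(result, null, 2));
    process.exitCode = result.ok ? 0 : 1;
  });
}
```

The `deferred` list is what goes into the audit notes; anything in `blocking` needs a targeted update rather than `npm audit fix --force`.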

## Phase 7: Final

- [ ] Full `make pre-deploy` – all green
- [ ] Smoke test key pages (homepage, payroll, minijob-rechner)
- [ ] Document audit results and outstanding items

## Quick Commands

```bash
make pre-deploy          # Minify + PHP + schema
make validate            # Full validation (lint, format, schema, PHPStan, links)
make rules               # Cursor rules maintenance
php composer.phar phpstan # If composer not in PATH
```

## Related

- [DEV_TOOLING.md](DEV_TOOLING.md) – Tool reference
- [DEPENDENCY_UPDATE_2026.md](DEPENDENCY_UPDATE_2026.md) – Complete dependency update log
- [PRODUCTION_DEPLOYMENT_CHECKLIST.md](PRODUCTION_DEPLOYMENT_CHECKLIST.md) – Deployment steps
- [docs/ai/cursor-playbook.md](../ai/cursor-playbook.md) – Workflow guide
