Most first deployments do not fail because the architecture is too simple. They fail because nobody asked the last obvious questions.
Run this checklist before you open a port, share a URL, or let strangers use the thing.
The checklist
- Scan for secrets. Search the project for keys, tokens, passwords, OAuth files, and private config values.
- Name the exposure. Is this still localhost, a private LAN tool, or a public internet service? Say which one it is.
- List the ports and routes. Know what listens, what pages exist, and whether any admin or debug paths survived into the build.
- Check the data boundary. What files can it read? What can it write? What leaves the machine?
- Check external calls. Which domains, APIs, or web pages can it reach? Are they intentional?
- Check user input paths. Can user input reach HTML, shell commands, file paths, database queries, or prompts?
- Check the kill switch. If the demo misbehaves, can you turn it off fast?
- Do one human spot-check. Open the actual site. Click the actual paths. Read the actual text that other people will see.
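As an added example (not code from the original page), here is a small Python script that mechanises the first two items above: it scans a project's files for common credential shapes and names the exposure from the address the server binds to. The sample project contents are constructed for the demonstration, the AKIA value is the example access key ID that AWS publishes in its own documentation, and the list of address ranges treated as "private LAN" is an assumption you should adjust for your network.

```python
"""Pre-deploy audit helpers for the first two checklist items:
a secret scan and a 'who can reach this?' exposure check.
Added example, not code from the original page. Sample inputs are constructed."""
import ipaddress
import re
from pathlib import Path

# Credential shapes worth flagging. Deliberately narrow: a short list a
# human will actually read beats a wall of false positives. Not exhaustive.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    # NAME = "value" style assignments for the usual secret-ish names.
    "assigned_secret": re.compile(
        r"(?i)(?:api[_-]?key|secret[_-]?access[_-]?key|secret[_-]?key"
        r"|client[_-]?secret|secret|token|password|passwd)"
        r"\s*[:=]\s*['\"]?([^\s'\"]{8,})"),
}
SKIP_DIRS = {".git", "node_modules", "venv", ".venv", "__pycache__"}
TEXT_SUFFIXES = {".py", ".js", ".ts", ".json", ".yml", ".yaml", ".toml",
                 ".ini", ".cfg", ".txt", ".md", ""}  # "" covers .env, Dockerfile

# Address ranges treated as private LAN (assumption: adjust for your network).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10")]


def scan_text(path, text):
    """Return one finding per (line, pattern) hit. Only a 4-char preview of
    the matched value is kept, so the report itself does not leak the secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if m:
                value = m.group(m.lastindex or 0)
                findings.append({"path": path, "line": lineno, "kind": kind,
                                 "preview": value[:4] + "***"})
    return findings


def scan_files(files):
    """Scan an in-memory {relative_path: text} mapping (used for the sample)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def scan_tree(root):
    """Scan a real project directory, skipping vendored and VCS directories."""
    root = Path(root)
    files = {}
    for p in root.rglob("*"):
        if not p.is_file() or SKIP_DIRS & set(p.parts) or p.suffix not in TEXT_SUFFIXES:
            continue
        try:
            files[str(p.relative_to(root))] = p.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
    return scan_files(files)


def classify_exposure(bind_host):
    """Name the exposure from the address the server binds to. This reads the
    bind address only; firewalls, NAT and reverse proxies can widen or narrow it."""
    if bind_host.lower() == "localhost":
        return "localhost"
    try:
        addr = ipaddress.ip_address(bind_host)
    except ValueError:
        return "unknown: resolve the hostname and re-check"
    if addr.is_loopback:
        return "localhost"
    if addr.is_unspecified:  # 0.0.0.0 or :: binds every interface
        return "all interfaces: reachable by anyone who can route to this host"
    if any(addr in net for net in PRIVATE_NETS):
        return "private LAN"
    return "public internet"


def run_audit(files, bind_host):
    """Combine both checks into one report for the pre-deploy review."""
    return {"exposure": classify_exposure(bind_host), "findings": scan_files(files)}


# Constructed sample project. The AKIA value is AWS's published example key ID.
SAMPLE_PROJECT = {
    "config/settings.py": 'DEBUG = True\nSECRET_KEY = "constructed-sample-secret-0001"\n',
    ".env": 'AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nAPI_KEY="sk-constructed-sample-value"\n',
    "README.md": "Set API_KEY in your environment. Never commit it.\n",
}

if __name__ == "__main__":
    report = run_audit(SAMPLE_PROJECT, "0.0.0.0")
    print("exposure:", report["exposure"])
    for f in report["findings"]:
        print(f"{f['path']}:{f['line']} {f['kind']} ({f['preview']})")
```

Running the script prints the three findings from the sample project and names the exposure for a server bound to `0.0.0.0`; on a real checkout call `scan_tree(".")` instead of using the sample mapping. The regexes cover a handful of common shapes only, so treat an empty result as "nothing obvious" rather than "clean", and the exposure check answers only what the bind address says, which is exactly the first question the page tells you to ask before anything more exotic.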
The boring question that saves you
Who can reach this right now? Ask that before you ask anything more exotic.
A deploy-audit prompt
Before we deploy, audit this project for real-world exposure. Tell me:
1. Which secrets or credentials are in scope
2. Which ports and routes are exposed
3. Which files and directories the app can read and write
4. Which external domains or APIs it can call
5. Whether any user input reaches HTML, shell, file paths, SQL, or prompts
6. The top three things to fix before strangers touch this
What this page does not do
- It does not replace a serious review for payments, healthcare, legal, or anything high stakes
- It does not make prompt injection disappear by naming it
- It does not guarantee the app is "secure"
It does something smaller and more immediate: it stops you from pushing the button without looking.
Related pages
- The AI Wrote It, You Shipped It: the director-track habits behind this checklist.
- Prompt Injection: essential if the app fetches pages, reads user docs, or follows instructions from text.
- Zero to Developer: get the toolchain first; deploy later.