Copilot Workspace App Production Checklist

Copilot Workspace PRs need thorough review of the full diff — the multi-file nature means changes are broad and subtle regressions are easy to miss

Authentication protects all private routes and API endpoints. Input validation on every form and data handler. No API keys or secrets in client-side code. Security headers configured (CSP, HSTS, X-Frame-Options). CORS restricted to your domain. Rate limiting on login and signup endpoints. HTTPS enforced everywhere.

Images optimized and lazy-loaded. Code splitting implemented. Lighthouse performance score above 80. Database queries have indexes on filtered columns. Pagination on all data lists. Static assets served with cache headers. No unnecessary client-side JavaScript.

Error tracking configured (Sentry or similar). Custom error pages for 404 and 500 errors. Error boundaries catch rendering failures gracefully. Loading states on all async operations. Graceful handling of network failures. Health check endpoint for monitoring. Database backups configured.

All call sites of changed function signatures updated. Authentication and authorization code not weakened. New endpoints have required middleware applied. Database schema changes have corresponding ORM/migration updates. Tests updated or added for changed functionality. CI passes including all test suites. SAST scan on the PR diff. No credentials or secrets introduced. Import statements correct and no circular dependencies added. Feature works end-to-end, not just at the changed file level. No remaining instances of old pattern after a migration PR. PR description accurately describes all changes made. Deployment-relevant configs updated for new dependencies. Code review by a human familiar with the affected code. Existing behavior not broken by broad changes

Our security scan ($19) and code audit ($19) check for all of these issues automatically. Upload your code and get a detailed report within 24 hours. If you need help fixing what we find, our team is here for that too.