Fine.dev App Production Checklist

Fine.dev PRs need verification that the spec was fully implemented, not just partially — including security requirements, error handling, and integration with existing patterns

Authentication protects all private routes and API endpoints. Input validation on every form and data handler. No API keys or secrets in client-side code. Security headers configured (CSP, HSTS, X-Frame-Options). CORS restricted to your domain. Rate limiting on login and signup endpoints. HTTPS enforced everywhere.

Images optimized and lazy-loaded. Code splitting implemented. Lighthouse performance score above 80. Database queries have indexes on filtered columns. Pagination on all data lists. Static assets served with cache headers. No unnecessary client-side JavaScript.

Error tracking configured (Sentry or similar). Custom error pages for 404 and 500 errors. Error boundaries catch rendering failures gracefully. Loading states on all async operations. Graceful handling of network failures. Health check endpoint for monitoring. Database backups configured.

All acceptance criteria from the spec satisfied. Security requirements from spec implemented (auth, validation). New endpoints have authentication middleware. Server-side input validation present, not just frontend. User-generated content sanitized before rendering. Tests cover spec acceptance criteria. Tests also cover error paths and edge cases. CI passes fully. SAST scan passed on PR diff. Code follows existing project conventions (naming, error format). No duplicate implementations where an existing abstraction could be reused. Documentation updated for new public APIs. Integration with adjacent features verified end-to-end. Human review by someone familiar with the affected area. Feature tested in staging environment

Our security scan ($19) and code audit ($19) check for all of these issues automatically. Upload your code and get a detailed report within 24 hours. If you need help fixing what we find, our team is here for that too.