home/lifestyle/operational-readiness

Operational Readiness

GPTClaudeGemini··719 copies·updated 2026-07-14
operational-readiness.prompt
# Operational Readiness
## Phase: Hardening
## Purpose: Validate production configuration — logs, observability, secrets, auth mode
## Status: draft
## Version: 1.0.0

---

## Context

You are validating that the application is configured correctly for production operation.
This covers the gap between "app runs" and "app runs well in production":
- Log levels appropriate for production (minimal noise)
- Observability signals working (traces, metrics, health)
- Secrets rotated from bootstrap values
- Auth mode appropriate for environment
- Error handling doesn't leak internals

---

## Checklist

### 1. Log Levels

| Check | Expected | How to Verify |
|-------|----------|---------------|
| `LOG_LEVEL` in production | `info` or `warn` (NOT `debug`) | Check compose env / .env |
| `LOG_FORMAT` in production | `json` (structured, parseable) | Check compose env |
| No `console.log` in production code | Only structured logger calls | Grep for `console.log` in src/ |
| Error logs don't include stack traces to clients | 500 responses are generic | Test with invalid request |
| Debug logs disabled in production | No verbose output in container logs | Check running container logs |

### 2. Observability

| Check | Expected | How to Verify |
|-------|----------|---------------|
| Health endpoint responds | `/api/health` returns 200 | curl |
| Readiness probe works | `/api/health/ready` checks DB | curl |
| Liveness probe works | `/api/health/live` lightweight | curl |
| Metrics endpoint | `/api/metrics` returns Prometheus text | curl |
| Correlation IDs | `x-request-id` header on responses | curl -v |
| Traces configured | `OTEL_EXPORTER_TYPE` set | Check env |

### 3. Secrets & Auth

| Check | Expected | How to Verify |
|-------|----------|---------------|
| `AUTH_SECRET` is not bootstrap value | Rotated, min 32 chars | Check GH secrets (not the value, just that it was rotated) |
| `ALLOW_DEV_AUTH_SECRET` NOT set in prod | Absent from compose env | Check docker-compose.yml |
| `AUTH_PROVIDER` matches environment | `credentials` for dev, Azure AD for prod | Check compose env |
| Database password is not `testpass` | Rotated | Check GH secrets |
| MinIO credentials rotated | Not `minioadmin` | Check GH secrets |

### 4. Error Handling

| Check | Expected | How to Verify |
|-------|----------|---------------|
| Invalid routes return 404 (not stack trace) | Generic error | curl /api/nonexistent |
| Invalid body returns 400 with safe message | Zod error, no internals | POST with bad body |
| Auth failure returns 401/403 (not 500) | Clean error code | Request without token |
| Server errors return 500 with generic message | No stack trace in response | Force an error |

### 5. Production Auth Mode

| Check | Expected | How to Verify |
|-------|----------|---------------|
| Login works with configured provider | Credentials or OAuth | Test login flow |
| Disabled users cannot login | 403 ACCOUNT_DISABLED | Disable user, try login |
| Session expires correctly | After MAX_AGE | Check cookie/token expiry |
| Rate limiting active | 429 after threshold | Rapid requests |

---

## Output Format

when to use it

Community prompt sourced from the open-source GitHub repo Product-Engineering-Team/copilot-agent-framework (no explicit license). A "Operational Readiness" style prompt — adapt the placeholders and specifics to your task. Imported as-is and not independently retested here, so check the output before relying on it.

tags

lifestylecommunitygeneral

source

Product-Engineering-Team/copilot-agent-framework · no explicit license