원클릭으로
web-launch-gate
Pre-launch security, privacy, and abuse gate for web applications. Mandatory pre-flight before any public deployment.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Pre-launch security, privacy, and abuse gate for web applications. Mandatory pre-flight before any public deployment.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Unified business model evaluator, client filter, pricing engine, and distribution architect. Absorbs 31 business + 8 marketing + 13 content + 2 acquisition protocols.
Unified codebase manipulation, AI deployment, data analysis, and academic delivery engine. Absorbs 6 coding protocols + data-analysis + academic-delivery + spec-driven-dev.
Unified mathematical arbitrator for all resource allocation decisions — money, time, energy, relationships. Absorbs 46 decision protocols + 24 strategy protocols into one dense engine.
Unified survival infrastructure: health, finance, legal safety, circuit breakers, and structural protection against all ruin classes. The last line of defense.
Unified boundary enforcement, interpersonal diagnostic, and relational audit engine. Absorbs 40 psychology + 2 social protocols and all relationship case studies.
Unified zero-emotion variance shield for capital markets (FX, crypto, CFDs) and poker. Absorbs trading-risk-gate + zenith-execution + trade-journal-analyzer into one engine.
| name | web-launch-gate |
| description | Pre-launch security, privacy, and abuse gate for web applications. Mandatory pre-flight before any public deployment. |
Trigger: Activates automatically when deploying any web-facing application. Authority: This gate is MANDATORY. Do not skip items marked 🔴.
Run every item before deploying. Items marked 🔴 are blocking — deployment MUST NOT proceed if they fail. Items marked 🟡 are warnings — flag to the user but don't block.
| # | Check | Severity | How to Verify |
|---|---|---|---|
| 1.1 | .env / .env.* is in .gitignore | 🔴 Critical | grep -n "\.env" .gitignore |
| 1.2 | No API keys, tokens, or passwords hardcoded in source | 🔴 Critical | grep -rn "sk-|sk_live|AKIA|ghp_|glpat-|xoxb-|Bearer [A-Za-z0-9]" --include="*.{ts,js,py,tsx,jsx}" . |
| 1.3 | No secrets in console.log, print(), or error responses | 🔴 Critical | grep -rn "console\.log.*key|console\.log.*secret|console\.log.*token|console\.log.*password" --include="*.{ts,js,tsx,jsx}" . |
| 1.4 | All keys loaded from environment variables or secret manager | 🔴 Critical | Manual review of config/init files |
| 1.5 | Frontend code does NOT contain server-side keys | 🔴 Critical | Check src/, public/, app/ for any process.env.SECRET_* usage that gets bundled client-side. In Next.js, only NEXT_PUBLIC_* vars reach the browser — everything else must stay server-side. |
| # | Check | Severity | How to Verify |
|---|---|---|---|
| 2.1 | Auth is implemented if any user data is stored | 🔴 Critical | Review auth provider setup |
| 2.2 | Protected routes/API endpoints require authentication | 🔴 Critical | Test unauthenticated access to protected endpoints |
| 2.3 | JWT verify_jwt is true for edge functions / API routes | 🔴 Critical | Check supabase/config.toml or middleware config |
| 2.4 | RLS (Row Level Security) enabled on all database tables | 🔴 Critical | SELECT tablename, rowsecurity FROM pg_tables WHERE schemaname = 'public'; |
| 2.5 | Password minimum length ≥ 8 characters | 🟡 Warning | Check auth config |
| # | Check | Severity | How to Verify |
|---|---|---|---|
| 3.1 | No raw SQL string concatenation (use parameterized queries / ORM) | 🔴 Critical | grep -rn "execute.*f\"|execute.*%s|\.query.*\+|\.query.*\${" --include="*.{ts,js,py}" .` |
| 3.2 | User input is sanitized before rendering in HTML (XSS prevention) | 🔴 Critical | Check for dangerouslySetInnerHTML, innerHTML, v-html, or unescaped template literals |
| 3.3 | File uploads validated (type, size, extension whitelist) | 🟡 Warning | Check upload handlers for MIME type and size checks |
| 3.4 | CORS configured to allow only known origins (not * in production) | 🔴 Critical | grep -rn "Access-Control-Allow-Origin.*\*|cors.*origin.*\*" . |
| # | Check | Severity | How to Verify |
|---|---|---|---|
| 4.1 | Privacy policy exists if collecting ANY user data (name, email, analytics, cookies) | 🔴 Critical | Check for /privacy route or linked policy page |
| 4.2 | You know WHERE user data is stored (DB region, provider, backups) | 🔴 Critical | Document in README or deployment notes |
| 4.3 | API responses don't return more data than the client needs | 🟡 Warning | Review API response shapes — no full DB rows with internal IDs, emails of other users, etc. |
| 4.4 | User data deletion path exists (GDPR right to erasure) | 🟡 Warning | If serving EU users, there must be a way to delete user data on request |
| # | Check | Severity | How to Verify |
|---|---|---|---|
| 5.1 | X-Content-Type-Options: nosniff | 🟡 Warning | Check response headers |
| 5.2 | X-Frame-Options: DENY or CSP frame-ancestors | 🟡 Warning | Prevents clickjacking |
| 5.3 | Strict-Transport-Security (HSTS) header set | 🟡 Warning | Forces HTTPS |
| 5.4 | Content-Security-Policy configured | 🟡 Warning | Prevents inline script injection |
Shortcut: Most hosting platforms (Vercel, Netlify, Firebase Hosting) handle some of these automatically. Still verify with
curl -I https://your-app.com.
| # | Check | Severity | How to Verify |
|---|---|---|---|
| 6.1 | Rate limiting on API endpoints (especially auth, AI calls, webhooks) | 🔴 Critical | Check for rate-limit middleware or provider-level limits |
| 6.2 | Rate limiting on expensive operations (LLM calls, email sends, file processing) | 🔴 Critical | Someone WILL find your endpoint and loop it |
| 6.3 | CAPTCHA or bot protection on public forms | 🟡 Warning | hCaptcha, Turnstile, or reCAPTCHA on signup/contact forms |
| 6.4 | Cost caps / billing alerts set on cloud providers | 🟡 Warning | Vercel, Supabase, OpenAI, Google Cloud — set spending limits |
When this gate activates:
# 1. Check .gitignore covers secrets
grep -n "\.env" .gitignore
# 2. Scan for hardcoded keys (common patterns)
grep -rnI "sk-\|sk_live_\|AKIA\|ghp_\|glpat-\|xoxb-\|Bearer " --include="*.ts" --include="*.js" --include="*.py" --include="*.tsx" --include="*.jsx" .
# 3. Scan for console.log with sensitive terms
grep -rnI "console\.log.*key\|console\.log.*secret\|console\.log.*token" --include="*.ts" --include="*.js" --include="*.tsx" --include="*.jsx" .
# 4. Scan for dangerous HTML injection
grep -rnI "dangerouslySetInnerHTML\|innerHTML\|v-html" --include="*.ts" --include="*.js" --include="*.tsx" --include="*.jsx" .
# 5. Check for wildcard CORS
grep -rnI "Access-Control-Allow-Origin.*\*\|cors.*origin.*true" --include="*.ts" --include="*.js" --include="*.py" .
# 6. Check security headers
curl -sI https://YOUR-APP-URL | grep -iE "strict-transport|x-content-type|x-frame|content-security"
Codified from: