mindtickle-prod-checklist
Prod Checklist for MindTickle. Trigger: "mindtickle prod checklist".
| Field | Value |
|---|---|
| name | mindtickle-prod-checklist |
| description | Prod Checklist for MindTickle. Trigger: "mindtickle prod checklist". |
| allowed-tools | Read, Write, Edit |
| version | 1.0.0 |
| license | MIT |
| author | Jeremy Longshore <jeremy@intentsolutions.io> |
| tags | ["saas","mindtickle","sales"] |
| compatibility | Designed for Claude Code |
MindTickle powers sales readiness at scale, managing user provisioning via SCIM, course progress tracking across thousands of reps, and quiz completion data that feeds pipeline forecasting. A production integration must enforce multi-tenant isolation through company-specific headers, handle SCIM provisioning race conditions during bulk onboarding, and ensure quiz score integrity under concurrent submissions. Misconfigurations here can leak training data across tenants, corrupt completion records, or silently drop user provisioning events during org restructures.
- X-Company-Id
- X-Company-Id header injected server-side (never exposed to client)
- https://api.mindtickle.com/v2 (production, not sandbox)
- X-Company-Id header included on every request for tenant isolation
- X-RateLimit-* response headers
- limit and offset
- X-Company-Id at API gateway level

```typescript
// Production readiness probe. Each check throws on failure so a failing gate
// actually aborts the run: console.assert only logs and never stops execution,
// which would let "all checks passed" print after a failed check.
function check(cond: boolean, message: string): asserts cond {
  if (!cond) throw new Error(message);
}

async function validateMindTickleProduction(apiKey: string, companyId: string): Promise<void> {
  const base = 'https://api.mindtickle.com/v2';
  const headers = {
    Authorization: `Bearer ${apiKey}`,
    'X-Company-Id': companyId,
    'Content-Type': 'application/json',
  };
  // Every outbound call gets a bounded timeout so a hung endpoint cannot stall the gate.
  const timeout = () => AbortSignal.timeout(5000);

  // 1. Connectivity check
  const ping = await fetch(`${base}/health`, { headers, signal: timeout() });
  check(ping.ok, `API unreachable: ${ping.status}`);

  // 2. Auth and tenant validation
  const users = await fetch(`${base}/users?limit=1`, { headers, signal: timeout() });
  check(users.status !== 401, 'Invalid API key');
  check(users.status !== 403, 'Company ID rejected — check tenant config');
  check(users.ok, `Users endpoint failed: ${users.status}`);

  // 3. Rate limit headroom (X-RateLimit-Remaining response header)
  const remaining = parseInt(users.headers.get('X-RateLimit-Remaining') ?? '0', 10);
  check(remaining > 20, `Rate limit headroom low: ${remaining} remaining`);

  // 4. SCIM endpoint reachable (only when a SCIM base URL is configured)
  const scimUrl = process.env.MINDTICKLE_SCIM_URL;
  if (scimUrl) {
    const scim = await fetch(`${scimUrl}/Users?count=1`, {
      headers: { Authorization: `Bearer ${process.env.MINDTICKLE_SCIM_TOKEN}` },
      signal: timeout(),
    });
    check(scim.ok, `SCIM endpoint failed: ${scim.status}`);
  }

  // 5. Course listing works
  const courses = await fetch(`${base}/courses?limit=1`, { headers, signal: timeout() });
  check(courses.ok, `Courses endpoint failed: ${courses.status}`);

  console.log('All MindTickle production checks passed');
}
```
| Check | Risk if Skipped | Priority |
|---|---|---|
| X-Company-Id tenant isolation | Cross-tenant data leak, compliance violation | Critical |
| SCIM conflict handling | Duplicate users or dropped provisioning during bulk onboard | Critical |
| Quiz submission retry queue | Lost quiz scores corrupt sales readiness metrics | Critical |
| Idempotent progress writes | Duplicate course completions inflate training KPIs | High |
| IdP-MindTickle user reconciliation | Ghost accounts retain access after offboarding | High |
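A worked example for the two checklist rows on tenant isolation and idempotent progress writes, added here and not part of the skill's own code: X-Company-Id is resolved only from the server-side session (a client-supplied copy is ignored and flagged for alerting), and progress writes are keyed so a retried event cannot inflate completion counts. The session shape, the progress field names and the SHA-256 key are assumptions; only X-Company-Id and the /v2 base URL come from the page.

```typescript
import { createHash } from 'node:crypto';

// Tenant context resolved server-side from the authenticated session (assumed
// shape); the browser never supplies it.
interface ServerSession { userId: string; companyId: string }
interface Outbound { url: string; headers: Record<string, string>; tenantHeaderFromClient: boolean }

const BASE = 'https://api.mindtickle.com/v2';

// Build a tenant-scoped request. X-Company-Id comes only from the session. If
// the inbound client request carried its own X-Company-Id it is discarded and
// flagged, so the gateway can alert on attempts to pick another tenant.
function tenantScopedRequest(
  session: ServerSession,
  apiKey: string,
  path: string,
  clientHeaders: Record<string, string>,
): Outbound {
  const clientSentTenant = Object.keys(clientHeaders).some((h) => h.toLowerCase() === 'x-company-id');
  return {
    url: `${BASE}${path}`,
    headers: {
      Authorization: `Bearer ${apiKey}`,
      'X-Company-Id': session.companyId,
      'Content-Type': 'application/json',
    },
    tenantHeaderFromClient: clientSentTenant,
  };
}

// Idempotency key for a course-progress write (assumed fields): the same
// (tenant, user, course, lesson, status) tuple always yields the same key, so a
// retried or duplicated event maps onto the record already written.
function progressKey(companyId: string, userId: string, courseId: string, lessonId: string, status: string): string {
  // NUL separator prevents two different tuples from joining to the same string.
  return createHash('sha256').update([companyId, userId, courseId, lessonId, status].join('\u0000')).digest('hex');
}

// Apply a progress event at most once. Returns true when the write is new,
// false when an identical event was already recorded (safe to ack and drop).
function applyProgressOnce(seen: Set<string>, companyId: string, userId: string, courseId: string, lessonId: string, status: string): boolean {
  const key = progressKey(companyId, userId, courseId, lessonId, status);
  if (seen.has(key)) return false;
  seen.add(key);
  return true;
}
```

In production the `seen` set would be a unique index or a key-value store with the same key, shared across workers.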
See mindtickle-security-basics.