The Pre-Launch Checklist That Saved Our App
Last month, we almost shipped a Stripe secret key to production. Here's what happened and what we learned.
The Setup
We were building a SaaS application using Next.js. Like many teams in 2024, we were using AI coding assistants heavily — probably 60% of our code was AI-generated or AI-assisted.
Development was moving fast. We were about to launch.
The Discovery
On a whim, we decided to run our own tool (ProdReady) on our codebase before deploying. Within 30 seconds, it flagged something terrifying:
> **Critical: Exposed API Key Detected**
> File: `src/lib/stripe.ts`
> Line: 14
> Pattern matched: `sk_live_` prefix
Someone had pasted a live Stripe secret key directly into the code while testing. The AI assistant had helpfully used it in the example. And it was about to be deployed.
The Impact
If this had shipped:
- Our Stripe key would have been in our public GitHub repository
- Anyone could have made charges on our account
- Customer payment data could have been at risk
Estimated potential damage: Anywhere from $10K to catastrophic
The Fix
We immediately:
1. Rotated the Stripe key
2. Added proper environment variable usage
3. Updated our .gitignore
4. Made ProdReady scans a required step in our CI/CD pipeline
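An added example, not code from the original post or from ProdReady, covering steps 2 and 4: a scan for the `sk_live_` prefix that can gate a CI job, and a key loader that reads from the environment and fails closed. The function names, the `STRIPE_SECRET_KEY` variable name, the key-length pattern and the sample file contents are assumptions.

```javascript
// Added example; names are hypothetical and this is not ProdReady's implementation.
// Assumption: a live Stripe secret key is "sk_live_" followed by 16+ alphanumerics.
const LIVE_KEY = /sk_live_[0-9A-Za-z]{16,}/g;

// Scan one file's text; return a finding per match with a redacted preview,
// so the scanner's own output never reprints the full secret into CI logs.
function scanSource(file, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const m of line.matchAll(LIVE_KEY)) {
      findings.push({ file, line: i + 1, preview: m[0].slice(0, 12) + "..." });
    }
  });
  return findings;
}

// CI gate: exit code 1 if any file contains a live key, 0 otherwise.
function gate(files) {
  const findings = Object.entries(files).flatMap(([f, t]) => scanSource(f, t));
  return { exitCode: findings.length > 0 ? 1 : 0, findings };
}

// Environment-variable usage: fail at startup instead of running without a key.
// STRIPE_SECRET_KEY is an assumed variable name.
function loadStripeKey(env) {
  const key = env.STRIPE_SECRET_KEY;
  if (!key) throw new Error("STRIPE_SECRET_KEY is not set");
  return key;
}

// Constructed sample input: the key below is fake and assembled at runtime.
const FAKE_KEY = "sk_live_" + "EXAMPLE0".repeat(3);
const before = {
  "src/lib/stripe.ts": [
    'import Stripe from "stripe";',
    `export const stripe = new Stripe("${FAKE_KEY}");`,
  ].join("\n"),
};
const after = {
  "src/lib/stripe.ts": [
    'import Stripe from "stripe";',
    'import { loadStripeKey } from "./env";',
    "export const stripe = new Stripe(loadStripeKey(process.env));",
  ].join("\n"),
};

console.log(gate(before)); // hardcoded key is reported
console.log(gate(after));  // env-based version passes
```

A match only tells you the key reached the working tree; if it was ever committed or pushed, rotation (step 1) is still required because the value remains in Git history.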
The Lesson
It's not about blaming AI assistants or blaming developers. It's about having a safety net.
AI coding is powerful, but it's a first draft. You need a final check before shipping — something that catches the predictable mistakes that happen when you're moving fast.
Your Pre-Launch Checklist
Before every deploy, ask:
1. ✅ Have I scanned for exposed secrets?
2. ✅ Are all debug routes removed?
3. ✅ Is user input validated?
4. ✅ Are there console.logs in production code?
5. ✅ Is SEO metadata in place?
Or just run a ProdReady scan and check all boxes at once.