Every time I'm about to ship something, the same boring things bite me. Not the features — the unglamorous stuff: a key that ended up in a frontend bundle, an app with an AI chat and no disclosure, a landing page with no privacy policy two days before an EU launch.

None of it is hard. It's just easy to forget, and the cost of forgetting is real: an App Store rejection, a GDPR complaint, a leaked credential someone finds in your main.js.

So I made myself a checklist. Then I got tired of running it by hand and built it into the tool I already live in — my AI coding agent. This post is that checklist (useful on its own), plus how I wired it into Claude Code with MCP.

The boring stuff that actually gets you

Secrets in your frontend — bundlers inline that "just for now" API key; grep your deployed main.[hash].js for sk-, AKIA, sk_live_.
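As an added example (not code from the original post), here is a small POSIX shell check that does the grep above for the three key prefixes, gating on realistic key lengths so that CSS class names like sk-header do not trip it, and printing only masked hits so the report itself does not leak the credential. The file name, the sample bundle contents and the placeholder key strings are constructed for the demo.

```shell
# Key-shaped string patterns for the prefixes named in the checklist.
# AKIA access key IDs are exactly 16 upper-case/digit chars after the prefix;
# sk-/sk_live_ tokens are long, so a length floor filters CSS-class noise.
# This is a prefix heuristic, not a verifier: review each hit by hand.
KEY_PATTERN='AKIA[0-9A-Z]{16}|sk_live_[A-Za-z0-9]{16,}|sk-[A-Za-z0-9_-]{20,}'

# Prints the number of distinct key-shaped strings found in a bundle file.
count_key_strings() {
  grep -E -o "$KEY_PATTERN" "$1" | sort -u | wc -l | tr -d ' '
}

# Scans a built bundle (e.g. dist/main.[hash].js) and prints masked findings.
# Returns 1 if anything was found, so it can gate a CI job; 0 if clean.
scan_bundle_for_secrets() {
  file="$1"
  hits=$(grep -E -o "$KEY_PATTERN" "$file" | sort -u)
  if [ -z "$hits" ]; then
    echo "no key-shaped strings in $file"
    return 0
  fi
  echo "possible credentials in $file (masked):"
  echo "$hits" | while IFS= read -r h; do
    # Show prefix + last 4 chars only, never the full value.
    printf '  %s...%s (%d chars)\n' \
      "$(printf %s "$h" | cut -c1-8)" "$(printf %s "$h" | tail -c 4)" "${#h}"
  done
  return 1
}

# Demo on a constructed bundle: three placeholder keys plus an innocent
# sk-header class name that must not be reported.
demo_bundle=$(mktemp)
printf '%s\n' \
  'const cfg={openai:"sk-EXAMPLEexampleEXAMPLE00000",aws:"AKIAEXAMPLE000000000",stripe:"sk_live_EXAMPLE0000000000000000"};' \
  'var h=document.querySelector(".sk-header");' > "$demo_bundle"
scan_bundle_for_secrets "$demo_bundle" || echo "exit status: $? (fail the build)"
rm -f "$demo_bundle"
```

Run it against the actual deployed bundle (fetch it with curl from the live site, not the local build) so you are checking what users received.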