Claude Code production checklist.
Thirty items to verify before you ship.

Built from 800 plus verified hours of autonomous operation, 718 safety hooks, and 12 documented incidents.

Updated 2026-05-05. Free, browser-only, no email, no tracking.

Safety (10)
block-database-wipe hook installed (DROP DATABASE, prisma migrate reset, rails db:drop, php artisan migrate:fresh)
Issue #56255 (5/5/2026): an agent ran DROP DATABASE before a rename and lost 7.8 GB of PostGIS data. The hook is 60 lines.
rm-rf-blocker hook installed (with relative-path check)
cc-safe-setup tracks more than 700 hooks because rm -rf with relative paths recurs across teams.
force-push-guard hook installed for protected branches
git push --force on main is the second most common destructive incident shape after rm -rf.
secret-leak-prevention hook installed (.env, credentials, *.pem)
Stops Claude Code from committing or echoing files that match a pattern deny-list.
subagent-identity-leak-guard installed (Issue #55488 mitigation)
2.1.126 regression: sub-agents inheriting parent identity. Free hook in cc-safe-setup examples.
Auto Mode disabled for any session that touches production credentials
Auto Mode treats every Bash command as equally allowed. For prod work, switch to Plan Mode.
PreToolUse hooks tested with at least one negative case each
Run npx cc-safe-setup --verify and confirm each hook actually blocks its target pattern.
settings.json committed to repo (not gitignored)
If your hooks are not in git, your team is not protected; only your local machine is.
Sub-agent tool allowlist enforced (read-only sub-agents cannot lie about writes)
Issue #55653: read-only sub-agents falsely reported "saved successfully". Tool allowlist enforcer prevents the lie.
An incident response runbook lives in the repo (one file, README-linked)
If something breaks at 2 AM and the on-call has never seen Claude Code, what do they do? Write that down before you ship.
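A sketch of what the first three Safety items check, written as a single PreToolUse hook with its negative cases; this is an added example, not the cc-safe-setup hooks themselves. The regexes, the protected branch names, the "rm -rf must resolve inside the project root" policy, and reading `cwd` from the hook event and the root from `CLAUDE_PROJECT_DIR` are assumptions of this example.

```python
import json, os, posixpath, re, shlex, sys

# Commands come from the checklist; regexes and policy are this example's own.
DB_WIPE = re.compile(r"\bdrop\s+database\b|\bprisma\s+migrate\s+reset\b"
                     r"|\brails\s+db:drop\b|\bartisan\s+migrate:fresh\b", re.I)
PROTECTED = {"main", "master"}  # assumed protected branch names

def rm_rf_escapes(tokens, cwd, root):
    """rm with both -r and -f whose target resolves outside (or onto) root."""
    opts = [t for t in tokens[1:] if t.startswith("-")]
    short = "".join(t[1:] for t in opts if not t.startswith("--"))
    if not (("r" in short.lower() or "--recursive" in opts)
            and ("f" in short or "--force" in opts)):
        return False
    for target in (t for t in tokens[1:] if not t.startswith("-")):
        path = posixpath.normpath(posixpath.join(cwd, target))
        # Fail closed on unexpanded variables and ~, which cannot be resolved here.
        if not path.startswith(root.rstrip("/") + "/") or "$" in target or target[:1] == "~":
            return True
    return False

def force_push_protected(tokens):
    """git push with -f/--force aimed at a protected or unspecified branch."""
    if tokens[:2] != ["git", "push"] or not {"-f", "--force"} & set(tokens):
        return False
    refs = [t for t in tokens[2:] if not t.startswith("-")][1:]  # drop remote
    return not refs or any(r.split(":")[-1].lstrip("+") in PROTECTED for r in refs)

def check(command, cwd, root):
    """Return the reason a Bash command is blocked, or None to allow it."""
    if DB_WIPE.search(command):
        return "database wipe"
    for segment in re.split(r"&&|\|\||[;|\n]", command):
        try:
            tokens = shlex.split(segment)
        except ValueError:
            tokens = segment.split()  # unbalanced quotes: fall back to whitespace
        tokens = tokens[1:] if tokens[:1] == ["sudo"] else tokens
        if tokens[:1] == ["rm"] and rm_rf_escapes(tokens, cwd, root):
            return "rm -rf outside project"
        if force_push_protected(tokens):
            return "force push to protected branch"
    return None

if __name__ == "__main__":  # PreToolUse entry point: JSON event on stdin
    event = json.load(sys.stdin)
    root = os.environ.get("CLAUDE_PROJECT_DIR", os.getcwd())
    cmd = event.get("tool_input", {}).get("command", "")
    if event.get("tool_name") == "Bash" and (reason := check(cmd, event.get("cwd", root), root)):
        print(f"Blocked: {reason}", file=sys.stderr)
        sys.exit(2)  # exit code 2 tells Claude Code to block the tool call
```

The guard matches command text only, so a wipe issued through a wrapper script or an ORM call passes unnoticed; that is why the checklist pairs it with an audit log and tested backups.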
Cost (6)
cache_creation / total ratio measured and below 0.20 in steady state
Above 0.20 means cache is being rebuilt too often. Above 0.40 means it is rebuilt every call.
CLAUDE.md is under 50 lines (or has a documented reason to be longer)
CLAUDE.md bloat is the most common cache-hit-rate killer. 800h of data: 35 lines is the sweet spot.
Mechanical work share measured (formatting, classification, summarization)
If above 40 percent, hybrid delegation (Path B) typically pays for itself within a month.
Weekly quota threshold alert configured (notifies before quota is exhausted)
The 5-hour quota cluster (Issues #54776, #55053, #56075, #55941) is real. A burn alarm prevents 9-minute exhaustion shocks.
Cost-per-merged-commit metric tracked monthly
If you cannot answer this number, every cost decision is a guess. Token Book chapter 1 walks through the measurement.
A rollback budget is defined (how much spend before triggering a fallback path)
Without a budget, the team will keep paying through a regression hoping it gets fixed.
Version control (5)
Claude Code version pinned in CI / docker / deployment config
Auto-update on production runners is how silent regressions arrive. Pin the version, control the upgrade.
Last 3 minor versions documented (what changed, what regressions hit, who reported)
v2.1.121, v2.1.122, v2.1.123, v2.1.126 each shipped silent regressions. Keep a private record.
A rollback procedure exists (downgrade command, settings to revert, time estimate)
If v2.1.121 broke your production tomorrow, can your on-call get back to v2.1.119 in under 15 minutes?
Pre-update test sequence defined (the 5 commands you run before accepting a new version)
A small test repo, a known good prompt, a measured token output. If the numbers move, investigate before adopting.
A specific person owns the upgrade decision (not a rotating role)
Diffuse responsibility means upgrades happen reactively, after problems show up. Single owner forces proactive evaluation.
Incident readiness (5)
An incident channel exists (Slack, Discord, dedicated email) with a known on-call
"Just ping me" is not a channel. Define where incident reports go and who acknowledges them.
A read-only audit log captures all destructive commands attempted by Claude Code
If something destructive happened, can you reproduce the chain of commands that led there? Log every Bash call with timestamps.
A backup restoration drill ran in the last 90 days (not "we have backups", actual restore tested)
Issue #56255 lost 7.8 GB. The author's first thought: "I don't know if the new dump is valid." Untested backups are wishes.
A short post-incident template exists (what happened, why, what changed, what would prevent recurrence)
Without a template, post-incidents become emotional debriefs that produce no durable change.
At least one team member has read 5+ public Claude Code incident reports
Issues #56255, #54776, #55488, #55653, #55691 are a starter set. Familiarity with failure modes is the cheapest insurance.
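One way to build the audit log item above so the chain of commands can be trusted after an incident: every Bash call is appended with a timestamp and a hash of the previous record. This is an added example, not code from the page or from cc-safe-setup; the hash chaining goes beyond what the checklist asks for, and the `CC_AUDIT_LOG` variable and default file name are hypothetical.

```python
import hashlib, json, os, sys, time

GENESIS = "0" * 64  # "prev" value carried by the first record

def _digest(record):
    """SHA-256 over every field except the hash itself, in a stable key order."""
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_entry(log_path, event, now=None):
    """Append one Bash call to the JSONL log, chained to the previous record."""
    prev = GENESIS
    if os.path.exists(log_path):
        with open(log_path) as fh:
            lines = fh.read().splitlines()
        if lines:
            prev = json.loads(lines[-1])["hash"]
    record = {
        "ts": now if now is not None else time.time(),
        "session": event.get("session_id"),
        "cwd": event.get("cwd"),
        "command": event.get("tool_input", {}).get("command", ""),
        "prev": prev,
    }
    record["hash"] = _digest(record)
    with open(log_path, "a") as fh:
        fh.write(json.dumps(record, sort_keys=True) + "\n")
    return record

def verify_chain(log_path):
    """Return the 1-based line of the first altered record, or 0 if intact."""
    prev = GENESIS
    with open(log_path) as fh:
        for n, line in enumerate(fh, 1):
            record = json.loads(line)
            if record["prev"] != prev or record["hash"] != _digest(record):
                return n
            prev = record["hash"]
    return 0

if __name__ == "__main__":  # hook entry point: JSON event on stdin
    event = json.load(sys.stdin)
    if event.get("tool_name") == "Bash":
        # CC_AUDIT_LOG is a hypothetical variable name used by this example.
        append_entry(os.environ.get("CC_AUDIT_LOG", "claude-bash-audit.jsonl"), event)
```

The chain detects edits and deletions in the middle of the log but not truncation of its tail, so ship the records to storage the agent's account cannot write to.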
Team operation (4)
Onboarding doc: how a new dev gets Claude Code set up safely in under 30 minutes
Run npx cc-safe-setup --shield, copy team CLAUDE.md, verify hooks installed. Three steps, documented, tested.
A CLAUDE.md style guide exists (allowed sections, max length, review cadence)
Without rules, CLAUDE.md becomes a junk drawer. Treat it as code: review it, prune it.
A model-mix policy is documented (when to use Sonnet, when Opus, when delegate to a side worker)
If everyone defaults to Opus for everything, the bill grows linearly with team size. Policy gives the team something to follow.
A sunset clause: if the tool stops fitting, what is the migration plan?
Path A (stay), Path B (hybrid), Path D (switch). Knowing your options before a crisis means you can act on principle, not panic.

Found gaps? Three books cover the next layer.

Each item above maps to a deeper treatment in one of the three reference books.

Items in Safety and Incident readiness: Incident Postmortems covers 12 production failures with detection and prevention hooks.

Items in Cost: Token Book covers measurement, the 0.20 ratio, and 9 token guards.

Items in Version control and Team operation: Migration Playbook covers the four paths and the rollback playbook.

Want all three together? See the Operations Suite.