# 🚀 CTO-LEVEL PRODUCTION READINESS & WEB VISIBILITY CHECKLIST
## Complete Checklist for Cursor-Coded Projects
### Google Indexing • Rich Results • ChatGPT • Claude • Perplexity • Core Web Vitals • Production Ops

**Prepared for:** Replace Works
**Date:** February 2026
**Total Items:** 300+
**Philosophy:** If it's not on this list, it doesn't ship.

---

# ════════════════════════════════════════════════════════════════
# PART 1: PROJECT STRUCTURE & CODE QUALITY
# ════════════════════════════════════════════════════════════════

## 1.1 — File & Folder Organization
- [ ] Clean folder structure: /src, /public, /components, /pages, /assets, /styles, /utils, /lib, /config, /hooks, /services, /types, /constants
- [ ] Separate /api or /server directory for backend logic
- [ ] /tests or /__tests__ directory mirroring src structure
- [ ] /scripts directory for build, deploy, seed, migration scripts
- [ ] /docs directory for internal documentation, architecture decisions, API specs
- [ ] /.github directory with CODEOWNERS, PR templates, issue templates, workflows
- [ ] Consistent file naming convention across entire project (kebab-case recommended)
- [ ] Index files (index.ts) for clean barrel exports from each module
- [ ] No deeply nested folders beyond 4 levels — flatten where possible
- [ ] No orphan files sitting in root that should be in a subdirectory

## 1.2 — Project Configuration Files
- [ ] package.json — name, version, description, keywords, homepage, repository, author, license, engines
- [ ] package-lock.json or yarn.lock committed (never both)
- [ ] tsconfig.json / jsconfig.json with path aliases (@/components, @/lib, @/utils)
- [ ] .eslintrc with project-specific rules enforced
- [ ] .prettierrc with consistent formatting rules
- [ ] .editorconfig for cross-IDE consistency
- [ ] .nvmrc or .node-version specifying exact Node version
- [ ] .env.example with ALL environment variables documented with descriptions
- [ ] .env.local, .env.production, .env.staging — all gitignored
- [ ] .gitignore — node_modules, .env* (with `!.env.example` so the documented template stays tracked), .next, build, dist, .DS_Store, coverage, *.log, .vercel
- [ ] docker-compose.yml if using containers
- [ ] Dockerfile with multi-stage build for production
- [ ] LICENSE file (MIT, Apache 2.0, or proprietary)
- [ ] README.md — comprehensive (see next section)
- [ ] CHANGELOG.md with semantic versioning
- [ ] CONTRIBUTING.md if open source

## 1.3 — README.md Must-Haves
- [ ] Project name and one-line description
- [ ] Badges: build status, coverage, version, license
- [ ] Screenshot or demo GIF of the live product
- [ ] Tech stack list with versions
- [ ] Architecture diagram or high-level overview
- [ ] Prerequisites (Node version, database, etc.)
- [ ] Installation & setup instructions (copy-paste ready)
- [ ] Environment variables table with descriptions and example values
- [ ] Available scripts (dev, build, test, lint, deploy)
- [ ] Folder structure overview
- [ ] API documentation link or summary
- [ ] Deployment instructions
- [ ] Contributing guidelines
- [ ] License info
- [ ] Contact / support info

## 1.4 — Code Quality & Standards
- [ ] TypeScript strict mode enabled (if using TS)
- [ ] No `any` types — proper typing throughout
- [ ] ESLint passing with zero warnings in CI
- [ ] Prettier formatting enforced via pre-commit hook
- [ ] Husky + lint-staged for pre-commit checks
- [ ] No console.log statements in production code (use proper logger)
- [ ] No hardcoded secrets, API keys, or credentials anywhere in codebase
- [ ] No TODO/FIXME/HACK comments left unresolved for launch
- [ ] Dead code removed — no commented-out blocks
- [ ] All imports are used — no unused dependencies
- [ ] Bundle size analyzed (use webpack-bundle-analyzer or equivalent)
- [ ] No circular dependencies
- [ ] Error boundaries implemented for React apps
- [ ] Proper error handling — no silent catch blocks
- [ ] Environment-specific configs (dev/staging/prod) properly separated

---

# ════════════════════════════════════════════════════════════════
# PART 2: TECHNICAL SEO FUNDAMENTALS
# ════════════════════════════════════════════════════════════════

## 2.1 — HTML Head / Meta Tags (Every Page)
- [ ] `<html lang="en">` (or appropriate language code) set on every page
- [ ] `<meta charset="utf-8">` as first element in head
- [ ] `<meta name="viewport" content="width=device-width, initial-scale=1">` for mobile
- [ ] Unique `<title>` tag — 50-60 characters, primary keyword first, brand last (e.g., "AI Document Processing | DocDataApp")
- [ ] Unique `<meta name="description">` — 150-160 characters with value prop and CTA
- [ ] `<link rel="canonical" href="https://yourdomain.com/exact-page-url">` on every page
- [ ] `<meta name="robots" content="index, follow">` on indexable pages
- [ ] `<meta name="robots" content="noindex, nofollow">` on admin, auth, internal pages
- [ ] `<meta name="author" content="Your Name or Company">`
- [ ] `<meta name="theme-color" content="#yourcolor">` for mobile browser chrome
- [ ] `<link rel="icon" href="/favicon.ico">` (32x32 .ico)
- [ ] `<link rel="icon" type="image/svg+xml" href="/favicon.svg">` (SVG favicon)
- [ ] `<link rel="apple-touch-icon" href="/apple-touch-icon.png">` (180x180)
- [ ] `<link rel="manifest" href="/manifest.json">` for PWA
- [ ] No duplicate meta tags on any page
- [ ] No more than one `<h1>` per page

## 2.2 — Open Graph Tags (Every Page)
- [ ] `og:title` — Same as or similar to page title, max 60 chars
- [ ] `og:description` — Compelling summary, 150-160 chars
- [ ] `og:image` — 1200x630px minimum, high quality, branded
- [ ] `og:image:width` and `og:image:height` specified
- [ ] `og:image:alt` — Descriptive alt text for the OG image
- [ ] `og:url` — Full canonical URL of the page
- [ ] `og:type` — "website" for homepage, "article" for blog posts, "product" for products
- [ ] `og:site_name` — Your brand name
- [ ] `og:locale` — e.g., "en_US"
- [ ] Test with Facebook Sharing Debugger (developers.facebook.com/tools/debug/)
- [ ] Test with LinkedIn Post Inspector (linkedin.com/post-inspector/)
- [ ] OG image loads fast (under 500KB, served from CDN)

## 2.3 — Twitter/X Card Tags (Every Page)
- [ ] `twitter:card` — "summary_large_image" for feature image, "summary" for small
- [ ] `twitter:site` — Your brand's @handle
- [ ] `twitter:creator` — Author's @handle (for articles)
- [ ] `twitter:title` — Max 70 characters
- [ ] `twitter:description` — Max 200 characters
- [ ] `twitter:image` — Min 800x418 for large image, 120x120 for summary
- [ ] `twitter:image:alt` — Alt text for the card image
- [ ] Test with Twitter Card Validator (cards-dev.twitter.com/validator)
- [ ] Ensure image ratio is 2:1 for summary_large_image
- [ ] Different OG images per page (not same image site-wide)

## 2.4 — Other Social / Platform Meta Tags
- [ ] Pinterest: `<meta name="p:domain_verify" content="...">` if using Pinterest
- [ ] Slack unfurl works correctly (test by pasting URL in Slack)
- [ ] Discord embed works correctly (test by pasting URL in Discord)
- [ ] WhatsApp preview works correctly (test by sharing URL in WhatsApp)
- [ ] Telegram preview works correctly
- [ ] iMessage / Messages preview works correctly
- [ ] LinkedIn preview shows correct image, title, description

---

# ════════════════════════════════════════════════════════════════
# PART 3: INDEXING, CRAWLABILITY & SITEMAPS
# ════════════════════════════════════════════════════════════════

## 3.1 — robots.txt
- [ ] File exists at /robots.txt (root of domain)
- [ ] `User-agent: *` with proper Allow/Disallow rules
- [ ] `Sitemap: https://yourdomain.com/sitemap.xml` referenced
- [ ] Disallow: /api/, /admin/, /auth/, /dashboard/, /_next/, /private/ (robots.txt is public and advisory only, so these routes still need real access control)
- [ ] Allow AI crawlers explicitly (see AI Visibility section)
- [ ] No accidental `Disallow: /` blocking entire site
- [ ] Test with Google's robots.txt Tester in Search Console
- [ ] Host directive if needed for mirror/staging prevention

## 3.2 — Sitemap
- [ ] XML sitemap at /sitemap.xml
- [ ] All indexable pages included
- [ ] `<lastmod>` dates accurate and updated when content changes
- [ ] `<changefreq>` set appropriately (daily for blog, weekly for pages, monthly for static)
- [ ] `<priority>` set (1.0 for homepage, 0.8 for key pages, 0.6 for others)
- [ ] Sitemap auto-generates when new content is published
- [ ] Sitemap index file if >50,000 URLs (`<sitemapindex>`)
- [ ] Image sitemap if heavy on visual content
- [ ] Video sitemap if hosting video content
- [ ] News sitemap if publishing news content
- [ ] No noindex pages in sitemap — these should be excluded
- [ ] No redirected URLs in sitemap — only final destination URLs
- [ ] Sitemap is under 50MB uncompressed
- [ ] Submitted to Google Search Console
- [ ] Submitted to Bing Webmaster Tools

## 3.3 — Crawlability & Internal Linking
- [ ] Every important page reachable within 3 clicks from homepage
- [ ] Logical internal linking with descriptive anchor text (not "click here")
- [ ] Breadcrumb navigation on all pages except homepage
- [ ] No orphan pages (every page linked from at least one other page)
- [ ] No broken internal links (run a full crawl with Screaming Frog)
- [ ] No redirect chains (A→B→C should be A→C)
- [ ] No redirect loops
- [ ] JavaScript-rendered content is accessible to crawlers (use SSR/SSG)
- [ ] Pagination done with proper rel="next"/rel="prev" or load-more with real URLs
- [ ] Faceted navigation doesn't create infinite crawl paths
- [ ] Search result pages are noindexed
- [ ] Dynamic routes generate proper static pages at build time where possible
- [ ] XML sitemap and HTML sitemap page both exist

---

# ════════════════════════════════════════════════════════════════
# PART 4: STRUCTURED DATA & SCHEMA MARKUP (JSON-LD)
# ════════════════════════════════════════════════════════════════

## 4.1 — Global Schema (Every Page)
- [ ] Organization schema — name, url, logo (min 112x112), description, sameAs (all social profiles)
- [ ] WebSite schema — name, url, SearchAction (enables sitelinks search box in Google)
- [ ] WebPage schema — name, description, url, datePublished, dateModified, isPartOf
- [ ] BreadcrumbList schema — matching visible breadcrumb navigation

## 4.2 — Page-Specific Schema
- [ ] Homepage: Organization + WebSite + WebPage
- [ ] About page: Organization with detailed description, founders, foundingDate
- [ ] Blog posts: Article or BlogPosting — headline, author, datePublished, dateModified, image, publisher
- [ ] Product pages: Product — name, description, image, offers (price, currency, availability)
- [ ] Pricing page: Product or Offer with price, priceCurrency, availability
- [ ] FAQ pages: FAQPage with Question + acceptedAnswer pairs
- [ ] How-to/Tutorial pages: HowTo with steps, tools, supply lists
- [ ] Contact page: ContactPoint with telephone, email, contactType
- [ ] Team/People pages: Person — name, jobTitle, worksFor, image, sameAs
- [ ] Event pages: Event — name, startDate, endDate, location, performer
- [ ] Review pages: Review with rating, author, itemReviewed
- [ ] Software/App: SoftwareApplication — name, operatingSystem, applicationCategory, offers
- [ ] LocalBusiness (if applicable): address, phone, geo, openingHours

## 4.3 — Schema Validation
- [ ] All schema validated with Google Rich Results Test (search.google.com/test/rich-results)
- [ ] All schema validated with Schema.org Validator (validator.schema.org)
- [ ] Schema Markup Validator by Merkle (technicalseo.com/tools/schema-markup-generator/)
- [ ] No errors or warnings in Google Search Console enhancement reports
- [ ] JSON-LD injected in `<head>` or `<body>` (not in JavaScript-only rendering)
- [ ] Schema matches visible page content (no hidden/misleading data)
- [ ] Test with Google's Structured Data Testing Tool periodically

---

# ════════════════════════════════════════════════════════════════
# PART 5: LLM / AI VISIBILITY & READINESS
# ════════════════════════════════════════════════════════════════

## 5.1 — AI Crawler Permissions (robots.txt)
- [ ] Allow GPTBot (OpenAI/ChatGPT)
- [ ] Allow ChatGPT-User (ChatGPT browsing)
- [ ] Allow Claude-Web (Anthropic/Claude)
- [ ] Allow Anthropic-AI
- [ ] Allow PerplexityBot
- [ ] Allow Google-Extended (Gemini/Bard)
- [ ] Allow Amazonbot (Alexa)
- [ ] Allow Bytespider (ByteDance/TikTok AI)
- [ ] Allow meta-externalagent (Meta AI)
- [ ] Allow Applebot-Extended (Apple Intelligence)
- [ ] Review and update bot permissions quarterly as new AI crawlers emerge
- [ ] Monitor AI crawler activity in server logs

```
# Sample robots.txt AI section:
User-agent: GPTBot
Allow: /

User-agent: ChatGPT-User
Allow: /

User-agent: Claude-Web
Allow: /

User-agent: Anthropic-AI
Allow: /

User-agent: PerplexityBot
Allow: /

User-agent: Google-Extended
Allow: /

User-agent: Applebot-Extended
Allow: /
```

## 5.2 — llms.txt & AI Discovery Files
- [ ] Create `/llms.txt` at domain root — plain text file with:
  - Project/company name
  - One-paragraph description of what you do
  - List of key pages with URLs and descriptions
  - Contact information
  - Last updated date
- [ ] Create `/llms-full.txt` with comprehensive documentation:
  - Complete product/service description
  - Feature list with explanations
  - Pricing summary
  - Technical specifications
  - API documentation summary
  - Use cases and target audience
  - Comparison with alternatives
  - FAQ content
- [ ] Create `/.well-known/ai-plugin.json` if offering an API:
  - name_for_human, name_for_model
  - description_for_human, description_for_model
  - API endpoint and authentication details
  - Logo URL

```
# Sample llms.txt:
# DocDataApp
> AI-powered document processing platform that extracts, classifies, and routes data from any document type.

## Key Pages
- [Homepage](https://docdataapp.com): Overview and value proposition
- [Features](https://docdataapp.com/features): Complete feature list
- [Pricing](https://docdataapp.com/pricing): Plans starting at $29/mo
- [Documentation](https://docdataapp.com/docs): API docs and guides
- [Blog](https://docdataapp.com/blog): Industry insights and tutorials
- [About](https://docdataapp.com/about): Company info and team
- [Contact](https://docdataapp.com/contact): Support and sales

## Quick Facts
- Founded: 2025
- Category: Document AI / SaaS
- API: REST API available
- Integrations: Zapier, Slack, Google Drive, Dropbox

Updated: 2026-02-07
```

## 5.3 — Semantic HTML for AI Parsing
- [ ] Proper heading hierarchy: one `<h1>`, logical `<h2>` → `<h3>` → `<h4>` nesting
- [ ] Use `<main>` for primary content
- [ ] Use `<article>` for self-contained content pieces
- [ ] Use `<section>` with headings for content groups
- [ ] Use `<nav>` for navigation blocks
- [ ] Use `<aside>` for supplementary content
- [ ] Use `<header>` and `<footer>` for page/section headers and footers
- [ ] Use `<figure>` and `<figcaption>` for images with captions
- [ ] Use `<blockquote>` with `cite` attribute for quotes
- [ ] Use `<time datetime="...">` for dates
- [ ] Use `<address>` for contact information
- [ ] Use `<dl>`, `<dt>`, `<dd>` for definition lists
- [ ] Use `<abbr title="...">` for abbreviations
- [ ] All images have descriptive `alt` text (not "image1" or empty)
- [ ] Tables use `<thead>`, `<tbody>`, `<th scope="...">` properly
- [ ] Forms have proper `<label>` elements with `for` attributes

## 5.4 — Content Strategy for AI Citability
- [ ] Write in clear, factual, well-structured prose
- [ ] Lead paragraphs answer the "what" immediately (inverted pyramid)
- [ ] Use direct, quotable statements that AI can extract and cite
- [ ] Include specific numbers, statistics, and data points where possible
- [ ] Create comprehensive About page with clear entity descriptions
- [ ] Maintain a /docs or /help section with detailed, organized content
- [ ] Build a structured FAQ / Knowledge Base
- [ ] Publish original research, case studies, and data that AI systems value
- [ ] Ensure content is in the HTML (not behind JS modals, accordions, or tabs)
- [ ] Use descriptive, keyword-rich URLs (/pricing, /features/document-scanning)
- [ ] Add aria-labels and ARIA landmarks for accessibility and AI parsing
- [ ] Keep content fresh — update key pages at least quarterly

---

# ════════════════════════════════════════════════════════════════
# PART 6: PERFORMANCE & CORE WEB VITALS
# ════════════════════════════════════════════════════════════════

## 6.1 — Core Web Vitals Targets
- [ ] LCP (Largest Contentful Paint) < 2.5 seconds
- [ ] INP (Interaction to Next Paint) < 200ms
- [ ] CLS (Cumulative Layout Shift) < 0.1
- [ ] FCP (First Contentful Paint) < 1.8 seconds
- [ ] TTFB (Time to First Byte) < 800ms
- [ ] Total Blocking Time < 200ms
- [ ] Speed Index < 3.4 seconds

## 6.2 — Image Optimization
- [ ] All images in WebP or AVIF format (with JPEG/PNG fallbacks)
- [ ] Images properly sized — no 4000px images displayed at 400px
- [ ] Responsive images with srcset and sizes attributes
- [ ] Lazy loading on below-the-fold images (`loading="lazy"`)
- [ ] Eager loading on above-the-fold / hero images (`loading="eager"`)
- [ ] Image compression (80-85% quality for photos)
- [ ] next/image or equivalent automatic optimization
- [ ] SVG for icons and logos (not raster)
- [ ] No images over 200KB without good reason
- [ ] Image CDN configured (Cloudflare Images, Imgix, or Vercel)
- [ ] Proper width and height attributes to prevent CLS
- [ ] OG images pre-generated and cached

## 6.3 — Code & Asset Optimization
- [ ] CSS, JS, HTML minified in production
- [ ] Code splitting / dynamic imports for JS bundles
- [ ] Tree shaking enabled — no unused code shipped
- [ ] Critical CSS inlined in `<head>`
- [ ] Non-critical CSS loaded asynchronously
- [ ] Scripts use `async` or `defer` attributes
- [ ] No render-blocking resources
- [ ] Gzip or Brotli compression enabled on server
- [ ] HTTP/2 or HTTP/3 enabled
- [ ] Bundle analysis done — no unexpectedly large chunks
- [ ] Total JS bundle < 200KB gzipped for initial load
- [ ] Total CSS < 50KB gzipped
- [ ] Font files subset to only used characters
- [ ] Fonts preloaded: `<link rel="preload" as="font" crossorigin>`
- [ ] `font-display: swap` to prevent invisible text during load
- [ ] No more than 2-3 custom font files

## 6.4 — Caching & CDN
- [ ] CDN configured (Cloudflare, Vercel Edge, AWS CloudFront, Fastly)
- [ ] Static assets have long cache headers (Cache-Control: max-age=31536000, immutable)
- [ ] HTML pages have short/no cache (Cache-Control: no-cache or max-age=0)
- [ ] API responses cached where appropriate
- [ ] ETag headers configured
- [ ] Service worker for offline support (if PWA)
- [ ] Stale-while-revalidate strategy for dynamic content
- [ ] DNS prefetch for third-party domains: `<link rel="dns-prefetch" href="//cdn.example.com">`
- [ ] Preconnect to critical origins: `<link rel="preconnect" href="https://fonts.googleapis.com">`

## 6.5 — Performance Testing
- [ ] Google PageSpeed Insights: 90+ mobile, 95+ desktop
- [ ] Lighthouse audit: all categories 90+
- [ ] WebPageTest.org waterfall analysis clean
- [ ] Chrome DevTools Performance tab — no long tasks
- [ ] Core Web Vitals passing in Google Search Console (CrUX data)
- [ ] Real User Monitoring (RUM) set up (web-vitals library, Vercel Analytics, or equivalent)
- [ ] Performance budget established and monitored in CI

---

# ════════════════════════════════════════════════════════════════
# PART 7: URL STRUCTURE & NAVIGATION
# ════════════════════════════════════════════════════════════════

## 7.1 — URL Best Practices
- [ ] Clean, lowercase, hyphenated URLs (/about-us, /blog/ai-document-processing)
- [ ] No underscores, spaces, uppercase, or special characters in URLs
- [ ] No query parameters for content pages (use clean paths)
- [ ] No file extensions in URLs (no .html, .php)
- [ ] Trailing slash consistency — pick one and enforce via redirects
- [ ] URLs are descriptive and readable by humans
- [ ] URL hierarchy matches content hierarchy (/docs/getting-started/installation)
- [ ] URLs are as short as practical while remaining descriptive
- [ ] No session IDs, tracking params, or dynamic cruft in URLs
- [ ] www vs non-www — pick one and redirect the other

## 7.2 — Redirects & Error Pages
- [ ] 301 redirects for all changed URLs (never break existing links)
- [ ] Redirect map maintained and documented
- [ ] No redirect chains (max 1 hop)
- [ ] No redirect loops
- [ ] Custom 404 page with: helpful message, search bar, navigation, popular links, contact
- [ ] Custom 500 page with: friendly error message, retry suggestion, support contact
- [ ] 404 page returns actual 404 status code (not 200)
- [ ] Old domain redirects if migrating (301 all old URLs)

## 7.3 — Navigation & Information Architecture
- [ ] Persistent header nav with links to all key sections
- [ ] Comprehensive footer: sitemap links, legal pages, social links, contact
- [ ] Breadcrumb navigation on all pages (except homepage)
- [ ] Mobile navigation (hamburger menu) works smoothly
- [ ] Search functionality on site (if 20+ pages)
- [ ] Call-to-action visible on every page
- [ ] No more than 7±2 items in primary navigation
- [ ] Active/current page highlighted in navigation

---

# ════════════════════════════════════════════════════════════════
# PART 8: CONTENT & ON-PAGE SEO
# ════════════════════════════════════════════════════════════════

## 8.1 — On-Page SEO Per Page
- [ ] Exactly one `<h1>` with primary keyword
- [ ] Logical heading hierarchy (h1 > h2 > h3 — never skip levels)
- [ ] Primary keyword in first 100 words of body content
- [ ] Keyword in URL slug
- [ ] Keyword in meta title and description
- [ ] Keyword in at least one image alt text
- [ ] Minimum 300+ words on key pages (1000+ for pillar content)
- [ ] Unique content on every page — no duplicate content across pages
- [ ] Internal links to 2-5 related pages with descriptive anchor text
- [ ] External links to 1-2 authoritative sources where relevant
- [ ] Last updated date displayed on content pages
- [ ] Author byline with link to author page (for blog/articles)
- [ ] Social sharing buttons on content pages
- [ ] Table of contents on long-form content (1500+ words)
- [ ] Related content / recommended articles section

## 8.2 — Essential Pages Checklist
- [ ] Homepage — clear value proposition, hero, features, social proof, CTA
- [ ] About page — company story, team, mission, values, founded date
- [ ] Pricing page — clear plans, comparison table, FAQ, CTA
- [ ] Features page — comprehensive feature list with descriptions
- [ ] Contact page — form, email, phone, address, map, social links
- [ ] Blog / Resources — regularly updated, categorized, searchable
- [ ] Documentation / Help Center — organized, searchable, with examples
- [ ] Privacy Policy — GDPR/CCPA compliant, plain language, last updated date
- [ ] Terms of Service — comprehensive, legally reviewed
- [ ] Cookie Policy — with consent mechanism
- [ ] FAQ page — structured with schema markup
- [ ] 404 page — helpful, branded, with navigation
- [ ] Sitemap page (HTML) — human-readable site overview
- [ ] Changelog / What's New — for SaaS/products
- [ ] Status page — system uptime and incident history
- [ ] Careers page — if hiring

---

# ════════════════════════════════════════════════════════════════
# PART 9: EMAIL CONFIGURATION & DELIVERABILITY
# ════════════════════════════════════════════════════════════════

## 9.1 — DNS Email Records
- [ ] SPF record configured: `v=spf1 include:_spf.google.com include:sendgrid.net ~all` (adjust for your providers)
- [ ] DKIM record configured and verified for all sending services
- [ ] DMARC record configured: `v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100`
- [ ] MX records pointing to correct mail server
- [ ] PTR (reverse DNS) record set for sending IP
- [ ] BIMI record configured with verified logo (optional but recommended)
- [ ] All DNS records have appropriate TTL values
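
A lint for the SPF and DMARC records above, as an added example that is not part of the original checklist. `lintSpf` and `lintDmarc` are hypothetical helper names; the functions take the TXT record strings as input, so nothing is resolved over DNS.

```javascript
// Added example: lint SPF and DMARC TXT record strings (hypothetical helpers).

// SPF terms that each cost one DNS lookup; RFC 7208 allows at most 10 per check.
const SPF_LOOKUP_TERMS = ['include', 'a', 'mx', 'ptr', 'exists', 'redirect'];

// The two records exactly as the checklist gives them.
const PAGE_SPF = 'v=spf1 include:_spf.google.com include:sendgrid.net ~all';
const PAGE_DMARC =
  'v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100';

function lintSpf(record) {
  const terms = record.trim().split(/\s+/);
  if (terms[0].toLowerCase() !== 'v=spf1') return ['not an SPF record'];
  const issues = [];

  // Strip the qualifier (+ - ~ ?) and any argument to get the bare term name.
  const names = terms.slice(1).map(
    (t) => t.replace(/^[+\-~?]/, '').split(/[:=\/]/)[0].toLowerCase());
  const lookups = names.filter((n) => SPF_LOOKUP_TERMS.includes(n)).length;
  if (lookups > 10) issues.push(`${lookups} DNS lookups (limit is 10)`);

  const all = terms.find((t) => /^[+\-~?]?all$/i.test(t));
  if (!all) {
    // A redirect= modifier hands the decision to another record.
    if (!names.includes('redirect')) issues.push('no "all" mechanism');
  } else if (/^\+?all$/i.test(all)) {
    issues.push('+all authorizes every sender');
  } else if (all.startsWith('?')) {
    issues.push('?all is neutral and stops nothing');
  }
  return issues;
}

function lintDmarc(record) {
  // Parse "tag=value; tag=value" pairs; rua values contain ':' but no '='.
  const tags = {};
  for (const part of record.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) tags[part.slice(0, i).trim().toLowerCase()] = part.slice(i + 1).trim();
  }
  if (tags.v !== 'DMARC1') return ['not a DMARC record'];
  const issues = [];

  const policy = (tags.p || '').toLowerCase();
  if (!['none', 'quarantine', 'reject'].includes(policy)) {
    issues.push('missing or invalid p= policy');
  } else if (policy === 'none') {
    issues.push('p=none only monitors; failing mail is still delivered');
  }
  if (!tags.rua) issues.push('no rua= address, so no aggregate reports');

  // pct defaults to 100 when the tag is absent.
  const pct = tags.pct === undefined ? 100 : Number(tags.pct);
  if (pct !== 100) issues.push(`pct=${tags.pct} applies the policy to only part of the mail`);
  return issues;
}

// Constructed weak records for comparison with the checklist's values.
console.log(lintSpf(PAGE_SPF), lintSpf('v=spf1 +all'));
console.log(lintDmarc(PAGE_DMARC), lintDmarc('v=DMARC1; p=none; pct=50'));
```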

## 9.2 — Transactional Email Setup
- [ ] Transactional email service configured (SendGrid, Postmark, AWS SES, Resend)
- [ ] Dedicated sending domain (e.g., mail.yourdomain.com) verified
- [ ] Welcome email template designed and tested
- [ ] Password reset email working and tested
- [ ] Email verification/confirmation flow working
- [ ] Invoice/receipt emails working (if applicable)
- [ ] Notification emails working (if applicable)
- [ ] All transactional emails have:
  - [ ] Proper From name and address (not noreply@)
  - [ ] Reply-to address that's monitored
  - [ ] Unsubscribe link (required by law for marketing)
  - [ ] Physical mailing address (CAN-SPAM requirement)
  - [ ] Plain text version alongside HTML
  - [ ] Responsive design — works on all email clients
  - [ ] Tested in Gmail, Outlook, Apple Mail, Yahoo
  - [ ] Tested with Litmus or Email on Acid
  - [ ] No broken images or missing assets
  - [ ] Links all work and point to correct URLs

## 9.3 — Email Deliverability
- [ ] Warm up sending IP if using dedicated IP
- [ ] Test deliverability with mail-tester.com (aim for 9+/10)
- [ ] Check blacklist status (mxtoolbox.com/blacklists.aspx)
- [ ] Bounce handling configured — auto-remove hard bounces
- [ ] Complaint feedback loops set up with major ISPs
- [ ] Email sending rate limits configured to avoid throttling
- [ ] Double opt-in for marketing emails
- [ ] List hygiene — remove inactive subscribers regularly
- [ ] Test emails don't land in spam folder across providers

## 9.4 — Contact & Communication
- [ ] Contact form working and delivering to correct inbox
- [ ] Contact form has spam protection (reCAPTCHA, honeypot, or rate limiting)
- [ ] Contact form sends confirmation to the submitter
- [ ] Auto-responder set up for contact form submissions
- [ ] Support email monitored (support@yourdomain.com)
- [ ] Business email configured (hello@, info@, or team@yourdomain.com)
- [ ] Email signature configured with logo, links, legal text

---

# ════════════════════════════════════════════════════════════════
# PART 10: SECURITY & HTTPS
# ════════════════════════════════════════════════════════════════

## 10.1 — SSL/TLS & HTTPS
- [ ] Valid SSL/TLS certificate installed (auto-renewing preferred)
- [ ] HTTPS enforced on all pages — HTTP 301 redirects to HTTPS
- [ ] HSTS header: `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
- [ ] Consider HSTS preload list submission (hstspreload.org)
- [ ] SSL Labs test: A+ rating (ssllabs.com/ssltest)
- [ ] No mixed content (HTTP resources on HTTPS pages)
- [ ] TLS 1.2+ only (disable TLS 1.0 and 1.1)
- [ ] Certificate covers all subdomains (wildcard or individual)

## 10.2 — Security Headers
- [ ] `X-Content-Type-Options: nosniff`
- [ ] `X-Frame-Options: DENY` (or SAMEORIGIN if iframing yourself)
- [ ] `X-XSS-Protection: 0` (the header is deprecated; `0` explicitly disables the legacy browser XSS filter)
- [ ] `Content-Security-Policy` — configured and tested (report-only first)
- [ ] `Referrer-Policy: strict-origin-when-cross-origin`
- [ ] `Permissions-Policy` — restrict camera, microphone, geolocation, etc.
- [ ] `Cross-Origin-Opener-Policy: same-origin`
- [ ] `Cross-Origin-Resource-Policy: same-origin`
- [ ] Test with securityheaders.com — aim for A+
- [ ] Test with Mozilla Observatory (observatory.mozilla.org) — aim for A+
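
The header values from 10.1 and 10.2 as an automated check, added here as an example and not part of the original checklist. `auditSecurityHeaders` and `RULES` are hypothetical names, and both sample header sets are constructed.

```javascript
// Added example: audit response headers against sections 10.1 and 10.2.
// auditSecurityHeaders and RULES are hypothetical names, not a library API.

const ONE_YEAR = 31536000;
const exact = (want) => (v) =>
  v.trim().toLowerCase() === want ? null : `expected ${want}`;

// Each rule returns null when the value passes, or a short reason when it fails.
const RULES = {
  'strict-transport-security': (v) => {
    const m = /max-age=(\d+)/i.exec(v);
    if (!m || Number(m[1]) < ONE_YEAR) return 'max-age below 31536000';
    if (!/includeSubDomains/i.test(v)) return 'includeSubDomains missing';
    return null;
  },
  'x-content-type-options': exact('nosniff'),
  'x-frame-options': (v) =>
    ['deny', 'sameorigin'].includes(v.trim().toLowerCase())
      ? null : 'expected DENY or SAMEORIGIN',
  'x-xss-protection': exact('0'),
  // Assumption: values stricter than the checklist's are accepted too.
  'referrer-policy': (v) =>
    ['no-referrer', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin']
      .includes(v.trim().toLowerCase())
      ? null : 'weaker than strict-origin-when-cross-origin',
  'permissions-policy': (v) => (v.trim() ? null : 'empty policy'),
  'cross-origin-opener-policy': exact('same-origin'),
  'cross-origin-resource-policy': exact('same-origin'),
};

function auditSecurityHeaders(headers) {
  // Header names are case-insensitive, so compare on lowercase keys.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  const findings = [];
  for (const [name, check] of Object.entries(RULES)) {
    if (!(name in h)) {
      findings.push({ header: name, level: 'fail', reason: 'missing' });
      continue;
    }
    const reason = check(h[name]);
    if (reason) findings.push({ header: name, level: 'fail', reason });
  }

  // CSP: a report-only policy is the rollout step, but it enforces nothing yet.
  if (!('content-security-policy' in h)) {
    const staged = 'content-security-policy-report-only' in h;
    findings.push({
      header: 'content-security-policy',
      level: staged ? 'warn' : 'fail',
      reason: staged ? 'report-only, not yet enforced' : 'missing',
    });
  }
  return findings;
}

// Constructed sample: every header set as the checklist specifies.
const HARDENED = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'X-XSS-Protection': '0',
  'Content-Security-Policy': "default-src 'self'",
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
  'Cross-Origin-Opener-Policy': 'same-origin',
  'Cross-Origin-Resource-Policy': 'same-origin',
};

// Constructed sample: a partially configured site.
const WEAK = {
  'strict-transport-security': 'max-age=300',
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'ALLOWALL',
  'X-XSS-Protection': '1; mode=block',
  'Content-Security-Policy-Report-Only': "default-src 'self'",
  'Referrer-Policy': 'unsafe-url',
};

console.log(auditSecurityHeaders(HARDENED));
console.log(auditSecurityHeaders(WEAK));
```

In Node 18+, `Object.fromEntries((await fetch(url)).headers)` produces an object this function accepts, which makes it usable as a CI gate against a staging deployment.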

## 10.3 — Application Security
- [ ] All user inputs validated and sanitized, with output escaped and SQL queries parameterized (prevent XSS, SQL injection)
- [ ] CSRF protection on all forms and state-changing requests
- [ ] Rate limiting on API endpoints and auth routes
- [ ] Brute force protection on login (lockout after N attempts)
- [ ] Password requirements enforced (min 8 chars, complexity)
- [ ] Passwords hashed with bcrypt/argon2 (never stored plain)
- [ ] Session management secure (HttpOnly, Secure, SameSite cookies)
- [ ] JWT tokens have proper expiration and refresh flow
- [ ] API keys and secrets stored in environment variables only
- [ ] No sensitive data in URLs, logs, or error messages
- [ ] Dependency vulnerabilities checked (npm audit, Snyk, Dependabot)
- [ ] CORS configured properly — no wildcard `*` in production
- [ ] File upload validation — type, size, content checking
- [ ] Admin routes protected with proper authentication + authorization

## 10.4 — Data Protection
- [ ] Database encrypted at rest
- [ ] Database connections encrypted in transit
- [ ] Backups encrypted and stored securely
- [ ] PII (personally identifiable information) handling documented
- [ ] Data retention policy defined and implemented
- [ ] Right to delete / data export functionality (GDPR)
- [ ] Third-party data processors documented

---

# ════════════════════════════════════════════════════════════════
# PART 11: AUTHENTICATION & USER MANAGEMENT
# ════════════════════════════════════════════════════════════════

## 11.1 — Authentication
- [ ] Sign up flow working end-to-end (test with new email)
- [ ] Login flow working (email/password)
- [ ] OAuth/Social login working (Google, GitHub, etc. — if applicable)
- [ ] Password reset flow — request, email, reset, confirmation
- [ ] Email verification flow — send, verify, confirm
- [ ] Session persistence — users stay logged in appropriately
- [ ] Logout clears all session data properly
- [ ] "Remember me" functionality working
- [ ] Account deletion/deactivation flow working
- [ ] Multi-factor authentication (MFA/2FA) available
- [ ] Login rate limiting and lockout protection
- [ ] Password strength indicator on signup
- [ ] Error messages don't reveal whether email exists ("Invalid credentials" not "User not found")

## 11.2 — User Dashboard & Account
- [ ] Dashboard loads correctly after login
- [ ] Profile edit (name, email, avatar) working
- [ ] Password change from dashboard working
- [ ] Subscription/billing management accessible
- [ ] Usage limits/quotas displayed if applicable
- [ ] Notification preferences configurable
- [ ] API key generation/management if applicable
- [ ] Team/organization management if applicable
- [ ] Data export functionality
- [ ] Account deletion with proper data cleanup

---

# ════════════════════════════════════════════════════════════════
# PART 12: PAYMENT & BILLING (if applicable)
# ════════════════════════════════════════════════════════════════

## 12.1 — Payment Integration
- [ ] Payment processor configured (Stripe, Paddle, LemonSqueezy)
- [ ] Test mode → Production mode switch verified
- [ ] All plans/products created in payment processor
- [ ] Checkout flow working end-to-end (test with real card in test mode)
- [ ] Subscription creation working
- [ ] Plan upgrade/downgrade working
- [ ] Cancellation flow working
- [ ] Payment method update working
- [ ] Invoice generation and delivery working
- [ ] Refund process documented and tested
- [ ] Promo codes / discounts working (if applicable)
- [ ] Tax calculation configured (Stripe Tax, Paddle handles this)
- [ ] VAT/GST handling for international customers

## 12.2 — Webhooks & Events
- [ ] Payment success webhook handling
- [ ] Payment failure webhook handling
- [ ] Subscription cancelled webhook
- [ ] Subscription updated webhook
- [ ] Invoice paid webhook
- [ ] Dispute/chargeback webhook
- [ ] Webhook endpoint secured (signature verification)
- [ ] Webhook retry logic tested
- [ ] Failed payment → grace period → suspension flow working
- [ ] Customer portal link working (Stripe Customer Portal or equivalent)
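
A sketch of the signature-verification and retry items above, added as an example and not taken from the original checklist or from any processor's SDK. The `t=<unix>,v1=<hex>` header layout, the 300-second tolerance, the secret, and the function names are assumptions for illustration; use the header format and official library your payment processor documents.

```javascript
// Added example: verify a timestamped HMAC-SHA256 webhook signature and
// deduplicate retried deliveries. Names and header layout are hypothetical.
const crypto = require('node:crypto');

const TOLERANCE_SECONDS = 300; // assumed replay window

function sign(secret, timestamp, rawBody) {
  // The timestamp is part of the signed material so it cannot be swapped.
  return crypto.createHmac('sha256', secret)
    .update(`${timestamp}.${rawBody}`)
    .digest('hex');
}

function verifyWebhook(rawBody, header, secret, nowSeconds) {
  // Parse "t=...,v1=..." into { t, v1 }; anything else is rejected.
  const parts = Object.fromEntries(
    String(header || '').split(',')
      .map((p) => p.trim().split('=', 2))
      .filter((kv) => kv.length === 2));
  const ts = Number(parts.t);
  if (!Number.isInteger(ts) || !parts.v1) {
    return { ok: false, reason: 'malformed header' };
  }
  if (Math.abs(nowSeconds - ts) > TOLERANCE_SECONDS) {
    return { ok: false, reason: 'timestamp outside tolerance' };
  }
  const expected = Buffer.from(sign(secret, ts, rawBody), 'hex');
  const given = Buffer.from(parts.v1, 'hex');
  // timingSafeEqual throws on unequal lengths, so check length first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'signature mismatch' };
  }
  return { ok: true, reason: null };
}

// In production this is a durable store with a unique constraint on event id.
const seenEventIds = new Set();

function handleWebhook(rawBody, header, secret, nowSeconds) {
  // Verify against the raw bytes before parsing or trusting any field.
  const check = verifyWebhook(rawBody, header, secret, nowSeconds);
  if (!check.ok) return { status: 400, result: check.reason };

  let event;
  try {
    event = JSON.parse(rawBody);
  } catch {
    return { status: 400, result: 'invalid JSON' };
  }
  // Processors retry deliveries, so the same event can arrive twice:
  // acknowledge with 200 but do not apply its side effects again.
  if (seenEventIds.has(event.id)) return { status: 200, result: 'duplicate' };
  seenEventIds.add(event.id);
  return { status: 200, result: 'processed' };
}

// Constructed sample delivery.
const SECRET = 'constructed-secret-for-example';
const BODY = '{"id":"evt_0001","type":"invoice.paid"}';
const NOW = 1770000000;
const HEADER = `t=${NOW},v1=${sign(SECRET, NOW, BODY)}`;

console.log(verifyWebhook(BODY, HEADER, SECRET, NOW));
```

The handler must receive the request body exactly as sent; a framework body parser that re-serializes JSON before this point will break the signature check.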

---

# ════════════════════════════════════════════════════════════════
# PART 13: ANALYTICS, MONITORING & OBSERVABILITY
# ════════════════════════════════════════════════════════════════

## 13.1 — Analytics Setup
- [ ] Google Analytics 4 (GA4) installed and verified
- [ ] GA4 enhanced measurement enabled (scrolls, clicks, downloads, video)
- [ ] Custom events tracking: signups, purchases, feature usage, CTA clicks
- [ ] Conversion goals defined and configured
- [ ] UTM parameter strategy documented for campaigns
- [ ] Google Tag Manager set up (if managing multiple tags)
- [ ] Consent management platform (CMP) for GDPR cookie consent
- [ ] Analytics working with cookie consent (respects user choice)
- [ ] Plausible, Fathom, or PostHog as privacy-friendly alternative/complement
- [ ] E-commerce tracking if selling online (purchase events, revenue)
- [ ] User ID tracking for logged-in users (cross-device)
- [ ] Internal traffic filtered out (office IPs, team members)

## 13.2 — Search Console & Webmaster Tools
- [ ] Google Search Console — site verified (all variants: www, non-www, http, https)
- [ ] Bing Webmaster Tools — site verified
- [ ] Yandex Webmaster (if targeting Russian-speaking markets)
- [ ] Sitemap submitted in all webmaster tools
- [ ] Search Console monitoring: coverage, performance, enhancements
- [ ] Core Web Vitals report reviewed — no failing URLs
- [ ] Mobile usability report — no issues
- [ ] Rich results report — all structured data valid
- [ ] URL inspection tool — test key pages are indexable
- [ ] Manual actions — none (check regularly)
- [ ] Security issues — none (check regularly)

## 13.3 — Uptime & Error Monitoring
- [ ] Uptime monitoring configured (UptimeRobot, Pingdom, BetterUptime)
- [ ] Uptime alerts → Slack, email, SMS
- [ ] Error tracking configured (Sentry, Bugsnag, or LogRocket)
- [ ] Source maps uploaded to error tracker for readable stack traces
- [ ] Error alerts configured — critical errors → immediate notification
- [ ] API monitoring — response time and error rate tracking
- [ ] Database monitoring — query performance, connection pool
- [ ] Log aggregation (Datadog, Logtail, or CloudWatch)
- [ ] Status page public and maintained (Instatus, Better Stack, or Atlassian Statuspage)
- [ ] Incident response plan documented

## 13.4 — Performance Monitoring
- [ ] Real User Monitoring (RUM) — Vercel Analytics, web-vitals, or Datadog RUM
- [ ] Core Web Vitals tracked over time
- [ ] Synthetic monitoring (Lighthouse CI in CI/CD pipeline)
- [ ] Performance budget enforced (fail build if JS > X KB)
- [ ] Database query performance monitored
- [ ] API endpoint response times tracked
- [ ] Memory and CPU usage monitored on servers

---

# ════════════════════════════════════════════════════════════════
# PART 14: MOBILE, ACCESSIBILITY & CROSS-BROWSER
# ════════════════════════════════════════════════════════════════

## 14.1 — Mobile-First
- [ ] Google Mobile-Friendly Test passing on all pages
- [ ] Responsive design works: 320px, 375px, 414px, 768px, 1024px, 1440px, 1920px+
- [ ] Touch targets minimum 48x48px with 8px spacing
- [ ] No horizontal scroll on any viewport
- [ ] Font sizes minimum 16px body text on mobile
- [ ] Forms are usable on mobile (proper input types, autocomplete)
- [ ] Modals and popups don't break on mobile
- [ ] Images don't overflow containers on small screens
- [ ] Tables are horizontally scrollable or restructured on mobile
- [ ] PWA manifest configured (if applicable)
- [ ] App-like experience on mobile (if applicable)

## 14.2 — Accessibility (WCAG 2.1 AA)
- [ ] Color contrast meets 4.5:1 for text, 3:1 for large text
- [ ] All interactive elements keyboard accessible (Tab, Enter, Escape)
- [ ] Focus indicators visible on all interactive elements
- [ ] Skip-to-content link as first focusable element
- [ ] All images have meaningful alt text (or alt="" for decorative)
- [ ] Form inputs have associated `<label>` elements
- [ ] Error messages are descriptive and associated with fields
- [ ] ARIA landmarks used: main, navigation, banner, contentinfo
- [ ] aria-live regions for dynamic content updates
- [ ] Screen reader tested (VoiceOver, NVDA, or JAWS)
- [ ] Reduced motion respected: `prefers-reduced-motion` media query
- [ ] Text resizable to 200% without breaking layout
- [ ] No content conveyed by color alone
- [ ] Lighthouse Accessibility audit: 90+
- [ ] axe DevTools extension: 0 critical/serious issues
- [ ] WAVE tool: 0 errors

## 14.3 — Cross-Browser Testing
- [ ] Chrome (latest) — desktop and mobile
- [ ] Firefox (latest) — desktop and mobile
- [ ] Safari (latest) — desktop and iOS
- [ ] Edge (latest) — desktop
- [ ] Samsung Internet — if targeting Android
- [ ] Test on actual devices, not just emulators
- [ ] No JavaScript errors in any browser console
- [ ] CSS renders consistently across browsers
- [ ] Web fonts load in all browsers
- [ ] Forms work in all browsers
- [ ] Animations are smooth in all browsers

---

# ════════════════════════════════════════════════════════════════
# PART 15: LEGAL & COMPLIANCE
# ════════════════════════════════════════════════════════════════

## 15.1 — Privacy & Data Protection
- [ ] Privacy Policy published — covers data collection, use, sharing, retention, rights
- [ ] Privacy Policy last updated date displayed
- [ ] GDPR compliance (if serving EU users):
  - [ ] Cookie consent banner (opt-in, not opt-out)
  - [ ] Right to access (data export)
  - [ ] Right to deletion
  - [ ] Data processing records maintained
  - [ ] Data Protection Officer identified (if required)
  - [ ] Privacy by design principles followed
- [ ] CCPA compliance (if serving California users):
  - [ ] "Do Not Sell My Personal Information" link
  - [ ] Privacy rights request mechanism
  - [ ] Data categories disclosed
- [ ] Cookie Policy separate or within Privacy Policy
- [ ] Third-party services listed with their privacy policies
- [ ] Data Processing Agreements (DPAs) signed with all processors

## 15.2 — Terms & Legal Pages
- [ ] Terms of Service / Terms of Use published
- [ ] Acceptable Use Policy (if user-generated content)
- [ ] Refund Policy (if selling products/services)
- [ ] Subscription/cancellation terms clearly stated
- [ ] Intellectual property rights clearly stated
- [ ] Limitation of liability section
- [ ] Governing law and jurisdiction specified
- [ ] DMCA / takedown procedure documented (if hosting user content)
- [ ] Accessibility statement published
- [ ] Anti-spam policy (CAN-SPAM, CASL compliance)

## 15.3 — Business Compliance
- [ ] Company registration visible (Estonian e-residency company number)
- [ ] VAT number displayed if applicable
- [ ] Business address available (can be registered agent)
- [ ] Copyright notice in footer: `© 2026 Replace Works OÜ. All rights reserved.`
- [ ] Trademark usage guidelines if applicable
- [ ] Export control compliance if applicable (ITAR, EAR)

---

# ════════════════════════════════════════════════════════════════
# PART 16: DEPLOYMENT & INFRASTRUCTURE
# ════════════════════════════════════════════════════════════════

## 16.1 — DNS & Domain
- [ ] Domain registered with reputable registrar (Cloudflare, Namecheap, Google Domains)
- [ ] Domain auto-renewal enabled
- [ ] Domain lock (transfer protection) enabled
- [ ] DNSSEC enabled
- [ ] WHOIS privacy enabled
- [ ] A/AAAA records pointing to correct servers
- [ ] CNAME records for subdomains configured
- [ ] MX records for email configured
- [ ] TXT records for SPF, DKIM, DMARC configured
- [ ] DNS TTL values appropriate (300s for frequently changed, 3600s for stable)
- [ ] All subdomains documented and accounted for
- [ ] No dangling DNS records (pointing to decommissioned services)
- [ ] www and non-www redirect configured

## 16.2 — Hosting & Deployment
- [ ] Production hosting configured (Vercel, AWS, GCP, Railway, Fly.io)
- [ ] Staging/preview environment working
- [ ] CI/CD pipeline configured (GitHub Actions, GitLab CI, etc.):
  - [ ] Lint check
  - [ ] Type check (TypeScript)
  - [ ] Unit tests
  - [ ] Build step
  - [ ] Deploy to staging on PR merge
  - [ ] Deploy to production on release/tag
- [ ] Environment variables configured in hosting platform (not hardcoded)
- [ ] Build output optimized (no dev dependencies in production)
- [ ] Auto-scaling configured if traffic-dependent
- [ ] Rollback strategy documented and tested
- [ ] Blue/green or canary deployment if zero-downtime required
- [ ] Health check endpoint (/api/health) returning 200 with service status

## 16.3 — Database & Backend
- [ ] Database hosted on managed service (PlanetScale, Supabase, Neon, AWS RDS)
- [ ] Database backups automated (daily minimum)
- [ ] Backup restoration tested (at least once)
- [ ] Database connection pooling configured
- [ ] Database migrations versioned and repeatable
- [ ] Seed data available for development
- [ ] Read replicas configured if high-read workload
- [ ] Indexes on frequently queried columns
- [ ] No N+1 query problems
- [ ] Connection strings in environment variables only

## 16.4 — Secrets & Environment Management
- [ ] All secrets in environment variables or secrets manager
- [ ] No secrets in codebase, commit history, or logs
- [ ] Different API keys for dev/staging/production
- [ ] Secret rotation plan documented
- [ ] Access to production secrets limited to minimum required people
- [ ] `.env.example` up to date with all required variables
- [ ] Secrets scanning enabled in GitHub (push protection)

---

# ════════════════════════════════════════════════════════════════
# PART 17: SOCIAL SIGNALS & EXTERNAL PRESENCE
# ════════════════════════════════════════════════════════════════

## 17.1 — Social Media Profiles
- [ ] LinkedIn Company Page — complete with logo, banner, description, website link
- [ ] Twitter/X — @handle claimed, profile complete, pinned tweet
- [ ] GitHub — organization created, README with links, key repos public
- [ ] YouTube — channel created if doing video content
- [ ] Product Hunt — profile created, ready for launch
- [ ] Crunchbase — company profile (if applicable)
- [ ] AngelList/Wellfound — company profile (if applicable)
- [ ] All social profiles link back to website
- [ ] All social profiles use consistent branding (logo, banner, description)
- [ ] Organization schema `sameAs` includes all social profile URLs

## 17.2 — Directory & Listing Submissions
- [ ] Google Business Profile (if local business)
- [ ] Apple Maps listing (if local business)
- [ ] Bing Places (if local business)
- [ ] Industry-specific directories (G2, Capterra, Product Hunt for SaaS)
- [ ] Startup directories (BetaList, Launching Next, StartupBase)
- [ ] Hacker News / Show HN submission planned
- [ ] Reddit community engagement strategy
- [ ] NAP (Name, Address, Phone) consistency across all listings

## 17.3 — Backlink Strategy
- [ ] Guest posting targets identified in your niche
- [ ] HARO (Help A Reporter Out) or Connectively for press mentions
- [ ] Partner/integration pages linking to each other
- [ ] Broken link building opportunities identified
- [ ] Resource page link building opportunities identified
- [ ] Original data / research / tools that attract natural links
- [ ] Press kit page with logos, boilerplate text, founder bios, high-res images

---

# ════════════════════════════════════════════════════════════════
# PART 18: INTERNATIONALIZATION (if applicable)
# ════════════════════════════════════════════════════════════════

## 18.1 — Multi-Language / Multi-Region
- [ ] hreflang tags on all pages for each language/region variant
- [ ] x-default hreflang pointing to canonical language
- [ ] Language switcher in navigation
- [ ] URLs localized (/en/about, /tr/hakkimizda)
- [ ] Content professionally translated (not just Google Translate)
- [ ] Date, number, currency formats localized
- [ ] Right-to-left (RTL) support if serving Arabic, Hebrew, etc.
- [ ] Separate sitemaps per language or combined with hreflang annotations
- [ ] Local payment methods supported if selling internationally
- [ ] Local support/contact available for key markets

---

# ════════════════════════════════════════════════════════════════
# PART 19: TESTING & QUALITY ASSURANCE
# ════════════════════════════════════════════════════════════════

## 19.1 — Automated Testing
- [ ] Unit tests for critical business logic (80%+ coverage target)
- [ ] Integration tests for API endpoints
- [ ] End-to-end tests for critical user flows (signup, purchase, core features)
- [ ] Visual regression tests for key pages (Percy, Chromatic, or Playwright)
- [ ] Accessibility tests automated (axe-core in test suite)
- [ ] Performance tests (Lighthouse CI in CI/CD)
- [ ] Tests run on every PR
- [ ] Tests must pass before merge to main

## 19.2 — Manual QA Checklist (Pre-Launch)
- [ ] Complete sign-up → onboarding → core feature → billing flow tested
- [ ] All forms submit correctly and show success/error states
- [ ] All buttons/CTAs are clickable and go to correct destinations
- [ ] All links work (no 404s, no broken links)
- [ ] All images load correctly
- [ ] All videos play correctly (if applicable)
- [ ] Copy/content proofread — no typos, grammar errors, or placeholder text
- [ ] No "Lorem ipsum" or test data visible anywhere
- [ ] No console errors in browser DevTools
- [ ] Print stylesheet works (if users might print pages)
- [ ] Browser back/forward navigation works correctly
- [ ] Page refresh doesn't lose user state unexpectedly
- [ ] Deep links work (sharing a URL loads the correct page/state)
- [ ] Empty states handled gracefully (no data, no results, first-time user)
- [ ] Loading states shown during async operations
- [ ] Error states shown with helpful messages and recovery actions
- [ ] Edge cases tested: very long text, special characters, empty inputs, large files

---

# ════════════════════════════════════════════════════════════════
# PART 20: PRE-LAUNCH FINAL VERIFICATION
# ════════════════════════════════════════════════════════════════

## 20.1 — SEO Final Checks
- [ ] Full Lighthouse audit: Performance 90+, Accessibility 90+, Best Practices 90+, SEO 100
- [ ] HTML validated with W3C Validator (validator.w3.org) — 0 errors
- [ ] All structured data passes Google Rich Results Test
- [ ] Full site crawl with Screaming Frog or Sitebulb — 0 critical errors
- [ ] OG/Twitter Card previews tested with debugger tools
- [ ] Sitemap.xml accessible and valid (xmlsitemapvalidator.com)
- [ ] robots.txt is correct and accessible
- [ ] Canonical URLs correct on all pages
- [ ] No noindex on pages that should be indexed
- [ ] noindex set on pages that should not be indexed (admin, auth, etc.)

## 20.2 — Production Environment Checks
- [ ] Production environment variables all set correctly
- [ ] Production database migrated and seeded if needed
- [ ] Production API endpoints responding correctly
- [ ] Production email sending working (test a real email)
- [ ] Production payment processing working (test with real card)
- [ ] Production error tracking receiving events
- [ ] Production analytics tracking events
- [ ] Production CDN serving assets correctly
- [ ] Production SSL certificate valid and TLS configuration A+ rated (SSL Labs)
- [ ] Production health check endpoint returning 200
- [ ] DNS propagation complete (check with whatsmydns.net)
- [ ] Domain resolves correctly from multiple geographic locations

## 20.3 — Post-Launch Immediate Actions
- [ ] Submit URL to Google Search Console URL Inspection → Request Indexing
- [ ] Request indexing of all key pages individually
- [ ] Monitor Google Search Console for crawl errors (daily for first week)
- [ ] Monitor error tracking for production issues (hourly for first day)
- [ ] Verify analytics data is flowing correctly
- [ ] Verify email deliverability with real users
- [ ] Check site loads correctly from different countries (VPN test)
- [ ] Social share a link — verify OG preview looks correct
- [ ] Google "[your brand name]" — check what appears
- [ ] Set up Google Alerts for your brand name
- [ ] Announce launch on social channels
- [ ] Submit to Product Hunt / Hacker News / BetaList
- [ ] Notify partners, investors, and early users

## 20.4 — Week 1 Post-Launch Monitoring
- [ ] Google indexing progress (site:yourdomain.com)
- [ ] Core Web Vitals in Search Console (may take a few days)
- [ ] First organic search impressions appearing
- [ ] Error rates stable and low
- [ ] No unexpected 500 errors
- [ ] Page load times acceptable under real traffic
- [ ] User feedback collected and triaged
- [ ] Conversion funnel working as expected
- [ ] Email open rates and click rates normal
- [ ] Billing/payment working correctly with real customers

---

# ════════════════════════════════════════════════════════════════
# APPENDIX A: ESSENTIAL TOOL STACK
# ════════════════════════════════════════════════════════════════

## SEO & Indexing
- Google Search Console (free) — indexing, performance, issues
- Bing Webmaster Tools (free) — Bing indexing
- Screaming Frog SEO Spider (free up to 500 URLs) — full site audit
- Ahrefs or SEMrush (paid) — keyword research, backlinks, competitor analysis
- Google Rich Results Test (free) — structured data validation
- Schema.org Validator (free) — schema validation

## Performance
- Google PageSpeed Insights (free) — CWV and performance scoring
- WebPageTest.org (free) — detailed waterfall analysis
- GTmetrix (free) — performance monitoring
- Chrome DevTools — network, performance, Lighthouse

## Analytics & Monitoring
- Google Analytics 4 (free) — traffic and behavior
- Plausible / Fathom (paid) — privacy-friendly analytics
- Sentry (free tier) — error tracking
- UptimeRobot (free tier) — uptime monitoring
- BetterUptime / Better Stack (free tier) — status page + monitoring

## Email
- mail-tester.com (free) — email deliverability test
- MXToolbox (free) — DNS and email diagnostics
- Litmus / Email on Acid (paid) — email rendering tests

## Security
- SSL Labs (free) — SSL/TLS testing
- SecurityHeaders.com (free) — security header analysis
- Mozilla Observatory (free) — security scoring
- Snyk / npm audit (free) — dependency vulnerability scanning

## Social & Previews
- Facebook Sharing Debugger — OG tag testing
- Twitter Card Validator — Twitter card testing
- LinkedIn Post Inspector — LinkedIn preview testing
- metatags.io (free) — preview all social cards at once

## AI / LLM Tools
- llms-txt.org — llms.txt specification and validator
- Google Rich Results Test — also used by AI for understanding
- Schema.org Validator — schema that AI systems reference

---

# ════════════════════════════════════════════════════════════════
# APPENDIX B: SAMPLE CONFIGURATION FILES
# ════════════════════════════════════════════════════════════════

## robots.txt
```
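# robots.txt is advisory and publicly readable; it is not access control.
# Protect /api/, /admin/, /dashboard/ and similar paths with authentication.
# /_next/ stays crawlable: it serves the JS and CSS that search engines need to render pages.
User-agent: *
Allow: /
Disallow: /api/
Disallow: /admin/
Disallow: /dashboard/
Disallow: /auth/
Disallow: /private/

# AI Crawlers - Allowed
# A crawler obeys only the most specific group that names it and ignores the
# "*" group, so the private-path rules are repeated for this group.
User-agent: GPTBot
User-agent: ChatGPT-User
User-agent: Claude-Web
User-agent: Anthropic-AI
User-agent: PerplexityBot
User-agent: Google-Extended
User-agent: Applebot-Extended
Allow: /
Disallow: /api/
Disallow: /admin/
Disallow: /dashboard/
Disallow: /auth/
Disallow: /private/

Sitemap: https://yourdomain.com/sitemap.xml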
```

## llms.txt
```
# YourProduct
> One-line description of your product or service.

## About
A 2-3 sentence overview of what you do, who you serve, and what makes you different.

## Key Pages
- [Homepage](https://yourdomain.com): Main landing page with overview
- [Features](https://yourdomain.com/features): Complete feature breakdown
- [Pricing](https://yourdomain.com/pricing): Plans and pricing details
- [Documentation](https://yourdomain.com/docs): API and product docs
- [Blog](https://yourdomain.com/blog): Insights, tutorials, and updates
- [About](https://yourdomain.com/about): Company info and team
- [Contact](https://yourdomain.com/contact): Get in touch
- [FAQ](https://yourdomain.com/faq): Common questions answered
- [Changelog](https://yourdomain.com/changelog): Product updates

## Quick Facts
- Founded: 2025
- Headquarters: Tallinn, Estonia
- Category: [Your Category] / SaaS
- API: REST API available
- Integrations: [List major integrations]
- Support: support@yourdomain.com

Updated: 2026-02-07
```

## .env.example
```
# App
NEXT_PUBLIC_APP_URL=https://yourdomain.com
NEXT_PUBLIC_APP_NAME=YourProduct
NODE_ENV=production

# Database
DATABASE_URL=postgresql://user:pass@host:5432/db

# Authentication
NEXTAUTH_SECRET=your-secret-here
NEXTAUTH_URL=https://yourdomain.com
GOOGLE_CLIENT_ID=
GOOGLE_CLIENT_SECRET=

# Email
SMTP_HOST=smtp.sendgrid.net
SMTP_PORT=587
SMTP_USER=apikey
SMTP_PASSWORD=your-sendgrid-api-key
EMAIL_FROM=hello@yourdomain.com

# Payments
STRIPE_SECRET_KEY=sk_live_...
STRIPE_WEBHOOK_SECRET=whsec_...
NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_live_...

# Analytics
NEXT_PUBLIC_GA_MEASUREMENT_ID=G-XXXXXXXXXX
SENTRY_DSN=https://...@sentry.io/...

# AI / API
OPENAI_API_KEY=sk-...
ANTHROPIC_API_KEY=sk-ant-...

# Storage
AWS_S3_BUCKET=your-bucket
AWS_ACCESS_KEY_ID=
AWS_SECRET_ACCESS_KEY=
AWS_REGION=eu-central-1
```
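
An added example (not part of the original checklist) of a startup or CI check that ties `.env.example` to the items in 16.4 and 20.2: it reports variables that are missing or still hold a placeholder, Stripe test-mode keys when `NODE_ENV=production`, and secret-like names carrying the `NEXT_PUBLIC_` prefix, which Next.js inlines into the browser bundle. The function names, placeholder heuristics, and sample values are assumptions made for illustration.

```javascript
// Parse KEY=VALUE lines from a dotenv-style file, ignoring comments and blank lines.
function parseDotenv(text) {
  const vars = {};
  for (const line of text.split(/\r?\n/)) {
    const m = /^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=(.*)$/.exec(line);
    if (m) vars[m[1]] = m[2].trim();
  }
  return vars;
}

// Heuristics (assumptions): template values start with "your-" or end with "...".
const PLACEHOLDER = /^your-|\.\.\.$/i;
const SECRET_NAME = /(SECRET|PASSWORD|PRIVATE|TOKEN|API_KEY)/;
const STRIPE_TEST_KEY = /^(sk|pk)_test_/;

// Returns a sorted list of findings. Only variable names are reported, never values,
// so the output is safe to print in CI logs.
function auditEnv(exampleText, env) {
  const findings = [];

  // 1. Every variable documented in .env.example must be set to a real value.
  for (const name of Object.keys(parseDotenv(exampleText))) {
    const value = env[name];
    if (value === undefined || value === '') findings.push(`${name}: missing`);
    else if (PLACEHOLDER.test(value)) findings.push(`${name}: placeholder value`);
  }

  // 2. Checks over what is actually set at runtime.
  for (const [name, value] of Object.entries(env)) {
    if (name.startsWith('NEXT_PUBLIC_') && SECRET_NAME.test(name)) {
      findings.push(`${name}: secret-like name exposed to browser`);
    }
    if (env.NODE_ENV === 'production' && STRIPE_TEST_KEY.test(String(value))) {
      findings.push(`${name}: test-mode key in production`);
    }
  }
  return findings.sort();
}

// Constructed excerpt of the .env.example above (names from the page).
const SAMPLE_ENV_EXAMPLE = [
  '# App',
  'NODE_ENV=production',
  'DATABASE_URL=postgresql://user:pass@host:5432/db',
  'NEXTAUTH_SECRET=your-secret-here',
  'STRIPE_SECRET_KEY=sk_live_...',
  'STRIPE_WEBHOOK_SECRET=whsec_...',
].join('\n');

// Constructed runtime environment containing four deliberate mistakes.
const SAMPLE_RUNTIME_ENV = {
  NODE_ENV: 'production',
  DATABASE_URL: 'postgresql://app:constructed@db.internal:5432/app',
  NEXTAUTH_SECRET: 'your-secret-here',          // template value never replaced
  STRIPE_SECRET_KEY: 'sk_test_constructed123',  // test-mode key in production
  NEXT_PUBLIC_STRIPE_SECRET_KEY: 'sk_live_constructed', // would ship to the browser
  // STRIPE_WEBHOOK_SECRET is not set at all
};
```

Run it against the real file and `process.env` before the app starts serving traffic, and fail the deploy when the returned list is not empty.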

## Meta Tags Template (Next.js App Router)
```tsx
// app/layout.tsx — Global defaults
export const metadata = {
  metadataBase: new URL('https://yourdomain.com'),
  title: {
    default: 'YourProduct — Tagline Here',
    template: '%s | YourProduct'
  },
  description: 'Your default meta description here (150-160 chars).',
  keywords: ['keyword1', 'keyword2', 'keyword3'],
  authors: [{ name: 'Your Name', url: 'https://yourdomain.com' }],
  creator: 'Your Company',
  publisher: 'Your Company',
  robots: { index: true, follow: true },
  openGraph: {
    type: 'website',
    locale: 'en_US',
    url: 'https://yourdomain.com',
    siteName: 'YourProduct',
    title: 'YourProduct — Tagline Here',
    description: 'Your OG description here.',
    images: [{
      url: '/og-image.png',
      width: 1200,
      height: 630,
      alt: 'YourProduct preview'
    }]
  },
  twitter: {
    card: 'summary_large_image',
    site: '@yourhandle',
    creator: '@yourhandle',
    title: 'YourProduct — Tagline Here',
    description: 'Your Twitter card description.',
    images: ['/og-image.png']
  },
  alternates: {
    canonical: 'https://yourdomain.com'
  },
  verification: {
    google: 'your-google-verification-code',
    yandex: 'your-yandex-code'
  }
}
```

## JSON-LD Schema Template
Organization (site-wide):

```json
{
  "@context": "https://schema.org",
  "@type": "Organization",
  "name": "YourCompany",
  "url": "https://yourdomain.com",
  "logo": "https://yourdomain.com/logo.png",
  "description": "What your company does.",
  "foundingDate": "2025",
  "founders": [{"@type": "Person", "name": "Founder Name"}],
  "address": {
    "@type": "PostalAddress",
    "addressLocality": "Tallinn",
    "addressCountry": "EE"
  },
  "contactPoint": {
    "@type": "ContactPoint",
    "email": "hello@yourdomain.com",
    "contactType": "customer support"
  },
  "sameAs": [
    "https://twitter.com/yourhandle",
    "https://linkedin.com/company/yourcompany",
    "https://github.com/yourcompany"
  ]
}
```

WebSite (homepage):

```json
{
  "@context": "https://schema.org",
  "@type": "WebSite",
  "name": "YourProduct",
  "url": "https://yourdomain.com",
  "potentialAction": {
    "@type": "SearchAction",
    "target": "https://yourdomain.com/search?q={search_term_string}",
    "query-input": "required name=search_term_string"
  }
}
```

SoftwareApplication (for SaaS products):

```json
{
  "@context": "https://schema.org",
  "@type": "SoftwareApplication",
  "name": "YourProduct",
  "applicationCategory": "BusinessApplication",
  "operatingSystem": "Web",
  "offers": {
    "@type": "Offer",
    "price": "29.00",
    "priceCurrency": "USD"
  },
  "aggregateRating": {
    "@type": "AggregateRating",
    "ratingValue": "4.8",
    "ratingCount": "150"
  }
}
```

---

# ════════════════════════════════════════════════════════════════
# APPENDIX C: QUICK PRIORITY MATRIX
# ════════════════════════════════════════════════════════════════

## 🔴 BEFORE LAUNCH (Blocking)
1. HTTPS enforced with valid cert
2. All meta tags on every page (title, description, OG, Twitter)
3. robots.txt and sitemap.xml created
4. Google Search Console verified and sitemap submitted
5. Structured data (Organization + WebSite schema) validated
6. Core Web Vitals passing (LCP <2.5s, CLS <0.1, INP <200ms)
7. Mobile responsive on all pages
8. Email deliverability confirmed (SPF, DKIM, DMARC)
9. Payment flow tested end-to-end (if applicable)
10. Error monitoring live (Sentry or equivalent)
11. Privacy Policy and Terms published
12. No console errors, no broken links, no placeholder content
13. Production environment variables all set
14. DNS configured correctly
15. Backup system verified

## 🟡 FIRST WEEK (High Priority)
1. llms.txt and llms-full.txt created
2. AI crawler permissions set in robots.txt
3. All key pages submitted for indexing
4. Analytics verified and tracking correctly
5. Social previews tested across all platforms
6. Uptime monitoring configured
7. Status page live
8. Performance budget enforced in CI
9. Security headers configured (aim for A+)
10. Accessibility audit 90+

## 🟢 FIRST MONTH (Growth)
1. Blog content strategy launched
2. Backlink building started
3. Social media presence active
4. Directory submissions complete
5. Keyword ranking monitoring set up
6. A/B testing framework in place
7. Customer feedback loop established
8. Internationalization if targeting multiple markets

---

**END OF CHECKLIST**

This document is a living checklist. Review and update quarterly as standards evolve.

© 2026 Replace Works OÜ — Built with precision.
