AI SHIP-READINESS AUDIT (ONE REPO) Goal: In 60–90 minutes, determine whether AI-assisted output can enter production safely in this repo. This is not a tool evaluation. It’s an operating check. 1) Ownership and scope - Who is the DRI for production health of this service/repo? - What is the blast radius (users, revenue-critical flows, data classes handled)? - What changes are considered “high risk” here (auth, payments, data migrations, infra, permissions)? Write them down. 2) Merge controls (prove it with links) - Branch protection: What rules are enabled (required reviews, required status checks, signed commits if used)? - Override power: Who can bypass protections? How often does it happen? - PR template: Does every PR state intent, constraints, verification, and rollback? 3) Verification pipeline - CI: What must pass before merge (tests, lint, typecheck)? Which checks are optional? - Flakiness: Are tests regularly retried or ignored? List the top flaky suites. - Test coverage isn’t the question. The question is: do tests reliably catch the last class of bugs you shipped? 4) Dependency and supply-chain hygiene - Are Dependabot (or equivalent) updates enabled? - Is there dependency scanning (Snyk/GitHub Advanced Security/etc.)? Who triages alerts? - Is there a clear rule for adding new dependencies (review, license, maintenance risk)? 5) Secrets and access - Where do secrets live (AWS Secrets Manager, GCP Secret Manager, Vault, env vars)? - Are production credentials accessible from developer laptops? - Are there least-privilege roles for CI, staging, and production? 6) Release safety - Rollout method: feature flags, canary, blue/green, or straight deploy? - Rollback path: can you revert quickly without heroics? Document the steps. - Is there a release note or changelog practice tied to deployments? 7) Observability tied to releases - What dashboards/alerts would detect breakage fast (errors, latency, saturation, key business events)? Link them. - Do deploy events appear in your observability tool (Datadog/New Relic/Grafana/etc.)? - Are incidents detected by users/support or by monitoring? Be honest. 8) AI-specific hygiene (minimal, practical) - Do PRs disclose meaningful AI assistance when used heavily (tool name + what was verified)? - Are engineers instructed not to paste sensitive data (customer PII, secrets, private keys) into general-purpose chat tools? - Are there approved tools/accounts for work use (enterprise tenants where applicable)? Output: A one-page doc with (a) the repo’s current “safe merge” definition, (b) the top 3 control gaps, and (c) the next concrete fix for each gap with an owner and a date.