Pre-launch checklist for shipping a new website. Orchestrates analytics setup (GA4, PostHog, Google Search Console, Ahrefs), legal compliance, security headers and audit, SEO and GEO with keyword research validated against Google Trends (robots.txt, sitemaps, llms.txt, AI policy, schema markup, hreflang), copywriting consistency via a TONE.md and a humanizer pass in the matching language, OpenGraph and social previews, full favicon set with manifest, quality gates (Lighthouse, Core Web Vitals, WCAG accessibility, mobile testing), and setup of a weekly SEO agent. Use this skill whenever the user mentions launching a site/app, deploying a domain to production, pre-launch audit, shipping a marketing/docs/SaaS site or lead magnet, or says "checklist for the site", "ready to ship", "before I go live", "audit before launch", "ready for prod", or asks for a site review.
Pre-launch audit and setup workflow for shipping a new website. Opinionated for Cloudflare DNS + Vercel hosting + PostHog + Legal context.
Interaction style (READ FIRST)
This skill is intentionally interactive. Use ask_user_input_v0 aggressively instead of assuming. Ask one question at a time with 2-4 tappable options. The user will tap, not type.
Always ask these questions at the start of a run (one at a time, in this order):
Site type: doc-site | marketing/lead-gen | SaaS-app | training/paid-course | personal-portfolio
Migration: greenfield-new-domain | migration-need-301-redirects | replacing-existing-on-same-domain
Multilingual: single-locale | en | fr+en | other-multi
PostHog setup: hogpost.samber.dev | set-up-new-proxy | skip-PostHog
AI scraper policy: use-default-for-site-type | customize-per-bot | block-all
Browser tool available: claude-chrome-extension | playwright | neither-skip-browser-checks
Ask again at every decision point throughout the phases, including:
Whether to install Sentry / BetterStack / Crisp (depends on site type, ask explicitly)
www vs apex canonical preference (most sites: apex; ask anyway)
Which AI bots to allow if user chose customize-per-bot
CSP tightness level: strict-default-src-none | balanced-allow-self | permissive-for-marketing
Whether to skip a phase entirely (e.g., skip Phase 3 if non-FR site)
Never proceed past a decision point without explicit user input. Verbose checklists without checkpoints are not the goal.
Never install any MCP server or skill without explicit user confirmation. Always ask via ask_user_input_v0 before running npx skills add, claude mcp add, or any equivalent install command, even when the skill selection workflow proposes a curated subset.
How to use this skill
Run the start-of-session questions above.
Walk the user through phases 1-10 in order. For each phase: a. List items, ask if any should be skipped. b. For each remaining item, run the verification command (see "Verification tools" below). c. Report pass/fail. On fail, ask the user if they want to fix now or queue for later.
End with a status report grouped by phase, with blockers, recommended fixes, and optional improvements clearly separated.
Companion skills
Six skill packs are useful for site launches. Never install full multi-skill packs. The actual subset to install is decided at invocation time based on the site type the user confirms.
After the user confirms site type, for each pack relevant to that site type:
List available sub-skills: npx skills add owner/repo --list
Propose a curated subset based on site type and the phases this skill will execute. Match each phase's needs to specific sub-skills the listing returns.
Confirm with the user via ask_user_input_v0. Use multi-select when the proposed list has more than 3 items, single-select (install-as-proposed | let-me-modify | skip-this-pack) otherwise.
Bulk install the agreed subset: npx skills add owner/repo --skill A B C
Rules:
Sub-skill names live in the pack, not in this SKILL.md. Always query --list for the current state. Pack contents change.
Never run npx skills add owner/repo without --skill (that installs everything).
Site type → packs mapping (which packs to enumerate, sub-skills still selected per workflow):
If the user later requests a phase that needs a sub-skill not yet installed, run the workflow again for that single sub-skill rather than re-installing the whole subset.
This avoids importing 80+ skills the user does not need, avoids going stale on sub-skill names, and avoids overfitting to a single pack version.
When delegating during a phase, do not duplicate work this skill orchestrates. Call the specialist with a narrow scope (e.g., "run only the security headers sub-audit on URL X").
Copywriting voice and humanizer pass
Every site has visible marketing copy (hero, features, CTAs, meta descriptions, OG descriptions, blog posts, 404 page text). Two layers of polish are mandatory before launch:
1. Define TONE.md once per site
Ask the user (ask_user_input_v0): "Does this site already have a TONE.md?" (yes-already-exists | no-create-from-template | skip-use-default).
If creating: write it to .agents/TONE.md or repo root TONE.md. See references/templates.md (section "TONE.md template") for the structure.
TONE.md specifies: voice (terse, contrarian, etc.), forbidden patterns (e.g., "delve", "crucial", em dashes, AI-sounding openers), sentence length preference, audience reading level, examples of good and bad sentences from the user's own writing.
2. Run a humanizer pass in the matching language
After every drafting step (whether by a copywriting skill, by hand, or by Claude directly), run a humanizer to strip AI patterns.
Ask the user (ask_user_input_v0) for the site's primary audience language at the start of the session if not already known:
(custom French humanizer) or equivalent French-tuned skill
other → install matching humanizer if available; otherwise the skill writes a short language-specific anti-pattern checklist inline
Apply the humanizer to: hero copy, feature descriptions, CTA buttons, meta descriptions, OG/Twitter card descriptions, blog posts, email signup confirmations, 404 page text. Skip for legal pages (mentions légales, CGV) since they have rigid wording requirements.
3. Always reference TONE.md when invoking copywriting skills
When delegating to any copywriting or content-writing sub-skill (selected at invocation per the skill selection workflow), include TONE.md in the prompt context. Pass voice constraints explicitly: "Follow .agents/TONE.md. Avoid the listed patterns. Apply the humanizer after drafting."
Browser interaction preference
Many checks require a real browser (Lighthouse runs, securityheaders.com scan, opengraph.xyz validation, Twitter card validator, mobile viewport, screen reader smoke, Network tab inspection).
Always prefer the Claude Chrome extension. Fall back to Playwright only if the Chrome extension is unavailable. If neither is available, ask the user (ask_user_input_v0) whether to skip browser checks entirely or wait until they enable one.
Verification tools
Most checks are doable from the command line without third-party services. Use these tools inline at every phase. Don't trust panels in Cloudflare/Vercel/Google dashboards alone, verify with curl.
Always run the relevant command, paste the output to the user when reporting, then ask (via ask_user_input_v0) whether to fix immediately or queue.
Phase 1: Domain & Infrastructure
Most of this is one-click via Cloudflare's dashboard if the domain is on Cloudflare.
Ask first: "Is the domain already on Cloudflare with the standard config from previous launches?" (yes-standard | yes-needs-review | no-fresh-setup)
Checklist:
Cloudflare: proxy ON for apex + www, TLS 1.3 minimum, "Always Use HTTPS" enabled, HSTS preload enabled in Cloudflare SSL/TLS settings
DNS A/AAAA or CNAME pointing to Vercel (verify with dig +short A example.com)
MX records for Google Workspace (verify with dig +short MX example.com)
SPF, DKIM, DMARC records (verify all 3 with the dig commands above)
CAA records restricting cert issuance (verify with dig +short CAA example.com)
DNSSEC enabled at registrar level (verify with dig +dnssec)
Vercel: project linked to repo, prod + preview env vars set, custom domain attached, prod and preview aliases correct
Decide www vs apex canonical, configure 308 redirect for the non-canonical (verify with curl -sIL https://www.example.com)
Custom 404 page renders (verify with curl -sI https://example.com/does-not-exist)
Custom 500 page exists (cannot easily verify without forcing an error, ask user)
If migration: 301 redirect map for every old URL (loop verification with curl -sIL per URL)
Backups
If you don't configure backups at launch, you never will. Do it now.
Ask the user (ask_user_input_v0): "Which data stores does this app write to?" (database-only | database-plus-file-storage | file-storage-only | stateless-no-persistent-data). If stateless-no-persistent-data, skip this section.
Database:
Automated daily backups enabled at the provider level (Neon, Supabase, PlanetScale, Railway, RDS — each has a one-click toggle). Verify by opening the backup panel and confirming the last backup timestamp is recent.
Retention policy set to ≥30 days
Point-in-time recovery (PITR) enabled if available (Neon, Supabase, RDS all support it)
Off-site copy: if the provider stores backups in the same region as the primary, configure cross-region replication or a nightly export to a separate storage account (S3, R2, GCS)
Restore drill performed before launch: pick a recent backup, restore to a staging database, verify row counts and a sample query. A backup you haven't tested is not a backup.
Cross-region replication or a scheduled sync to a secondary bucket. Backblaze B2 is a cheap, reliable option for off-site copies (significantly cheaper than S3/GCS egress). Use rclone to sync from S3/R2/GCS → B2 on a daily cron.
Lifecycle rule: transition old versions to cheaper storage after 30 days, delete after 90 days (adjust to cost tolerance)
Secrets / environment variables:
All env vars documented and stored in a secrets manager (1Password, Doppler, Vault, or equivalent). Not in a .env file on someone's laptop.
Verify: if every engineer's machine burned tonight, could a new team member restore prod from scratch using only the secrets manager + git?
Monitoring:
Set up an alert (email or Slack) if the daily backup job fails. Most providers support this natively; configure it before closing the backup panel.
Phase 2: Analytics & Observability
Most third-party integrations are one-click via Cloudflare or Vercel.
For the conditional tools (Crisp, Sentry, BetterStack), use ask_user_input_v0 to confirm per site type. See references/decisions.md for the observability tier matrix.
Always-on:
Google Analytics 4: property created, measurement ID embedded, gated behind CNIL consent
PostHog: based on user's earlier answer:
If hogpost.samber.dev: configure client with api_host: "https://hogpost.samber.dev" and verify CORS allows the new domain (test with browser console or
Google Search Console: site verified (DNS TXT or HTML file), sitemap submitted
Bing Webmaster Tools: site verified, sitemap submitted, IndexNow key file at /{key}.txt on root (verify with curl -sI https://example.com/{key}.txt)
Ahrefs: site added to dashboard for tracking
Add the site to the internal stats spreadsheet (PostHog properties registry + GitHub Sponsors tracking sheet if applicable)
Brand monitoring (Google Alerts):
For each alert, use these settings: Frequency: once a day | Sources: Automatic | How many: All results | Region: Any region
Set up one alert per keyword via alerts.google.com:
Domain name (e.g., example.com)
Brand or product name (quoted if multi-word, e.g., "My Brand")
Key feature or library names if the site documents a project
Competitor brand names (optional; ask user via ask_user_input_v0: yes-monitor-competitors | skip)
Ask the user: "Which additional keywords to monitor?" (product-name-only | domain-plus-brand | full-set-with-competitors | custom-list)
Developer community monitoring (F5bot), for doc-site and SaaS-app targeting developers:
F5bot (f5bot.com) monitors Reddit, Hacker News, and Lobste.rs for keyword mentions and sends email alerts. Free, no API required.
Set up one keyword per line at f5bot.com/add:
Brand or product name
Domain name (catches link shares)
Key feature or library names
Common misspellings if applicable
Competitor analysis (marketing/lead-gen, SaaS-app, training/paid-course only):
Before writing copy, setting up ads, or planning content, run a competitor analysis to understand what is already working in the market — positioning, messaging angles, CTA patterns, pricing presentation, and content strategy.
Use a deep research tool or a competitor analysis skill if one is available in the toolchain. Ask via ask_user_input_v0:
"Do you already have competitor names/URLs to analyze?" (yes-provide-list | no-discover-for-me | skip)
If yes-provide-list: ask the user to paste 2-5 names or URLs (free text)
"What are we looking to extract?" (positioning-and-messaging | pricing-strategy | content-and-seo | full-spectrum)
Feed the output into:
Phase 5 keyword strategy (target queries they rank for but you can outrank or flank)
TONE.md voice calibration (deliberately differentiate from the dominant tone in the category)
Phase 6 OG copy and CTA language (borrow proven frames, don't clone verbatim)
Copywriting sub-skills invoked later (pass the competitor snapshot as context)
Conditional (ask user, default per site type from references/decisions.md):
Crisp
Sentry
BetterStack
Phase 3: Legal & Compliance (FR)
Ask first: "Is this site subject to French law?" (yes-FR-operator-or-audience | no-EU-only | no-non-EU). If no, ask whether GDPR or equivalent applies and adjust.
For FR sites:
Mentions légales page (mandatory, fines up to 75k€ per omission)
CGV (Conditions Générales de Vente) if commercial activity
Privacy policy
Terms of service
CNIL-compliant cookie consent that gates GA4, PostHog, Crisp, Sentry script loading (not just a banner that always loads trackers). Use a CMP (Axeptio, Tarteaucitron, or custom). Verify with browser Network tab: no tracker fires before explicit consent.
Phase 4: Security
Delegate the deep audit to trailofbits/skills. The items below are the must-pass checklist.
Ask first: CSP tightness level (strict-default-src-none | balanced-allow-self | permissive-for-marketing). See references/templates.md for the CSP template per level.
CSP: target chosen tightness level. No 'unsafe-inline' for scripts (use nonces). Verify with curl -sI ... | grep -i content-security-policy.
HSTS: max-age=31536000; includeSubDomains; preload. Submit to hstspreload.org. Verify with curl -sI ... | grep -i strict-transport.
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: deny camera, microphone, geolocation, payment unless used
Verify no leaked secrets in client bundle: open Chrome DevTools Network tab via Claude Chrome extension, grep response bodies for sk_, pk_, AKIA, ghp_, Bearer
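The header items of this checklist can be checked in one pass over a saved curl -sI dump. The script below is an added example, not part of the original skill; the function names, labels, the DENY_FEATURES variable and the sample dump are constructed for illustration.

```shell
# Added example: audit a saved `curl -sI` dump against the Phase 4 must-pass list.
# Value of header $2 (case-insensitive) in dump file $1; empty if absent.
header_value() {
  tr -d '\r' < "$1" | awk -v name="$2" '{
    i = index($0, ":")
    if (i && tolower(substr($0, 1, i - 1)) == tolower(name)) {
      v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit } }'
}
# First CSP directive named $2 inside policy string $1.
csp_directive() {
  printf '%s\n' "$1" | tr ';' '\n' | sed 's/^[[:space:]]*//' |
    grep -i "^$2[[:space:]]" | head -n 1
}
report() {  # report ok|no LABEL; counts failures in $fails
  if [ "$1" = ok ]; then echo "PASS $2"; else echo "FAIL $2"; fails=$((fails + 1)); fi
}
exact() {  # exact HEADER EXPECTED (compared case-insensitively)
  if [ "$(header_value "$f" "$1" | tr 'A-Z' 'a-z')" = "$2" ]
  then report ok "$1"; else report no "$1"; fi
}

audit_headers() {
  f=$1; fails=0
  csp=$(header_value "$f" content-security-policy | tr 'A-Z' 'a-z')
  src=$(csp_directive "$csp" script-src)
  [ -n "$src" ] || src=$(csp_directive "$csp" default-src)  # CSP fallback rule
  # No policy for scripts at all, or one allowing 'unsafe-inline', fails.
  case "$src" in ''|*"'unsafe-inline'"*) r=no ;; *) r=ok ;; esac
  report "$r" csp-script-no-unsafe-inline
  hsts=$(header_value "$f" strict-transport-security | tr 'A-Z' 'a-z')
  age=$(printf '%s\n' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
  case "$hsts" in *includesubdomains*) sub=ok ;; *) sub=no ;; esac
  case "$hsts" in *preload*) pre=ok ;; *) pre=no ;; esac
  if [ "${age:-0}" -ge 31536000 ] && [ "$sub$pre" = okok ]
  then report ok hsts; else report no hsts; fi
  exact x-frame-options deny
  exact x-content-type-options nosniff
  exact referrer-policy strict-origin-when-cross-origin
  # Remove from DENY_FEATURES any feature the site really uses.
  pp=$(header_value "$f" permissions-policy | tr -d ' ' | tr 'A-Z' 'a-z')
  for feat in ${DENY_FEATURES:-camera microphone geolocation payment}; do
    case ",$pp," in *",$feat=(),"*) r=ok ;; *) r=no ;; esac
    report "$r" "permissions-policy:$feat"
  done
  [ "$fails" -eq 0 ]
}

# Constructed sample dump (not captured from a real site).
sample_headers() { cat <<'EOF'
HTTP/2 200
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-frame-options: DENY
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
permissions-policy: camera=(), microphone=(), geolocation=()
EOF
}
tmp=$(mktemp) && sample_headers > "$tmp"
audit_headers "$tmp" || echo "BLOCKER: $fails header check(s) failed"
rm -f "$tmp"
```

Against a live site, save the headers first with curl -sI https://example.com > headers.txt and pass that file to audit_headers.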
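The leaked-secret check can also run against the built assets before deploy, complementing the DevTools pass. The script below is an added example, not part of the original skill; it assumes a local build output directory, GNU/BSD grep, and length thresholds chosen here to cut false positives, and its fixture values are constructed.

```shell
# Added example: scan built client assets for the credential prefixes listed above.
# scan_bundle DIR: print "file:line:prefix...(N chars)" per hit; return 1 on any hit.
scan_bundle() {
  hits=$(grep -rnoE \
    -e '\<(sk|pk)_[A-Za-z0-9_]{16,}' \
    -e '\<AKIA[0-9A-Z]{16}\>' \
    -e '\<ghp_[A-Za-z0-9]{20,}' \
    -e '\<Bearer[[:space:]]+[A-Za-z0-9._~+/=-]{16,}' \
    "$1" || true)
  [ -n "$hits" ] || return 0
  # Mask the value so the report itself does not re-leak the secret.
  printf '%s\n' "$hits" | awk -F: '{
    printf "%s:%s:%s...(%d chars)\n", $1, $2, substr($3, 1, 6), length($3) }'
  return 1
}

# Constructed fixture: one clean file, one file holding fake credential strings.
make_fixture() {
  mkdir -p "$1"
  printf 'const task_id="pk_id";fetch("/api");\n' > "$1/app.js"
  printf 'const a="AKIAIOSFODNN7EXAMPLE",g="ghp_CONSTRUCTEDTOKEN0000";\n' > "$1/chunk.js"
}

d=$(mktemp -d) && make_fixture "$d"
scan_bundle "$d" || echo "BLOCKER: credential-shaped strings in client bundle"
rm -rf "$d"
```

Short identifiers such as task_id or pk_id do not match because of the word-start anchor and the minimum lengths; every hit still needs a human decision on whether the value is meant to be public.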
Phase 5: SEO & GEO
Delegate the full audit to AgriciDaniel/claude-seo. The items below are the orchestration list.
See references/templates.md for robots.txt, llms.txt, and manifest.json templates. See references/decisions.md for the AI scraper policy matrix by site type.
/robots.txt present, references sitemap (verify with curl -s https://example.com/robots.txt)
/sitemap.xml present, valid (verify with curl -s https://example.com/sitemap.xml | head -40). Sitemap-index with per-language sitemaps if multilingual.
/llms.txt present (per llmstxt.org spec, verify with curl -s https://example.com/llms.txt)
AI scraper policy encoded in robots.txt. Apply the matrix from references/decisions.md based on site type, then ask user via ask_user_input_v0 to confirm each non-default decision.
Schema markup (JSON-LD): Organization + WebSite + BreadcrumbList site-wide; per-page types where applicable (SoftwareApplication for lib homepages, Article for blog posts, FAQPage for FAQs, Person for author bio). Verify with curl -s URL | grep -A 50 'application/ld+json'. Validate structured data via Google Rich Results Test (https://search.google.com/test/rich-results) and Schema.org Validator (https://validator.schema.org). Rich Results Test checks eligibility for rich snippets; Schema.org Validator catches spec violations that Google may silently ignore.
Meta tags per page: unique <title> (50-60 chars), unique <meta description> (150-160 chars), <link rel="canonical">, <meta name="robots"> if needed
hreflang tags on every page if multilingual (every language version declares all alternates including self). Verify with curl -s URL | grep -i hreflang.
Keyword analysis using both Google Trends and Ahrefs (they answer different questions, not interchangeable):
Google Trends (trends.google.com): trajectory (rising vs declining), geographic distribution (especially FR vs international split), seasonal patterns, related queries breakout, head-to-head comparison of 2-5 candidate keywords. Use Trends to validate direction and timing of the SEO bet.
Exploding Topics (explodingtopics.com): surfaces emerging trends weeks or months before they peak in Google Trends. Use to identify rising queries before competition solidifies and to validate that target keywords aren't already on the decline.
Answer The Public (answerthepublic.com/en): maps search questions, comparisons, and related queries around a seed keyword. Use to uncover long-tail intent clusters, populate FAQ schema, and identify content gaps.
Ahrefs Keywords Explorer: monthly volume, keyword difficulty, SERP analysis, CPC, parent topic, traffic potential. Use Ahrefs to size the opportunity in absolute terms.
Combined output: a ranked shortlist of 3-5 target queries per page, with rationale (volume × difficulty × trajectory × intent match).
Delegate to whichever keyword-research sub-skill was installed at session start (selected from the installed packs via the skill selection workflow; typical sources are the SEO+GEO and marketing packs).
AI visibility audit via productrank.ai: open productrank.ai in a browser, submit multiple category or product searches, run the full AI SEO report. It audits how the site appears in AI-generated answers (ChatGPT, Perplexity, Gemini, Claude). Flag any zero-visibility categories and surface content gaps the AI graders identify.
Typo and grammar pass on all visible text content
Backlink profile audit: run Ahrefs Backlink Checker and Moz Link Explorer to assess domain authority and surface toxic or broken inbound links before launch — especially critical on migrations to ensure old-domain equity transfers correctly
Internal linking audit: every important page reachable in ≤3 clicks from the homepage
Phase 6: Open Graph & Social Preview
Verify all OG and Twitter tags with: curl -s URL | grep -iE 'og:|twitter:'
og:title, og:description, og:url, og:type, og:site_name
og:image 1200×630px, absolute URL, og:image:width and og:image:height declared, og:image:alt set
Per-page og:image, not one global. For doc sites: generate dynamically from page title. For blog posts: per-article custom image.
og:locale + og:locale:alternate for each language if multilingual
Twitter Cards: twitter:card=summary_large_image, twitter:title, twitter:description, twitter:image, twitter:site (handle)
Validate with opengraph.xyz (covers FB, LinkedIn, Slack, Discord, WhatsApp previews) via Claude Chrome extension
Validate with Twitter's card validator
Manual check: paste URL in a LinkedIn DM, a Slack channel, a Discord, an iMessage. Preview must render correctly in all.
Phase 7: Favicons & Web Manifest
See references/templates.md for the manifest.json template.
Generate from a single 1024×1024 source PNG using realfavicongenerator.net or favicon.io.