Prompts That Ship
Production setups: analytics funnels, secrets inventory, security scanning, OWASP review and more. Each one reproducible from a single copy-pasteable prompt to Claude Code or Codex. Discovery-first phasing, anti-patterns named upfront, verification built in. One afternoon per part. New entries land as new prompts get battle-tested.
← Back to blogA single prompt, pasted into a coding agent, that walks a production codebase from no instrumentation to shipped system, in an afternoon.
One prompt per setup. One afternoon to ship.
Each piece in this series is built around one copy-pasteable prompt. Phase 0 forces the agent to discover the actual stack before writing code. Phase 1 names the anti-patterns we shipped and then had to fix. Phase 2 demands verification before the PR merges. The prompt is the whole technical artefact. The article is the business case and the gotchas.
-
01
Have you got proper funnel tracking in GA4?
Do you know where signups leak on their way to paying? Article: Your GA4 Doesn’t Know Where You’re Losing Customers: Here’s the One-Prompt Fix → -
02
Have you got a single document listing every secret you run?
Could you rotate your Stripe key at 4pm on Friday? Article: Your Stripe Key Lives in Six Places. Most Teams Can’t List Three of Them. → -
03
Have you got six-layer security scanning wired into your repo?
Do you know which scanners belong on every PR and which belong on a weekly cron? Article: The Security Scanning Stack: The Prompt, Six Layers, and the GitHub Bill Most Teams Don’t See Coming → -
04
Have you got an OWASP review your scanners can’t do?
Do your JWT tokens actually expire? Article: Your Security Scanner Can’t See Your CORS Config. Here’s the One-Prompt OWASP Review That Can. → -
05
Have you got rate limiting on every public endpoint?
Does your throttle actually hold under 100 concurrent requests? Article: Rate Limiting Without Redis or Cloudflare Pro: The Postgres Pattern That Actually Holds Under Load → -
06
Have you got slow-query logging on every Supabase connection role?
Can you tell which Next.js route fired the eight-second query? Article: Your Supabase Project Is Flying Blind on Performance: Here’s the One-Prompt Fix → -
07
Have you got a dry-run guard on your email sender?
Do you know if CI is firing real emails at fixture addresses every night? Article: Your Playwright Suite Might Be Quietly Burning Your Sender Reputation → -
08
Have you got audit logging at every 3rd-party boundary?
Can you prove a Stripe call actually went through last Tuesday? Article: Your 3rd-Party Integrations Don’t Leave Receipts. One Log Line Per Call Fixes That. → -
09
Have you got a per-tenant activity feed?
Can you tell who disabled this backup, and when? Article: Your App Doesn’t Remember What Anyone Actually Did. Here’s the One-Prompt Fix. → -
10
Have you got browser-side error capture across all four sources?
Are you finding bugs from user screenshots? Article: Stop Finding Bugs From Screenshots: a Next.js Frontend Error-Trapping Setup With No New Vendors → -
11
Did the LLM scaffold Prisma without asking where your authz lives?
Are you sure your RLS policies are actually firing on every query? Article: Prisma Is the Right Default Until Your Authz Lives in Postgres: the One-Prompt Decision Tree →
None of these prompts are clever. All name the architecture upfront so the agent does the mechanical work in the right shape the first time.
Start with Part 1 →