paulund/saas-launch-checklist
saas-launch-checklist/SKILL.md
Use when auditing launch readiness for a SaaS product, doing a pre-launch review, or checking what is missing before going live. Produces a categorised checklist with status for each item and clear distinction between must-have blockers and post-launch additions.
$ install --global
skillsauthnpx skillsauth add paulund/skills saas-launch-checklistInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 4, 2026, 5:34 AM129.2s2 files scanned
SKILL.md
- name:
- saas-launch-checklist
- description:
- Use when auditing launch readiness for a SaaS product, doing a pre-launch review, or checking what is missing before going live. Produces a categorised checklist with status for each item and clear distinction between must-have blockers and post-launch additions.
- category:
- saas
Core Workflow
- Ask about the product — what it does, B2B or B2C, solo or team-based, paid or freemium.
- Ask what is already built — the user describes current state. Do not assume anything is done.
- Load the launch readiness reference — read
references/launch-readiness.mdfor the full checklist. - Run the audit — work through each category and assess status based on what the user has described.
- Output the checklist — for each item, assign a status:
Done,In Progress,Needed, orOptional. Mark blockers clearly. - Summarise blockers — at the end, list the items that must be completed before launch, separate from everything else.
Launch Priority Tiers
Not everything needs to be done before launch. Use these tiers to guide prioritisation:
Must-have before launch
These are blockers. Do not launch without them.
- Authentication — users must be able to sign up and sign in
- Billing — if charging money, payment flow must work end-to-end (including webhooks for failed payments)
- Core email flows — welcome email, password reset, email verification (at minimum)
- Legal pages — Terms of Service and Privacy Policy must exist before accepting payments
- Basic error monitoring — you need to know when things break in production
- Secure configuration — no secrets in code, HTTPS enforced, no debug mode in production
Should-have for launch
Important but not blockers. Ship these in the first 2-4 weeks post-launch.
- Onboarding flow — empty states, getting started guide, welcome sequence
- User account settings — profile editing, password change, account deletion
- Branded error pages — 404 and 500 pages that do not expose stack traces
- Support channel — email address or helpdesk people can reach
- Subscription management — ability to upgrade, downgrade, or cancel
- Health check endpoint — for uptime monitoring
Can add post-launch
These are real features but rarely needed on day one. Add when the user base demands them.
- Team and organisation management
- API and webhook support
- MCP server (AI assistant integration)
- Audit log
- Custom domains
- Admin panel
- Feature flags
- White-labelling
- Internationalisation
- In-app notification centre
- Data export / GDPR tooling
- SSO / SAML
Questions to Ask Before Running the Audit
These answers determine which items are blockers vs optional:
- Are you charging money at launch, or starting free?
- Is this B2B (multiple users per account) or B2C (solo users)?
- Are you targeting enterprise buyers, or self-serve?
- Is this available to users in the EU? (Affects GDPR requirements)
- What is the launch date target?
- Do you plan to offer an MCP server for AI assistant integration? (Developer-facing products benefit from this early)
Output Format
Present the audit as a table or checklist grouped by priority tier:
## Must-have before launch
| Item | Status | Notes |
| --- | --- | --- |
| User signup and login | Done | |
| Email/password auth | Done | |
| OAuth (Google/GitHub) | Needed | User expects it |
| Password reset flow | Done | |
| Stripe integration | In Progress | Payment works, webhooks not set up |
| Failed payment handling | Needed | Blocker |
| Welcome email | Needed | Blocker |
| Terms of Service | Done | |
| Privacy Policy | Needed | Blocker |
| Error monitoring (Sentry) | Not started | Blocker |
## Blockers summary
Before launch, complete:
1. Set up Stripe webhooks for failed payment handling
2. Write and publish Privacy Policy
3. Set up Sentry (or equivalent) error monitoring
4. Add welcome email to signup flow
Reference Guide
| Topic | Reference | Load When |
| ----- | --------- | --------- |
| Launch Readiness Checklist | references/launch-readiness.md | Always |
Constraints
MUST DO
- Ask about product type and what is already built before auditing
- Distinguish clearly between blockers and nice-to-haves
- Tailor the checklist to the product — B2B needs different things than B2C
- Summarise blockers at the end as a clear action list
- Mark items as Optional when they genuinely are not needed for this product type
MUST NOT DO
- Apply every item to every product — enterprise features are not needed for consumer apps
- List items without assigning a status
- Treat "should-have" items as blockers
- Skip the context-gathering questions and make assumptions
- Present hundreds of items without prioritisation — the value is in what to do first
Related Skills
paulund/quality-gate
development
VerifiedTrustedCommunity
Use when the user wants to run the project's lint + types + build sequence as a gate before pushing, opening a PR, or merging. Invoked by chained dev skills between phases. Trigger phrases - "/quality-gate", "run the quality gate", "check it builds".
2SKILL.mdUpdated May 10, 2026
paulund/pr-verify
tools
VerifiedTrustedCommunity
Use when the user wants to verify a PR's feature works at runtime by booting the dev server, exercising the affected UI via Chrome DevTools MCP, and posting a screenshot summary back to the PR. Idempotent — skips if `verified` or `verify-failed` is already on the PR. Trigger phrases - "/pr-verify", "verify this PR", "runtime check the pr".
2SKILL.mdUpdated May 10, 2026
paulund/pr-security-review
testing
VerifiedTrustedCommunity
Use when the user wants a security-focused review pass on a PR with findings actioned as commits on the same branch. Trigger phrases - "/pr-security-review", "security review and fix".
2SKILL.mdUpdated May 10, 2026
paulund/pr-open
testing
VerifiedTrustedCommunity
Use when the user wants to open a pull request for an already-pushed branch that implements a specific issue. Idempotent — returns the existing PR if one is already open for the branch. Trigger phrases - "/pr-open", "open the pr", "create pr for this branch".
2SKILL.mdUpdated May 10, 2026