What Senior Engineers Check Before Approving Production
A junior engineer asks "does it work?" A senior engineer asks "what happens when it doesn't?" Here's the checklist behind that second question.
1. What happens on failure, not just success
Every demo shows the happy path. A senior review asks: what does the user see if the payment webhook times out? If the LLM call errors? If two requests hit the same row at once? AI-generated code almost never handles these on its own — it optimizes for the path you described, not the ones you didn't.
2. Who can access what, tested directly
Not "does the login page exist" — can User A load User B's data by changing an ID in the URL (IDOR)? Can an unauthenticated request hit /api/admin/*? Senior engineers test this with curl, not by clicking through the UI as themselves.
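One way to make that check repeatable rather than a one-off curl session is an authorization matrix: a list of (who, request, expected status) rows run against the app on every release. The example below is added here and is not code from the original page or from Vezraa; the in-memory `handle` function is a constructed stand-in for the API under review so the matrix can run offline, and `handle_missing_owner_check` is the same handler with the object-level check dropped, which is the shape of a typical IDOR. In a real review the same rows are driven against the deployed app with curl or an HTTP client.

```python
# Constructed stand-in for the API under review. The data and the handler are
# assumptions for this example, not the page's or any real project's code.
ORDERS = {"o-1": {"owner": "alice", "total": 40}, "o-2": {"owner": "bob", "total": 99}}
ADMINS = {"carol"}


def handle(method, path, user=None):
    """Return (status, body). `user` is the authenticated principal, or None."""
    if path.startswith("/api/admin/"):
        if user is None:
            return 401, {"error": "unauthenticated"}
        if user not in ADMINS:
            return 403, {"error": "forbidden"}
        return 200, {"orders": ORDERS}
    if path.startswith("/api/orders/"):
        if user is None:
            return 401, {"error": "unauthenticated"}
        order = ORDERS.get(path.rsplit("/", 1)[1])
        # Object-level check: a record that exists but belongs to someone else is
        # answered exactly like a record that does not exist.
        if order is None or order["owner"] != user:
            return 404, {"error": "not found"}
        return 200, order
    return 404, {"error": "not found"}


def handle_missing_owner_check(method, path, user=None):
    """Same handler with the ownership comparison dropped: the classic IDOR."""
    if path.startswith("/api/orders/") and user is not None:
        order = ORDERS.get(path.rsplit("/", 1)[1])
        return (200, order) if order else (404, {"error": "not found"})
    return handle(method, path, user=user)


# The matrix a reviewer runs: each row is (who, request, expected status).
AUTHZ_MATRIX = [
    ("alice", "/api/orders/o-1", 200),    # own record
    ("alice", "/api/orders/o-2", 404),    # another user's id swapped into the URL
    (None, "/api/orders/o-1", 401),       # unauthenticated
    (None, "/api/admin/orders", 401),     # unauthenticated admin route
    ("alice", "/api/admin/orders", 403),  # authenticated but not an admin
    ("carol", "/api/admin/orders", 200),  # admin
]


def run_matrix(handler, matrix):
    """Run every probe; return rows whose status differed from the expectation."""
    failures = []
    for user, path, expected in matrix:
        status, _ = handler("GET", path, user=user)
        if status != expected:
            failures.append((user, path, expected, status))
    return failures


if __name__ == "__main__":
    print("hardened handler failures:", run_matrix(handle, AUTHZ_MATRIX))
    print("IDOR handler failures:", run_matrix(handle_missing_owner_check, AUTHZ_MATRIX))
```

The point of the matrix is the rows with a different principal than the one who owns the data: a test suite that only logs in as one user and reads that user's own records will pass against both handlers above.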
3. Where the secrets actually live
A quick grep of the deployed JavaScript bundle for sk_live, sk-proj, or any other key that should only ever exist server-side. This single check catches an enormous share of real incidents, and it takes thirty seconds.
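The grep can be scripted so it runs against every build output rather than once. The scanner below is an added example, not code from the page or from Vezraa: the `sk_live_`, `sk-proj-` and `AKIA` prefixes are the publicly documented formats for Stripe live secret keys, OpenAI project keys and AWS access key ids, the generic `secret`/`api_key`/`private_key` assignment pattern is a heuristic of mine, and `SAMPLE_BUNDLE` is a constructed bundle fragment with made-up key values. Findings are redacted so the report itself does not become a second copy of the secret.

```python
import re

# Key formats that must never appear in client-delivered code. The first three
# prefixes are documented formats; the last pattern is a heuristic assumption.
SECRET_PATTERNS = {
    "stripe_live_secret": re.compile(r"\bsk_live_[0-9A-Za-z]{10,}"),
    "openai_project_key": re.compile(r"\bsk-proj-[0-9A-Za-z_-]{10,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_secret_assignment": re.compile(
        r"""(?i)\b(?:secret|api[_-]?key|private[_-]?key)\s*[:=]\s*["']([^"']{12,})["']"""
    ),
}

# Constructed bundle fragment: the publishable key on line 1 is fine to ship,
# lines 2-4 each contain a value that should have stayed on the server.
SAMPLE_BUNDLE = """\
const pk="pk_live_publishable_key_is_fine_1234567890";
const stripe=require("stripe")("sk_live_EXAMPLEexampleEXAMPLE0001");
fetch("https://api.openai.com/v1/chat/completions",{headers:{Authorization:"Bearer sk-proj-abcDEF123456_xyz-789"}});
const cfg={apiKey:"super-secret-server-key-0001"};
"""


def redact(value):
    """Keep just enough of the value to locate it in the source, never the whole key."""
    return value[:6] + "..." + value[-4:] if len(value) > 12 else "***"


def scan_bundle(text):
    """Return one finding per match: pattern name, 1-based line, redacted preview."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for name, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                # Report the captured secret value if the pattern has a group, else the match.
                secret = m.group(m.lastindex or 0)
                findings.append({"type": name, "line": line_no, "preview": redact(secret)})
    return findings


if __name__ == "__main__":
    import sys
    paths = sys.argv[1:]
    if not paths:  # no files given: demonstrate on the constructed sample
        for f in scan_bundle(SAMPLE_BUNDLE):
            print(f"sample:{f['line']}: {f['type']} {f['preview']}")
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for f in scan_bundle(fh.read()):
                print(f"{path}:{f['line']}: {f['type']} {f['preview']}")
```

Run it over the built assets (for example every `.js` file under the build output directory) as a CI step that fails the pipeline on any finding; a publishable key such as the `pk_live_` value on line 1 is intentionally not reported, because only server-side credentials are the problem here.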
4. Whether the database is actually locked down
For Supabase apps specifically: does every table have Row Level Security enabled with real policies, or is there a USING (true) policy quietly letting anyone read everything? This is checked directly against the live REST API, not assumed from the code.
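Checking this against the live API means issuing the same read a browser could issue with nothing but the public anon key, and reading the answer correctly. The example below is added here and is not code from the page or from Vezraa; it targets the PostgREST endpoint Supabase exposes under `/rest/v1/` with the `apikey` and `Authorization: Bearer` headers that the anon key is sent in, and the project URL, key and table name in the test are placeholders. The classification rule is the part worth reading: with RLS on and no matching policy, a select returns `200 []`, so rows coming back means anyone can read them, while an empty list is absence of evidence rather than proof, and a `USING (true)` policy for the anon role looks exactly like RLS being off.

```python
import json
from urllib.request import Request, urlopen
from urllib.error import HTTPError


def build_probe(project_url, anon_key, table, limit=5):
    """Build the unauthenticated read: only the public anon key, no user session."""
    url = f"{project_url.rstrip('/')}/rest/v1/{table}?select=*&limit={limit}"
    headers = {
        "apikey": anon_key,
        "Authorization": f"Bearer {anon_key}",
        "Accept": "application/json",
    }
    return url, headers


def classify(status, body):
    """Interpret one response from the probe.

    EXPOSED          - rows came back to the anon role: RLS is off, or a policy
                       (for example USING (true)) grants anon a read.
    no_rows_returned - 200 with an empty list; consistent with RLS on and no anon
                       policy, but also with an empty table, so not a pass by itself.
    denied           - 401/403; the key was rejected or the request was blocked.
    unexpected       - anything else; inspect by hand.
    """
    if status == 200:
        try:
            rows = json.loads(body)
        except ValueError:
            return "unexpected"
        return "EXPOSED" if isinstance(rows, list) and rows else "no_rows_returned"
    if status in (401, 403):
        return "denied"
    return "unexpected"


def probe_table(project_url, anon_key, table):
    """Run the probe against your own project and classify the result."""
    url, headers = build_probe(project_url, anon_key, table)
    try:
        with urlopen(Request(url, headers=headers, method="GET"), timeout=10) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except HTTPError as err:
        return classify(err.code, err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    import sys
    # usage: probe.py <project_url> <anon_key> <table> [<table> ...]
    project_url, anon_key, tables = sys.argv[1], sys.argv[2], sys.argv[3:]
    for table in tables:
        print(f"{table}: {probe_table(project_url, anon_key, table)}")
```

Run it with the list of every table in the schema, not just the ones you remember creating; a table that returns `no_rows_returned` still deserves a second probe with a real user session to confirm that a policy, and not an empty table, is what kept the rows hidden.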
5. What an adversary would try first
Not a full pentest engagement — just the obvious moves. Can a webhook be replayed? Can a price be manipulated client-side? Can an LLM endpoint be prompted into leaking its system prompt or draining API credits with no rate limit? A senior reviewer thinks like an attacker for five minutes before approving. An autonomous version of this is what Vezraa's AI Pentesting does at scale.
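The webhook replay question has a concrete defensive answer: verify a signature over the raw body, reject deliveries outside a timestamp window, and record processed event ids so a second copy of a valid delivery is ignored. The receiver below is an added example, not code from the page or from Vezraa, and the signature scheme (HMAC-SHA256 over `"<timestamp>.<raw body>"`, carried in `X-Timestamp` and `X-Signature` headers) is an assumption chosen for the example; real providers document their own header names and formats, and the receiver should follow those exactly. `make_delivery` is the constructed sender side used to produce test traffic.

```python
import hashlib
import hmac
import json
import time

TOLERANCE_SECONDS = 300  # deliveries whose timestamp is further from now than this are rejected


def sign(secret, timestamp, body):
    """Assumed scheme for this example: HMAC-SHA256 over "<timestamp>.<raw body>"."""
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


def make_delivery(secret, timestamp, event):
    """Constructed sender side: serialize the event and sign it as the receiver expects."""
    body = json.dumps(event).encode()
    return {"X-Timestamp": str(timestamp), "X-Signature": sign(secret, timestamp, body)}, body


class WebhookReceiver:
    def __init__(self, secret, now=time.time):
        self.secret = secret
        self.now = now  # injectable clock so the freshness window is testable
        self.processed = set()  # event ids already acted on; persist this in the DB in production

    def accept(self, headers, body):
        """Return (accepted, reason). Checks run in order: authenticity, freshness, idempotency."""
        ts, sig = headers.get("X-Timestamp"), headers.get("X-Signature")
        if ts is None or sig is None:
            return False, "missing signature headers"
        # Constant-time comparison over the raw bytes, before anything is parsed.
        if not hmac.compare_digest(sign(self.secret, ts, body), sig):
            return False, "bad signature"
        try:
            age = abs(self.now() - int(ts))
        except ValueError:
            return False, "bad timestamp"
        if age > TOLERANCE_SECONDS:
            return False, "stale delivery"
        event_id = json.loads(body).get("id")
        if not event_id:
            return False, "no event id"
        if event_id in self.processed:
            return False, "replay"
        self.processed.add(event_id)  # mark before side effects so a crash cannot double-apply
        return True, "processed"


if __name__ == "__main__":
    secret = b"constructed-webhook-secret"
    rx = WebhookReceiver(secret)
    hdr, body = make_delivery(secret, int(time.time()), {"id": "evt_1", "amount": 4000})
    print(rx.accept(hdr, body))   # first copy is processed
    print(rx.accept(hdr, body))   # identical second copy is rejected as a replay
```

The same three-step shape (authenticate, bound the window, deduplicate) is what makes the check survive a retry storm from the provider: legitimate retries carry the same event id and are absorbed as replays instead of being applied twice.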
6. Whether any of this is repeatable
A one-time manual review doesn't survive the next deploy. The senior-engineer checklist only holds up long-term if it's run on every release, which is why teams that do this well eventually automate it — see Production Readiness.
Run this checklist automatically in 25 seconds.