# Microservice Golden Path Checklist

## Pre-Deployment

- [ ] Service name follows naming convention: lowercase-hyphenated (a valid DNS label, so the same name works for the Deployment and the Service)
- [ ] Dockerfile uses multi-stage build + distroless base (no shell or package manager in the final image)
- [ ] Image is signed with Cosign (and the signature is verified at admission, not only in the pipeline)
- [ ] SBOM is generated and attested
- [ ] All security scans pass (Trivy, Semgrep, Checkov)
- [ ] Health endpoints: /healthz (liveness) + /readyz (readiness)
- [ ] Graceful shutdown handles SIGTERM: fail /readyz first, drain in-flight requests, then exit within terminationGracePeriodSeconds

## Kubernetes

- [ ] Resource requests AND limits defined
- [ ] runAsNonRoot: true + readOnlyRootFilesystem: true (plus allowPrivilegeEscalation: false)
- [ ] capabilities.drop: ["ALL"]
- [ ] Probes configured (liveness + readiness)
- [ ] PDB created (minAvailable >= 2; replicas must exceed minAvailable or node drains will block)
- [ ] HPA configured
- [ ] NetworkPolicy: default deny + selective allow (ingress and egress)
- [ ] Secrets from External Secrets Operator (not hardcoded)
- [ ] automountServiceAccountToken: false (unless the service calls the Kubernetes API)
- [ ] TopologySpreadConstraints for multi-AZ

## Observability

- [ ] Prometheus metrics endpoint exposed
- [ ] Structured JSON logging
- [ ] OpenTelemetry traces emitted
- [ ] Dashboard exists in Grafana
- [ ] Alert rules defined in Prometheus

## CI/CD

- [ ] DevSecOps pipeline passes (SAST + scan + sign + test)
- [ ] ArgoCD application manifest created
- [ ] Kustomize overlay for each environment
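The last two Pre-Deployment items (health endpoints and SIGTERM handling) are the ones most often done half-right: the process exits on SIGTERM but keeps advertising readiness until it is gone, so the endpoints controller still routes traffic into a dying pod. The example below is added here and is not code from the checklist's author; it assumes a plain HTTP service, and `DRAIN_SECONDS` and `PROPAGATION_SECONDS` are illustrative values that must stay below the pod's `terminationGracePeriodSeconds`.

```python
"""Liveness/readiness endpoints with a SIGTERM-driven drain.

Added example (not from the checklist page). Assumes a plain HTTP
service; the drain timings below are assumptions, not project defaults.
"""
import json
import signal
import threading
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

DRAIN_SECONDS = 10        # assumption: < terminationGracePeriodSeconds
PROPAGATION_SECONDS = 2   # assumption: time for endpoints to drop the pod


class HealthState:
    """Tracks whether the process is alive and whether it may take traffic."""

    def __init__(self):
        self.alive = True      # liveness: the process is not wedged
        self.ready = True      # readiness: safe to route requests here
        self.inflight = 0
        self._lock = threading.Lock()

    def begin_shutdown(self):
        # Step 1 of a graceful shutdown: fail readiness so the pod is
        # removed from Service endpoints before connections are refused.
        with self._lock:
            self.ready = False

    def track(self, delta):
        """Count in-flight requests; returns the new count."""
        with self._lock:
            self.inflight += delta
            return self.inflight

    def status_for(self, path):
        """Map a probe path to (HTTP status, JSON body)."""
        if path == "/healthz":
            ok = self.alive
        elif path == "/readyz":
            ok = self.ready
        else:
            return 404, {"error": "unknown probe"}
        return (200 if ok else 503), {"status": "ok" if ok else "unavailable"}


STATE = HealthState()


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        STATE.track(+1)
        try:
            code, body = STATE.status_for(self.path)
            payload = json.dumps(body).encode()
            self.send_response(code)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(payload)))
            self.end_headers()
            self.wfile.write(payload)
        finally:
            STATE.track(-1)

    def log_message(self, *args):  # keep probe traffic out of stderr
        pass


def install_sigterm_handler(server, state=STATE, drain=DRAIN_SECONDS):
    """On SIGTERM: fail readiness, let in-flight requests finish, then stop."""

    def drain_and_stop():
        # Let kube-proxy / the ingress drop this pod from endpoints first.
        time.sleep(min(PROPAGATION_SECONDS, drain))
        deadline = time.monotonic() + drain
        while state.inflight > 0 and time.monotonic() < deadline:
            time.sleep(0.1)
        server.shutdown()  # must be called off the serve_forever thread

    def on_sigterm(signum, frame):
        state.begin_shutdown()
        threading.Thread(target=drain_and_stop, daemon=True).start()

    signal.signal(signal.SIGTERM, on_sigterm)


if __name__ == "__main__":
    srv = ThreadingHTTPServer(("0.0.0.0", 8080), Handler)
    install_sigterm_handler(srv)
    srv.serve_forever()
```

Liveness stays green throughout the drain on purpose: a liveness failure would make the kubelet restart the container mid-drain, which is exactly the interruption the readiness flip is meant to avoid.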
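Most of the Kubernetes items above can be checked mechanically from the pod template before a manifest reaches ArgoCD. The linter below is an added example, not the page's or any real admission controller's code: it encodes the manifest-visible items (naming, security context, capabilities, resources, probes, service account token, topology spread, and a heuristic for hardcoded secrets) and runs them over two constructed manifests, one weak and one hardened. The manifests, image names and thresholds are illustrative assumptions.

```python
"""Golden-path linter for a Deployment's pod template.

Added example (not from the checklist page). Checks only what a single
manifest can show; PDB, HPA and NetworkPolicy live in other objects.
"""
import re

NAME_RE = re.compile(r"[a-z0-9]+(-[a-z0-9]+)*")        # lowercase-hyphenated
SECRET_ENV_RE = re.compile(r"(secret|password|token|key)", re.I)  # heuristic


def _get(d, *path, default=None):
    """Safe nested lookup: _get(obj, 'a', 'b') -> obj['a']['b'] or default."""
    for key in path:
        if not isinstance(d, dict) or key not in d:
            return default
        d = d[key]
    return d


def lint_pod_template(manifest):
    """Return a list of checklist violations for one Deployment-like manifest."""
    findings = []
    name = _get(manifest, "metadata", "name", default="<unnamed>")
    if not NAME_RE.fullmatch(name):
        findings.append(f"{name}: name is not lowercase-hyphenated")
    pod = _get(manifest, "spec", "template", "spec", default={})
    pod_sc = pod.get("securityContext", {})

    # Default is true, so an absent key is a finding, not a pass.
    if pod.get("automountServiceAccountToken", True):
        findings.append(f"{name}: automountServiceAccountToken is not false")
    if not pod.get("topologySpreadConstraints"):
        findings.append(f"{name}: no topologySpreadConstraints")

    for c in pod.get("containers", []):
        cname = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        # Container-level securityContext overrides the pod-level one.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{cname}: runAsNonRoot is not true")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{cname}: readOnlyRootFilesystem is not true")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{cname}: allowPrivilegeEscalation is not false")
        if "ALL" not in _get(sc, "capabilities", "drop", default=[]):
            findings.append(f"{cname}: capabilities.drop does not include ALL")
        for kind in ("requests", "limits"):
            for res in ("cpu", "memory"):
                if _get(c, "resources", kind, res) is None:
                    findings.append(f"{cname}: resources.{kind}.{res} missing")
        for probe in ("livenessProbe", "readinessProbe"):
            if probe not in c:
                findings.append(f"{cname}: {probe} missing")
        for env in c.get("env", []):
            # A secret-looking name with a literal value is hardcoded; ESO-managed
            # Secrets are consumed through valueFrom.secretKeyRef instead.
            if "value" in env and SECRET_ENV_RE.search(env.get("name", "")):
                findings.append(f"{cname}: env {env['name']} looks like a hardcoded secret")
    return findings


# Constructed sample manifests (assumptions, not real workloads).
WEAK = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "Orders_API"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "api", "image": "ghcr.io/example/orders:1.2.3",
        "env": [{"name": "DB_PASSWORD", "value": "hunter2"}],
    }]}}},
}

HARDENED = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "orders-api"},
    "spec": {"template": {"spec": {
        "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "topologySpreadConstraints": [{
            "maxSkew": 1, "topologyKey": "topology.kubernetes.io/zone",
            "whenUnsatisfiable": "DoNotSchedule",
            "labelSelector": {"matchLabels": {"app": "orders-api"}}}],
        "containers": [{
            "name": "api", "image": "ghcr.io/example/orders:1.2.3",
            "securityContext": {"readOnlyRootFilesystem": True,
                                "allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"]}},
            "resources": {"requests": {"cpu": "100m", "memory": "128Mi"},
                          "limits": {"cpu": "500m", "memory": "256Mi"}},
            "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
            "readinessProbe": {"httpGet": {"path": "/readyz", "port": 8080}},
            "env": [{"name": "DB_PASSWORD", "valueFrom": {
                "secretKeyRef": {"name": "orders-db", "key": "password"}}}],
        }],
    }}},
}

if __name__ == "__main__":
    for label, m in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, lint_pod_template(m) or "OK")
```

Wire the same function into the pipeline as a gate on the rendered Kustomize output (or port the rules to a Kyverno/OPA policy at admission) so a manifest that drifts from the golden path fails before it is ever applied.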
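For the Observability items, "structured JSON logging" only pays off when every line carries the fields the dashboards and traces are keyed on (service, level, trace id) and never carries the values the secrets checklist keeps out of manifests. The formatter below is an added example, not the page's code: it assumes the active trace id is propagated per request in a `contextvars.ContextVar` (an OpenTelemetry SDK would populate it; here it is set by hand) and redacts extra fields whose names look like credentials, which is a caveat added here rather than an item on the list.

```python
"""Structured JSON logging with trace correlation and secret redaction.

Added example (not from the checklist page). The trace id is assumed to
be set per request in a contextvar; the field names in SENSITIVE are an
illustrative deny-list.
"""
import contextvars
import json
import logging
import time

TRACE_ID = contextvars.ContextVar("trace_id", default=None)
SENSITIVE = {"password", "token", "secret", "authorization", "cookie"}


class JsonFormatter(logging.Formatter):
    """One JSON object per line; extra fields come from record.fields."""

    def __init__(self, service):
        super().__init__()
        self.service = service

    def format(self, record):
        entry = {
            "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(record.created)),
            "level": record.levelname,
            "service": self.service,
            "logger": record.name,
            "msg": record.getMessage(),
            "trace_id": TRACE_ID.get(),   # joins this line to its trace
        }
        for key, value in getattr(record, "fields", {}).items():
            entry[key] = "[REDACTED]" if key.lower() in SENSITIVE else value
        if record.exc_info:
            entry["exc"] = self.formatException(record.exc_info)
        return json.dumps(entry, default=str)


def make_logger(service, stream=None):
    """Logger that writes JSON lines; call with extra={'fields': {...}}."""
    logger = logging.getLogger(service)
    logger.setLevel(logging.INFO)
    logger.handlers.clear()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(JsonFormatter(service))
    logger.addHandler(handler)
    logger.propagate = False
    return logger


def format_record(service, msg, fields=None, trace_id=None):
    """Render one record through the formatter and parse it back (for checks)."""
    token = TRACE_ID.set(trace_id)
    try:
        record = logging.LogRecord(service, logging.INFO, __file__, 0, msg, None, None)
        record.fields = fields or {}
        return json.loads(JsonFormatter(service).format(record))
    finally:
        TRACE_ID.reset(token)


if __name__ == "__main__":
    log = make_logger("orders-api")
    TRACE_ID.set("4bf92f3577b34da6a3ce929d0e0e4736")   # constructed trace id
    log.info("login ok", extra={"fields": {"user": "alice", "password": "hunter2"}})
```

Keep the key set stable: alert rules and Grafana panels that filter on `service` and `trace_id` break silently when a team renames a field, so treat the formatter as part of the service contract.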