# Live-truth curl checklist

Version: 1.1
Updated: 2026-07-17

## Use when

You need to identify what a public host is actually serving, how requests reach it, and which source or deploy owns that result before editing.

## Safety first

These commands are read-only. Replace the example host before running them. They use GET rather than HEAD because some servers treat HEAD differently.

```bash
HOST="example.com"

if [ "$HOST" = "example.com" ]; then
  echo "Set HOST to the domain you are checking."
else
  echo "== HTTPS response and headers =="
  curl --silent --show-error --dump-header - --output /dev/null "https://$HOST/"

  echo "== Redirect chain and final destination =="
  curl --silent --show-error --location \
    --dump-header - --output /dev/null \
    --write-out 'final_url=%{url_effective}\nstatus=%{http_code}\nredirects=%{num_redirects}\n' \
    "http://$HOST/"

  echo "== Canonical discovery surfaces =="
  for path in / /robots.txt /sitemap.xml; do
    curl --silent --show-error --location --output /dev/null \
      --write-out "$path status=%{http_code} final=%{url_effective}\n" \
      "https://$HOST$path"
  done

  echo "== Homepage body hash =="
  if command -v shasum >/dev/null 2>&1; then
    curl --silent --show-error --location "https://$HOST/" | shasum -a 256
  else
    curl --silent --show-error --location "https://$HOST/" | sha256sum
  fi

  echo "== First-party versioned assets in homepage HTML =="
  CACHE_BUST="$(date +%s)"
  curl --silent --show-error --location "https://$HOST/?cb=$CACHE_BUST" \
    | grep -Eo '(src|href)="/[^"]+\?v=[0-9]+"' \
    | sort -u
fi
```

## Optional DNS and TLS context

```bash
dig +short "$HOST" A
dig +short "$HOST" AAAA
dig +short "$HOST" CNAME

echo | openssl s_client -connect "$HOST:443" -servername "$HOST" 2>/dev/null \
  | openssl x509 -noout -subject -issuer -dates
```

DNS answers identify the current route, not necessarily the application owner. A valid certificate proves hostname coverage, not that the right content is served.

## Trace the origin

- Final HTTPS status:
- Redirect chain and final URL:
- Canonical host declared in HTML:
- DNS provider or proxy layer:
- Cache and security headers:
- Served asset versions:
- Homepage body hash:
- Active deploy identifier:
- Owning revision:
- Build command and publish directory:
- Editable repository, branch, and source path:
- Other plausible working copies checked:

## Compare source and live output

- [ ] The active deploy is identified from the hosting source of truth.
- [ ] The deploy maps to a reproducible revision or artifact.
- [ ] Cache-busted live output contains the expected versioned assets.
- [ ] Redirects, canonical URLs, robots, and sitemap agree on the public host.
- [ ] A representative generated or downloadable artifact matches its source.
- [ ] Nearby worktrees or repositories do not own a newer live result.

## Stop if

- The live artifact cannot be matched to a revision or reproducible build.
- Multiple worktrees or deploys plausibly own the same release.
- The source tree is missing content present in production.
- A proxy, redirect, or edge transform changes the response unexpectedly.
- Continuing would overwrite unrelated work or require new external authority.

An HTTP 200 proves transport success. It does not prove that the correct content, configuration, cache state, or user outcome was delivered.
