The Product Development Playbook is a free, open-source reference guide for engineers, product managers, CTOs, and indie hackers who want to build tech products the right way β with industry-standard practices at every phase of the lifecycle.
It covers everything from validating a problem to launching a production-ready product and iterating post-launch, with every phase backed by real references from recognized books, standards bodies, and engineering organizations.
No fluff. No opinions without citations. Just a practical, validated guide you can actually use β whether you're building solo or leading a team of 50.
Methodology: Lean + Agile + Shape Up hybrid
Scope: Any tech product β web app, mobile app, SaaS, platform, API, or internal tool
Standard: Industry-grade, production-ready
Most product failures aren't caused by bad code. They're caused by:
- Building something the market doesn't need (42% of startup failures β CB Insights, 2021)
- Skipping architecture decisions that become expensive to reverse
- Treating security and testing as afterthoughts
- Having no shared process across roles
This playbook is the shared process.
| Role | How to use this guide |
|---|---|
| π§βπ» Solo Developer / Indie Hacker | Follow the 17 phases end-to-end before writing a single line of code |
| π₯ Small Development Team (2β10) | Use as a shared team standard and onboarding reference |
| π’ Engineering Manager / Tech Lead | Use phases as sprint planning inputs and definition-of-done references |
| π§βπΌ Product Manager | Use discovery, scoping, and roadmap phases as PM workflow |
| ποΈ CTO / Architect | Use architecture, auth, data modeling, and security phases as design review checklists |
| π DevOps / Platform Engineer | Use deployment, monitoring, and security phases as infrastructure runbooks |
| π Student / Bootcamp Graduate | Learn how production-grade products are actually planned and built |
The full guide covers 17 sequential phases, each with a checklist, deliverables, validated references, and role assignments.
The order matters. Each phase depends on the one before it. The guide is designed to prevent the most common mistake in software: building before you've validated the problem, the data model, or the architecture.
DISCOVERY βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Phase 1: Product Discovery & Definition β
Phase 2: Feature Scoping (MVP First) β
β
DESIGN ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
Phase 3: User Flow & Journey Mapping β
Phase 9: UI/UX Design β
β
ARCHITECTURE ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
Phase 4: Data Modeling & Database Design β
Phase 5: System Architecture β
Phase 6: Authentication & Authorization β
β
LOGIC & API βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
Phase 7: Business Logic Definition β
Phase 8: API Design (Contract First) β
Phase 10: Edge Case & Failure Planning β
β
DEVELOPMENT βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
Phase 11: Project Structure & Coding Standards β
Phase 12: Development Roadmap β
Phase 13: Testing Strategy β
β
OPERATIONS ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
Phase 14: Deployment Plan β
Phase 15: Monitoring & Observability β
Phase 16: Security Checklist β
Phase 17: Post-Launch & Iteration β
β
LAUNCH ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
| # | Phase | Category | Key Outputs | Primary Roles |
|---|---|---|---|---|
| 1 | π§ Product Discovery & Definition | Discovery | Product Brief, Personas, Competitor Analysis | PM, CTO |
| 2 | π Feature Scoping (MVP First) | Discovery | Feature List (MoSCoW), User Stories + Acceptance Criteria | PM, CTO |
| 3 | π User Flow & Journey Mapping | Design | Flow Diagrams, Screen Inventory, Journey Map | UX, PM |
| 4 | π§± Data Modeling & Database Design | Architecture | ERD, Data Dictionary, DB Schema | CTO, Dev |
| 5 | βοΈ System Architecture | Architecture | Architecture Diagram (C4), ADRs, Tech Stack Doc | CTO, Dev |
| 6 | π Authentication & Authorization | Architecture | Auth Flow, RBAC Matrix, Token Lifecycle | CTO, Dev, Security |
| 7 | π§© Business Logic Definition | Logic & API | Business Rules, State Machines, Formula Docs | PM, CTO, Dev |
| 8 | π API Design (Contract First) | Logic & API | OpenAPI Spec, Mock Server, API Docs | CTO, Dev |
| 9 | π¨ UI/UX Design | Design | Wireframes, Mockups, Design System | UX, PM |
| 10 | Logic & API | Edge Case Checklist, Error Message Library | CTO, Dev, PM | |
| 11 | ποΈ Project Structure & Standards | Development | Scaffold, README, CONTRIBUTING, Linter Config | CTO, Dev |
| 12 | π Development Roadmap | Development | Milestone Plan, Definition of Done, Sprint Board | PM, CTO |
| 13 | π§ͺ Testing Strategy | Development | Unit + Integration + E2E Test Suites, Testing Plan | Dev, CTO |
| 14 | π Deployment Plan | Operations | CI/CD Pipeline, Deployment Runbook, Rollback Plan | DevOps, CTO |
| 15 | π Monitoring & Observability | Operations | Dashboards, Alerts, Runbooks, SLO Definitions | DevOps, CTO, Dev |
| 16 | π Security Checklist | Operations | OWASP Coverage, Security Scan Results, Threat Model | Security, CTO, Dev |
| 17 | π Post-Launch & Iteration | Operations | Post-Launch Report, Updated Backlog | PM, CTO, Dev |
Every phase in the full guide includes:
β Action Checklist β Concrete, specific tasks with no ambiguity about what "done" means.
π Deliverable Outputs β Exact files and artifacts produced (e.g., docs/erd.png, openapi.yaml, ci.yml).
π Book References β Validated recommendations with author, year, and rationale for relevance.
π Online Resources β Links to recognized standards bodies: OWASP, W3C, NIST, IETF, Google, Microsoft, ThoughtWorks.
π₯ Role Assignments β Which roles are responsible and which are consulted per phase.
π Prerequisite Dependencies β Which phases must be completed first, and why.
Not all phases are independent. The map below shows what must be complete before you can begin each phase:
Phase 1 (Discovery)
βββ Phase 2 (Scoping)
βββ Phase 3 (Flows)
β βββ Phase 9 (UI/UX Design)
βββ Phase 4 (Data Model)
β βββ Phase 5 (Architecture)
β βββ Phase 6 (Auth)
β βββ Phase 7 (Business Logic)
β βββ Phase 8 (API Design)
β βββ Phase 10 (Edge Cases)
β βββ Phase 13 (Testing)
βββ Phase 11 (Project Standards)
βββ Phase 12 (Roadmap)
βββ Phase 14 (Deployment)
βββ Phase 15 (Monitoring)
βββ Phase 16 (Security)
βββ Phase 17 (Post-Launch)
Option A β Read online
Go straight to GUIDE.md and start from Phase 1. Use the Table of Contents to jump to any phase.
Option B β Clone locally
git clone https://github.com/heyitskuril/product-development-playbook.git
cd product-development-playbookOpen GUIDE.md in your Markdown viewer, VS Code, or Obsidian.
Option C β Use as a project template
Fork this repo and use the /docs structure as the foundation for your own product documentation:
your-project/
βββ docs/
β βββ product-brief.md β Phase 1
β βββ feature-list.md β Phase 2
β βββ user-stories.md β Phase 2
β βββ flows/ β Phase 3
β βββ screen-inventory.md β Phase 3
β βββ erd.png β Phase 4
β βββ data-dictionary.md β Phase 4
β βββ architecture.md β Phase 5
β βββ tech-stack.md β Phase 5
β βββ adr/ β Phase 5
β βββ auth-flow.md β Phase 6
β βββ rbac-matrix.md β Phase 6
β βββ business-rules.md β Phase 7
β βββ state-machines.md β Phase 7
β βββ api/
β β βββ openapi.yaml β Phase 8
β β βββ README.md β Phase 8
β βββ design-system.md β Phase 9
β βββ edge-cases.md β Phase 10
β βββ roadmap.md β Phase 12
β βββ testing-plan.md β Phase 13
β βββ deployment.md β Phase 14
β βββ rollback.md β Phase 14
β βββ monitoring.md β Phase 15
β βββ runbooks/ β Phase 15
β βββ security-checklist.md β Phase 16
β βββ threat-model.md β Phase 16
β βββ post-launch-report.md β Phase 17
βββ design/
β βββ wireframes/ β Phase 9
β βββ mockups/ β Phase 9
βββ tests/ β Phase 13
βββ .env.example β Phase 11
βββ README.md
βββ CONTRIBUTING.md β Phase 11
This guide is grounded in industry-recognized standards and research, not opinion:
| Standard / Source | Category | Used In |
|---|---|---|
| OWASP Top 10 (2021) | Security | Phases 6, 16 |
| OWASP Cheat Sheet Series | Security | Phases 6, 16 |
| NIST SP 800-63B | Identity & Passwords | Phase 16 |
| OpenAPI 3.1 Specification | API Design | Phase 8 |
| WCAG 2.1 β W3C | Accessibility | Phase 9 |
| RFC 8725 β JWT Best Practices (IETF) | Auth | Phase 6 |
| DORA Research | Engineering Performance | Phases 12, 14 |
| The 12-Factor App | Cloud-Native | Phases 5, 14 |
| C4 Model | Architecture Diagramming | Phase 5 |
| ADR Format | Architecture Decisions | Phase 5 |
| Google SRE Book | Site Reliability | Phase 15 |
| OpenTelemetry | Observability | Phase 15 |
| Google Core Web Vitals | Performance | Phases 13, 15 |
| Conventional Commits | Version Control | Phase 11 |
| Semantic Versioning | Version Control | Phase 11 |
The guide references 27 industry-standard books. The most frequently cited:
| Book | Author | Year | Phases |
|---|---|---|---|
| Inspired (2nd Ed) | Marty Cagan | 2018 | 1, 2 |
| The Lean Startup | Eric Ries | 2011 | 1, 17 |
| The Mom Test | Rob Fitzpatrick | 2013 | 1 |
| Shape Up | Ryan Singer (Basecamp) | 2019 | 2, 12 |
| Domain-Driven Design | Eric Evans | 2003 | 7 |
| Designing Data-Intensive Applications | Martin Kleppmann | 2017 | 4, 5 |
| Clean Architecture | Robert C. Martin | 2017 | 5, 11 |
| Building Microservices (2nd Ed) | Sam Newman | 2021 | 5 |
| Accelerate | Forsgren, Humble, Kim | 2018 | 12, 14 |
| Continuous Delivery | Humble & Farley | 2010 | 14 |
| Release It! (2nd Ed) | Michael Nygard | 2018 | 10 |
| Site Reliability Engineering | 2016 | 15 | |
| Refactoring UI | Wathan & Schoger | 2018 | 9 |
| The Pragmatic Programmer (20th Ed) | Hunt & Thomas | 2019 | 11, 13 |
Full reference list with rationale is in GUIDE.md β Master Reference Library.
Use this as a project kick-off tracker:
| # | Phase | Status | Primary Output |
|---|---|---|---|
| 1 | Product Discovery & Definition | β¬ Not started | Product Brief, Personas |
| 2 | Feature Scoping (MVP First) | β¬ Not started | Feature List, User Stories |
| 3 | User Flow & Journey Mapping | β¬ Not started | Flow Diagrams, Screen Inventory |
| 4 | Data Modeling & Database Design | β¬ Not started | ERD, Data Dictionary |
| 5 | System Architecture | β¬ Not started | Architecture Diagram, ADRs |
| 6 | Authentication & Authorization | β¬ Not started | Auth Flow, RBAC Matrix |
| 7 | Business Logic Definition | β¬ Not started | Business Rules, State Machines |
| 8 | API Design (Contract First) | β¬ Not started | OpenAPI Spec, API Docs |
| 9 | UI/UX Design | β¬ Not started | Wireframes, Design System |
| 10 | Edge Case & Failure Planning | β¬ Not started | Edge Case Checklist |
| 11 | Project Structure & Standards | β¬ Not started | Scaffold, README, CONTRIBUTING |
| 12 | Development Roadmap | β¬ Not started | Milestone Plan, Sprint Board |
| 13 | Testing Strategy | β¬ Not started | Test Suite, Testing Plan |
| 14 | Deployment Plan | β¬ Not started | CI/CD Pipeline, Runbook |
| 15 | Monitoring & Observability | β¬ Not started | Dashboards, Alerts, Runbooks |
| 16 | Security Checklist | β¬ Not started | OWASP Coverage, Threat Model |
| 17 | Post-Launch & Iteration | β¬ Not started | Post-Launch Report |
Security is not a single phase β it runs through the entire guide. Here's the OWASP Top 10 coverage map:
| Rank | Risk | Covered In |
|---|---|---|
| A01 | Broken Access Control | Phase 6 (RBAC design), Phase 16 (server-side enforcement) |
| A02 | Cryptographic Failures | Phase 6 (token storage), Phase 16 (password hashing, data-at-rest encryption) |
| A03 | Injection (SQL, XSS, etc.) | Phase 16 (parameterized queries, input sanitization, CSP header) |
| A04 | Insecure Design | Phase 5 (threat modeling), Phase 6 (security requirements in design) |
| A05 | Security Misconfiguration | Phase 14 (environment hardening), Phase 16 (security headers) |
| A06 | Vulnerable Components | Phase 16 (dependency scanning: npm audit, Snyk, Dependabot) |
| A07 | Auth & Session Failures | Phase 6 (httpOnly cookies, token lifetimes, logout invalidation) |
| A08 | Software Integrity Failures | Phase 14 (dependency lockfiles, CI integrity checks) |
| A09 | Logging & Monitoring Failures | Phase 15 (structured logging, auth event logging, anomaly alerts) |
| A10 | SSRF | Phase 16 (URL allowlisting, internal IP range blocking) |
This guide is open to contributions from the community. Found a broken link? Know a better reference? Want to add a missing best practice or translate a phase?
π Read CONTRIBUTING.md to get started.
Ways to contribute:
- Fix a broken link or outdated reference
- Add a missing tool, book, or online resource to any phase
- Improve clarity or fix a typo
- Add a language translation
- Share how you adapted this guide for your team
All contributions β large or small β are reviewed and appreciated. Please open an issue before submitting a large change so we can discuss the approach first.
| Version | Date | Summary |
|---|---|---|
| v1.0.0 | April 2026 | Initial public release β 17 phases, full reference library |
This project is licensed under the MIT License.
You are free to use, copy, modify, distribute, and adapt this guide β for personal, team, or commercial use β with attribution.
If this guide saved you time or helped your team ship better β consider giving it a β
It helps others find it.
Technology-agnostic. Language-agnostic. Team-size-agnostic.
Validated against: OWASP Top 10 (2021) Β· WCAG 2.1 Β· OpenAPI 3.1 Β· DORA (2023) Β· 12-Factor App Β· C4 Model