Consequence-first scan of your AI-built project: 25 checks that catch the scariest things AI coding tools ship wrong — broken access control (IDOR), unenforced validation, missing security headers, no account deletion, no payment-amount validation. Enough signal to know which Pro audits to run next.
25 total checks · 3 delivery formats · 8 categories · 4 versions
Your data could leak. Your project could be taken over.
You could be fined or sued.
One bad user could bankrupt you overnight.
v3.1 (2026-04-23)

MINOR — spook-first redesign. Replaces the 22-check v3.0.0 with a 25-check v3.1 selection validated against an OSS corpus before ship. Three score-inflation problems closed:

(1) Skip inflation — dropped 4 abuse checks (rate-limit-on-sms-otp, llm-api-cost-cap-per-user, rate-limit-on-email-sends, file-upload-size-type-limits) that were 60-95% skip on typical SaaS.

(2) Pass-bias — tightened 8 existing checks: supabase-rls now rejects USING(true) unless an `// INTENTIONALLY_PUBLIC:` waiver is present; api-routes-require-auth now requires 100% coverage on writes, with the session check in the handler's first 10 lines; cookie-consent now requires a gated init call (not just banner presence); images-have-alt-text 95→99%; form-inputs-have-labels 90→98%; rate-limit-on-auth-endpoints requires all of login+signup+reset; unbounded-list-queries requires a visible LIMIT/take/range; webhook-idempotency requires an explicit dedupe pattern.

(3) Wrong-target — dropped session-cookies-hardened (auto-passes on framework defaults), admin-routes-auth-gated (40% skip on apps without /admin), interactive-elements-keyboard-accessible and color-contrast-sufficient (static grep precision low), and privacy-policy-exists-substantive (LLM word-counting fragile).

13 NEW checks promoted: protected-routes-call-session-getter, object-level-access-control (IDOR), validation-schemas-have-runtime-use, security-middleware-applied, security-headers-present (HSTS+CSP+Referrer), dangerous-sinks-not-fed-user-content, account-deletion-coded, data-export-endpoint-exists, do-not-sell-or-opt-out-link, no-pii-in-server-logs (legal + abuse cross-bucket twin), terms-and-privacy-linked-from-footer, payment-amount-server-side-only.

Bucket weights shifted: security 0.45 / legal 0.30→0.35 / abuse 0.25→0.20 — legal lawsuits and fines (GDPR €20M / ADA $20K-$100K demand letters / CCPA $7,500/violation) are categorically existential, so the weight was bumped to match. Severity distribution: 8 critical / 6 high / 3 medium / 0 info / 0 low — still skewed to consequence per the v3.0 design exception.

Predicted scoring: AuditBuffet (security tool) 75-85/B; partytab (casual SaaS) 55-65/D-C; vibe-coded MVP 40-55/F-D. Validated against a 50-repo OSS corpus via scripts/validation/validate-oss.ts before final ship.
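To make the "pass-bias" tightening concrete, here is an added illustration in TypeScript of how two of the tightened checks can be approximated as grep-style static checks. This is example code written for this page, not AuditBuffet's own scanner or pattern files. The `INTENTIONALLY_PUBLIC:` waiver comment is the one named above; everything else (accepting a SQL `--` comment for the waiver, the session-getter names `getServerSession`, `auth()` and `.auth.getUser(`, the Next.js-style `export async function POST` handler shape, and the sample inputs) is an assumption made for the example.

```typescript
// Added example, not AuditBuffet's own scanner: two of the v3.1 checks described
// above, approximated as static pattern matching over source text.
//   supabase-rls             a policy whose USING clause is literally `true` is a
//                            finding unless the nearest preceding line of content
//                            carries the INTENTIONALLY_PUBLIC: waiver (the page
//                            gives it as `// INTENTIONALLY_PUBLIC:`; a SQL `--`
//                            comment is accepted too, an assumption here)
//   api-routes-require-auth  every exported write handler must call a session
//                            getter within its first 10 lines (getter names below
//                            are assumptions; substitute your framework's)

type CheckId = "supabase-rls" | "api-routes-require-auth";

interface Finding {
  check: CheckId;
  line: number; // 1-based line of the offending policy or handler signature
  text: string; // that line, trimmed, for the report
}

const WAIVER = /INTENTIONALLY_PUBLIC:/;
const USING_TRUE = /\bUSING\s*\(\s*true\s*\)/i;

function checkRlsPolicies(sql: string): Finding[] {
  const lines = sql.split("\n");
  const findings: Finding[] = [];
  lines.forEach((line, i) => {
    if (!USING_TRUE.test(line)) return;
    // Walk back over blank lines to the nearest preceding line of content.
    let j = i - 1;
    while (j >= 0 && lines[j].trim() === "") j--;
    if (j < 0 || !WAIVER.test(lines[j])) {
      findings.push({ check: "supabase-rls", line: i + 1, text: line.trim() });
    }
  });
  return findings;
}

const WRITE_HANDLER = /^\s*export\s+(?:async\s+)?function\s+(?:POST|PUT|PATCH|DELETE)\b/;
const SESSION_GETTER = /\bgetServerSession\(|\bauth\(\)|\.auth\.getUser\(/;

function checkWriteRoutesAuth(src: string): Finding[] {
  const lines = src.split("\n");
  const findings: Finding[] = [];
  lines.forEach((line, i) => {
    if (!WRITE_HANDLER.test(line)) return;
    // Collect up to 10 body lines, stopping at the handler's closing brace so a
    // getter in the *next* handler cannot satisfy this one.
    const body: string[] = [];
    for (let k = i + 1; k < lines.length && body.length < 10; k++) {
      if (/^\}/.test(lines[k])) break;
      body.push(lines[k]);
    }
    if (!SESSION_GETTER.test(body.join("\n"))) {
      findings.push({ check: "api-routes-require-auth", line: i + 1, text: line.trim() });
    }
  });
  return findings;
}

// Constructed sample inputs (not taken from any real project).
const SAMPLE_SQL = `
create policy "profiles readable" on profiles for select using (true);

-- INTENTIONALLY_PUBLIC: marketing pages are meant to be world-readable
create policy "pages readable" on pages for select using (true);

create policy "own orders" on orders for select using (auth.uid() = user_id);
`;

const SAMPLE_ROUTES = `
export async function GET(req: Request) {
  return Response.json(await listPublicPosts());
}

export async function POST(req: Request) {
  const body = await req.json();
  await db.post.create({ data: body });
  return Response.json({ ok: true });
}

export async function DELETE(req: Request) {
  const session = await getServerSession();
  if (!session) return new Response("unauthorized", { status: 401 });
  await db.post.delete({ where: { id: (await req.json()).id } });
  return new Response(null, { status: 204 });
}
`;

function scanAll(): Finding[] {
  return [...checkRlsPolicies(SAMPLE_SQL), ...checkWriteRoutesAuth(SAMPLE_ROUTES)];
}

console.log(scanAll());
```

Run against the constructed samples this reports two findings: the `profiles` policy (world-readable with no waiver) and the `POST` handler (a write with no session check in its body), while the waived `pages` policy, the read-only `GET` and the guarded `DELETE` pass. The closing-brace cut in `checkWriteRoutesAuth` matters: without it the 10-line window of an unguarded handler could run into the next handler's `getServerSession()` and mask the gap, which is exactly the kind of pass-bias the v3.1 tightening targets.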
v3.0.0 (2026-04-22)

MAJOR — consequence-first restructure. Reduces from 35 polish checks across 10 sections to 22 consequence-first checks across 3 buckets (Security Problems / Legal Exposure / Abuse Surface). Every check carries a real-world consequence: breach, legal fine, or abuse-driven bill.

11 new checks added (admin-routes-auth-gated, webhook-signature-verified, interactive-elements-keyboard-accessible, color-contrast-sufficient, rate-limit-on-auth-endpoints, file-upload-size-type-limits, rate-limit-on-email-sends, rate-limit-on-sms-otp, llm-api-cost-cap-per-user, webhook-idempotency, unbounded-list-queries). 24 checks retired as tombstones (covered by Pro audits or cut as polish that didn't fit the spook-first funnel role). 11 checks renamed + rebucketed + polished with news/incident references (23andMe, Optus, Facebook admin, British Airways ICO, Target v NFB, CNIL cookie fines, Domino's v Robles ADA, Stripe webhook attacks, Twilio toll fraud, GitGuardian secret-scanners).

Severity distribution intentionally skews critical/high — documented as a v3.0.0 exception to the audit-build-guide severity bands (9 critical / 9 high / 4 medium; 69.8% critical / 30.2% high+medium / 0% info). Prior v2.x scores are NOT comparable; the version_migration_manifests row captures the break. Payload stays `audit_telemetry`; 22 check IDs under the new `project-snapshot.{security,legal,abuse}.*` namespace, with aliases on renamed patterns preserving inbound-link resolution. Rendered prompt now under 60K chars (was 83K) — fits comfortably under the MCP response cap.
v2.0.1 (2026-04-22)

Phase 8.1 bundling — 35 inline checks extracted to pattern files; the rendered prompt reshapes slightly under the bundle pipeline. Check IDs + scoring + telemetry output shape unchanged; scores remain comparable across 2.0.0 → 2.0.1.
v2.0.0 (2026-04-14)

MAJOR rewrite — Stack Scan becomes a real audit. Adds 35 surface-level checks across 10 categories and produces audit_telemetry instead of project_snapshot. Prior project_snapshot scores are not comparable — this is a new payload type.
Related audits (picked by pack overlap with this audit):
Pre-launch deployment checklist covering CI/CD pipeline health, monitoring setup, rollback strategy, and production configuration.
Deep inspection of environment variable handling, secrets storage patterns, and runtime configuration security.
Requirements-to-implementation comparison revealing feature gaps, scope creep, and mismatches between original specifications and what was built.
Mobile responsiveness assessment across phones, tablets, and screen sizes, covering viewport configuration, responsive layouts, touch-friendly sizing, and mobile UX patterns.
Core web performance assessment targeting load time and user experience, covering image optimization, bundle sizing, code splitting, caching, and rendering strategies.