115 runnable audit bundles. Each groups patterns by domain into weighted sections.
Foundational accessibility audit covering ARIA usage, color contrast, keyboard navigation, and screen reader compatibility.
Full WCAG 2.1 AA compliance review with 36 checks across perceivability, operability, understandability, and robustness.
UI/UX quality assessment for AI chat interfaces, covering response streaming, loading states, error communication, conversation history, and input handling polish.
Data handling assessment across the AI processing pipeline, covering storage, retention, PII protection, and user control over third-party model data sharing.
Safety assessment against prompt injection attacks, identifying vulnerabilities where untrusted user input might cause the AI to ignore instructions or exfiltrate data.
Quality and trustworthiness assessment of AI-generated responses, including output formatting, context grounding, and communication of uncertainty or knowledge gaps.
Catches multi-session AI confusion: codebases that accumulate multiple libraries doing the same job because the model picked differently across sessions, resulting in dependency cruft and split-brain data layers.
Catches code that will surprise-bill on the first viral moment — non-LLM cost vectors that AI tools commonly leave unbounded: file uploads with no size limit, unbounded DB queries, email/SMS without rate limits, webhooks without idempotency, and background jobs without retry caps.
Catches AI-specific half-finished code patterns that slip into production: mock API responses in real handlers, hardcoded test credentials in fallbacks, stub returns, debug bypasses, and dev-only routes left active.
Catches LLM hallucination — code that references modules, files, routes, schemas, env vars, or assets that do not exist anywhere in the project.
Catches security controls that are imported, configured, or defined but never actually wired up — the unique AI failure mode of code that looks secure but isn't. Strictly focused on the gap between declaring a security control and applying it.
Catches AI-generated test suites that look impressive but don't actually test anything — assertion-free test files, mock-saturated tests that test the mocks, tautologies, skipped tests in CI, and missing E2E coverage on critical user flows.
Token management and cost-efficiency patterns to prevent unexpected API bills, covering context growth, token limits, and efficient streaming and caching implementation.
AI-specific interaction conventions assessment covering regeneration controls, feedback mechanisms, and advanced patterns that distinguish polished AI interfaces from basic API wrappers.
Evaluates API design quality — naming conventions, schema contracts, versioning strategy, and developer ergonomics for REST, GraphQL, and gRPC APIs.
Comprehensive security audit for REST and GraphQL APIs, covering authentication, authorization, input validation, and protection against OWASP API Top 10 threats.
Audits in-app purchase and subscription implementations across iOS and Android — covering StoreKit 2, Play Billing Library, receipt validation, paywall compliance, and subscription lifecycle management.
Audits your App Store and Google Play listing metadata — descriptions, screenshots, review notes, compliance declarations, and platform-specific submission requirements.
Evaluates whether your mobile app meets Apple App Store and Google Play Store content and policy requirements — including app quality, content restrictions, regulated industries, and platform standards.
Audits iOS and Android apps for privacy manifest completeness, tracking consent, data handling practices, and children's data compliance to prevent store rejections and policy violations.
Detects the specific technical and policy issues that cause Apple App Store and Google Play Store reviewers to reject app submissions.
Evaluates calendar display quality, availability management, timezone handling, and recurring schedule support for booking systems.
Evaluates booking creation, double-booking prevention, modification, cancellation, waitlists, and payment integration.
Evaluates confirmation emails, SMS notifications, calendar invites, reminder scheduling, and rescheduling communication.
Audits open/click tracking implementation, A/B testing infrastructure with statistical rigor, multi-touch attribution models, and reporting pipeline reliability for email campaign systems.
Audits the campaign brain — sequence and drip architecture, cadence and spacing rules, reply and engagement detection, lead scoring, and CRM routing for email campaign systems.
California Consumer Privacy Act and California Privacy Rights Act compliance covering consumer rights, privacy disclosures, opt-out mechanisms, and data handling practices.
Evaluates command-line interface quality — command structure, help text, exit codes, error handling, I/O conventions, and distribution readiness.
Structural maintainability assessment of your codebase — how easily a developer can understand, modify, and extend the project.
TypeScript strictness, test coverage, dependency health, and common anti-pattern detection for AI-generated codebases.
Evaluates user-generated content moderation, spam prevention, report/block systems, content policies, and abuse detection mechanisms.
Assesses profile visibility settings, content privacy, data export, account deletion, consent management, and user control over their data.
Evaluates WebSocket/SSE implementation, message delivery reliability, presence indicators, connection handling, and real-time UX.
Assesses user profiles, follow/connection systems, activity feeds, notification management, and engagement patterns.
Audits the engineering of compliance systems — consent storage schema, opt-out processing pipeline, GDPR/CCPA data subject rights implementation, and compliance audit trails for email campaign platforms.
Cookie consent requirements under ePrivacy Directive and emerging US expectations covering banner UX, consent enforcement, cookie classification, and transparency.
Children's Online Privacy Protection Act compliance covering age determination, parental consent, data minimization for children, and operator obligations.
GDPR and privacy compliance review covering data collection, consent mechanisms, retention policies, and PII handling.
Validates email address quality, deduplication logic, data freshness management, and suppression list architecture for email campaign systems.
Audits how contact data enters the system — from scraping, APIs, purchased lists, form submissions, and referrals. Validates provenance tracking, legal sourcing practices, and ingestion pipeline reliability.
Evaluates database schema design, query patterns, migration safety, access control, backup strategy, and operational monitoring for SQL databases.
Comprehensive deliverability audit covering DNS authentication (SPF, DKIM, DMARC), IP/domain warm-up automation, sending reputation management, ISP-specific throttling, and bounce/feedback loop processing for email campaign systems.
Third-party dependency assessment covering security vulnerabilities, maintenance health, and license compliance.
Pre-launch deployment checklist covering CI/CD pipeline health, monitoring setup, rollback strategy, and production configuration.
Evaluates consumer-facing developer documentation — README quality, API reference completeness, code examples, and maintenance practices.
Evaluates structured data markup, data model quality, image handling, data freshness signals, and content completeness.
Evaluates map component implementation, geocoding, marker management, location-based search, and directions/routing.
Evaluates search implementation quality, filter/facet UX, sorting, pagination, URL-synced state, and empty state handling.
Evaluates submission forms, moderation workflow, spam prevention, claim/edit flows, and content policies.
Evaluates shopping cart persistence, item management UX, checkout flow efficiency, form handling, and order clarity across desktop and mobile devices.
Validates product data model integrity, variant/option handling, pricing logic correctness, inventory tracking accuracy, and product discoverability through search and filters.
Validates order state machine transitions, status tracking and history, cancellation and refund flows, notification triggers at each lifecycle stage, and admin order management capabilities.
Evaluates code-level payment implementation security covering Stripe/payment provider SDK usage, client-side tokenization, webhook verification, fraud prevention patterns, and payment error handling.
Assesses infrastructure and compliance posture for cardholder data environments including network segmentation, access controls, encryption, vulnerability management, and PCI DSS monitoring alignment.
Validates review collection UX, display patterns, content moderation practices, and schema markup for aggregate ratings to build trust without compromising data integrity.
Validates shipping rate calculation accuracy, delivery estimation, tax computation (sales tax/VAT), regional compliance, and tax transparency in checkout and order confirmation.
CAN-SPAM Act and TCPA compliance for commercial emails and text messages covering unsubscribe mechanisms, sender identity, consent, and content delivery rules.
Deep inspection of environment variable handling, secrets storage patterns, and runtime configuration security.
Error boundary coverage, structured logging, graceful degradation patterns, and external dependency failure handling.
Assesses data collection practices, privacy disclosures, storage security, third-party data sharing, and compliance with browser store privacy requirements.
Evaluates manifest permissions scope, content security policy, content script isolation, message passing security, and host permission minimization to ensure the principle of least privilege.
Assesses store listing completeness, policy compliance, screenshot quality, update strategy, and review preparation for Chrome Web Store submission.
Evaluates popup responsiveness, badge/notification usage, loading states, extension bundle size, memory usage, and integration with browser UX conventions.
Evaluates immutable transaction logging, balance reconciliation, regulatory retention compliance, tamper evidence, and audit report generation.
Evaluates fee transparency, APR and rate disclosures, terms presentation, consumer protection notices, and regulatory compliance content.
Evaluates data-at-rest and data-in-transit encryption, key management, certificate handling, algorithm selection, and PCI DSS encryption requirements.
Evaluates currency and amount input validation, account number format enforcement, calculation accuracy, rounding rules, and financial math edge cases.
Evaluates session inactivity timeouts, step-up authentication for sensitive operations, concurrent session controls, session fixation prevention, and device trust.
FTC consumer protection rules covering truthful advertising, endorsement disclosures, dark pattern prevention, and AI transparency practices.
EU General Data Protection Regulation compliance covering lawful basis, user rights (DSAR), consent management, data processing agreements, and breach accountability.
Generative Engine Optimization assessment covering AI crawler access, content citability, authority signals, and AI-readable structure — evaluates whether AI systems can find, understand, and cite your content.
Requirements-to-implementation comparison revealing feature gaps, scope creep, and mismatches between original specifications and what was built.
Evaluates code-level controls aligned with CMMC Level 1 (FAR 52.204-21) — access control, identification and authentication, system protection, communications security, and information integrity for projects handling Federal Contract Information (FCI).
Evaluates frontend security controls aligned with NIST 800-53, authentication strength, audit logging, continuous monitoring readiness, and incident response documentation.
Evaluates WCAG 2.1 AA compliance, Section 508 E-series requirements, assistive technology compatibility, document accessibility, and VPAT readiness for government web applications.
Evaluates 21st Century IDEA Act compliance, plain language usage, required pages and links, USWDS pattern alignment, and digital analytics readiness.
Container, Kubernetes, and network security review covering image hardening, RBAC, network policies, and supply chain integrity.
Foundational legal page compliance covering required legal pages, content clarity, and accessibility requirements for every web application.
Advanced SEO signals assessment covering structured data, content optimization, and technical SEO factors that separate adequate sites from ones that rank.
Analytics and tracking implementation assessment covering setup correctness, conversion-critical event tracking, and privacy-respecting data collection.
Marketing site content quality assessment covering language clarity, structure, value proposition, and visitor messaging completeness.
Conversion optimization assessment covering CTA effectiveness, form design, trust signals, and conversion infrastructure quality.
Local SEO readiness assessment covering local schema, NAP consistency, business information, and local relevance signals.
Deep performance analysis for marketing sites, covering Core Web Vitals, resource optimization, and loading strategy impact on bounce rate and conversion.
Social sharing infrastructure assessment covering Open Graph metadata, platform-specific cards, and sharing mechanics for content appearance.
Evaluates MCP server implementations — tool definitions, transport protocol compliance, error handling, security boundaries, and capability negotiation.
Assesses React Navigation setup, deep link handling, universal/app links, back button behavior, and navigation state persistence.
Validates local data persistence, offline-first patterns, data synchronization, cache management, and secure storage mechanisms.
Evaluates runtime permission requests, privacy manifest compliance, data handling disclosures, and graceful degradation when a permission is denied.
Mobile responsiveness assessment across phones, tablets, and screen sizes, covering viewport configuration, responsive layouts, touch-friendly sizing, and mobile UX patterns.
Checks app icons, splash screens, app metadata, build configuration, version management, and store guideline compliance.
Evaluates touch targets, safe areas, keyboard handling, platform-specific conventions, gestures, and responsive layout for varying screen sizes.
Audits monitoring, alerting, failure recovery, capacity planning, and incident response for email campaign systems — covers ESP failover, queue resilience, database backups, and deliverability incident runbooks.
Core Web Vitals-focused performance review covering loading, rendering, image optimization, and resource hints.
Advanced performance analysis covering bundle composition, caching strategy, runtime bottlenecks, and third-party script impact.
Core web performance assessment targeting load time and user experience, covering image optimization, bundle sizing, code splitting, caching, and rendering strategies.
Evaluates plugin and extension system quality — hook lifecycle, isolation boundaries, versioning contracts, and documentation for plugin authors.
Production readiness checklist covering infrastructure, legal compliance, user-facing essentials, monitoring, and backup verification.
API design quality assessment covering naming consistency, HTTP semantics, request/response shape, security controls, and developer experience.
Production-ready authentication assessment covering session management, login flow security, password handling, and OAuth integrations.
Authorization layer assessment covering access control, resource authorization, API permissions, and admin boundary enforcement.
Secure payment and billing assessment covering payment security, subscription management, pricing enforcement, and customer billing experience.
Error handling assessment covering exception handling, error reporting, user-facing error messages, and graceful degradation patterns.
Application logging and monitoring assessment covering activity logging, health monitoring, audit trails, and observability signals.
Multi-tenant data isolation assessment covering tenant boundary enforcement across all layers and safe shared resource management.
New user guidance assessment covering signup flow, first-run experience, activation, and onboarding effectiveness.
Evaluates the quality of published SDK and npm packages — exports configuration, type safety, tree-shaking, bundle size, documentation, and semver compliance.
Comprehensive security review covering auth, data validation, secrets management, transport security, and error handling.
Foundational security assessment covering HTTP security headers, transport security configuration, and basic security hygiene to protect against common web attacks.
Advanced security header configuration quality — evaluates whether headers are configured correctly, not just present. Sequel to Security Headers & Basics.
Audits email sending infrastructure including queue architecture, ESP integration patterns, template rendering security, retry strategies, and failure isolation for campaign systems.
Technical SEO deep dive covering Core Web Vitals impact, JavaScript rendering, international SEO, and advanced structured data.
Baseline SEO review covering meta tags, structured data, crawlability, and indexability for vibe-coded projects.
Remote health check for any live website — evaluates security headers, SEO basics, performance signals, accessibility, and trust indicators using only the public HTTP response. No code access needed.
FTC click-to-cancel rule and state auto-renewal law compliance covering pre-purchase disclosure, enrollment consent, cancellation mechanisms, and renewal notifications.