Security Implementation Validation Audit

ai-slop-security-theater · v1.0.1 · paid

Catches security controls that are imported, configured, or defined but never actually wired up — the unique AI failure mode of code that looks secure but isn't. Strictly focused on the gap between declaring a security control and applying it.

Defined-but-Unenforced Validation

unenforced-validation · weight 0.28

Validation schemas have at least one runtime use
ab-000275
critical
Mutating routes validate input before processing
ab-000276
high
Validation runs before database writes
ab-000277
high
Validation failures return useful error responses
ab-000278
low

Imported-but-Unapplied Middleware

unapplied-middleware · weight 0.3

Helmet security middleware imported is actually applied
ab-000279
high
CSRF protection imported is actually applied
ab-000280
high
Rate limiting middleware imported is actually applied
ab-000281
high
CORS is explicitly configured (not relying on framework defaults)
ab-000282
medium
At least one security middleware export is detected
ab-000283
info

Configured-but-Unbound Auth

unbound-auth · weight 0.25

Protected route handlers call a session getter
ab-000284
critical
Session-getter failures return early without executing protected logic
ab-000285
high
OAuth state parameter is validated when handler is hand-rolled
ab-000286
low
Imported security libraries are actually used
ab-000287
info

Half-Wired Crypto

half-wired-crypto · weight 0.17

JWT verification uses .verify() not just .decode()
ab-000288
critical
Encryption keys are read from env, not hardcoded
ab-000289
medium
Password hashes use bcrypt or argon2 (not raw crypto)
ab-000290
medium