Taxons

Authentication, authorization, session lifecycle, and request-scoped authority decisions — the decision layer of "who can do what".

WCAG conformance — perceivable, operable, understandable, robust — plus ARIA correctness, keyboard navigation, and assistive-technology support.

Type safety, test validity, naming conventions, dead code, documentation accuracy, and general maintainability of code that exists and resolves.

Accuracy, completeness, and trustworthiness of user-facing copy — claims truth, disclosure completeness, trust signals, marketing accuracy.

Server-side resource-consumption bounds — pagination, rate limits, retry caps, timeouts, token budgets, agentic-loop iteration caps, file-size limits.

Cryptographic material — algorithm choice, key lifecycle, secret storage, transport, certificate validation, and randomness.

Persistence correctness, schema and migration safety, tenant isolation at the record layer, retention, deletion mechanics, and backup/restore viability.

Internal consistency across a codebase — redundant or conflicting libraries, dual ORMs, dual auth, dual HTTP clients, split state systems, mixed module systems.

Error handling paths, retry and backoff logic, circuit breakers, graceful degradation, fallback behavior, and crash-recovery.

How indexers, crawlers, and generative engines extract and surface content — SEO, GEO, structured data, sitemaps, canonicals, crawlability.

The contract between a caller and an AI / model service — prompt structure, output validation, tool-call contracts, RAG correctness, and system-prompt protection.

Untrusted input reaching a sensitive interpreter or sink — SQL, command, template, deserialization, SSRF, XSS, and upstream validation gaps.

Structured logging, metrics, tracing, alerting, and incident-response coverage — the visibility layer for operators and responders.

Deployment correctness, environment and configuration hygiene, infrastructure hardening, health checks, runbook readiness, and rollback capability.

User-perceived latency and responsiveness — Core Web Vitals, bundle size, rendering path, network waterfall, and request-path DB efficiency.

Scaffolding, stubs, mock data, debug bypasses, and placeholder credentials that survived to production — code that runs but wasn't meant to.

User-facing privacy rights — consent capture, lawful basis, data-subject requests, tracking opt-outs, and disclosure obligations to the individual.

Symbols, imports, URLs, routes, tables, columns, env vars, or assets that are referenced but do not resolve.

Industry-mandated control sets — PCI, HIPAA, FISMA, FedRAMP, CMMC, SOC2, ISO 27001, Section 508 — where the defect is *non-conformance to a named framework*.

Third-party dependency integrity, build-pipeline trust, and artifact provenance — defects ingested from outside the first-party codebase.

Interaction patterns, form design, onboarding flows, mobile gesture correctness, navigation clarity, notifications, empty states — the behavior layer above the accessibility baseline.