Stack Scan (project-snapshot)

project-snapshot · tx-project-snapshot

Synthetic taxon carrying the 35 patterns extracted from the Stack Scan free-tier audit (project-snapshot).

Stack Scan (project-snapshot)

This taxon exists because the Stack Scan free-tier audit covers ten distinct domains (secrets, auth, injection, data exposure, legal, accessibility, SEO, performance, error handling, code quality) at shallow depth. Each of the 35 patterns is load-bearing only inside the Stack Scan composite — they are mile-wide/inch-deep by design, and each category maps to a dedicated Pro audit that covers the domain in depth.

Patterns in this taxon are NOT intended to be imported into other bundles. The deep coverage lives in the matching Pro audit (security-hardening, saas-authentication, etc.).

Patterns in this taxon (35)

.env files are gitignored
ab-002565 · project-snapshot
critical
API errors return structured JSON
ab-002596 · project-snapshot
medium
API routes have authentication
ab-002577 · project-snapshot
high
Cookie consent banner present when tracking is in use
ab-002581 · project-snapshot
medium
CORS is not wildcard in production
ab-002576 · project-snapshot
medium
Form inputs have labels
ab-002585 · project-snapshot
medium
Has error boundary at root layout
ab-002595 · project-snapshot
high
Images have alt text
ab-002584 · project-snapshot
high
Images have explicit dimensions
ab-002593 · project-snapshot
low
Meta descriptions are present
ab-002588 · project-snapshot
medium
No API keys or secrets hardcoded in source
ab-002566 · project-snapshot
critical
No console.log statements in production source
ab-002598 · project-snapshot
medium
No dangerouslySetInnerHTML with user input
ab-002573 · project-snapshot
high
No error swallowing
ab-002594 · project-snapshot
high
No NODE_ENV-based auth bypass
ab-002572 · project-snapshot
medium
No PII files in client bundle / public directory
ab-002578 · project-snapshot
critical
No render-blocking third-party scripts
ab-002591 · project-snapshot
high
No service-role/secret keys exposed via PUBLIC_ prefix
ab-002568 · project-snapshot
high
No source maps served in production
ab-002579 · project-snapshot
low
No SQL string concatenation
ab-002575 · project-snapshot
high
No TODO/FIXME/HACK blocking comments in production code
ab-002597 · project-snapshot
high
Only PUBLIC_-prefixed env vars referenced from client code
ab-002567 · project-snapshot
high
Privacy policy page exists and is linked
ab-002582 · project-snapshot
medium
Production error pages don't leak stack traces
ab-002580 · project-snapshot
info
Protected routes have auth guards
ab-002571 · project-snapshot
critical
README.md exists with project description
ab-002599 · project-snapshot
info
robots.txt is present
ab-002590 · project-snapshot
low
security.txt present at /.well-known/security.txt
ab-002583 · project-snapshot
low
Session cookies use httpOnly + Secure + SameSite
ab-002570 · project-snapshot
critical
sitemap.xml is generated
ab-002589 · project-snapshot
low
Skip-to-content link present
ab-002586 · project-snapshot
low
Static assets are compressed (build config enables it)
ab-002592 · project-snapshot
medium
Supabase Row-Level Security is not disabled
ab-002569 · project-snapshot
critical
Title tags are present and non-default
ab-002587 · project-snapshot
medium
User input is validated before use
ab-002574 · project-snapshot
high