ASAASA Standard

Safety Checks

32 automated safety checks across two active layers: Production Foundation (24) and Slice Architecture (8).

Active Phase 132 checks
Not in Phase 117 additional

Production Foundation

24 checks

Protects auth, billing, admin, and environment configuration. View layer →

Billing Safety

BIL-09Billing State Integrity
P1
BIL-17PCI Raw Card Data Safety
P0
BIL-14Stripe Checkout Must Be Server-Initiated
P0
BIL-01Stripe Secret Key Exposure
P0
BIL-16Never Fulfill on success_url
P0
BIL-02, BIL-03, BIL-04Stripe Webhook Safety
P0

Auth Safety

AUTH-13getUser() vs getSession()
P0
AUTH-05NEXT_PUBLIC_ Secret Exposure
P0
AUTH-01service_role Key Exposure
P0
AUTH-02, AUTH-03Supabase RLS Safety
P0
AUTH-14Unsafe Code Patterns (eval, dangerouslySetInnerHTML)
P0

Admin Safety

ADM-08Exposed Debug & Admin Routes
P0
ADM-11Hardcoded Admin Credentials
P0

Foundation

ENV-01, ENV-02Environment Configuration Safety
P1
ERR-01Global Error Boundary
P1
CFG-01TypeScript Strict Mode
P1

Cross-Module

AUTH-06, AUTH-11, ADM-01, ADM-02Server-Side Auth for Protected Routes

Slice Architecture

8 checks

Protects structural boundaries, isolation, and complexity. View layer →

ARCH-01, ARCH-02, ARCH-03, ARCH-04, ARCH-05, ARCH-06ASA Architecture — Domain Slices & Boundaries
P0
STR-01, STR-02CI/CD Pipeline & Test Infrastructure
P1

Business Logic Protection

Planned

This layer protects critical product flows — it is not a test category. Scenario definition and E2E coverage are the planned enforcement model for future phases.

Learn more →

Additional Checks

Not in Phase 1

These checks exist in the broader registry but are not part of Phase 1 public results. They are being validated for future inclusion.

AUTH-24Account Enumeration Prevention
ADM-04Audit Log for Admin Actions
ADM-06, ADM-09, ADM-18, ADM-21Admin Governance & Destructive Action Safety
ADM-13MFA for Admin Roles
AUTH-23, AUTH-27Auth Hardening Essentials
BIL-10, BIL-18, BIL-24Billing Operations & Reconciliation
BIL-23Card Testing Protection
ADM-03No Client-Side-Only Role Checks
AUTH-22, ADM-19CSRF & Mutation Safety
ADM-20Data Export Controls
AUTH-07Session Tokens in httpOnly Cookies
AUTH-19Multi-Tenant Data Isolation
AUTH-09, ADM-14Rate Limiting for Auth & Admin
AUTH-18, ADM-05RBAC & Role Claims Design
AUTH-16, AUTH-25, AUTH-26Session & Token Safety
BIL-15Stripe Price ID Tampering
ADM-07UUIDs Not Sequential IDs

Methodology

Benchmark Methodology

Check results are a point-in-time assessment. A passing result does not mean the application is free of vulnerabilities. Not a certification. Not a security audit.