Business Logic Protection
Business Logic Protection is not a test category. It is the protection of critical product flows, with E2E testing as its primary enforcement mechanism.
What It Protects
Business Logic Protection guards the flows that define what the product actually does — the sequences of steps that make the app valuable to its users.
Every product has critical flows: onboarding, checkout, subscription management, booking, approval, fulfillment. These flows are what the founder built the product for. When they break, the product stops working — not in a security sense, but in a "the thing I'm selling no longer does what it's supposed to do" sense.
Production Foundation protects the infrastructure these flows run on. Slice Architecture protects the structure they're built within. Business Logic Protection protects the flows themselves.
Why It Matters
AI tools are excellent at generating individual features. They struggle with preserving the relationships between features over time.
A checkout flow that worked yesterday can break today because an AI-assisted change to the subscription model accidentally removed a validation step. A booking flow can silently stop sending confirmation emails because a refactor moved the notification call.
These regressions are invisible to infrastructure checks. Auth is fine. Billing is secure. Architecture is clean. But the product no longer does what the user expects.
How It Will Be Enforced
1. Critical Flow Identification
Map the product's most important user flows. Not every flow — only the ones where failure means the product stops delivering value.
2. Scenario Definition
For each critical flow, define the expected behavior as testable scenarios: inputs, expected outcomes, side effects, and error conditions.
3. Continuous Verification
Enforce scenarios through automated end-to-end tests in CI/CD. In a mature implementation, no release should pass CI without critical flow tests passing.
Current Status
Planned — not active in Phase 1
Business Logic Protection is part of the ASA model but does not yet have automated checks in the Phase 1 check registry. Today, business logic protection is best achieved through manual scenario mapping, Playwright or Cypress E2E tests per critical flow, and CI/CD gates that require passing E2E tests before deploy.
Relationship to Other Layers
| Layer | What it protects | Example failure |
|---|---|---|
| Production Foundation | Infrastructure safety | Webhook accepts forged events |
| Business Logic Protection | Product flow correctness | Checkout no longer sends confirmation email |
| Slice Architecture | Structural stability | Change to auth slice breaks billing slice |
What This Layer Does Not Cover
- Authentication, billing, or admin safety (Production Foundation)
- Code structure, boundaries, or coupling (Slice Architecture)
- Performance, availability, or scalability
- UI/UX correctness or visual regression
- General QA discipline — this layer focuses on protection of founder-critical flows, not overall test coverage