ASAASA Standard
Active Phase 124 checks

Production Foundation

Protects the systems that must not fail in production: authentication, billing, admin access, environment safety, and deployment configuration.

What It Protects

AI tools generate code for the happy path. They build login forms, checkout flows, and admin panels that work in development. But they skip the safety checks that matter in production: Is the session verified server-side? Is the webhook signature checked? Can any user access admin routes by guessing the URL?

Production Foundation defines what "safe" means for these critical systems.

What Typically Breaks

Auth failures expose user data

Missing RLS policies, client-side-only auth checks, service_role key in client code. These gaps are invisible until exploited.

Billing failures cause revenue loss

Unverified webhooks, client-side checkout, fulfillment on success_url. These failures only show up in the bank account.

Admin failures enable privilege escalation

Unprotected admin routes, hardcoded credentials, exposed debug endpoints. Any user can access admin functions.

Foundation gaps create deployment failures

Missing .env.example, committed secrets, no TypeScript strict mode, no error boundary.

Phase 1 Checks

24 automated checks across four modules. Each has a defined threat thesis and binary PASS/FAIL result.

Auth Safety (8 checks)

AUTH-01service_role key not in client code
P0
AUTH-02RLS enabled on all tables
P0
AUTH-03RLS policies have WITH CHECK
P0
AUTH-05No secrets with NEXT_PUBLIC_ prefix
P0
AUTH-06Protected routes redirect unauthenticated
P1
AUTH-11Client/server auth separation
P0
AUTH-13getUser() not getSession() for server-side
P0
AUTH-14No eval() or dangerouslySetInnerHTML with user data
P0

Billing Safety (8 checks)

BIL-01Stripe secret key not in client code
P0
BIL-02Webhook signature verification
P0
BIL-03Raw body preservation in webhook
P0
BIL-04Idempotent webhook processing
P1
BIL-09No client-side billing state as source of truth
P1
BIL-14Checkout flow is server-initiated
P0
BIL-16Never fulfill on success_url
P0
BIL-17PCI raw card data safety
P0

Admin Safety (4 checks)

ADM-01Admin endpoints have server-side auth
P0
ADM-02Admin routes not accessible without auth
P0
ADM-08No unprotected debug/admin routes
P0
ADM-11No hardcoded admin credentials
P0

Foundation Safety (4 checks)

ENV-01.env.example exists
P1
ENV-02No secrets in committed .env
P0
CFG-01TypeScript strict mode
P1
ERR-01Global error boundary exists
P1

Relationship to Trust Score

Trust Score is the primary metric for Production Foundation. It measures how many safety checks the app passes.

GradeScoreMeaning
A90–100Low risk — no critical gaps in covered scope
B80–89Moderate risk — minor gaps, fix before scaling
C70–79Elevated risk — significant gaps in 1+ modules
D55–69High risk — critical issues found
F0–54Critical risk — major gaps across modules

Trust Score is a point-in-time assessment. It is not a certification, security audit, or guarantee of production safety.

What This Layer Does Not Cover