The Complete Guide
Trust Score
A single letter grade — A to F — that tells you whether your app's critical foundation is safe for real users with real money.
Why billing, auth, and admin?
AI tools generate code that works in development but skips critical safety patterns — webhook verification, row-level security, server-side auth checks. These gaps are invisible until a real user exploits them.
Auth, billing, and admin are the three layers where these gaps cause immediate, measurable damage:
🔐Auth failures expose user data
A missing RLS policy means any logged-in user can read another user's data. A client-side auth check means any developer tool can bypass it. These gaps are invisible until someone exploits them.
Data breach, GDPR violation, user trust loss
💰Billing failures cause revenue loss
An unverified webhook means a failed payment still triggers subscription activation. A client-side price check means users can buy at $0. These failures only show up in your bank account.
Revenue fraud, chargebacks, Stripe account suspension
👥Admin failures enable privilege escalation
An unprotected admin route means any user can access admin functions by guessing the URL. A hardcoded admin credential means one leaked env file compromises everything.
Unauthorized admin access, data manipulation, business disruption
AI tools generate code for the happy path. They don't think about what happens when the payment fails, the token is stolen, or the admin URL is guessed.
What Trust Score measures
24 automated safety checks across auth, billing, and admin. A hard gate blocks grade A if any critical (P0) check fails. Architecture checks are measured separately by the AI Chaos Index.
💰 Billing Safety: 8 checks
🔐 Auth Safety: 8 checks
Trust Score measures Production Foundation — the ASA layer that protects auth, billing, admin, and environment safety. Based on the ASA Standard.
Grade scale
| Grade | Score | What it means |
|---|---|---|
| A | 90–100 | Your app meets production safety standards. Ship with confidence. |
| B | 80–89 | Almost production-ready. A few improvements needed before scaling. |
| C | 70–79 | Significant gaps found. Fix before accepting paying users. |
| D | 55–69 | High risk. Multiple critical issues. Do not launch without intervention. |
| F | 0–54 | Critical failures across modules. Immediate expert review needed. |
Hard gates
Any P0 (Critical Security Risk) failure blocks grade A — regardless of numeric score. Examples: Stripe secret key in client code, service_role key exposed, admin panel with no auth. Three or more P0 failures cap the grade at F.
How it differs from code quality tools
| | Code quality tools (ESLint, SonarQube) | Trust Score (Vibecodiq) |
|---|---|---|
| Measures | Style, complexity, duplication | Billing, auth, admin safety |
| Scope | File-level patterns | System-level: payment flows, access control, data boundaries |
| Predicts | Code maintainability | Revenue fraud, data breaches, unauthorized access |
| AI-specific | No — same checks for any code | Yes — designed for Lovable, Bolt, Cursor, Replit codebases |
| Detects | Code smells and style issues | Missing webhook verification, exposed API keys, no RLS |
How to get your Trust Score
Free — Run it yourself
Paste your GitHub URL or run npx @vibecodiq/cli scan locally. 32 safety checks. Results in seconds. No code leaves your machine.
Launch Readiness Assessment — $295
Expert-validated Trust Score + full findings report + AI Chaos Index + Fix vs Rebuild recommendation. 48h delivery.
Methodology
The Trust Score is based on the ASA Standard — an open architecture standard for AI-generated codebases.
The scoring formula:
Trust Score = 100 - deductions
P0 failure (Critical) = -5 points each
P1 failure (Important Gap) = -3 points each
P2 failure (Recommended) = -2 points each
Hard gate: any P0 failure blocks grade A
The methodology is deterministic — the same codebase always produces the same score. No AI interpretation, no subjective judgment.
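The formula above, worked through as an added JavaScript example (not Vibecodiq's scanner): it applies the per-severity deductions, the bands from the grade scale, and the two hard gates. The page does not say which grade a single P0 failure produces when the numeric score is in the A range; the code assumes it drops to B and marks that as an assumption. The sample findings are constructed, using the P0 examples the page lists.

```javascript
// Deductions per failed check, from the Methodology section.
const DEDUCTION = { P0: 5, P1: 3, P2: 2 };

// Grade bands from the grade scale table.
function gradeFromScore(score) {
  if (score >= 90) return 'A';
  if (score >= 80) return 'B';
  if (score >= 70) return 'C';
  if (score >= 55) return 'D';
  return 'F';
}

// findings: failed checks, each { check, severity } with severity P0/P1/P2.
function trustScore(findings) {
  let deductions = 0;
  let p0Failures = 0;
  for (const f of findings) {
    const d = DEDUCTION[f.severity];
    if (d === undefined) throw new Error(`unknown severity: ${f.severity}`);
    deductions += d;
    if (f.severity === 'P0') p0Failures += 1;
  }
  // Score is 100 minus deductions, floored at the bottom of the F band.
  const score = Math.max(0, 100 - deductions);
  let grade = gradeFromScore(score);
  // Hard gates: three or more P0 failures cap the grade at F; any P0 blocks A.
  // Assumption (not stated on the page): a blocked A becomes B.
  if (p0Failures >= 3) grade = 'F';
  else if (p0Failures >= 1 && grade === 'A') grade = 'B';
  return { score, grade, deductions, p0Failures };
}

// Constructed sample scan results. The P0 checks are the examples the page
// gives for hard gates; the P1/P2 entries are placeholders.
const SAMPLE_CLEAN = [];
const SAMPLE_ONE_P0 = [
  { check: 'Stripe secret key in client code', severity: 'P0' },
  { check: 'example important gap', severity: 'P1' },
];
const SAMPLE_THREE_P0 = [
  { check: 'Stripe secret key in client code', severity: 'P0' },
  { check: 'service_role key exposed', severity: 'P0' },
  { check: 'admin panel with no auth', severity: 'P0' },
];

console.log(trustScore(SAMPLE_CLEAN));     // score 100, grade A
console.log(trustScore(SAMPLE_ONE_P0));    // score 92, gated to B
console.log(trustScore(SAMPLE_THREE_P0));  // score 85, capped at F
```

The three samples show why the numeric score alone is not the grade: a single P0 leaves the score at 92 but blocks A, and three P0s leave the score at 85 (a B by the table) yet the grade is F.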
Trust Score evaluates billing, auth, and admin production-readiness patterns detected at scan time. It is a limited-scope assessment based on the covered scope, not a guarantee, certification, or full security audit.
What's your Trust Score?
Find out in seconds with the free scan. Or get expert analysis with a Launch Readiness Assessment.