The Complete Guide
Trust Score
A single letter grade — A to F — that tells you whether your app's critical foundation is safe for real users with real money.
What Trust Score measures
24 automated safety checks across auth, billing, and admin. A hard gate blocks grade A if any critical (P0) check fails. Architecture checks are measured separately by the AI Chaos Index.
💰 Billing Safety
8 checks
| ID | Check | Severity | Remediation |
|---|---|---|---|
| BIL-01 | Stripe secret key not in client | critical | review |
| BIL-02 | Webhook signature verification | critical | review |
| BIL-03 | Raw body preservation in webhook | important | autofix |
| BIL-04 | Idempotent webhook processing | important | review |
| BIL-09 | No client-side billing state | important | review |
| BIL-14 | Server-initiated checkout | important | review |
| BIL-16 | Webhook-only fulfillment | important | review |
| BIL-17 | PCI raw card data safety | important | autofix |
🔐 Auth Safety
8 checks
| ID | Check | Severity | Remediation |
|---|---|---|---|
| AUTH-01 | service_role key not in client | critical | review |
| AUTH-02 | RLS enabled on all tables | critical | review |
| AUTH-03 | RLS policies have WITH CHECK | critical | review |
| AUTH-05 | No secrets with NEXT_PUBLIC_ | critical | review |
| AUTH-06 | Protected routes redirect | recommended | review |
| AUTH-11 | Client/server auth separation | important | review |
| AUTH-13 | getUser() not getSession() | critical | autofix, review |
| AUTH-14 | No eval() with user data | important | autofix, review |
👥 Admin + Foundation
8 checks
| ID | Check | Severity | Remediation |
|---|---|---|---|
| ADM-01 | Admin endpoints have server auth | important | review |
| ADM-02 | Admin routes not accessible without auth | important | review |
| ADM-08 | No unprotected debug routes | important | review |
| ADM-11 | No hardcoded admin credentials | critical | review |
| ENV-01 | .env.example exists | important | autofix |
| ENV-02 | No secrets in committed .env | critical | review |
| CFG-01 | TypeScript strict mode | important | autofix |
| ERR-01 | Global error boundary | important | autofix |
Label guide
The severity label is the priority tier used in scoring: critical = P0, important = P1, recommended = P2. The second label is the remediation mode: autofix marks a check for which an automatic fix is offered, review marks a check whose fix needs a manual review of the flagged code; AUTH-13 and AUTH-14 carry both.
Trust Score measures Production Foundation — the ASA layer that protects auth, billing, admin, and environment safety. Based on the ASA Standard.
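How a client-exposure check of the kind listed above (BIL-01, AUTH-01, AUTH-05) can work, as an added example that is not Vibecodiq's scanner: a heuristic that reads a .env file and reports secret-shaped values, separating values that the NEXT_PUBLIC_ prefix inlines into the browser bundle from server-only ones. The sample .env and the JWTs in it are constructed, and the mapping of findings to check IDs is my own reading of the check names, not the tool's logic.

```typescript
// Added example, not Vibecodiq's scanner: flag secret-shaped values in a .env file and
// say whether the NEXT_PUBLIC_ prefix would ship them to the browser.

interface Finding {
  variable: string;
  kind: string;           // what the value looks like
  clientExposed: boolean; // NEXT_PUBLIC_ values are inlined into the client bundle
  checks: string[];       // Trust Score checks the finding corresponds to (my mapping)
}

// Supabase's anon and service_role keys are both JWTs and differ only in the `role`
// claim, so a prefix match cannot tell them apart; the payload has to be decoded.
function decodeJwtRole(token: string): string | undefined {
  const parts = token.split(".");
  if (parts.length !== 3) return undefined;
  try {
    const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
    return typeof payload.role === "string" ? payload.role : undefined;
  } catch {
    return undefined;
  }
}

function classifySecret(value: string): string | undefined {
  if (/^[sr]k_(live|test)_/.test(value)) return "Stripe secret key";
  if (value.startsWith("whsec_")) return "Stripe webhook signing secret";
  if (decodeJwtRole(value) === "service_role") return "Supabase service_role key";
  return undefined; // publishable keys (pk_*), anon-role JWTs and URLs are meant to be public
}

function scanEnv(envText: string): Finding[] {
  const findings: Finding[] = [];
  for (const rawLine of envText.split("\n")) {
    const line = rawLine.trim();
    if (line === "" || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    const variable = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim().replace(/^(["'])(.*)\1$/, "$2"); // strip quotes
    const kind = classifySecret(value);
    if (kind === undefined) continue;
    const clientExposed = variable.startsWith("NEXT_PUBLIC_");
    const checks: string[] = [];
    if (clientExposed) {
      checks.push("AUTH-05");
      if (kind.startsWith("Stripe secret")) checks.push("BIL-01");
      if (kind.startsWith("Supabase")) checks.push("AUTH-01");
    }
    findings.push({ variable, kind, clientExposed, checks });
  }
  return findings;
}

function clientExposedSecrets(envText: string): string[] {
  return scanEnv(envText).filter(f => f.clientExposed).map(f => f.variable);
}

// Constructed sample key: a JWT built here with a dummy signature, not a real Supabase key.
function fakeSupabaseKey(role: string): string {
  const b64 = (s: string) => Buffer.from(s).toString("base64url");
  return `${b64('{"alg":"HS256","typ":"JWT"}')}.${b64(JSON.stringify({ iss: "supabase", role }))}.sig`;
}

// Constructed sample .env: two of the six variables leak a secret to the client.
const SAMPLE_ENV = [
  "# constructed sample .env",
  "NEXT_PUBLIC_SUPABASE_URL=https://example.supabase.co",
  `NEXT_PUBLIC_SUPABASE_ANON_KEY=${fakeSupabaseKey("anon")}`,
  `NEXT_PUBLIC_SUPABASE_SERVICE_KEY=${fakeSupabaseKey("service_role")}`,
  "NEXT_PUBLIC_STRIPE_KEY=sk_test_constructed000",
  'STRIPE_SECRET_KEY="sk_live_constructed000"',
  "STRIPE_WEBHOOK_SECRET=whsec_constructed000",
].join("\n");

console.log(scanEnv(SAMPLE_ENV));
console.log(clientExposedSecrets(SAMPLE_ENV)); // the two NEXT_PUBLIC_ leaks
```

The server-only secrets in the sample are reported too but carry no check ID here: whether they also trip ENV-02 depends on whether the file is committed, which the file contents alone cannot tell you.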
Grade scale & scoring
Trust Score = 100 - deductions
critical failure (P0) = -5 points each
important failure (P1) = -3 points each
recommended failure (P2) = -2 points each
| Grade | Score | What it means |
|---|---|---|
| A | 90–100 | Production-ready. Ship with confidence. |
| B | 80–89 | Almost ready. A few improvements needed. |
| C | 70–79 | Significant gaps. Fix before accepting paying users. |
| D | 55–69 | High risk. Do not launch without intervention. |
| F | 0–54 | Critical failures. Immediate expert review needed. |
Hard gates
Any P0 (critical) failure blocks grade A — regardless of numeric score. Three or more P0 failures cap the grade at F.
Deterministic scoring — the same codebase always produces the same score. Based on the ASA Standard. Not a certification or full security audit.
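The scoring rules and hard gates above, written out as an added example (this is not Vibecodiq's implementation; the check list and severities are the ones in the tables above, and showing a gate-blocked A as a B is my assumption, since the page only says that A is blocked):

```typescript
// Added example: the published Trust Score rules as code. Not Vibecodiq's implementation.
type Severity = "critical" | "important" | "recommended"; // P0, P1, P2
type Grade = "A" | "B" | "C" | "D" | "F";

interface CheckResult {
  id: string;
  severity: Severity;
  passed: boolean;
}

const DEDUCTION: Record<Severity, number> = { critical: 5, important: 3, recommended: 2 };

// Trust Score = 100 - deductions, clamped at 0 (the bottom of the F band)
function trustScore(results: CheckResult[]): number {
  const deductions = results
    .filter(r => !r.passed)
    .reduce((sum, r) => sum + DEDUCTION[r.severity], 0);
  return Math.max(0, 100 - deductions);
}

function gradeForScore(score: number): Grade {
  if (score >= 90) return "A";
  if (score >= 80) return "B";
  if (score >= 70) return "C";
  if (score >= 55) return "D";
  return "F";
}

function trustGrade(results: CheckResult[]): { score: number; grade: Grade; p0Failures: number } {
  const score = trustScore(results);
  const p0Failures = results.filter(r => r.severity === "critical" && !r.passed).length;
  let grade = gradeForScore(score);
  if (p0Failures >= 3) {
    grade = "F"; // hard gate: three or more P0 failures cap the grade at F
  } else if (p0Failures >= 1 && grade === "A") {
    grade = "B"; // hard gate: any P0 failure blocks A. Assumption: the blocked A is shown as B
  }
  return { score, grade, p0Failures };
}

// The 24 checks with the severities from the tables above.
const SEVERITIES: Record<string, Severity> = {
  "BIL-01": "critical", "BIL-02": "critical", "BIL-03": "important", "BIL-04": "important",
  "BIL-09": "important", "BIL-14": "important", "BIL-16": "important", "BIL-17": "important",
  "AUTH-01": "critical", "AUTH-02": "critical", "AUTH-03": "critical", "AUTH-05": "critical",
  "AUTH-06": "recommended", "AUTH-11": "important", "AUTH-13": "critical", "AUTH-14": "important",
  "ADM-01": "important", "ADM-02": "important", "ADM-08": "important", "ADM-11": "critical",
  "ENV-01": "important", "ENV-02": "critical", "CFG-01": "important", "ERR-01": "important",
};

// Constructed scan results: every check passing, then the named checks flipped to failing.
function withFailures(failed: string[]): CheckResult[] {
  return Object.entries(SEVERITIES).map(([id, severity]) => ({ id, severity, passed: !failed.includes(id) }));
}

console.log(trustGrade(withFailures([])));                              // score 100, grade A
console.log(trustGrade(withFailures(["BIL-02"])));                      // score 95, gate blocks A
console.log(trustGrade(withFailures(["BIL-02", "AUTH-02", "ENV-02"]))); // score 85, gate caps at F
```

Note that the numeric score alone would put a single missing webhook signature check (BIL-02) in the A band at 95; the gate is what keeps it out.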
Why billing, auth, and admin?
AI tools generate code that works in development but skips critical safety patterns — webhook verification, row-level security, server-side auth checks. These gaps are invisible until a real user exploits them.
Auth, billing, and admin are the three layers where these gaps cause immediate, measurable damage:
🔐Auth failures expose user data
A missing RLS policy means any logged-in user can read another user's rows straight through the public API, whatever the UI hides. A client-side auth check means anyone with browser developer tools can bypass it.
Data breach, GDPR violation, user trust loss
💰Billing failures cause revenue loss
An unverified webhook means any POST that looks like a Stripe event is trusted, so a forged event, or a failed payment, still triggers subscription activation. A client-side price check means a user can edit the amount and buy at $0. These failures only show up in your bank account.
Revenue fraud, chargebacks, Stripe account suspension
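What BIL-02, BIL-03 and BIL-04 protect against, as an added example that is neither Vibecodiq's code nor Stripe's SDK: the signature check that Stripe's `constructEvent` performs, written out so the raw-body requirement is visible, followed by idempotent handling keyed on the event id. The endpoint secret, the event body and the timestamps are constructed.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Added example, not Vibecodiq's code or Stripe's SDK. Stripe signs `${t}.${rawBody}`
// with the endpoint secret (HMAC-SHA256, hex) and sends it as
// `Stripe-Signature: t=<unix seconds>,v1=<hex>`.
function computeSignature(secret: string, timestamp: number, rawBody: string): string {
  return createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest("hex");
}

function parseSignatureHeader(header: string): { t: number; v1: string[] } {
  const pairs = header.split(",").map(p => p.trim().split("="));
  const t = Number(pairs.find(([k]) => k === "t")?.[1]);
  const v1 = pairs.filter(([k]) => k === "v1").map(([, v]) => v ?? "");
  return { t, v1 };
}

// BIL-02: the body is only trusted if it carries a fresh HMAC under the endpoint secret.
function verifyStripeSignature(
  rawBody: string, header: string, secret: string, nowSeconds: number, toleranceSeconds = 300,
): boolean {
  const { t, v1 } = parseSignatureHeader(header);
  if (!Number.isFinite(t) || v1.length === 0) return false;
  if (Math.abs(nowSeconds - t) > toleranceSeconds) return false; // stale timestamp: replay
  const expected = Buffer.from(computeSignature(secret, t, rawBody), "hex");
  return v1.some(sig => {
    const given = Buffer.from(sig, "hex");
    return given.length === expected.length && timingSafeEqual(given, expected);
  });
}

type Outcome = "rejected" | "duplicate" | "processed";

// BIL-04: Stripe retries on any non-2xx response, so fulfilment is keyed on event.id.
// The Set stands in for a database table with a unique constraint on the event id.
function handleWebhook(
  rawBody: string, header: string, secret: string, nowSeconds: number, processed: Set<string>,
): Outcome {
  if (!verifyStripeSignature(rawBody, header, secret, nowSeconds)) return "rejected";
  const event = JSON.parse(rawBody) as { id: string; type: string };
  if (processed.has(event.id)) return "duplicate"; // retry of an event already fulfilled
  processed.add(event.id);
  // fulfilment (activate subscription, grant credits) would go here, driven by event.type
  return "processed";
}

// Constructed inputs. The spaces in RAW_BODY matter: a framework that parses the JSON and
// hands the handler a re-serialised object changes these bytes and the signature no longer
// matches (BIL-03).
const ENDPOINT_SECRET = "whsec_constructed_example";
const NOW = 1_700_000_000;
const RAW_BODY = '{"id": "evt_constructed_1", "type": "checkout.session.completed"}';
const SIGNED_HEADER = `t=${NOW},v1=${computeSignature(ENDPOINT_SECRET, NOW, RAW_BODY)}`; // as Stripe would send it

const seenEvents = new Set<string>();
console.log(handleWebhook(RAW_BODY, SIGNED_HEADER, ENDPOINT_SECRET, NOW, seenEvents)); // processed
console.log(handleWebhook(RAW_BODY, SIGNED_HEADER, ENDPOINT_SECRET, NOW, seenEvents)); // duplicate
console.log(handleWebhook(JSON.stringify(JSON.parse(RAW_BODY)), SIGNED_HEADER, ENDPOINT_SECRET, NOW, new Set())); // rejected
```

In a Next.js route handler the body has to reach this function as the exact bytes Stripe sent (`await request.text()` rather than a parsed JSON object); the third call above shows a re-serialised body failing for that reason. Rejected requests should get a 400 and duplicates a 200, so that Stripe stops retrying events that were already fulfilled.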
👥Admin failures enable privilege escalation
An unprotected admin route means any user can reach admin functions by guessing the URL; hiding the link from the navigation is not access control. A hardcoded admin credential means one leaked repository or env file compromises everything.
Unauthorized admin access, data manipulation, business disruption
AI tools generate code for the happy path. They don't think about what happens when the payment fails, the token is stolen, or the admin URL is guessed.
How it differs from code quality tools
| | Code quality tools (ESLint, SonarQube) | Trust Score (Vibecodiq) |
|---|---|---|
| Measures | Style, complexity, duplication | Billing, auth, admin safety |
| Scope | File-level patterns | System-level: payment flows, access control, data boundaries |
| Predicts | Code maintainability | Revenue fraud, data breaches, unauthorized access |
| AI-specific | No — same checks for any code | Yes — designed for Lovable, Bolt, Cursor, Replit codebases |
| Detects | Code smells and style issues | Missing webhook verification, exposed API keys, no RLS |
The Core Launch Risks
These are the founder-facing consequences of auth, billing, and admin failures — what goes wrong when the critical foundation has gaps. Each risk is backed by real incidents and maps directly to Trust Score checks.
Your Admin Panel Has No Lock. Just a Sign That Says 'Admin Only.'
Your app has an admin panel. It's hidden from the navigation — regular users don't see a link to it. The admin dashboard shows user management, billing override
LR-08 Your Login Check Is Lying.
Your app has authentication. Users log in. Protected pages redirect to the login screen. The auth flow works perfectly in every test.
LR-07 They Cancelled. They Still Have Access. You're Losing Money.
A customer cancels their subscription. Stripe processes the cancellation. The customer still has full premium access in your app. Tomorrow. Next week. Next mont
LR-06 Stripe Will Retry Until It Breaks You.
When your server takes too long to respond, returns an error, or drops the connection, Stripe retries the event. Retries escalate from seconds to minutes to hou
LR-03 Anyone Can Upgrade to Pro for Free. Here's How.
Your app has a free tier and a paid tier. Users sign up, enter their card, pay through Stripe, and unlock premium features. The flow works perfectly in testing.
LR-01 Your Database Is Public. You Just Don't Know It Yet.
Your app has a login page. Users sign in. The dashboard shows their data. Everything works exactly as expected.
LR-02 One Exposed Key Gives Strangers Full Access to Your Database
Your Supabase project has two keys. The `anon` key is public — it's designed to be in the browser. The `service_role` key is the master key. It bypasses all Row
LR-04 Your Stripe Webhook Trusts Strangers. It Shouldn't.
Your Stripe webhook endpoint is a URL. It accepts POST requests. When Stripe sends a payment event, your app processes it — activates a subscription, grants cre
Related Launch Risks
Additional validated risks that often appear alongside the core failure modes.
What's your Trust Score?
Find out in seconds with the free scan. Or get expert analysis with a Launch Readiness Assessment.
Limited-scope assessment. Not a certification.