How we audit.
Public criteria.

A breach in a starter is a breach in every product that ships on top of it. Every defensive default is paid once in the catalog and recovered every time a subscriber ships.

• Content-Security-Policy must

  CSP header set by the app's Worker entry; `default-src 'self'`; no `unsafe-inline` scripts in shipping config.

• HSTS must

  Strict-Transport-Security set with `max-age=31536000; includeSubDomains` on every response.

• No client-side secrets must

  Build output scanned for secret-shaped tokens (`*_SECRET`, `*_KEY`, provider keys). Server-only env vars never reach the bundle.

• Validated boundaries must

  Every API request and response is Zod-validated; no `JSON.parse` of remote data without a schema.

• Safe rich-text rendering must

  No `dangerouslySetInnerHTML` without a sanitizer (DOMPurify or equivalent); user-supplied markdown rendered through a vetted pipeline.

• Hardened auth cookies must

  Auth cookies set `httpOnly`, `Secure`, `SameSite=Lax` (or stricter); never readable from JS.

• Deferred Stripe.js should

  Stripe.js (or equivalent payments SDK) is loaded only when checkout initiates, not on every page.

• No high/critical CVEs at ship should

  Dependabot or `npm audit` reports zero high or critical advisories at release.

• CSP violation reporting should

  CSP `report-to` directive points at a collector so violations in the wild are visible, not silent.

Failures happen. The question is whether your users feel them and whether you can see them after the fact. Reliability is staying coherent under partial failure.

• Error boundaries at the route level must

  Every route is wrapped in a React error boundary; the fallback gives the user something to do.

• Typed API errors must

  `ApiError` is a discriminated union with a known set of codes; no `throw new Error('boom')` in shipping code.

• Retry-on-idempotent only must

  Automatic network retries are limited to idempotent verbs (`GET`, `PUT`, `DELETE`); `POST` retries require an explicit idempotency key.

• Idempotent billing mutations must

  Every billing-side mutation carries a client-generated idempotency key; the same key returns the same result.

• Empty / loading / error states must

  Every async path has explicit empty, loading, and error UI. No state implied by absence.

• Timed-out external calls should

  Every fetch to an external service has a timeout and a fail-closed default; no unbounded waits.

• DLQ-paired queues (workers) should

  If the starter ships background workers, every queue is paired with a dead-letter queue and a documented poison-message policy.

A bug you can't observe is a bug you can't fix. Observability is the work that turns 'something is wrong' into 'this is what's wrong and here is when it started.'

• Propagated request ID must

  `X-Request-Id` issued at the edge, threaded through handlers and workers, and surfaced in every log line and error.

• Structured logs must

  Logs are JSON with a stable schema; not free-form `console.log` strings in shipping code.

• Predeclared event taxonomy must

  PostHog (or equivalent) event names are declared in a `taxonomy.ts`; new events require a taxonomy update reviewed in the PR.

• Errors captured with context must

  Server and client errors captured with trace ID, breadcrumbs, and user context. Sourcemaps uploaded on deploy.

• Sampled session replay should

  Replay sampled on anonymous and first-session traffic for funnel debugging; full-capture only during active investigation windows.

• Named alert policy should

  Documented list of conditions that page a human (e.g. queue lag, webhook signing failures, audit batch failures). Not 'we'll add alerts later.'

Performance is a feature your users feel before they read your copy. The catalog ships under measured budgets, not aspirational ones.

• LCP budget must

  Largest Contentful Paint ≤ 2.5s on simulated 4G across hot routes; ≤ 2.0s on landing surfaces.

• TBT budget must

  Total Blocking Time < 200ms on simulated 4G.

• Per-route bundle budget must

  Per-route JavaScript ≤ 200kb gzipped, enforced in CI by a build-time check that fails the build on regression.

• Lighthouse Performance ≥ 90 must

  Lighthouse Performance score ≥ 90 on every hot route. Audited automatically in CI on PRs that touch app code.

• React Compiler enabled should

  React Compiler is on; the codebase does not pre-optimize with manual `useMemo` / `useCallback` for memoization defaults.

• Route-level code splitting should

  Routes are lazy-loaded with skeleton fallbacks. No route hauls in another route's bundle.

• Optimized raster images should

  Raster images served via a responsive image pipeline (Cloudflare Images, Imgix, or equivalent).

Inaccessible software excludes users by accident. WCAG 2.2 AA is the floor; the rest is taste, not optional.

• axe-clean in CI must

  axe-core reports zero issues on every shipped route; CI fails on regression.

• WCAG 2.2 AA contrast must

  Body text ≥ 4.5:1; large text ≥ 3:1. Verified on every surface before ship, including focus and hover states.

• Keyboard reachability must

  Every interactive element reachable via Tab in DOM order; no `tabindex` hacks.

• Visible focus indicator must

  1px page-color gap + 3px accent ring on every focused control. Never `outline: none` without a replacement.

• Modal focus trap must

  Modals trap focus on entry; Esc closes; focus returns to the opener on close.

• Status with text labels must

  Status badges, errors, and signals always pair with text or an aria-label. Color alone is never a signal.

• prefers-reduced-motion respected must

  Pulse, marquee, fade-up, and hover transforms disabled under `prefers-reduced-motion: reduce`. Static color and state changes still work.

• 44 × 44 touch targets must

  Interactive elements ≥ 44 × 44 CSS pixels on touch viewports.

Tests aren't a coverage number — they're the artifact that lets a subscriber change the code with confidence. Boundary tests beat exhaustive line coverage.

• Vitest at every package must

  Every package, app, and worker ships unit tests adjacent to the code they cover.

• Playwright on critical paths must

  Playwright covers the happy path and the conversion-critical error paths. Auto-starts dev servers with MSW on.

• MSW shared with dev must

  The same MSW handlers run in Vitest (in-memory db), Playwright (auto-started servers), and `pnpm dev` (JSON-persistent db).

• Strict TypeScript must

  TS strict mode on; no `any` without an inline justification; no `@ts-ignore` without a linked issue.

• Boundary coverage threshold must

  Coverage thresholds set on package exports (boundaries), not per-line. CI fails on regression, not on aspirational targets.

• Producer ↔ consumer integration tests should

  For starters that ship background workers, the queue producer/consumer contract is tested against synthesized batches.