Code Resilience Audit
Why This Exists
On 2026-03-29, 24 functional testing agents (Playwright, personas, journeys) found 60+ UX/feature issues but missed 3 CRITICAL code problems:
- Stripe webhooks had no idempotency — duplicate events processed
- Hardcoded fallback phone number routed unknown calls to a real customer
- 17 instances of .catch(() => {}) silently swallowing errors
These were only found when code audit agents READ the source looking for anti-patterns.
When to Run
- Before every go-live / launch readiness review
- After any major feature implementation
- Monthly maintenance audit
- When the QA Orchestrator runs a full suite (/qa all)
Audit Checklist
1. Silent Error Swallowing
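# Find all instances across a codebase
# -E selects extended regex: \( and \{ are literal characters, ( ... | ... ) groups alternatives
grep -rnE '\.catch\s*\(\s*(\(\s*\)\s*=>|function\s*\(\s*\))\s*\{\s*\}\s*\)' src/
grep -rnE '\.catch\s*\(\s*\(\s*\w*\s*\)\s*=>\s*null\s*\)' src/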
Rule: Every .catch() must at minimum console.error() the error with context.
2. Webhook Idempotency
Check every webhook handler (/api/*/webhook/route.ts):
- Does it check the webhook_events table before processing?
- Does it insert into webhook_events after processing?
- Can duplicate events cause duplicate side effects (emails, DB writes, charges)?
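One way a handler can satisfy these checks, as an added example (not code from the audited projects): it records the event id before running side effects and marks it processed afterwards, so two deliveries of the same event cannot both get past the check. The in-memory store, handleWebhookEvent, and the event ids are constructed for illustration.

```javascript
// Constructed in-memory stand-in for the webhook_events table; the event id is
// the unique key. A real handler would make these calls against the database.
class WebhookEventStore {
  constructor() { this.rows = new Map(); }
  // Like an INSERT under a unique constraint: false means the id already exists.
  claim(eventId) {
    if (this.rows.has(eventId)) return false;
    this.rows.set(eventId, "processing");
    return true;
  }
  markProcessed(eventId) { this.rows.set(eventId, "processed"); }
  release(eventId) { this.rows.delete(eventId); }
}

// Hypothetical handler. sideEffect is whatever the event triggers
// (email, DB write, charge) and may throw.
function handleWebhookEvent(store, event, sideEffect) {
  if (!event || typeof event.id !== "string" || event.id === "") {
    return { status: 400, outcome: "rejected" };
  }
  if (!store.claim(event.id)) {
    // Duplicate delivery: acknowledge it, run no side effects.
    return { status: 200, outcome: "duplicate" };
  }
  try {
    sideEffect(event);
    store.markProcessed(event.id);
    return { status: 200, outcome: "processed" };
  } catch (err) {
    // Release the claim so the sender's retry is processed, and log with context.
    store.release(event.id);
    console.error(`webhook ${event.id} (${event.type}) failed:`, err.message);
    return { status: 500, outcome: "failed" };
  }
}

// Constructed scenario: one event delivered twice, then one that fails once and is retried.
function demo() {
  const store = new WebhookEventStore();
  const emails = [];
  const send = (e) => { emails.push(e.id); };
  let failOnce = true;
  const flaky = (e) => {
    if (failOnce) { failOnce = false; throw new Error("mail API down"); }
    emails.push(e.id);
  };
  const a = { id: "evt_constructed_001", type: "invoice.payment_failed" };
  const b = { id: "evt_constructed_002", type: "customer.subscription.deleted" };
  const results = [handleWebhookEvent(store, a, send), handleWebhookEvent(store, a, send),
    handleWebhookEvent(store, b, flaky), handleWebhookEvent(store, b, flaky)];
  return { outcomes: results.map((r) => r.outcome), emails };
}
```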
3. Hardcoded Values
# Find potential hardcoded secrets/IDs
grep -rn "sk_\|pk_\|price_\|prod_\|cus_\|sub_" src/ --include="*.ts" --include="*.tsx" | grep -v "node_modules\|\.env\|process\.env"
# Find hardcoded phone numbers
grep -rn '"+1[0-9]\{10\}"' src/
# Find hardcoded URLs that should be env vars
grep -rn "https://.*supabase\|https://.*stripe\|https://.*livekit" src/ | grep -v "process\.env\|NEXT_PUBLIC"
Rule: All secrets, IDs, and service URLs must come from env vars.
4. Missing Rate Limiting
# Find POST/PATCH/DELETE routes
find src/app/api -name "route.ts" -exec grep -l "export async function \(POST\|PATCH\|DELETE\)" {} \;
# Check which ones have rate limiting
find src/app/api -name "route.ts" -exec grep -l "checkRateLimit\|rateLimit\|rateLimiter" {} \;
Rule: Every public mutation endpoint must have rate limiting.
5. Missing Input Validation
For every POST/PATCH route, check:
- Is the request body validated before use?
- Are string lengths bounded?
- Are array lengths bounded?
- Are enum values validated?
6. Auth Check Coverage
# Find routes that might be missing auth
find src/app/api -name "route.ts" -exec grep -L "getUser\|resolveToken\|auth\|ADMIN_SECRET" {} \;
Rule: Every non-public route must verify auth before processing.
7. Timing-Safe Comparisons
# Find direct string comparisons on tokens/secrets
grep -rn "=== token\|=== secret\|=== key\|\.eq.*token.*,\|\.eq.*secret" src/
Rule: Token/secret comparisons must use crypto.timingSafeEqual or constant-time DB queries.
8. Supabase Query Safety
- Are all queries paginated (not relying on default 1000-row limit)?
- Are destructive queries (DELETE, UPDATE without WHERE) impossible?
- Are column names verified before use?
9. Stripe Lifecycle Completeness
Check webhook handlers cover ALL subscription states:
- checkout.session.completed
- customer.subscription.created
- customer.subscription.updated (active, past_due, unpaid, paused)
- customer.subscription.deleted
- invoice.payment_failed
- invoice.payment_action_required
Output Format
Agents running this audit should report:
CODE RESILIENCE AUDIT — [PROPERTY]
===================================
[CRITICAL] [file:line] — description
[IMPORTANT] [file:line] — description
[MINOR] [file:line] — description
Summary: X CRITICAL, Y IMPORTANT, Z MINOR
Integration with QA Orchestrator
When /qa all or /qa resilience is invoked, dispatch an Explore agent with this checklist against each codebase. The agent reads code (does NOT run it) and reports findings.