Trust Misconfiguration Audit
Quick Summary (18 lines)
The most common vulnerability in AI-generated code isn't SQL injection or XSS — it's trust misconfiguration. Code that assumes everything is fine. Open CORS, admin-level service accounts, raw input passed to shell commands. The AI optimizes for "make it work" with zero weight on "make it survivable in production."

## Key Points

Vibe-coded applications tend to trust:

- **All origins** (CORS `*`)
- **All users** (no authentication on endpoints)
- **All input** (no validation or sanitization)
- **All environments** (hardcoded dev credentials used in prod)
- **All permissions** (service accounts with admin access)
- **All network traffic** (no TLS enforcement, no rate limiting)

Credential audit:

1. Search the entire codebase for patterns: `password=`, `secret=`, `api_key=`, `token=`, `sk_live`, `sk_test`, `AKIA` (AWS), `ghp_` (GitHub)
2. Check `.gitignore` includes: `.env`, `.env.local`, `.env.production`, `*.pem`, `*.key`, `serviceAccountKey.json`
3. Check git history: `git log --all -p | grep -i "password\|secret\|api_key"` — credentials removed from code may still be in history
4. Check CI/CD configs for hardcoded secrets (use platform secret management instead)

Raw input must never be concatenated into:

- SQL queries (parameterize instead)
- Shell commands (use safe APIs instead of `exec`)
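A small audit helper for credential-audit steps 1 and 2 above. This is an added example, not code from the skill itself: `scan_text` checks source text (or piped `git log --all -p` output, which covers step 3) against the credential patterns the checklist names, and `missing_ignores` reports which required `.gitignore` entries are not covered. The regexes and the sample inputs are constructed for this example.

```python
import re
from fnmatch import fnmatch

# Credential patterns from the audit checklist (regexes written for this example).
SECRET_PATTERNS = {
    # A quoted literal assigned to a credential-looking name (password=, secret=,
    # api_key=, token=). Reads from the environment are not flagged.
    "hardcoded_credential": re.compile(
        r"(password|secret|api_key|token)\w*\s*[=:]\s*[\"']([^\"']{4,})[\"']",
        re.IGNORECASE),
    "stripe_key": re.compile(r"\bsk_(live|test)_[A-Za-z0-9]{8,}"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{20,}"),
}

# Files the checklist says .gitignore must cover.
REQUIRED_IGNORES = [".env", ".env.local", ".env.production",
                    "*.pem", "*.key", "serviceAccountKey.json"]


def scan_text(text):
    """Return (line_no, pattern_name) for every line matching a secret pattern.

    Works on a source file and equally on `git log --all -p` output, so a
    credential deleted from the tree but still present in history is found."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append((line_no, name))
    return hits


def missing_ignores(gitignore_text):
    """Return REQUIRED_IGNORES entries no .gitignore rule covers (globs honoured)."""
    rules = [l.strip() for l in gitignore_text.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    return [entry for entry in REQUIRED_IGNORES
            if not any(entry == rule or fnmatch(entry, rule) for rule in rules)]


# Constructed sample input: a vibe-coded config module and a thin .gitignore.
SAMPLE_SOURCE = """\
import os
DB_PASSWORD = os.environ["DB_PASSWORD"]      # ok: read from the environment
password = "hunter2-dev-only"               # hardcoded dev credential
STRIPE_KEY = "sk_test_EXAMPLEKEY1234567890"  # constructed placeholder, not a real key
aws_key = "AKIAEXAMPLEEXAMPLE12"             # constructed placeholder, not a real key
"""
SAMPLE_GITIGNORE = "node_modules/\n.env\n*.pem\n"

if __name__ == "__main__":
    for line_no, name in scan_text(SAMPLE_SOURCE):
        print(f"line {line_no}: {name}")
    print("missing from .gitignore:", missing_ignores(SAMPLE_GITIGNORE))
```

Note that a bare `.env` rule does not cover `.env.local` or `.env.production`; the glob check reports exactly those gaps.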
Full skill: 320 lines. Fetch it with `skilldb get vibe-coding-security-skills/trust-misconfiguration-audit`, or install it directly with `skilldb add vibe-coding-security-skills`.
Related Skills

- AI-Specific Vulnerabilities (Vibe Coding Security, 378 lines)
- Authentication and Authorization Patterns (Vibe Coding Security, 369 lines)
- Container and Deployment Security (Vibe Coding Security, 420 lines)
- Credential Management (Vibe Coding Security, 391 lines)
- Database Security Hardening (Vibe Coding Security, 323 lines)
- Dependency Supply Chain Security (Vibe Coding Security, 362 lines)