Security Audit Report

Cross-check against AI Agent Security Playbook — July 11, 2026
Overview
Cross-Check
All Projects
Fix Checklist
Tools & Costs
Game Plan
19
Projects Audited
5
Fully Hardened
14
Need Fixes
57
Files w/ Wildcard CORS

PDF Playbook Key Stats

45% of AI-generated code introduces OWASP Top 10 vulnerabilities (Veracode 2025). AI-written code produces flaws at 2.7x the rate of human-written code. 91.5% of vibe-coded apps had at least one AI-hallucination-related flaw.

The PDF identifies 8 critical vulnerability classes commonly found in AI-generated code. Sterling's audit confirmed every single one exists across our Cloudflare Pages projects. The most dangerous: hardcoded secrets, wildcard CORS, missing auth, and error message leakage.

Hardening Progress

5 of 19 projects hardened 26%
ProjectStatusDate
Command CenterHardenedJul 10
Stevens Family PlannerHardenedJul 10
Core Forum HubHardenedJul 11
DugoutReady FeedbackHardenedJul 11
DugoutReady SurveyHardenedJul 11
OA Website RedesignHardcoded PasswordPending
Sterling Task ActivationExposed SecretPending
OA Client DashboardsAuth BypassedPending
NYO Football ScheduleNo Auth on SMSPending
AI MBA PortalWildcard CORSPending
AI QuickstartCORS + Error LeaksPending
Brad's Brain Dump13 Files Need FixesPending
Brad's Brain TabsHardcoded JWTPending
Sterling Social ApprovalWildcard CORSPending
Tmp Social ApprovalWildcard CORSPending
KW VA AssessmentNo Auth + LeaksPending
Deb's Swim School DashboardCORS + Error LeaksPending
Deb's Swim School ReferralWildcard CORSPending
Forum Update BuilderNeeds AuditPending

Additional Finding: CC & SFP Error Leaks

Command Center and SFP were hardened for auth/secrets but still have 88 instances of err.message / e.message being returned to the client across 44 files. These need to be sanitized to 'Internal error'.

PDF Vulnerability Classes vs. Our Apps

Every vulnerability class the PDF flagged was found in our codebase. Here's the detailed cross-check:

Vulnerability ClassPDF WarningOur StatusSeverity
Hardcoded Secrets / API Keys "Common enough to treat as a default assumption" FOUND — 3 instances: sterling-task-activation (auth token in backend AND client HTML), brads-brain-tabs (Monday.com JWT), oa-website-redesign (plaintext password "bradstevens") Critical
Missing Authorization (IDOR/BOLA) "Single hardest class for scanners to catch" FOUND — oa-client-dashboards auth middleware completely bypassed. Multiple projects have no auth on data endpoints. Critical
Misconfigured CORS (wildcard *) Listed as top vulnerability category FOUND — 57 API files across 14 projects use Access-Control-Allow-Origin: '*' Critical
Error Message Leakage Exposes internal implementation details FOUND — 88+ instances of err.message returned to client across all projects including "hardened" CC and SFP High
Missing Rate Limiting "Login endpoints open to brute force, APIs open to scraping/abuse" PARTIAL — Rate limiting added to CFH login, DugoutReady. Missing on all other projects. High
SQL Injection "Always use .bind() parameters, never string interpolation" PASS — All D1 queries use parameterized .bind(). No string concatenation found. Clean
Secrets in wrangler.toml "Secrets placed in wrangler.toml instead of encrypted Worker Secrets" PASS — wrangler.toml files only contain non-secret config (database IDs, KV namespace IDs). Actual secrets use env bindings. Clean
XSS from Unsanitized Input Rendering user input to pages without escaping Low Risk — Most apps are SPAs that set innerHTML in controlled contexts. No server-rendered user content. Some risk in forum/feedback displays. Medium
Exposed Database Endpoints "Databases deployed with no row-level security" PARTIAL — D1 queries generally enforce user context, but some endpoints return all data without filtering (brads-brain-dump, sterling-task-activation GET). High
Dependency Vulnerabilities / Slopsquatting "~20% of AI code recommends packages that don't exist" LOW RISK — Cloudflare Pages/Workers use minimal dependencies. Most apps are vanilla JS with no npm packages beyond wrangler. Low

COPPA Compliance Alert

Stevens Family Planner handles children's data (Ella and Brayden's names, activities, schedules). The FTC's amended COPPA Rule became fully enforceable April 22, 2026, with civil penalties up to $53,088 per violation.

SFP is currently a private family tool (not public-facing), which limits COPPA exposure. However, if it were ever shared or made accessible to others, a COPPA review would be mandatory. The PDF recommends: privacy attorney review, verifiable parental consent mechanism, data retention/deletion policies, and no sharing children's data with third parties. Current risk: Low (private use only). Future risk: High if ever made public.

Complete Project Inventory

ProjectAPI FilesHardcoded SecretsWildcard CORSError LeaksAuthRate LimitHeaders
Command Center40+CleanLocked83 leaksYesYesYes
Stevens Family Planner15+CleanLocked5 leaksYesYesYes
Core Forum Hub18CleanLockedCleanYesYesYes
DugoutReady Feedback3CleanLockedCleanAdminYesYes
DugoutReady Survey1CleanLockedCleanPublic FormYesYes
OA Website Redesign3PASSWORD*1 leakHardcodedNoNo
Sterling Task Activation1TOKEN*1 leakPartialNoNo
OA Client Dashboards10+CleanN/ACleanBYPASSEDNoNo
Brad's Brain Tabs2JWT*2 leaksNoNoNo
NYO Football Schedule1Clean*1 leakNoNoNo
AI MBA Portal5Clean*CleanYesNoNo
AI Quickstart7Clean*4 leaksYesNoNo
Brad's Brain Dump13Clean*3 leaksNoNoNo
Sterling Social Approval4Clean*CleanYesNoPartial
Tmp Social Approval2Clean*CleanYesNoNo
KW VA Assessment1Clean*1 leakNoNoNo
Deb's Swim Dashboard4Clean*4 leaksNoNoNo
Deb's Swim Referral1Clean*CleanNoNoNo
Forum Update Builder3TBD*TBDTBDNoNo
OA Recruit Chat1Backend URL*N/ANoNoNo

Sterling's Fix Plan — Priority Order

Fixes are sequenced by severity. Critical items (hardcoded secrets, auth bypass) first, then high (CORS, error leaks), then medium (rate limiting, headers).

Phase 1: Critical Fixes (Immediate)

  • CFH: Remove all hardcoded secrets — Moved APP_SECRET and API_KEY to Cloudflare Worker Secrets. 18 files rewritten.
  • sterling-task-activation: Remove hardcoded auth token — Token exposed in BOTH backend JS and client HTML. Move to Worker Secret.
  • brads-brain-tabs: Remove hardcoded Monday.com JWT — Full JWT token in source code. Move to Worker Secret.
  • oa-website-redesign: Remove hardcoded password "bradstevens" — Plaintext password in results.js. Move to env hash.
  • oa-client-dashboards: Re-enable auth middleware — Auth completely bypassed per July 9 directive. Need Brad's decision on re-enabling.

Phase 2: High-Severity Fixes

  • Lock CORS on CFH, DugoutReady (2 projects) — Changed from wildcard to specific origins.
  • Lock CORS on remaining 12 projects — 57 files still use wildcard CORS. Each needs domain-specific allowlist.
  • Sanitize ALL error messages — 88+ instances across CC, SFP, and all other projects. Change err.message to 'Internal error'.
  • Add auth to nyo-football-schedule SMS endpoint — Currently anyone can trigger SMS sends to arbitrary numbers.

Phase 3: Medium-Severity Hardening

  • Add rate limiting to ALL login endpoints — ai-mba-portal, ai-quickstart, oa-client-dashboards, forum-update-builder
  • Add rate limiting to ALL public submission endpoints — kw-va-assessment, debs-swim-school-referral
  • Add security headers (_headers files) to ALL 14 remaining projects
  • Input validation on all form submissions — Type, length, format checks

Phase 4: Edge Security (Cloudflare Features)

  • Enable Cloudflare WAF — Managed Ruleset + OWASP Core Ruleset on all domains
  • Add Turnstile to public forms — Free CAPTCHA replacement for signup/feedback/survey forms
  • Enable Cloudflare Access on admin panels — Free for up to 50 users
  • Enable Bot Fight Mode — Free automated bot mitigation on all domains

Phase 5: Ongoing / Professional

  • Set up GitGuardian pre-commit hooks — Prevent secrets from ever reaching the repo
  • Set up Semgrep CI scanning — Static analysis on every code change
  • Commission professional pentest — Before launching dugoutready.com ($5-15K)
  • Recurring weekly security scan — Automated sweep of all projects for regressions

Recommended Security Stack

Based on the PDF's recommendations, mapped to our specific setup. Ordered by impact-per-dollar.

Layer 1: Free / Already Available

Cloudflare WAF (Managed Ruleset)
Blocks known exploit patterns at the edge before they hit our Workers. Enable OWASP Core Ruleset.
Free (Pro plan)
Cloudflare Turnstile
Free CAPTCHA replacement for public forms. Stops bots without user friction.
Free
Cloudflare Access (Zero Trust)
Identity-based access control for admin panels. Google/Microsoft login integration.
Free (50 users)
Cloudflare Bot Fight Mode
Automated bot mitigation on all domains.
Free
Cloudflare Rate Limiting
Edge-level rate limiting by IP, header, or session. Protects auth and API endpoints.
Free (basic)
GitGuardian (Secrets Scanner)
Best-in-class secret detection. 450+ secret types. Pre-commit hooks prevent secrets from reaching repos.
Free (25 devs)
Claude Code /security-review
Built-in security review. Scans for SQL injection, XSS, auth flaws, IDOR, hardcoded secrets, CORS.
Free (uses API tokens)
OWASP ZAP
Free open-source DAST scanner. Attacks your running app like a hacker to find vulnerabilities.
Free

Layer 2: Low-Cost Essentials

Semgrep (SAST + SCA + Secrets)
Strong security-focused static analysis. Best free tier. Catches vulnerabilities in source code.
$0 (CLI) / $40/mo (Team)
CodeRabbit (AI Code Review)
Most-installed, lowest-noise AI code reviewer. Catches bugs and logic issues in every PR.
$0 (free) / $24/dev/mo
Snyk (SCA + SAST)
Market-leading dependency scanning. IDE + PR integration. Auto-fix suggestions.
$0 (free tier) / $25/dev/mo
StackHawk (DAST)
Developer-friendly, CI-native dynamic scanner. Built on ZAP with better UX.
$0 (1 app) / $99/mo

Layer 3: All-in-One Option

Aikido Security
All-in-one: SAST + DAST + SCA + secrets + CSPM. Developer-first, low-noise. Replaces multiple tools above.
$0 (2 users) / $350/mo

Layer 4: Professional Pentesting

Cobalt (PTaaS)
Credit-based pentest-as-a-service. Kickoff in ~24 hours. Best for SMB with recurring needs.
$5,000-15,000 per app
Rhino Security Labs
Boutique firm. Strong on cloud/web. Tests from ~$10,000.
$10,000+ per engagement
Aikido AI Pentest
AI-powered pentest. $100/test via Aikido credits. Business-logic-aware.
$100/test

Recommended Monthly Budget

TierWhat You GetMonthly Cost
Minimum Viable SecurityCloudflare WAF/Turnstile/Access + GitGuardian + Semgrep CLI + Claude /security-review$0/mo
Recommended (Solo Founder)Above + Semgrep Team + CodeRabbit + StackHawk (1 app)$65-165/mo
ComprehensiveAikido all-in-one (replaces individual tools) + Cloudflare edge security$350/mo
+ Annual PentestProfessional human penetration test (1-2 apps/year)$5,000-15,000/yr

Sequential Execution Plan

This is the order of operations. Each phase builds on the previous. Sterling executes Phases 1-3 immediately. Phase 4+ requires Brad's input on tool purchases.
Now (July 11, 2026)
Phase 1: Critical Secret Removal
Remove ALL hardcoded secrets from source code. Move to Cloudflare Worker Secrets. Rotate any exposed tokens. Fix: sterling-task-activation, brads-brain-tabs, oa-website-redesign. Sterling executes immediately.
July 11-12
Phase 2: CORS Lockdown + Error Sanitization
Replace wildcard CORS on all 57 files with domain-specific allowlists. Sanitize all 88+ err.message leaks to 'Internal error'. Add _headers security files to all 14 remaining projects. Sterling executes immediately.
July 12-13
Phase 3: Auth + Rate Limiting
Add rate limiting to ALL login/auth endpoints. Add auth to unprotected sensitive endpoints (NYO SMS, brain-dump data). Discuss oa-client-dashboards auth re-enablement with Brad. Sterling executes after Phase 2.
July 13-14
Phase 4: Cloudflare Edge Security
Enable WAF managed rulesets on all domains. Add Turnstile to public forms. Set up Cloudflare Access on admin panels. Enable Bot Fight Mode. Requires Brad's Cloudflare dashboard access for some settings.
Week of July 14
Phase 5: CI/CD Security Pipeline
Set up GitGuardian pre-commit hooks. Configure Semgrep for automated SAST scanning. Add Claude Code /security-review to build process. Requires tool selection decision from Brad.
Week of July 21
Phase 6: Full Verification Sweep
Run OWASP ZAP DAST scan against all deployed apps. ASVS Level 2 gap assessment. Verify all Phase 1-4 fixes are deployed and working. Generate clean scan report. Sterling executes autonomously.
Before DugoutReady Launch
Phase 7: Professional Pentest
Commission professional human penetration test for dugoutready.com. Budget: $5,000-15,000. Recommended providers: Cobalt (PTaaS) or Rhino Security Labs. Remediate findings. Retest. Requires Brad's budget approval + vendor selection.
Ongoing (Weekly)
Phase 8: Recurring Security Sweep
Weekly automated scan of all projects for: new hardcoded secrets, wildcard CORS regressions, error message leaks, missing auth. Sterling runs this as a scheduled Cyndra task. Set up after Phase 6 is clean.

Post-Build Security Testing Sequence

Every time Sterling builds or significantly modifies an app, this sequence runs before deployment:

StepWhatToolPass Criteria
1Secret scanGitGuardian / grepZero hardcoded secrets in source
2CORS checkgrep for wildcard '*'Zero wildcard CORS in API files
3Error leak checkgrep for err.messageZero error message leaks
4Auth verificationcurl without tokenAll protected endpoints return 401
5Rate limit testrapid curl loopLogin endpoints block after 5 attempts
6SQL injection checkgrep for string interpolation in queriesAll queries use .bind() parameters
7Headers verificationcurl -IAll 6 security headers present
8DAST scanOWASP ZAP / StackHawkZero high/critical findings