Seatbelt read the Northstar Waitlist build, flagged three things, the agent fixed them, and a second pass confirmed it. This is sample data for the landing page, not a live scan.
| Gate | Flag | Summary | Status |
|---|---|---|---|
| info | login | Sign in route detected (/auth) and member dashboard at /app. Route looks scoped. | noted |
| soft | payments | Stripe checkout route for paid early access tier | verified |
| hard | secrets | API key pattern in client bundle NEXT_PUBLIC_* sk-…4f2a | fixed |
| info | customer data | Stores waitlist emails, referral codes, and profile names | noted |
| info | databases | ORM config found. No connection string or admin UI in the client. | noted |
| soft | risky shortcuts | Debug delete route present (/api/debug) | fixed |
| Flag | First read · 10:42 | Again · 10:51 |
|---|---|---|
| secrets | open · hard gate | fixed · moved server side, key rotated |
| payments | flagged · verify checkout | verified end to end |
| risky shortcuts | flagged · debug delete route | fixed · route removed |
Verified by Seatbelt, earned. A real scan on an app with substance, hard gates cleared on the second pass. The badge links to this report, not a sticker.
Honest scope: Seatbelt reads structure and clues on the folder or ZIP you share. Not a pentest. Not hacking production. Does not read live customer private data. Secret values are truncated in cues; only prefixes appear above.