ARI.Software Docs

Module Security

Run a comprehensive security audit on any module with a single command.

Built-In Security Audit

Every module you build deserves a thorough review. ARI ships with a powerful audit tool that checks your module across dozens of security, performance, and quality dimensions — all from a single command.

Usage

Run the audit from Claude Code:

/ari-audit-module tasks

Or run /ari-audit-module without specifying a module; it will list all available modules and ask you to pick one.

The audit covers one module per run to keep the report focused and readable. Run it after creating a new module, after making significant changes, or as a routine check before sharing your module with others.

The audit is completely read-only. It never modifies your code or executes SQL. It reads your module's files, analyzes them against ARI's security standards and best practices, and produces a clear, actionable report.


What It Checks

The audit runs four parallel checks that cover every layer of your module:

Security (16 categories)

The core of the audit. Every API route, component, database schema, and configuration file is examined for vulnerabilities:

  • Authentication & Authorization — Missing auth checks, user ID taken from request body instead of session, routes accessible without proper permissions
  • Input Validation — Missing Zod validation, unvalidated query parameters, mass assignment risks
  • SQL Injection — Raw SQL with string interpolation, dynamic table names from user input, unparameterized queries
  • Data Exposure — Hardcoded API keys, stack traces returned to clients, secrets in code or config files
  • Cross-Site Scripting — Unsanitized user input, dangerouslySetInnerHTML without protection, unvalidated URLs
  • File Upload Security — Missing type validation, size limits, path traversal risks
  • Multi-Tenancy — Queries missing user isolation, cross-tenant data leakage
  • And more: CSRF protection, rate limiting, dependency vulnerabilities, cryptography, SSRF, Next.js-specific issues

The audit also runs a hardcoded credential scan across every file in your module — TypeScript, JSON, SQL, Markdown, everything — looking for accidentally committed API keys, tokens, and secrets.
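As an added illustration (not ARI's own audit code, whose internals these docs do not describe), here is a minimal line-based checker for three of the categories above, producing findings in the file/line/severity/recommendation shape the report uses. The rule patterns and the two sample route handlers are constructed for this example.

```typescript
// Added illustration (not ARI's own audit code): a minimal line-based checker
// for three of the security categories above. Rule patterns and the sample
// routes are constructed for this example.
type Severity = "High" | "Medium" | "Low";
type Rule = { pattern: RegExp; severity: Severity; issue: string; fix: string };
type Finding = { file: string; line: number } & Omit<Rule, "pattern">;

// Each rule is a regex tested against one source line plus the report metadata.
const rules: Rule[] = [
  { // User identity read from the request body instead of the session.
    pattern: /\bbody\.(userId|user_id)\b/, severity: "High",
    issue: "User ID taken from request body instead of session",
    fix: "Derive the user from the authenticated session, never from client input" },
  { // SQL built with a template literal that interpolates a value.
    pattern: /(sql|query)\s*\(?\s*`[^`]*\$\{/, severity: "High",
    issue: "Raw SQL built with string interpolation",
    fix: "Use a parameterized query; never interpolate values into SQL text" },
  { pattern: /dangerouslySetInnerHTML/, severity: "Medium",
    issue: "dangerouslySetInnerHTML renders unsanitized HTML",
    fix: "Sanitize the HTML first or render the content as text" },
];

// Scan one file line by line; order findings High -> Low, then by line number.
function auditSource(file: string, source: string): Finding[] {
  const rank: Record<Severity, number> = { High: 0, Medium: 1, Low: 2 };
  const findings: Finding[] = [];
  source.split("\n").forEach((text, i) => {
    for (const { pattern, ...meta } of rules) {
      if (pattern.test(text)) findings.push({ file, line: i + 1, ...meta });
    }
  });
  return findings.sort((a, b) => rank[a.severity] - rank[b.severity] || a.line - b.line);
}

// Constructed route handlers (not from any real module): one with two High
// findings, one written the way the audit expects.
const vulnerableRoute = [
  "export async function POST(req: Request) {",
  "  const body = await req.json();",
  "  const userId = body.userId;",
  "  const rows = await db.query(`SELECT * FROM tasks WHERE user_id = ${userId}`);",
  "  return Response.json(rows);",
  "}",
].join("\n");
const hardenedRoute = [
  "export async function POST(req: Request) {",
  "  const session = await getSession(req);",
  '  const rows = await db.query("SELECT * FROM tasks WHERE user_id = $1", [session.userId]);',
  "  return Response.json(rows);",
  "}",
].join("\n");
```

Running auditSource over vulnerableRoute reports lines 3 and 4 as High; hardenedRoute yields no findings.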

Production-Readiness

Ensures your module follows ARI's architecture patterns and will work correctly when installed:

  • Manifest validation — module.json exists, has required fields, ID matches folder name
  • Self-containment — All module code lives inside the module directory, no files scattered across the project
  • Database schemas — SQL is idempotent, RLS is enabled, user_id uses the correct type, no destructive operations in install scripts
  • API patterns — Routes use withRLS(), responses use toSnakeCase(), proper HTTP status codes, consistent error shapes
  • Registration — Module is properly registered in all required system files

Database Best Practices

Analyzes your SQL schemas and queries for performance and correctness:

  • Missing indexes on frequently filtered columns
  • Unsafe RLS policy patterns
  • Suboptimal column types
  • Inefficient query patterns

Frontend Quality

Checks your components and hooks against ARI's gold-standard patterns:

  • Performance — Unbounded queries without pagination, N+1 patterns, heavy imports that should be lazy-loaded
  • Data Fetching — Modules should use TanStack Query hooks, not raw fetch() calls. The audit checks for missing hooks, inline query keys, stale cache after mutations, and pre-migration auth patterns
  • UX Quality — Loading states, empty states, error states, double-submit prevention on mutation buttons, confirmation dialogs on destructive actions
  • Accessibility — Missing labels on interactive elements, form inputs without associated labels, color-only status indicators

The Report

The audit produces a single consolidated report with every finding categorized by severity:

  • High — Immediate risk. Auth bypass, data exposure, destructive SQL, missing RLS.
  • Medium — Significant weakness. Missing validation, unsafe error responses, unbounded queries.
  • Low — Best-practice gaps. Missing optional fields, convention violations, minor UX improvements.

Each finding includes the exact file and line number, a clear description of the issue, and a specific recommendation for how to fix it. The report ends with a Top 5 priorities list so you know exactly where to start.

This command is designed to provide a security, performance, and quality assessment of a module. However, it should not be considered a certification, formal audit, or guarantee that the module is secure, production-ready, or free from issues. You are fully responsible for performing your own due diligence to confirm that the module is suitable for your needs. You install and use the software and any module entirely at your own risk. The software is provided "as is" and "as available" without warranty of any kind. We make no guarantees regarding reliability, security, availability, or fitness for any purpose. You are solely responsible for securing the software and any environment in which it runs. This includes server security, access controls, encryption, patching, monitoring, backups, and compliance with applicable laws. We disclaim all liability for damages arising from use of the software, including data loss, security breaches, unauthorized access, system failures, or business interruption. You are strongly advised to implement and regularly test backup procedures. We are not responsible for any data loss.

Additional Tools

By prompting Claude Code, OpenAI Codex, Vercel Deepsec, pnpm audit, GitHub CodeQL, etc., you can run further audits on modules to ensure they are suitable for your purposes.
