Authentication patterns across A Square Solutions span three systems: WordPress Application Passwords (Base64-encoded Authorization headers for REST API access), Firebase Auth (email/password and Google OAuth for TrustSeal and ScamCheck), and Vercel environment variable scoping (API keys for Gemini and Razorpay). Three documented failure patterns: Application Password URL-encoding corrupts the credential hash; Firebase Auth session is lost on every page refresh when the custom production domain is absent from the Authorized Domains list; Razorpay test and live API keys must both be the same mode or payment flows fail silently.
Operational records — 12 total
The 20 operational invariants governing the A Square Solutions ecosystem, extracted from real production failures and operational history. Each invariant is a condition that must remain true for the system to behave safely and predictably — an explicit reliability contract derived from TrustSeal, ScamCheck, AI Execution Lab, and WordPress production experience.
Security invariants, credential governance, trust boundary model, and access discipline for the A Square Solutions ecosystem. Documents the three-tier access architecture across TrustSeal and ScamCheck, all credentials and where they are allowed, the security implications of historical operational failures, silent security drift scenarios, and lightweight security observability patterns. Grounded entirely in real production architecture.
Production implementation reference for Razorpay subscription payments with Firebase Cloud Functions and Firestore. Covers the full flow: subscription creation, checkout modal, webhook verification, Firestore state synchronization, realtime client unlock via onSnapshot, idempotency, and failure modes. Built and verified in production on TrustSeal.
Operational pattern for managing test vs. live mode separation across payment processors, analytics platforms, and authentication providers. Covers the full failure surface: mode-mixed credentials, preview environment contamination, domain authorization gaps, and the unifying root cause — credentials or configuration valid in one scope that are absent, wrong, or mismatched in production.
Firebase Cloud Functions returned 403 errors with missing auth context for 12 minutes after a redeploy that included a Firestore rules update. Root cause: Functions were deployed before Rules, creating a window where new function code ran against stale IAM/rules state. Fix: always deploy Firestore rules before Cloud Functions when both change in the same release.
Complete operational provenance for ScamCheck (scamcheck.asquaresolution.com) from concept through production. Build phases, infrastructure changes, Gemini rate limit incident, auth configuration, CSS architecture decisions, and deployment milestones — consolidated as a queryable operational record.
Complete operational provenance for TrustSeal (trustseal.asquaresolution.com) from concept through production. Build phases, infrastructure changes, auth incidents, payment integration, deployment milestones, and failure resolutions — consolidated as a queryable operational record.
Application Password authentication to WordPress REST API failed silently — returned 401 on all write operations. Root cause: incorrect header format and URL encoding of Application Password spaces.
TrustSeal (trustseal.asquaresolution.com) — AI-powered website trust verification tool. React/Vite/GitHub Pages frontend, Firebase Auth + Firestore backend, Firebase Functions v2 for Gemini AI analysis and Razorpay webhook handling. Subscription-based monetization via Razorpay (INR). Node 22 runtime required.
Firebase Auth login succeeded but session was lost on every page refresh after moving to a custom domain. Root cause: the custom domain was not added to Firebase Console's Authorized Domains list for the Authentication project. Session cookies and token refresh calls require the domain to be explicitly authorized.
ScamCheck (scamcheck.asquaresolution.com) — AI-powered scam detection tool. React/Vite/GitHub Pages frontend, Firebase Auth + Firestore backend, Firebase Functions v2 for Gemini AI scam analysis. Plain CSS (no Tailwind — justified at this UI scope). Free-tier AI tool with no payment layer. Node 22 runtime required.
Razorpay checkout modal opened and payment appeared to complete, but the webhook was never fired and the subscription wasn't activated. Root cause: client-side key was in test mode (rzp_test_) while the server-side Cloud Function key was in live mode (rzp_live_), or vice versa. Both keys must match modes simultaneously.