- Request handlers
- Endpoint declaration
- User permissions and user flags
- Content types
Highest-signal areas to watch
1) Auth & session flows
- Token handling: new uses of localStorage/sessionStorage/indexedDB/postMessage, or cookies named with access|auth|id|jwt|token. Alert on tokens stored anywhere other than httpOnly cookies; watch for SameSite=None without Secure.
- OAuth/OIDC: new or changed redirect_uri and post_logout_redirect_uri values, altered PKCE/state usage, and the addition of social login providers.
- Password reset / magic links: new endpoints whose paths contain reset, recovery, verify, otp, code, or token.
2) Privilege & feature controls (beyond user flags)
- Feature flags / AB tests: discovery of new flags like enableAdmin, betaPayments, bypassKyc. Monitor for flags that are checked only client-side.
- Role leakage: strings like isStaff, isInternal, entitlements, scopes. Alert when the code gates functionality only in the UI (JS), with no matching server-side check.
3) Endpoint discovery (beyond declarations)
- Hidden APIs: scrape JS bundles for URLs with a pattern such as /(wss?|https?):\/\/[^"' )]+/. Include GraphQL (/graphql) and WebSocket (ws://, wss://) endpoints.
- Method/verb expansion: watch for DELETE, PUT, PATCH, OPTIONS becoming allowed on existing paths.
- Parameter shape drift: new query/body fields, especially role, price, discount, is_admin, user_id, owner_id, redirect, returnTo.
4) Source maps & build artifacts
- Leaked source maps: .map files yielding readable source, comments, internal endpoints, secrets, or TODOs.
- Debug builds / env leakage: __DEV__, NEXT_PUBLIC_*, REACT_APP_*, or Vite import.meta.env.* values appearing with sensitive data. These prefixes are inlined into the client bundle by design, so any secret placed behind them ships to every user.
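Sections 1 through 4 above are all the same mechanic: pull a set of indicators out of each bundle build and alert on what is new. The scanner below is an added example, not code from the original page or from any project it references; it diffs two versions of a bundle for those indicators and reports only the findings that appear in the later build. The two bundle bodies, the regexes, and the hostnames are constructed for illustration, and the patterns are heuristics that will need tuning against real minified output.

```javascript
// Added example: diff two JS bundle versions for the indicators in sections 1-4.
// Regexes and sample bundles are constructed for this example, not from the page.
const SIGNALS = {
  // 1) Auth & session: tokens read/written outside httpOnly cookies,
  //    tokens passed through postMessage, cookies with SameSite=None (Secure checked below),
  //    OAuth redirect targets, reset/recovery style endpoints.
  tokenStorage: /\b(?:localStorage|sessionStorage)\.(?:setItem|getItem)\(\s*["'`][^"'`]*(?:access|auth|id|jwt|token)[^"'`]*["'`]/gi,
  tokenPostMessage: /postMessage\([^)]*(?:jwt|token)[^)]*\)/gi,
  sameSiteNone: /["'`][^"'`]*SameSite=None[^"'`]*["'`]/gi,
  oauthRedirect: /\b(?:redirect_uri|post_logout_redirect_uri)\s*[=:]\s*["'`][^"'`]*["'`]/g,
  resetEndpoints: /["'`](\/[\w\-\/]*(?:reset|recovery|verify|otp)[\w\-\/]*)["'`]/gi,
  // 2) Privilege & feature controls: flag and role strings.
  flagsAndRoles: /\b(?:enableAdmin|betaPayments|bypassKyc|isStaff|isInternal|entitlements|scopes)\b/g,
  // 3) Endpoint discovery: absolute URLs, newly used verbs, sensitive body/query keys.
  urls: /(?:wss?|https?):\/\/[^"' )]+/g,
  verbs: /method\s*:\s*["'`](?:DELETE|PUT|PATCH|OPTIONS)["'`]/gi,
  params: /\b(?:role|price|discount|is_admin|user_id|owner_id|redirect|returnTo)\s*:/g,
  // 4) Build artifacts: source map references and secret-looking public env vars.
  sourceMap: /\/\/# sourceMappingURL=\S+/g,
  sensitiveEnv: /\b(?:NEXT_PUBLIC_|REACT_APP_|VITE_)\w*(?:SECRET|KEY|TOKEN|PASSWORD)\w*\b/g,
};

// Extract one Set of hits per signal. Capture group 1 (the path) is used where present.
function extract(bundle) {
  const found = {};
  for (const [name, re] of Object.entries(SIGNALS)) {
    let hits = [...bundle.matchAll(re)].map(m => m[1] ?? m[0]);
    // A SameSite=None cookie is only a finding when the Secure attribute is missing.
    if (name === 'sameSiteNone') hits = hits.filter(h => !/\bSecure\b/i.test(h));
    found[name] = new Set(hits);
  }
  return found;
}

// Return only indicators present in newBundle that were absent from oldBundle.
function diffBundles(oldBundle, newBundle) {
  const before = extract(oldBundle);
  const after = extract(newBundle);
  const added = {};
  for (const name of Object.keys(SIGNALS)) {
    const fresh = [...after[name]].filter(h => !before[name].has(h));
    if (fresh.length) added[name] = fresh;
  }
  return added;
}

// Constructed sample bundles (hostnames under the reserved .test TLD).
const OLD_BUNDLE = `
fetch("https://api.example.test/v1/orders",{method:"GET"});
document.cookie="session=abc; SameSite=None; Secure";
`;
const NEW_BUNDLE = `
fetch("https://api.example.test/v1/orders",{method:"GET"});
fetch("https://api.example.test/v1/orders/"+id,{method:"DELETE"});
fetch("/api/auth/password-reset",{method:"POST"});
fetch("https://internal-admin.example.test/graphql",{body:JSON.stringify({role:r,user_id:u})});
localStorage.setItem("access_token",t);
window.opener.postMessage({jwt:t},"*");
document.cookie="session=abc; SameSite=None; Secure";
document.cookie="id_token=abc; SameSite=None";
const cfg={redirect_uri:"https://app.example.test/cb",enableAdmin:flags.enableAdmin};
if(process.env.REACT_APP_STRIPE_SECRET_KEY){}
//# sourceMappingURL=app.3f2a.js.map
`;

console.log(JSON.stringify(diffBundles(OLD_BUNDLE, NEW_BUNDLE), null, 2));
```

Run against the two samples, the report lists the new DELETE call, the new GraphQL and admin hosts, the reset endpoint, the token written to localStorage and sent via postMessage, the SameSite=None cookie lacking Secure, the redirect_uri and enableAdmin strings, the secret-looking REACT_APP_ variable, and the source map reference, while the unchanged orders endpoint and the correctly flagged session cookie produce nothing. Diffing against the previous build rather than scanning each build in isolation is what keeps the alert volume manageable on a large bundle.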
5) Client-side sinks & sanitization