Auth is present but authorization is missing on sensitive actions.
VibeFix
Find security risks in your AI-built app before users do
VibeFix checks auth, data access, secrets, payment flows, Supabase rules, injection risk, and unsafe admin paths.
Highest leverage finding
Payment state can drift from app state
Checkout can succeed while booking and entitlement records remain incomplete after webhook retries.
app/api/stripe/webhook/route.ts
supabase/policies.sql
tests/checkout.spec.ts
Security surfaces checked
VibeFix separates symptoms from launch blockers.
Payment completion can drift from database persistence.
Secrets, env files, or admin paths may leak into unsafe places.
What you get
A report that explains the risk and the next patch boundary.
Each finding has a plain-English founder summary and expandable technical evidence with affected files, recommended fixes, acceptance criteria, and regression cautions.
Sample findings
The output is specific enough to scope repair work.
User-owned data is fetched without organization or owner scoping.
Secrets are referenced directly instead of through a validated server-only boundary.
Webhook handling lacks idempotency and signature-verification evidence.
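The two webhook findings above (payment state drifting from persisted records, and a handler without idempotency or signature verification) describe one failure mode: a retried event is processed twice, or an unsigned one is processed at all. The following is an added example of the hardened shape, not VibeFix's or any customer's code. It assumes a Stripe-style signature header of the form `t=<unix seconds>,v1=<hex HMAC-SHA256 over "<t>.<raw body>">`, a shared secret `whsec_...`, and an in-memory store standing in for the booking, entitlement and processed-event tables a real app would keep in its database; event ids and payloads are constructed for the demo.

```typescript
// Added example (not from the page): an idempotent, signature-checked webhook
// handler. Assumed header format: "t=<unix>,v1=<hex hmac>" over "<t>.<rawBody>".
import { createHmac, timingSafeEqual } from "node:crypto";

export interface CheckoutEvent {
  id: string;                                  // provider event id, e.g. evt_...
  type: string;                                // e.g. checkout.session.completed
  data: { session_id: string; user_id: string };
}

// In-memory stand-in for the three tables a real app would write to.
export interface Store {
  processedEvents: Set<string>;                // event ids already applied
  bookings: Map<string, string>;               // session_id -> status
  entitlements: Set<string>;                   // user ids granted access
}

export function newStore(): Store {
  return { processedEvents: new Set(), bookings: new Map(), entitlements: new Set() };
}

// Produce a header the way the sending side would (used here to build test input).
export function sign(secret: string, rawBody: string, timestamp: number): string {
  const mac = createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest("hex");
  return `t=${timestamp},v1=${mac}`;
}

// Verify the header against the raw body. Rejects malformed headers, stale
// timestamps (replay window, 5 minutes by default) and MAC mismatches, using a
// constant-time comparison so the check does not leak how many bytes matched.
export function verifySignature(
  secret: string, rawBody: string, header: string, now: number, toleranceSec = 300,
): boolean {
  const parts = new Map(header.split(",").map((kv) => kv.split("=") as [string, string]));
  const t = Number(parts.get("t"));
  const v1 = parts.get("v1");
  if (!Number.isFinite(t) || !v1) return false;
  if (Math.abs(now - t) > toleranceSec) return false;
  const expected = createHmac("sha256", secret).update(`${t}.${rawBody}`).digest();
  const given = Buffer.from(v1, "hex");
  return given.length === expected.length && timingSafeEqual(given, expected);
}

export type Outcome = "rejected" | "duplicate" | "ignored" | "applied";

// Handle one delivery. The event id is the idempotency key: a retry of an
// event that was already applied changes nothing and reports "duplicate".
export function handleWebhook(
  store: Store, secret: string, rawBody: string, header: string, now: number,
): Outcome {
  if (!verifySignature(secret, rawBody, header, now)) return "rejected";
  const event = JSON.parse(rawBody) as CheckoutEvent;   // parse only after verification
  if (store.processedEvents.has(event.id)) return "duplicate";
  if (event.type !== "checkout.session.completed") {
    store.processedEvents.add(event.id);
    return "ignored";
  }
  // Booking, entitlement and the processed-event marker are written together.
  // In a real app these three writes belong in one database transaction, so a
  // crash between them cannot leave the booking paid but the entitlement missing
  // and cannot record the event as done before the records exist.
  store.bookings.set(event.data.session_id, "paid");
  store.entitlements.add(event.data.user_id);
  store.processedEvents.add(event.id);
  return "applied";
}

// Constructed walk-through: first delivery, a retry, a tampered body, a stale replay.
export function runDemo(): Outcome[] {
  const secret = "whsec_example_secret";                 // constructed, not a real key
  const store = newStore();
  const body = JSON.stringify({
    id: "evt_demo_1", type: "checkout.session.completed",
    data: { session_id: "cs_demo_1", user_id: "user_demo_1" },
  });
  const header = sign(secret, body, 1_700_000_000);
  return [
    handleWebhook(store, secret, body, header, 1_700_000_010),
    handleWebhook(store, secret, body, header, 1_700_000_020),               // retry
    handleWebhook(store, secret, body.replace("user_demo_1", "user_demo_2"), header, 1_700_000_020),
    handleWebhook(store, secret, body, header, 1_700_000_400),               // outside window
  ];
}
```

The design point is that the processed-event marker and the business records are committed as one unit, so a retry after a partial failure either sees the marker and stops or sees none of the records and applies them all.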
Trust FAQ
Clear access boundaries before code is uploaded.
Do you support private repos?
Yes. The intended production integration uses read-only GitHub access for private repositories. ZIP exports are also supported for Lovable, Bolt, Replit, and similar tools.
Do you train models on my code?
No. The product promise is analysis only. Customer code is not used for model training, and deeper review runs through RubberDuck semantic analysis.
Can I delete my project?
Yes. V1 is designed around delete-after-report controls and revocable repo access. Production storage should enforce deletion and retention policies.
What access do you need?
VibeFix needs read-only source access or a ZIP export, plus any spec, PRD, screenshots, or notes that describe what the app should do.
Launch-readiness report
Turn the app into a launch plan
Upload the repo and spec. Get the gaps, risks, prompt pack, and repair quote before the next sprint decision.