PRE-LAUNCH SECURITY AUDIT

vibe-audit.

You shipped a SaaS in a weekend with Lovable, Bolt or Cursor. It works. You're three days from launch, and the question that won't go away is: what did the AI miss?

This kit answers that question. It's a curated audit your own AI coding tool runs against your codebase. No SaaS, scanner backend or source uploads. You drop the kit into your project, paste a prompt, and your AI walks through 25 findings one at a time, generates a report, and offers to apply fixes.

Buy on Gumroad — $49

Price: $49
Findings: 25
Supplements: 5
Refund: 30 days
Updates: 12 months

THE GAP

The catalog is built on what has actually taken down real apps.

CVE-2025-48757 exposed data from roughly 13,000 users across 170 Lovable apps because Supabase ships Row Level Security disabled by default and the AI didn't think to turn it on. Carnegie Mellon's SusVibes study found that 61% of AI-generated code is functionally correct but only 10.5% is secure. Escape.tech scanned 5,600 vibe-coded apps and found 2,000+ vulnerabilities and 400+ exposed secrets.

These are the patterns the kit catches.

PLATFORM SUPPLEMENTS

Five supplements beyond the generic checklist.

Each covers the specific defaults that bite on that platform.

  • Lovable: Service-role-key-in-client problem. Supabase RLS disabled by default. The pattern behind CVE-2025-48757.
  • Bolt: WebContainer-vs-deploy gap. Code that runs in the browser editor does not match what ships to production.
  • Cursor: Four documented IDE-level CVEs. The tool you're using to write the code has its own attack surface.
  • v0: Vercel env scope leakage between Preview and Production. Variables visible where they shouldn't be.
  • Replit: Separate Secrets store for Deployments trap. Secrets in the editor don't automatically carry to deployed builds.

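To make the Lovable/Supabase default concrete, here is an added example (not from the kit or from Supabase) of the weak state and the hardened state side by side. The table `public.profiles` and its `user_id` column are assumptions made for illustration; `auth.uid()`, the `authenticated` role and the `pg_class.relrowsecurity` flag are real Supabase/PostgreSQL features.

```sql
-- Added example (not part of the vibe-audit kit): hardening a Supabase table
-- against the "RLS disabled by default" pattern from the Lovable supplement.
-- The table and column names (public.profiles, user_id) are assumptions.

-- Weak state: a freshly created table has RLS off, so any client holding the
-- public anon key can read and write every row through the REST API.
create table if not exists public.profiles (
  id           bigint generated always as identity primary key,
  user_id      uuid not null references auth.users (id) on delete cascade,
  display_name text,
  email        text
);

-- Hardened state: turn RLS on and make it apply even to the table owner.
alter table public.profiles enable row level security;
alter table public.profiles force row level security;

-- With RLS on and no policies, every anon/authenticated request is denied.
-- Add only the narrowest policies the app needs: a signed-in user can see
-- and edit rows whose user_id matches the subject of their own JWT.
create policy "profiles: owner can read"
  on public.profiles for select
  to authenticated
  using (auth.uid() = user_id);

create policy "profiles: owner can update"
  on public.profiles for update
  to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

create policy "profiles: owner can insert"
  on public.profiles for insert
  to authenticated
  with check (auth.uid() = user_id);

-- Check: list tables in the public schema that still have RLS off. Anything
-- returned here is reachable by every anon-key holder and needs the fix above.
select n.nspname as schema_name, c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'
  and not c.relrowsecurity;
```

Policies only protect requests made with the anon or user keys; the service-role key bypasses RLS entirely, which is why the supplement pairs this finding with the service-role-key-in-client problem. That key belongs in server-side code or a secrets store, never in a bundle the browser can download.
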
WHAT'S IN THE KIT

What you actually get, and what you don't.

You Get

  • The 25-finding catalog with detection prompts and fix prompts
  • Five platform supplements (Lovable, Bolt, Cursor, v0, Replit)
  • A rules file template your AI reads on every turn to prevent these patterns from being created in the first place
  • A one-shot audit prompt that walks your AI through the catalog and writes a security report into your project
  • 12 months of updates as the patterns evolve and new platforms get added

You Don't Get

  • A guarantee. No audit is exhaustive. This catches the patterns that have actually taken down vibe-coded apps in production. If you have real users and regulated data, hire a pentester.
  • A scanner. This isn't a service you upload code to. It runs locally in your own AI session. Your source never leaves your machine.
  • A subscription. One-time purchase. Updates included for 12 months. After that, ongoing access pricing will be announced before the 12-month mark.

HOW IT ACTUALLY WORKS

Four steps.

  1. Buy the kit and download the zip.

  2. Copy the contents of install/ into your project root. Two install modes documented — drop-at-root or @import from an existing rules file.

  3. In a fresh AI session, paste: "Run the security audit defined in AI-AUDIT-CHECKLIST.md. Go through each finding one at a time."

  4. Your AI investigates your codebase finding by finding, writes a report into security/REPORT.md in your project, and offers to apply fixes.

Typical audit takes 15 to 45 minutes depending on codebase size and how much your AI has to read.

Who This Is For. Who It's Not.

FOR

+ Developers who shipped with Lovable, Bolt, Cursor, v0, or Replit and haven't run a security check before going live with real users.

+ Solo operators without a security background who are deploying apps with real users, real data, or payment flows.

+ Multi-project operators who shipped an AI-built SaaS and want to know what the AI left behind before they go live.

NOT FOR

Anyone who needs a formal penetration test or audit trail for regulated data. This is the pre-launch sanity check, not the report-of-record. Hire a pentester.

Teams with security budgets and pentesters already on retainer. Your needs are different.

Anyone looking for prompt packs. This is operating infrastructure.

PRICING

$49 standalone. $19 add-on for loopstack buyers (coming soon).

Standalone: $49
loopstack buyer add-on: $19
Refund window: 30 days
Updates included: 12 months

The loopstack OS is launching soon. Buyers will receive an add-on code tied to their original purchase receipt.

Questions

How do I actually run the audit?

You drop the kit into your project and paste one prompt. From there your own AI runs the audit against your code and writes the report back into the project. The findings come with fixes, not just flags.

Which coding tools does it run in?

Any tool that reads a project rules file at the root. Claude Code, Cursor, GitHub Copilot, Windsurf and Gemini CLI all have tested patterns in the kit.

How is this different from the free GitHub repos?

The foundation overlaps with benavlabs/vibe-check (17 findings, MIT licensed, attributed). Beyond that: eight findings original to this kit, five deeply researched platform supplements with CVE citations, a packaged rules file plus audit checklist procedure, and 12 months of updates as the patterns evolve. Roughly 75% of what you read is original work. The rest is curation and rewriting of public material with attribution kept.

Does my code go anywhere?

No. Everything runs inside your own AI session. The kit is a set of markdown files your AI reads next to your code. No SaaS, scanner backend or upload.

Catch what was missed, before you launch.

Buy on Gumroad — $49