For founders & builders shipping AI-built apps

The security checkvibe-coding skips.

AI builders optimize for “make it work,” not “make it safe” — and nearly half of AI-generated code ships with a known vulnerability. Run this gate before your first public launch: mark six controls, get one verdict, and find the one thing to fix first.

Get the Gate — $79one-time · instant download · yours to keep
Five deliverables · runnable
Runnable Python gate engine
stdlib
Workbook that reproduces it
.xlsx
Pre-launch audit playbook
.docx
Fix-the-control runbook
.docx
7-app worked sample
.csv
Works alongside
Hardening Kit · MCP Builder Kit · Go-Live Gate
01.The Problem

The app runs. That isn't the same as the app being safe.

~45%

of AI-generated code ships with at least one known vulnerability when reviewed without human oversight.

#1

vibe-coding fault of 2026: a secret — an API key, a database credential — left in client-side JavaScript.

3 days

from launch to a 1.5M-token breach in the headline 2026 case: a public DB key in the client with no access control.

None of these are exotic. They are the same handful of failure modes — exposed secrets, broken auth, missing validation — that repeat across every builder and every breach write-up. The fix isn't hard; it's a checklist you run before you launch. This gate is that checklist with a verdict.

02.See It Work

Mark six controls. Get one verdict — and the gate.

Try a preset:
Secrets out of the client bundle & repogate

No API keys, DB creds, or tokens in client JS or committed code.

wt 22
Server-side auth on every sensitive routegate

Every sensitive endpoint checks a valid session server-side — not frontend-only.

wt 22
Input validation & injection defense

Inputs validated; parameterized queries; SQLi / XSS / prompt-injection defended.

wt 16
Dependency & supply-chain integrity

Dependencies real & audited; no hallucinated or slop-squatted packages.

wt 14
No verbose errors, debug, or source maps in prod

Prod hides stack traces and schemas; no exposed source maps.

wt 12
Access control actually tested

Ownership / row-level access tested by calling endpoints as another user.

wt 14
DO NOT SHIP
78
score / 100

Gate: a fatal control (Server-side auth on every sensitive route) is scored 0 — DO NOT SHIP regardless of the 78 score. Lift it to at least 1 and the gate releases.

Fix first: Server-side auth on every sensitive route

Runs entirely in your browser and resets on reload. The downloadable engine and workbook produce the identical verdict from the same marks. Scores the app you describe, not people.

03.The Engine

The same verdict from a runnable, offline engine.

The download ships a zero-dependency Python engine. Point it at a CSV of apps and it returns the identical score, verdict, and fix-first the demo and workbook produce. Here is the shipped 7-app sample:

==================================================================
VIBE-CODED APP PRE-LAUNCH SECURITY GATE        as of 2026-06-28
==================================================================

  Stripe Checkout MVP
    Score 78/100   ->   DO NOT SHIP
    GATE: fatal fault (Server-side auth on every sensitive route) at 0 -> DO NOT SHIP regardless of score
    Fix first: Server-side auth on every sensitive route

  Internal Ops Dashboard
    Score 100/100   ->   LAUNCH-READY

  Waitlist Landing + Form
    Score 85/100   ->   LAUNCH-READY
    Fix first: Input validation & injection defense

  AI Resume Reviewer
    Score 50/100   ->   HARDEN FIRST
    Fix first: Secrets out of the client bundle & repo

  Community Forum (Lovable)
    Score 32/100   ->   DO NOT SHIP
    GATE: fatal fault (Secrets out of the client bundle & repo) at 0 -> DO NOT SHIP regardless of score
    Fix first: Secrets out of the client bundle & repo

  Booking Widget
    Score 87/100   ->   LAUNCH-READY
    Fix first: Dependency & supply-chain integrity

  Habit Tracker (Bolt)
    Score 67/100   ->   HARDEN FIRST
    Fix first: Server-side auth on every sensitive route

==================================================================
  BATCH ROLLUP: BLOCK LAUNCH
==================================================================

The Stripe Checkout MVP scores 78 — a LAUNCH-READY number — and still reads DO NOT SHIP, because it ships one open sensitive route. That is the gate doing its job: a high average can't hide one fatal fault.

04.The Standard

Six controls. Two of them are fatal on their own.

Secrets out of the client bundle & repo

gate

No API keys, database credentials, or tokens in client JavaScript or committed code. The #1 vibe-coding vulnerability of 2026 and a fatal control on its own.

Server-side auth on every sensitive route

gate

Every sensitive endpoint verifies a real session server-side — not a frontend-only check an attacker bypasses by calling the API directly. The second fatal control.

Input validation & injection defense

Inputs validated, queries parameterized, output encoded — SQL injection, XSS, and prompt injection all defended at the boundary.

Dependency & supply-chain integrity

Every dependency is real and audited; no hallucinated or slop-squatted packages; the lockfile is pinned.

No verbose errors, debug, or source maps in prod

Production hides stack traces and schemas, logs no tokens, and ships no source maps that hand an attacker a map of your code.

Access control actually tested

Ownership and row-level access tested by calling endpoints as a different user — not assumed because the code 'looks right.'

05.What This Is — And Isn't

A launch decision, not a scanner — and not the hardening itself.

What it is
  • A deterministic go/no-go you run at the launch moment, from marks you enter.
  • A single verdict with a dispositive gate that catches the two fatal faults a high score hides.
  • Stack-agnostic — Lovable, Bolt, v0, Replit, Cursor, Claude Code, or hand-assembled.
  • An engine, a workbook, and a demo that all return the same number.
What it isn't
  • Not a scanner, SAST tool, or penetration test — it connects to nothing and uploads nothing.
  • Not the depth hardening work (that's the Hardening Kit it routes you to).
  • Not a guarantee or a certification — fixing what it catches is on you.
  • Not a score of any person; it grades the app artifact only.

A readiness aid, not a security audit. It scores the marks you enter for the app you describe — it never scans, connects to, or runs your app, and it scores no person. Pair it with static analysis, a manual review, and (for apps handling payments, regulated, or personal data) qualified security and legal counsel. Not a penetration test and not legal advice.

06.Who It's For

If an AI built most of your app and it's about to go live.

Built for
  • Founders and indie hackers shipping a vibe-coded MVP to real users.
  • No-code and low-code builders without a security reviewer on the team.
  • Agencies clearing a client's AI-built app before they put their name on the launch.
  • Anyone who's about to flip a Lovable / Bolt / Replit app from preview to public.
Not for
  • Teams that need code-level findings — run a scanner and a manual review instead.
  • Regulated, payment, or high-risk apps as the only review — add professional security counsel.
  • Anyone wanting an automatic fix; this decides go/no-go and names the fault, you do the work.
08.Common Questions

The questions buyers ask first.

Six security controls that the 2026 vibe-coding breach post-mortems keep surfacing: secrets kept out of the client bundle and repo, server-side auth on every sensitive route, input validation and injection defense, dependency and supply-chain integrity, no verbose errors or debug or source maps in production, and access control that has actually been tested. You mark each control 0, 1, or 2 for the deployed app and the engine returns LAUNCH-READY, HARDEN FIRST, or DO NOT SHIP plus the one control to fix first.

Don't let “it works”
be your security review.

Run the gate before you launch. One purchase, lifetime access, 12 months of updates. $79, once.

A readiness aid, not a security audit. It scores the marks you enter for the app you describe — it never scans, connects to, or runs your app, and it scores no person. Pair it with static analysis, a manual review, and (for apps handling payments, regulated, or personal data) qualified security and legal counsel. Not a penetration test and not legal advice.

Sold by RedHub AI LLC · Secured by Stripe · redhub.ai