Free tool

Vibe-Code Audit Checklist

9 things that break first in AI-generated SaaS apps. Built with Cursor, Lovable, Bolt, or Claude? Run this checklist before your users find the bugs for you.

No email required - just use it

0 / 9

checks completed

Your foundations look solid. Keep shipping.

Some weak spots. Worth fixing before your next paying customer.

Your app is carrying serious risk. These issues will surface as customer-facing incidents.

01 / 09

Data isolation between users

Change a user ID in any API request (URL parameter or request body). Can you see another user's data? If yes, you have no row-level security - this is the issue that kills companies.

02 / 09

No swallowed errors

Search your codebase for empty catch blocks: catch (e) { }. AI generates these constantly. Payments fail silently, webhooks drop without retry, data writes fail and nobody knows.

03 / 09

No secrets in git history

Check your git history for committed API keys, database URLs, or secrets. Even if you rotated the key, the old one is still in your git history. Anyone with repo access has your production credentials.

04 / 09

Webhook idempotency

Send the same Stripe or Clerk webhook event twice. Does it create duplicate charges, users, or notifications? If your handler is not idempotent, a retry from the provider creates real customer-facing problems.

05 / 09

Soft deletes or recovery

Delete something as a user. Can you recover it? AI-generated code uses hard deletes by default. The first time a paying customer accidentally deletes something important, you need a recovery path.

06 / 09

Error resilience

Turn off your internet and trigger an action that calls an external API (payment, email, etc.). Does the app crash, hang forever, or handle it gracefully with a retry or error message?

07 / 09

Concurrent session handling

Open your app in two browser tabs as the same user. Do both sessions stay valid? Make a change in one tab - does the other tab reflect it or break? AI auth code often fails with concurrent sessions.

08 / 09

Production monitoring

Do you have error tracking in production? Sentry, LogSnag, or even basic structured logging. If you are finding out about bugs from user complaints, you are already behind.

09 / 09

Database migration system

Look at your database setup. Is there a migrations folder with versioned changes, or just raw SQL and Supabase dashboard edits? Without migrations, your next schema change is a production risk.

3+ items failed?

I run a fixed-scope, one-week stabilization audit for solo SaaS founders. I go through your codebase, find every boundary condition that will break, and deliver a prioritized fix list. You pay only after the audit document is in your inbox. $1,500-2,500 CAD.

Get a fixed-price audit

Want the full breakdown of each issue and how to fix it? Read the complete guide: From Vibe Code to Production