The report, published in full.
Most audit shops tell you their reports are readable. We would rather show you. This is a real audit, run with our full pipeline on our own production app, so you can see exactly what you get before you spend a dollar.
App: Orbit, a production personal-ops dashboard (Next.js + Supabase + Vercel) · Reviewed: July 2026 · Honest framing: Orbit is professionally built, not vibe-coded, so it scores greener than a typical first audit. We published it anyway, findings and all. That is the point.
Ready
launch-readiness, with 2 cleanups
Fix before you launch
0 found
Nothing. No exposed secrets, no open database, no logged-out access to private data. This is the part most apps fail, and this one passes it.
Fix before you get traction
2 found
An unprotected endpoint can run up the AI bill
WHAT WE FOUND
One route runs a live AI classification every time it is called, and it does not check who is calling.
WHERE
POST /api/atlas/inbox-triage?force=1
WHAT COULD HAPPEN
Someone who finds the URL could script it to fire hundreds of times an hour. Each call spends real money with the AI provider. No data leaks, but you would wake up to a surprise bill.
THE FIX
Require the logged-in user, or a shared secret, before running the job, the same way the app's scheduled routes already do. EFFORT: SMALL
The email webhook trusts anyone who calls it
WHAT WE FOUND
The inbound email endpoint acts on whatever it receives, without verifying the message actually came from the email provider.
WHERE
app/api/webhooks/gmail/route.ts
WHAT COULD HAPPEN
Someone could send a fake "you have new mail" message and force busywork inside the app. Low impact today, but it is an open door, and worth closing before more sensitive actions hang off the same hook.
THE FIX
Verify the provider's signed token, or require a shared secret in the URL, matching how the app's other webhook already verifies its signature. EFFORT: SMALL
What is already right
6 found
Every report includes this section, so you know what not to touch.
Secrets are clean
No API keys or private credentials in the repo or the browser. The only keys shipped to the browser are the ones designed to be public.
Login is enforced on the server
Logged-out visitors are bounced to the login page for everything private. Access is not just hidden in the UI.
The powerful database key stays server-side
The key that can bypass all rules never reaches the browser, and is only used inside server routes.
Almost every endpoint checks its caller
80 of 86 API routes verify a session, a secret, or a signature before doing anything.
It fails gracefully
If the database provider has an outage, users get sent to login instead of a crashed page.
Errors are monitored
Production failures are reported to an error tracker, which most early apps cannot say.
What we would do next
Both fixes are a few lines each, something you or your AI tool can knock out in one sitting. Start with the first one, since it touches your wallet. On a client app, this is where we would offer The Last 20 to just do them for you and redeploy.
Appendix: the full checklist
01Secrets and keys
Pass. None leaked; public keys are correctly public.
02Logins and access
Pass. Server-side session guard on every private page.
03Database rules
Pass. Powerful key server-only; row-level policies recommended for a spot-check.
04API endpoints
2 warnings. The two findings above.
05Payments
Not applicable. No payment flow in this app.
06Deploy readiness
Pass. Live, monitored, custom domain and SSL.
07Data and privacy
Pass. No personal data over-fetching found.
08Reliability
Pass. Core flows hold up when a dependency fails.
Want this for your app?
A real vibe-coded app usually comes back with more red than this. Better to see it on our report than in your inbox after launch.
Start with the free look →