The report, published in full.

Most audit shops tell you their reports are readable. We would rather show you. This is a real audit, run with our full pipeline on our own production app, so you can see exactly what you get before you spend a dollar.

App: Orbit, a production personal-ops dashboard (Next.js + Supabase + Vercel) · Reviewed: July 2026 · Honest framing: Orbit is professionally built, not vibe-coded, so it scores greener than a typical first audit. We published it anyway, findings and all. That is the point.
Ready
launch-readiness, with 2 cleanups
0
critical issues
2
worth fixing soon
6
already solid

Fix before you launch

0 found

Nothing. No exposed secrets, no open database, no logged-out access to private data. This is the part most apps fail, and this one passes it.

Fix before you get traction

2 found

An unprotected endpoint can run up the AI bill

WHAT WE FOUND
One route runs a live AI classification every time it is called, and it does not check who is calling.
WHERE
POST /api/atlas/inbox-triage?force=1
WHAT COULD HAPPEN
Someone who finds the URL could script it to fire hundreds of times an hour. Each call spends real money with the AI provider. No data leaks, but you would wake up to a surprise bill.
THE FIX
Require the logged-in user, or a shared secret, before running the job, the same way the app's scheduled routes already do. EFFORT: SMALL

The email webhook trusts anyone who calls it

WHAT WE FOUND
The inbound email endpoint acts on whatever it receives, without verifying the message actually came from the email provider.
WHERE
app/api/webhooks/gmail/route.ts
WHAT COULD HAPPEN
Someone could send a fake "you have new mail" message and force busywork inside the app. Low impact today, but it is an open door, and worth closing before more sensitive actions hang off the same hook.
THE FIX
Verify the provider's signed token, or require a shared secret in the URL, matching how the app's other webhook already verifies its signature. EFFORT: SMALL

What is already right

6 found

Every report includes this section, so you know what not to touch.

Secrets are clean
No API keys or private credentials in the repo or the browser. The only keys shipped to the browser are the ones designed to be public.
Login is enforced on the server
Logged-out visitors are bounced to the login page for everything private. Access is not just hidden in the UI.
The powerful database key stays server-side
The key that can bypass all rules never reaches the browser, and is only used inside server routes.
Almost every endpoint checks its caller
80 of 86 API routes verify a session, a secret, or a signature before doing anything.
It fails gracefully
If the database provider has an outage, users get sent to login instead of a crashed page.
Errors are monitored
Production failures are reported to an error tracker, which most early apps cannot say.

What we would do next

Appendix: the full checklist

01Secrets and keys
Pass. None leaked; public keys are correctly public.
02Logins and access
Pass. Server-side session guard on every private page.
03Database rules
Pass. Powerful key server-only; row-level policies recommended for a spot-check.
04API endpoints
2 warnings. The two findings above.
05Payments
Not applicable. No payment flow in this app.
06Deploy readiness
Pass. Live, monitored, custom domain and SSL.
07Data and privacy
Pass. No personal data over-fetching found.
08Reliability
Pass. Core flows hold up when a dependency fails.

Want this for your app?

A real vibe-coded app usually comes back with more red than this. Better to see it on our report than in your inbox after launch.

Start with the free look