
Bolt.new security checklist: The step-by-step guide to secure your Bolt.new app in 2026.
A founder shipped a Bolt app with an OpenAI key hardcoded in frontend code. By morning, the key was scraped and their bill jumped by hundreds of dollars.
Pre-deploy and platform-specific security checklists for AI-built apps. Use them to catch launch blockers before auth, data, and API mistakes ship live.

Cursor's Workspace Trust is disabled by default. A hidden runOn: folderOpen task can exfiltrate your .env before you finish your coffee.

A researcher found a Lovable app with 18,000 users leaking names, emails, debt amounts, and home addresses. The root cause: public client access plus weak RLS policy enforcement.
A team shipped an MVP from Replit with the repl left Public. The URL got shared, and so did the full source — including database credentials in code comments.
A founder shipped a gorgeous v0 interface connected to Supabase without enabling access controls. Visitors could query records they were never supposed to see.
A developer asked Cascade to simplify an auth flow. It removed token expiry checks across four files. The app still worked in testing. Sessions no longer expired in production.
Use this checklist before every release to catch the secrets, access control gaps, and API exposure issues that vibe-coded apps commonly ship with.
These guides explain the pattern. Ubserve checks whether the same issue is live in your app and returns fix-ready evidence.