Engineering audits for AI-generated code

We audit AI-built apps for what AI didn't think to check.

An AI tool writes you a login flow, an API, and a Stripe webhook in fifteen minutes. None of those pieces, by default, knows the others exist. Same pattern across Lovable, Bolt, Cursor, and v0.

How it works

Start free. Pay only for the work you ask us to do.

Three tiers. Each one stands alone, so you can stop after any of them. No retainers, no hourly billing.

Most audits surface enough to act on by the second tier. The sprint is for when you need the fixes shipped, not just listed.

1. Free audit call ($0, 30 min)
   Scoping call plus read-only repo access. One-page list of findings within 48 hours.

2. Express audit ($750, 2 days)
   Written report, severity-ranked. Code excerpts and recommended fixes for each finding.

3. Audit + fix sprint ($3,500, 1-2 weeks)
   We ship PRs against your repo. Top 5-10 issues, with the negative tests AI didn't write.

Pattern catalog

The patterns we read for.

AI tools write the happy path beautifully. What they skip is everything else: the adversarial request, the second user, the failed payment.

Every vibe-coded app ships with some subset of the catalog below, which lists twelve of the most common patterns. Each one gets its own teardown on the blog.

01  Page-vs-API split  [CRIT]
    Middleware protects /dashboard. The API routes the dashboard calls have no such check.

02  Open-database default  [CRIT]
    Supabase RLS off. The database doesn't refuse cross-tenant reads.

03  Unsigned webhooks  [CRIT]
    request.json() trusts whatever arrives. Anyone with the URL can mark invoices paid.

04  Service-role keys in the client bundle  [CRIT]
    Supabase admin keys imported into client components. They ship to every browser.

05  Unmetered AI endpoints  [HIGH]
    OpenAI key, called once per click. One bad actor runs your bill to four figures in an afternoon.

06  Wildcard CORS  [HIGH]
    Any site can make authenticated requests on behalf of a logged-in user.

07  Body-spread inserts  [CRIT]
    Mutation routes pass req.body to .insert(). Users write any column. Self-promotion to admin via one POST.

08  Error responses leak internals  [MED]
    Stack traces returned to clients. Table names, file paths, env var names visible on any 500.

09  Schemas changed by hand  [MED]
    No migration history. No rollback path. Production drift you can't reproduce locally.

10  N+1 queries everywhere  [MED]
    Loops that hit the database once per item. Fine at ten users. Times out at a thousand.

11  No idempotency on payments  [HIGH]
    Double-clicking the checkout button charges the card twice.

12  No logging, no monitoring  [MED]
    When something breaks in production, you find out from an angry customer email.

12 patterns: 5 critical, 3 high, 4 medium.

Read the teardowns →
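A second added example (again not the audit service's code, and not from any named tool) shows the hardened shape of a mutation route, covering patterns 01, 06 and 07 together: the API handler checks the session itself instead of relying on the page middleware, echoes the `Origin` header only when it is on an allow-list, and copies only allow-listed columns out of the request body so `role` cannot be set by a client. The request and session shapes, the `getSession` dependency and the in-memory `db` are assumptions standing in for a framework handler and a Supabase client. One caveat on pattern 06: browsers refuse `Access-Control-Allow-Origin: *` when credentials are sent, so the variant that actually bites is a server that reflects any `Origin` while `Access-Control-Allow-Credentials` is `true`; the allow-list below is the fix for both.

```javascript
// Added example: hardened mutation route. Request/session shapes, getSession
// and the in-memory db are ASSUMPTIONS standing in for real framework pieces.

// Pattern 07: columns a user may set on their own profile. Everything else
// (role, tenant_id, credits, ...) is owned by the server.
const PROFILE_WRITABLE = ['display_name', 'bio', 'avatar_url'];

// Return only allow-listed keys, and report the rest so the route can
// reject the request instead of silently dropping fields.
function pickWritable(body, allowed) {
  const picked = {};
  const rejected = [];
  for (const [key, value] of Object.entries(body || {})) {
    if (allowed.includes(key)) picked[key] = value;
    else rejected.push(key);
  }
  return { picked, rejected };
}

// Pattern 06: echo the Origin only if it is on the allow-list; otherwise send
// no CORS headers at all, so the browser blocks the cross-site read.
function corsHeadersFor(origin, allowedOrigins) {
  if (!origin || !allowedOrigins.includes(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // caches must not serve one origin's response to another
  };
}

// Pattern 01: the API route authenticates on its own; it never assumes the
// /dashboard middleware already ran. `getSession(req)` is an assumed
// injectable dependency (cookie or JWT lookup) returning { userId } or null.
function createProfileUpdateHandler({ getSession, db, allowedOrigins }) {
  return function handle(req) {
    const headers = corsHeadersFor(req.headers.origin, allowedOrigins);
    const session = getSession(req);
    if (!session) return { status: 401, headers, body: { error: 'unauthenticated' } };

    const { picked, rejected } = pickWritable(req.body, PROFILE_WRITABLE);
    if (rejected.length) {
      return { status: 400, headers, body: { error: 'unknown fields', fields: rejected } };
    }
    // Ownership comes from the session, never from the body.
    const row = db.update('profiles', { user_id: session.userId }, picked);
    return { status: 200, headers, body: row };
  };
}

// Constructed in-memory stand-in for the database, enough to run the handler.
function createMemoryDb(rows) {
  return {
    rows,
    update(table, where, patch) {
      const row = this.rows[table].find((r) => r.user_id === where.user_id);
      Object.assign(row, patch);
      return { ...row };
    },
  };
}
```

Rejecting unknown fields with a 400 rather than silently stripping them is a deliberate choice: it makes the negative test (a POST carrying `role: "admin"`) fail loudly, which is exactly the kind of test the catalog says AI-generated code never writes. With Supabase specifically, this allow-list belongs in addition to, not instead of, row-level security (pattern 02).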

By tool

Different tool, different failure modes.

The catalog is universal. Its distribution shifts depending on which AI tool produced the code.

Each landing page lists the patterns we see most often in code from that tool, with example fixes.

Thirty minutes. Written list in forty-eight hours. We don't follow up unless you ask. The list tells you what's exposed. You decide whether that warrants the next step.

Book a free audit