
Free Download

The 47 checks AI tools don't do for you

This is the exact 47-point checklist I run on every AI-built app before it goes to production. Not a generic list. Built from real post-mortems, real audits, real failures.


Matt Turley, 20 years in production systems, 50+ AI-built apps reviewed. 53% of teams discover AI-generated app issues only after shipping. (GitClear, 2024)

Cursor · Lovable · Bolt · Replit · Windsurf · Claude Code

FIG 1.0: What gets missed

AI says it's done

Auth flow is working
Stripe checkout live
Database queries run
API returns data
Deployed to prod

This checklist asks

Can users bypass auth?
Are webhooks verified?
Who can read all rows?
What does the API expose?
Which secrets are public?

AI tools optimize for "working code". This checklist optimizes for "safe code". Those aren't the same thing.

Patterns that survive “it works” but fail in production

These come up in nearly every AI-built app. If you shipped without reviewing these, they're probably still there.

API keys hardcoded in client-side code

Lovable / Bolt

Common in Lovable and Bolt projects: keys end up in the browser bundle and are visible to anyone in devtools. Usually found in the first pass.

Database rows accessible without auth checks

Supabase + AI

Supabase ships with RLS disabled. AI tools almost never turn it on. Any authenticated user can query any table.

Webhook endpoints that accept any payload

Stripe + AI

AI-generated Stripe integrations rarely verify webhook signatures. Anyone can POST a fake payment event and trigger fulfillment.

Rate limiting missing on login endpoints

All AI tools

No limit on failed login attempts means brute-force is trivially easy. A $5/month VPS can cycle through 10,000 passwords in an hour.

Environment variables leaking into client bundles

Next.js / Vite

Next.js and Vite have specific naming rules about what gets exposed to the browser. AI tools get this wrong more often than not.

Six areas. 47 checks total.

Security

API keys, auth flows, exposed endpoints

Database

Row-level security, backups, connection security

Payments

Webhook verification, price manipulation guards

Performance

Query optimization, caching, load testing

Error Handling

Graceful failures, logging, alerting

Environment

Secrets management, prod vs dev config

Get the checklist

Free. Sent to your inbox immediately.

A few items from the list

[ ] API keys not present in client bundle or git history (check devtools Network tab and public repo search)
[ ] Stripe webhook endpoint verifies stripe.webhooks.constructEvent() signature before processing any event
[ ] Supabase Row Level Security enabled on all user-facing tables (RLS is off by default in new projects)
[ ] Auth endpoints rate-limited: /api/auth/login accepts no more than 5 failed attempts per IP before lockout
[ ] NEXT_PUBLIC_ prefix not used on any secret keys (any env var with this prefix is bundled into the browser)
... 42 more in the full checklist

Want someone to run this for you?

The checklist is the DIY version. A $349 Vibe Check is the done-for-you version: independent senior review, written report, and launch verdict in 5 business days.

See the $349 Vibe Check