Pre-launch security · Built for vibe-coded apps

Vibe-coded it fast?
StackShield checks it before launch.

StackShield is a pre-launch safety net for apps you've shipped fast with vibe-coding tools like Lovable, Bolt, v0, Cursor, or Replit. Connect your Supabase, GitHub, or Vercel — one of them or all three — and it runs the simple checkups that catch the boring stuff (leaked keys, broken RLS, open CORS) before your first real user does. Not a full pentest — just the basics, done before you go live.

  • Least-privilege tokens
  • PRs, never silent merges
  • First scan under 90 seconds
stackshield-agent (live)
$ stackshield scan --surfaces=supabase
⚡ [Agent] Authenticating with service role…
⚡ [Agent] Enumerating public schema (12 tables)
🚨 [Alert] 'profiles' has RLS DISABLED
🚨 [Alert] 'orders' grants anon SELECT
🛡️ [Fixed] Added owner-scope policy on profiles
🛡️ [Fixed] Revoked anon, applied admin-only on orders
✓ Scan complete — receipt rcpt_8f2a1c4 ready

Connects to the surfaces you already use

  • Supabase
  • GitHub
  • Vercel

How it works

Four steps. No surprises.

StackShield isn't a dashboard you have to learn. It's an agent you turn on, watch, and verify.

01. Connect what you've got

One surface or all three. Database only? Fine. Just the repo? Also fine. StackShield scopes to what you authorize.

02. Watch the agent work

A live terminal streams every check, finding, and patch. No mystery. No black box.

03. Get a signed receipt

Every change is atomic, reversible, and recorded. Audit-ready out of the box.

04. Verify with your own eyes

Step-by-step instructions to confirm each fix inside Supabase, GitHub, and Vercel — no trust required.

What it actually catches

The pre-launch checkup vibe-coded apps skip.

When you build fast with an AI tool, the boring security basics are what get missed — RLS left off, an API key pasted into a component, CORS wide open. StackShield runs the simple checks before launch so those don't ship with you.

Supabase

  • RLS disabled on user-facing tables
  • Anon SELECT on PII columns
  • Missing has_role() admin policies
  • Public storage buckets

GitHub

  • Hardcoded Stripe / OpenAI / AWS keys
  • Committed .env files
  • PRs opened — never silent rewrites
  • Branch protection misconfigs

Vercel

  • Wildcard CORS in vercel.json
  • Missing CSP / strict-origin headers
  • Plaintext env vars
  • Stale exposed preview deployments

Atomic, auditable, reversible

Every change comes with a receipt.

No silent merges. No mystery diffs. StackShield shows you what it changed, why, where, and how to roll back — in plain language.

  • Before / after state for every fix
  • Reversible inside a single transaction
  • Receipt ID you can share with your team
  • Signed and timestamped for audit trails

Remediation Receipt (all resolved)

Target            Before         After
public.profiles   RLS Disabled   RLS Enforced
public.orders     Anon SELECT    Admin Only
Checkout.tsx      Key Exposed    PR Opened
vercel.json       CORS: *        Strict CORS
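The two Supabase fixes from the scan transcript and the receipt above, written out as the SQL a practitioner would run and then verify in the Supabase SQL editor. This is an added example, not StackShield's own code; the table columns, the policy names, and the body of has_role() (reading the role from the JWT's app_metadata claim) are assumptions.

```sql
-- Constructed example. Weak state the scan flagged, for reference:
--   public.profiles: RLS disabled (any authenticated caller reads every row)
--   public.orders:   anon has SELECT (unauthenticated callers read every order)
-- Assumed schema: profiles(id uuid = auth.users.id, email, full_name),
--                 orders(id, user_id uuid, total_cents)

-- Fix 1: 'profiles' -> enforce RLS and scope rows to their owner.
-- auth.uid() is the subject of the caller's Supabase JWT.
alter table public.profiles enable row level security;
alter table public.profiles force row level security;  -- owner role too
revoke all on public.profiles from anon;                -- no unauthenticated access

create policy "profiles: owner read" on public.profiles
  for select to authenticated
  using (auth.uid() = id);

create policy "profiles: owner write" on public.profiles
  for update to authenticated
  using (auth.uid() = id)
  with check (auth.uid() = id);   -- cannot re-point a row at another user

-- Fix 2: 'orders' -> revoke anon, enforce RLS, admin-only via has_role().
-- Assumed helper: reads the role from app_metadata, which only the
-- service role can set (user_metadata is editable by the user, so never
-- base an authorization decision on it).
create or replace function public.has_role(wanted text) returns boolean
language sql stable as $$
  select coalesce(auth.jwt() -> 'app_metadata' ->> 'role', '') = wanted;
$$;

revoke all on public.orders from anon;
alter table public.orders enable row level security;
alter table public.orders force row level security;

create policy "orders: admin only" on public.orders
  for all to authenticated
  using (public.has_role('admin'))
  with check (public.has_role('admin'));

-- Verify (step 04 above), run in the SQL editor:
--   set role anon;          select count(*) from public.orders;   -- permission denied
--   set role authenticated; select count(*) from public.orders;   -- 0 rows without the admin claim
--   reset role;
```

With RLS enabled and no policy granted to anon, anon gets zero rows even before the revoke; the revoke is what turns a silent empty result into an explicit permission error, which is easier to spot in logs.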

Check it before you launch it.

Run your first pre-launch scan in under two minutes — even if all you've got so far is a Supabase project with the RLS toggle still off.

Start a scan