4 results for tag "vibe-security"
Audits AI-generated "vibe-coded" applications for the security mistakes LLMs consistently introduce: hardcoded secrets, secrets exposed via `NEXT_PUBLIC_`/`VITE_`/`EXPO_PUBLIC_` prefixes, broken Supabase RLS / Firebase rules / Convex auth, weak JWT/middleware/Server Action protection, missing rate limits, client-side price manipulation, unverified Stripe webhooks, insecure mobile token storage, unsafe LLM API keys/output, and SQL/ORM input flaws. Loads relevant `references/*.md` files only when the codebase uses that technology and reports findings ordered Critical → High → Medium → Low with file:line and before/after fixes.
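One of the checks listed above, secrets shipped to the client through a public env prefix, can be illustrated with a small stand-alone scanner. This is an added example written for this page, not the audit skill's own code: the prefix list, the secret-name heuristic, the allow-list of value shapes that are legitimately public (Stripe publishable keys, Supabase publishable keys), the severity mapping and the sample `.env` contents are all assumptions constructed for the demo.

```javascript
// Added example (not the audit skill's code): flag server-side credentials that a
// client-exposed env prefix would bundle into browser or app code, and report
// them in the Critical -> High -> Medium -> Low order with file:line and a fix.

// Assumption: these prefixes are inlined into client bundles by Next.js, Vite and Expo.
const PUBLIC_PREFIXES = ["NEXT_PUBLIC_", "VITE_", "EXPO_PUBLIC_"];

// Assumption: variable names containing these words usually denote server-only credentials.
const SECRET_NAME_RE = /(SECRET|PRIVATE|SERVICE_ROLE|PASSWORD|TOKEN|API_KEY|WEBHOOK)/i;

// Assumption: value shapes that are designed to be public even when the name looks
// sensitive (Stripe publishable keys, Supabase publishable keys), so they are not findings.
const PUBLIC_VALUE_RE = /^(pk_(test|live)_|sb_publishable_)/;

// Parse dotenv-style text into { name, value, line } records; comments and blanks are skipped,
// an optional "export " is tolerated and one layer of surrounding quotes is removed.
function parseDotenv(text) {
  const vars = [];
  text.split(/\r?\n/).forEach((raw, idx) => {
    const line = raw.trim();
    if (!line || line.startsWith("#")) return;
    const m = line.match(/^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/);
    if (!m) return;
    let value = m[2].trim();
    const quoted =
      (value.startsWith('"') && value.endsWith('"')) ||
      (value.startsWith("'") && value.endsWith("'"));
    if (quoted && value.length >= 2) value = value.slice(1, -1);
    vars.push({ name: m[1], value, line: idx + 1 });
  });
  return vars;
}

// Audit one env file's text. Returns findings sorted by severity; each carries the
// file:line location plus a before/after fix (the fix is to drop the public prefix so
// the value is only readable on the server).
function auditEnv(text, file = ".env") {
  const rank = { Critical: 0, High: 1, Medium: 2, Low: 3 };
  const findings = [];
  for (const v of parseDotenv(text)) {
    const prefix = PUBLIC_PREFIXES.find((p) => v.name.startsWith(p));
    if (!prefix) continue; // not exposed to the client
    if (!SECRET_NAME_RE.test(v.name)) continue; // name does not suggest a credential
    if (PUBLIC_VALUE_RE.test(v.value)) continue; // publishable key, public by design
    // Assumption: keys that grant full backend access (service role, private, secret)
    // are Critical; other credentials such as third-party API keys are High.
    const severity = /(SERVICE_ROLE|PRIVATE|SECRET)/i.test(v.name) ? "Critical" : "High";
    findings.push({
      severity,
      location: `${file}:${v.line}`,
      name: v.name,
      before: `${v.name}=...`,
      after: `${v.name.slice(prefix.length)}=...  # no public prefix: server-side only`,
    });
  }
  return findings.sort((a, b) => rank[a.severity] - rank[b.severity]);
}

// Constructed sample .env for the demo; none of these values are real credentials.
const SAMPLE_ENV = `
NEXT_PUBLIC_SUPABASE_URL=https://example.supabase.co
NEXT_PUBLIC_SUPABASE_ANON_KEY=sb_publishable_example
NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY="example-service-role-key"
VITE_STRIPE_PUBLISHABLE_KEY=pk_test_example
VITE_STRIPE_SECRET_KEY=sk_test_example
EXPO_PUBLIC_OPENAI_API_KEY=example-openai-key
DATABASE_PASSWORD=server-only
`;

// Running the scanner over the sample prints three findings: the service-role key and the
// Stripe secret key as Critical, the OpenAI key as High; the URL, the anon/publishable keys
// and the unprefixed DATABASE_PASSWORD are not reported.
console.log(JSON.stringify(auditEnv(SAMPLE_ENV), null, 2));
```

The allow-list is deliberately narrow: a public prefix on a value the framework would inline is only acceptable when the value is designed to be public, so the scanner requires the value shape to prove that rather than trusting the variable name.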