Local-first · read-only · nothing leaves your machine

Your RLS is on. We still read your data.

You vibe-coded an app with Lovable, Bolt, v0 or Cursor. Ms. Vibecode runs the breach for you — it grabs the public key that ships in your frontend and actually tries to read your tables, then catches the secrets leaking into your live bundle. Read-only, on your machine, before you ship.

14-day free trial · no signup · no cloud account · macOS & Windows

ms-vibecode · audit · your-app
HIGH

2 tables are readable with your public key

users (read 1 row), orders (read 1 row) — RLS is on, but a policy allows anonymous reads.

CRITICAL

Stripe secret key exposed in your live bundle

Found sk_live_… in the JavaScript served at app.js.

Launch-readiness audit

We prove the breach — we don't just read a flag

Supabase's dashboard tells you a switch is on. That misses the case that actually leaks vibe-coded apps: RLS on, but a policy quietly leaves the door open. Ms. Vibecode fetches the public key that ships in your frontend and tries the door.

Reads your data with your public key

It runs the exact request a stranger could — “read 1 row from posts using only your anon key” — catching Row Level Security left off and the permissive policies a config check sails past.

Finds anonymous write access

Inspects your policies for tables the public role can insert, update or delete — and separates a truly open policy from the standard auth.uid() pattern. Read-only; no write is ever attempted.

Catches secrets in your live site

Scans your deployed bundle for sk_live_, service-role keys and private keys — while ignoring the publishable keys that are meant to be public, so it never cries wolf.

This isn't a penetration test. A clean run means no known misconfigurations found — not a guarantee. Every finding ships with the evidence and a one-line fix.

When something breaks

Answers, not another dashboard

You vibe-coded the app; you shouldn't need to be a backend engineer to fix it. Ms. Vibecode points straight at the failing piece — and stops you shipping a secret you'd regret.

A Ms. Vibecode project view: a Stack Profile reading 'an AI-powered static or frontend site', with per-service cards showing Claude and GitHub healthy, their API keys masked to the last four characters, and a plain-language note on what each check does.

Is it your key, or your code?

When something breaks, you shouldn't have to guess. Hit check and Ms. Vibecode makes a real authenticated call to each provider, then tells you in plain English whether the key works, the service is down, or the problem is somewhere in your code.

Catch leaked secrets before you deploy

Pick your framework — Vite, Next.js, Astro, SvelteKit — and Ms. Vibecode flags any secret wearing a browser-exposed prefix like VITE_ or NEXT_PUBLIC_: the classic footgun that bakes an API key into your public JavaScript.

Your whole stack, one view

Stripe, GitHub, Vercel, your database, your email — see healthy / degraded / down at a glance, grouped by project.

Checks you trigger

Status checks run only when you ask, straight from your machine to your providers. Nothing polls in the background, nothing phones home.

Keys encrypted on-device

Every API key is AES-256-GCM encrypted on your own machine. The UI only ever shows the last 4 characters.

Add any custom service

Not in the built-in catalog? Add a custom endpoint with your own auth header and Ms. Vibecode will watch it too.

Ms. Vibecode's environment-variable check: after you pick a framework, it flags any secret wearing a browser-exposed prefix that would leak into your public bundle, and suggests browser-safe names for keys like ANTHROPIC_API_KEY and GITHUB_TOKEN.

Private by design

Your keys are your business

Ms. Vibecode is built so your secrets physically can't leak through us — there's no "us" in the data path.

Encrypted at rest

Keys are AES-256-GCM encrypted. The encryption key lives in your OS keychain — never in the database, never in a .env file.

Loopback only

The local API binds to 127.0.0.1 on a random port. Nothing off your machine can reach it, not even other devices on your own network.

No cloud, no signup

No account to create, no server holding your data. The only outbound calls are your status checks and a license check.

How it works

Up and running in three steps

Download & open

Install the app and open it. No account, no setup wizard — you land straight in Mission Control.

Add a project & keys

Create a project for your app, then paste in the API keys for the providers it uses. They're encrypted the moment you save.

Check the vitals

Hit check and Ms. Vibecode pings each provider and reports back — healthy, degraded, or down, with the last error if there is one.

Cutting-edge visualization technology

Your whole stack, rendered as a tiny town

Most tools would hand you another table of green dots. Ms. Vibecode has a totally high-tech graphical visualizer: hit Visualize and your project becomes a little town — one building per service, each with its own tiny worker. Healthy services stay busy and their workers wave; when something breaks, that worker downs tools and the lights go out. You'll spot what's wrong at a glance — and yes, we spent a suspicious amount of time on the trees.

The Ms. Vibecode visualizer: each connected service is a building in a small town — healthy services busy with their workers waving, a broken one downing tools in red, and unchecked ones greyed out.

Works with what you already use

24 providers built in

Stripe, GitHub, Vercel, Supabase, Netlify, Render, Neon, PlanetScale, Firebase, Appwrite, Railway, Fly.io, Resend, SendGrid, Postmark, Clerk, OpenAI, Claude, Gemini, Lemon Squeezy, Paddle, Squarespace, Webflow, Framer

…plus any custom service you add with its own endpoint and auth header.

Pricing

Try it free, then own it

Start with a full-featured 14-day trial. When you're ready, a single license unlocks the app for good.

Free trial

$0 / 14 days

Every feature, no card, no signup.

  • Unlimited projects & services
  • All 24 built-in providers
  • Custom services

FAQ

Questions, answered

Do my API keys ever leave my computer?

No. Keys are encrypted on your machine with AES-256-GCM and stored in a local database. The only outbound traffic is the status checks you trigger (which go straight to your providers) and a license validation call. There's no Ms. Vibecode server holding your data.

Is there a cloud account or signup?

None. You download the app and open it — that's it. There's a single local user: whoever is at the keyboard.

What does a status check actually do?

When you click check, the app makes an authenticated request from your machine to that provider's API and reports whether it's healthy, degraded, or down — including the last error message if something's wrong.

How does the launch-readiness security audit work?

It reuses the credentials you already connected and runs read-only checks for the misconfigurations that actually breach vibe-coded apps. For Supabase it fetches your project's public key and actually tries to read each table with it — so it catches Row Level Security left off and permissive policies that a config-flag check misses. It also flags anonymous write policies, scans your deployed site for secrets in the bundle, and checks headers and key hygiene. Nothing is ever written to your stack, and no data leaves your machine.

Is a clean audit a guarantee my app is secure?

No — and Ms. Vibecode will never claim it is. A clean run means no known misconfigurations were found. It isn't a penetration test and doesn't audit your application logic. Every finding comes with the evidence and a one-line fix, and when a check can't run, it says so instead of showing a false pass.

What's the "service town" visualizer?

It's a picture of your project instead of a list. Each connected provider becomes a themed building — a server rack for hosting, a data-cylinder stack for your database, a shop for payments, a post office for email — with data flowing along paths between them. Colour and motion show health: healthy services are lit and busy, anything down goes still and dark. It's the fastest way to understand a whole stack at a glance, especially if the underlying services are new to you.

Can it stop me leaking a secret?

That's one of the things it's best at. Tell Ms. Vibecode your framework — Vite, Next.js, Astro or SvelteKit — and it names each service's env vars with the right browser-safe prefix, and loudly flags any secret carrying a public prefix like VITE_ or NEXT_PUBLIC_. That's the mistake that bakes an API key into your public JavaScript, where anyone can read it — caught before you deploy instead of after.
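
A minimal version of that check, as an added example that is not Ms. Vibecode's own code: it flags variables in a .env file that carry the chosen framework's browser-exposed prefix and look like secrets by name or by value. The PUBLIC_ prefix used for Astro and SvelteKit is not from this page, the name and value heuristics are assumptions, and the sample file is constructed.

```javascript
// Added example, not Ms. Vibecode's code. Prefix table and heuristics are assumptions.
const PUBLIC_PREFIXES = {
  vite: ["VITE_"],
  nextjs: ["NEXT_PUBLIC_"],
  astro: ["PUBLIC_"],
  sveltekit: ["PUBLIC_"],
};
const SECRET_NAME = /SECRET|TOKEN|PASSWORD|PRIVATE|SERVICE_ROLE|API_KEY/; // heuristic
const PUBLIC_BY_DESIGN = /PUBLISHABLE|ANON/; // keys meant to ship to the browser
const SECRET_VALUE = /^sk_(live|test)_|^-----BEGIN [A-Z ]*PRIVATE KEY-----/;

// Parse KEY=value lines; skips blanks and comments, strips `export` and quotes.
function parseEnv(text) {
  const entries = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim().replace(/^export\s+/, "");
    if (!line || line.startsWith("#")) return;
    const eq = line.indexOf("=");
    if (eq < 1) return;
    const name = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim().replace(/^(["'])(.*)\1$/, "$2");
    entries.push({ line: i + 1, name, value });
  });
  return entries;
}

// Report variables that the bundler would inline into public JavaScript
// and that look like secrets. Server-only names are never flagged.
function auditEnv(text, framework) {
  const prefixes = PUBLIC_PREFIXES[framework];
  if (!prefixes) throw new Error(`unknown framework: ${framework}`);
  const findings = [];
  for (const { line, name, value } of parseEnv(text)) {
    if (!prefixes.some((p) => name.startsWith(p))) continue;
    if (SECRET_VALUE.test(value)) {
      findings.push({ line, name, reason: "secret-shaped value" });
    } else if (SECRET_NAME.test(name) && !PUBLIC_BY_DESIGN.test(name)) {
      findings.push({ line, name, reason: "secret-like name" });
    }
  }
  return findings;
}

// Constructed sample .env; every value is a placeholder.
const SAMPLE_ENV = ["# constructed sample", "VITE_SUPABASE_URL=https://example.supabase.co",
  "VITE_SUPABASE_ANON_KEY=constructed-anon", "VITE_STRIPE_PUBLISHABLE_KEY=pk_live_constructed",
  "VITE_ANTHROPIC_API_KEY=constructed", 'VITE_PAYMENTS="sk_live_constructed"',
  "GITHUB_TOKEN=constructed"].join("\n");
console.log(auditEnv(SAMPLE_ENV, "vite"));
```

The fix for each finding is to drop the public prefix and read the variable only in server-side code; a key that has already shipped in a bundle should be rotated.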

Which platforms are supported?

macOS and Windows. The app is the same local-first design on every platform — your keys are encrypted on-device either way.

What happens when my trial ends?

The app prompts for a license key. Enter one and it unlocks for good and keeps working offline after activation. Your projects and keys are untouched the whole time.

Can I add a service that isn't built in?

Yes. Add a custom service with its own check endpoint and auth header, and Ms. Vibecode will track it alongside the 24 built-in providers.