Should I Ship
Example report

demo/ai-launch-app

A launch report before the expensive surprise.

This is the kind of report a founder sees after connecting a repo: the health score, the risky files, and the fixes that matter first.

Health score
74/100

Needs work

The product can ship, but the auth, webhook, and AI-cost risks need attention before real users arrive.

Security 61
Cost Forecast 78
Architecture 84
Launch Ready 70

Top findings

What SIS would flag first.

HIGH: src/app/api/admin/route.ts

API route missing authentication

A private admin endpoint accepts requests without checking who is calling it. Anyone who finds the route could trigger protected actions.

Add a server-side auth check before running the handler: verify the caller's session and admin role, and return 401 (or 403 for a signed-in user without the admin role) before reading or changing any data.

HIGH: src/lib/ai/generate.ts

AI calls need a monthly cap

The app can call an AI provider from a user-facing path. Without a usage cap, one busy account could create surprise provider spend.

Tie prompt generation to plan limits, record usage per user, and stop calls once the monthly cap is reached.

MEDIUM: src/app/api/webhooks/stripe/route.ts

Stripe webhook signature check missing

The webhook reads payment events without verifying that Stripe sent them. Fake events could mark unpaid accounts as active.

Read the raw (unparsed) request body and verify the Stripe-Signature header against it with stripe.webhooks.constructEvent and your endpoint's webhook signing secret; reject the request with a 400 before acting on any event it carries.
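What that verification actually checks, as an added example that is not ShipScan's, the demo repo's or Stripe's code. It writes out the steps stripe.webhooks.constructEvent performs (parse the header, reject stale timestamps, recompute the HMAC over the raw body, compare in constant time) so the failure cases are visible; a real handler should call constructEvent rather than this function. The signing secret, event payload and timestamp used in the test are constructed values.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Added example (not ShipScan's, the demo repo's or Stripe's code): the checks
// that stripe.webhooks.constructEvent performs, written out so the failure
// cases are visible. In a real handler call constructEvent; this shows why it
// needs the raw body and the signing secret.
//
// Stripe sends a Stripe-Signature header of the form
// "t=<unix seconds>,v1=<hex>[,v1=<hex>]" where each v1 is
// HMAC-SHA256(secret, `${t}.${rawBody}`). Several v1 values appear while a
// secret is being rotated, so any one of them matching is accepted.

const DEFAULT_TOLERANCE_SECONDS = 300; // Stripe's default replay window

function hexToBytes(hex: string): Uint8Array | null {
  if (hex.length === 0 || hex.length % 2 !== 0 || !/^[0-9a-fA-F]+$/.test(hex)) return null;
  const out = new Uint8Array(hex.length / 2);
  for (let i = 0; i < out.length; i++) out[i] = parseInt(hex.slice(2 * i, 2 * i + 2), 16);
  return out;
}

function sign(secret: string, timestamp: number, rawBody: string) {
  return createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest();
}

// Builds the header the way Stripe would; used here only to create test input.
export function buildStripeSignatureHeader(secret: string, timestamp: number, rawBody: string): string {
  return `t=${timestamp},v1=${sign(secret, timestamp, rawBody).toString("hex")}`;
}

export function verifyStripeSignature(
  rawBody: string,
  header: string,
  secret: string,
  nowSeconds: number,
  toleranceSeconds: number = DEFAULT_TOLERANCE_SECONDS,
): boolean {
  let timestamp: number | undefined;
  const candidates: Uint8Array[] = [];
  for (const part of header.split(",")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const key = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (key === "t") timestamp = Number(value);
    else if (key === "v1") {
      const bytes = hexToBytes(value);
      if (bytes) candidates.push(bytes);
    }
  }
  if (timestamp === undefined || !Number.isInteger(timestamp) || candidates.length === 0) return false;
  // A stale timestamp means a captured request is being replayed; reject it
  // even though its signature is genuine.
  if (Math.abs(nowSeconds - timestamp) > toleranceSeconds) return false;

  // Recompute over the raw body: any re-serialisation (JSON.parse then stringify)
  // changes the bytes and the MAC no longer matches.
  const expected = sign(secret, timestamp, rawBody);
  // Constant-time comparison so an attacker cannot learn the MAC byte by byte.
  return candidates.some((given) => given.length === expected.length && timingSafeEqual(given, expected));
}

export type WebhookOutcome = { status: 200; eventType: string } | { status: 400; reason: string };

// Route-handler-shaped wrapper: the body is parsed only after it is authenticated.
export function handleStripeWebhook(
  rawBody: string, header: string | null, secret: string, nowSeconds: number,
): WebhookOutcome {
  if (header === null) return { status: 400, reason: "missing Stripe-Signature header" };
  if (!verifyStripeSignature(rawBody, header, secret, nowSeconds)) {
    return { status: 400, reason: "signature verification failed" };
  }
  const event = JSON.parse(rawBody) as { type?: string };
  return { status: 200, eventType: event.type ?? "unknown" };
}
```

The two details that most often break real handlers are visible here: the MAC is computed over the exact bytes Stripe sent, so any framework middleware that parses the body first must be bypassed for this route, and the timestamp check is what turns a genuine but captured request into a rejected one.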

MEDIUM: src/instrumentation.ts

Launch checklist is missing observability

The repo has no clear production error tracking or uptime monitoring. Failures could reach users before you know about them.

Add error tracking, uptime checks, and alerts for failed jobs, payment webhooks, and scan failures.

See what your repo is hiding.

One free scan. No credit card.

Scan my repo