Vibe Check - Full Security Audit

Scan your project for common security issues that plague vibe-coded projects.

Usage: /vibe-check

First Run Disclaimer

Before running any checks, verify if .vibecheck/acknowledged file exists in project root.

If NOT exists, display this disclaimer and use AskUserQuestion:

DISCLAIMER

Vibe Check is a helpful guide for common security pitfalls - NOT a replacement for professional security audits.

By using this tool you acknowledge:
- This is educational guidance, not a comprehensive security audit
- Passing all checks does NOT guarantee your app is secure
- You are solely responsible for your application's security
- Vibe Check and its creators assume no liability

For production apps handling sensitive data, always get a professional security review.

Do you understand and accept these terms?

Options:

• "Yes, I understand - continue"
• "No, I do not accept"

If user accepts:

• Create .vibecheck/acknowledged file with timestamp
• Continue with audit

If user declines:

• Do not run any checks
• Suggest they revisit when ready to proceed

For subsequent runs, skip disclaimer if .vibecheck/acknowledged exists.

---

What Gets Checked

1. Secrets - Hardcoded API keys, exposed env vars, .env in git
2. Supabase RLS - Missing or weak Row Level Security policies
3. Auth - Unprotected API routes, missing session checks
4. Dependencies - Known vulnerabilities via npm audit

Instructions

Run all security checks in priority order:

Step 1: Secrets Scan

Use Grep to search for hardcoded secrets:

Patterns to search:
- SUPABASE_.*KEY
- OPENAI_API_KEY
- AWS_(ACCESS|SECRET)
- STRIPE_(SECRET|PUBLISHABLE)_KEY
- DATABASE_URL
- PRIVATE_KEY
- -----BEGIN.*PRIVATE KEY-----
- gh[pousr]_[A-Za-z0-9]{36,}
- sk-[A-Za-z0-9]{48}

Check if .env files are tracked in git:

git ls-files | grep -E '\.env($|\.)'

Check for NEXT_PUBLIC_ vars that shouldn't be public.

Step 2: Supabase RLS Analysis

If supabase/ folder exists:

• Read migration files in supabase/migrations/
• Look for CREATE TABLE without corresponding RLS policies
• Flag policies using USING (true) or WITH CHECK (true)
• Check supabase/config.toml for auth settings

Offer browser check if Claude Chrome extension available.

Step 3: Auth Review

Scan API routes:

• app/api/**/route.ts (App Router)
• pages/api/**/*.ts (Pages Router)

Flag routes missing:

• getServerSession / auth() calls
• NextAuth middleware
• Custom auth checks

Step 4: Dependency Audit

Run npm audit:

npm audit --json 2>/dev/null

Parse and categorize by severity.

Step 5: Generate Report

Create VIBE_CHECK.md at project root with:

# Security Audit Report
Generated: [date] | vibe-check v1.0.0

## Summary
| Severity | Count |
|----------|-------|
| Critical | X |
| High | X |
| Medium | X |
| Low | X |

## Deploy Readiness: X/100

## Findings
[List each finding with severity, file, issue, risk, and fix]

Severity Classification

Level	Criteria
Critical	Exposed prod secrets, no auth on sensitive endpoints
High	Missing RLS, auth bypass possible
Medium	Weak patterns, potential issues
Low	Best practice violations

Output

• Console summary with color-coded findings
• VIBE_CHECK.md report file
• Suggested fixes for each issue