Your RLS is on. We still read your data.
You vibe-coded an app with Lovable, Bolt, v0 or Cursor. Ms. Vibecode runs the breach for you — it grabs the public key that ships in your frontend and actually tries to read your tables, then catches the secrets leaking into your live bundle. Read-only, on your machine, before you ship.
14-day free trial · no signup · no cloud account · macOS & Windows
2 tables are readable with your public key
users (read 1 row), orders (read 1 row) — RLS is on, but a policy allows anonymous reads.
Stripe secret key exposed in your live bundle
Found sk_live_… in the JavaScript served at app.js.
Launch-readiness audit
We prove the breach — we don't just read a flag
Supabase's dashboard tells you a switch is on. That misses the case that actually leaks vibe-coded apps: RLS on, but a policy quietly leaves the door open. Ms. Vibecode fetches the public key that ships in your frontend and tries the door.
Reads your data with your public key
It runs the exact request a stranger could — “read 1 row from posts using only your anon key” — catching Row Level Security left off and the permissive policies a config check sails past.
Finds anonymous write access
Inspects your policies for tables the public role can insert, update or delete — and separates a truly open policy from the standard auth.uid() pattern. Read-only; no write is ever attempted.
Catches secrets in your live site
Scans your deployed bundle for sk_live_, service-role keys and private keys — while ignoring the publishable keys that are meant to be public, so it never cries wolf.
This isn't a penetration test. A clean run means no known misconfigurations found — not a guarantee. Every finding ships with the evidence and a one-line fix.
When something breaks
Answers, not another dashboard
You vibe-coded the app; you shouldn't need to be a backend engineer to fix it. Ms. Vibecode points straight at the failing piece — and stops you shipping a secret you'd regret.
Is it your key, or your code?
When something breaks, you shouldn't have to guess. Hit check and Ms. Vibecode makes a real authenticated call to each provider, then tells you in plain English whether the key works, the service is down, or the problem is somewhere in your code.
Catch leaked secrets before you deploy
Pick your framework — Vite, Next.js, Astro, SvelteKit — and Ms. Vibecode flags any secret wearing a browser-exposed prefix like VITE_ or NEXT_PUBLIC_: the classic footgun that bakes an API key into your public JavaScript.
Your whole stack, one view
Stripe, GitHub, Vercel, your database, your email — see healthy / degraded / down at a glance, grouped by project.
Checks you trigger
Status checks run only when you ask, straight from your machine to your providers. Nothing polls in the background, nothing phones home.
Keys encrypted on-device
Every API key is AES-256-GCM encrypted on your own machine. The UI only ever shows the last 4 characters.
Add any custom service
Not in the built-in catalog? Add a custom endpoint with your own auth header and Ms. Vibecode will watch it too.
Private by design
Your keys are your business
Ms. Vibecode is built so your secrets physically can't leak through us — there's no "us" in the data path.
Encrypted at rest
Keys are AES-256-GCM encrypted. The encryption key lives in your OS keychain — never in the database, never in a .env file.
Loopback only
The local API binds to 127.0.0.1 on a random port. Nothing is reachable from outside your machine — not even from your own network.
No cloud, no signup
No account to create, no server holding your data. The only outbound calls are your status checks and a license check.
How it works
Up and running in three steps
Download & open
Install the app and open it. No account, no setup wizard — you land straight in Mission Control.
Add a project & keys
Create a project for your app, then paste in the API keys for the providers it uses. They're encrypted the moment you save.
Check the vitals
Hit check and Ms. Vibecode pings each provider and reports back — healthy, degraded, or down, with the last error if there is one.
Cutting-edge visualization technology
Your whole stack, rendered as a tiny town
Most tools would hand you another table of green dots. Ms. Vibecode has a totally high-tech graphical visualizer: hit Visualize and your project becomes a little town — one building per service, each with its own tiny worker. Healthy services stay busy and their workers wave; when something breaks, that worker downs tools and the lights go out. You'll spot what's wrong at a glance — and yes, we spent a suspicious amount of time on the trees.
Works with what you already use
24 providers built in
…plus any custom service you add with its own endpoint and auth header.
Pricing
Try it free, then own it
Start with a full-featured 14-day trial. When you're ready, a single license unlocks the app for good.
Free trial
Every feature, no card, no signup.
- Unlimited projects & services
- All 24 built-in providers
- Custom services
Lifetime license
One machine, yours forever. $49 for early adopters.
- Everything in the trial, unlocked for good
- Works offline after activation
- Locked-in price — all future v1 updates included
FAQ
Questions, answered
Do my API keys ever leave my computer?
No. Keys are encrypted on your machine with AES-256-GCM and stored in a local database. The only outbound traffic is the status checks you trigger (which go straight to your providers) and a license validation call. There's no Ms. Vibecode server holding your data.
Is there a cloud account or signup?
None. You download the app and open it — that's it. There's a single local user: whoever is at the keyboard.
What does a status check actually do?
When you click check, the app makes an authenticated request from your machine to that provider's API and reports whether it's healthy, degraded, or down — including the last error message if something's wrong.
How does the launch-readiness security audit work?
It reuses the credentials you already connected and runs read-only checks for the misconfigurations that actually breach vibe-coded apps. For Supabase it fetches your project's public key and actually tries to read each table with it — so it catches Row Level Security left off and permissive policies that a config-flag check misses. It also flags anonymous write policies, scans your deployed site for secrets in the bundle, and checks headers and key hygiene. Nothing is ever written to your stack, and no data leaves your machine.
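A sketch of the bundle scan described here and under "Catches secrets in your live site", as an added example that is not Ms. Vibecode's own code. The regexes, the function names (`scanBundle`, `leakedSecrets`) and the sample bundle are assumptions constructed for illustration; it relies on Supabase's JWT-style API keys carrying a `role` claim of `anon` or `service_role`.

```javascript
// Added example, not Ms. Vibecode's code: classify key-shaped strings in a
// deployed JS bundle, separating real secrets from keys meant to be public.
const RULES = [
  { kind: 'stripe-secret-key', re: /\bsk_live_[0-9A-Za-z]{10,}/g, secret: true },
  { kind: 'stripe-publishable-key', re: /\bpk_live_[0-9A-Za-z]{10,}/g, secret: false },
  { kind: 'private-key-pem', re: /-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----/g, secret: true },
];
const JWT_RE = /\beyJ[\w-]+\.eyJ[\w-]+\.[\w-]+/g;

// Decode the (unverified) JWT payload and return its "role" claim, if any.
function jwtRole(token) {
  try {
    const payload = JSON.parse(Buffer.from(token.split('.')[1], 'base64url').toString('utf8'));
    return typeof payload.role === 'string' ? payload.role : null;
  } catch { return null; }
}

// Evidence keeps only the prefix and the last 4 characters.
const redact = (v) => v.slice(0, 8) + '…' + v.slice(-4);

function scanBundle(source) {
  const findings = [];
  for (const { kind, re, secret } of RULES) {
    for (const m of source.matchAll(re)) {
      findings.push({ kind, secret, index: m.index, evidence: redact(m[0]) });
    }
  }
  for (const m of source.matchAll(JWT_RE)) {
    const role = jwtRole(m[0]);
    if (role === null) continue; // not a role-bearing key, ignore
    findings.push({ kind: `jwt-role-${role}`, secret: role === 'service_role', index: m.index, evidence: redact(m[0]) });
  }
  return findings.sort((a, b) => a.index - b.index);
}

const leakedSecrets = (source) => scanBundle(source).filter((f) => f.secret);

// Constructed sample bundle: two public keys (fine) and two secrets (findings).
const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
const sampleJwt = (role) => [b64({ alg: 'HS256', typ: 'JWT' }), b64({ role }), 'constructedsig'].join('.');
const SAMPLE_BUNDLE = [
  `const supa=createClient(u,"${sampleJwt('anon')}");`,
  `const stripe=Stripe("pk_live_${'A'.repeat(24)}");`,
  `const admin=createClient(u,"${sampleJwt('service_role')}");`,
  `fetch(api,{headers:{Authorization:"Bearer sk_live_${'B'.repeat(24)}"}});`,
].join('\n');
```

`leakedSecrets(SAMPLE_BUNDLE)` reports only the service-role key and the `sk_live_` key; the anon key and the publishable key are classified but not raised as findings.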
Is a clean audit a guarantee my app is secure?
No — and Ms. Vibecode will never claim it is. A clean run means no known misconfigurations were found. It isn't a penetration test and doesn't audit your application logic. Every finding comes with the evidence and a one-line fix, and when a check can't run, it says so instead of showing a false pass.
What's the "service town" visualizer?
It's a picture of your project instead of a list. Each connected provider becomes a themed building — a server rack for hosting, a data-cylinder stack for your database, a shop for payments, a post office for email — with data flowing along paths between them. Colour and motion show health: healthy services are lit and busy, anything down goes still and dark. It's the fastest way to understand a whole stack at a glance, especially if the underlying services are new to you.
Can it stop me leaking a secret?
That's one of the things it's best at. Tell Ms. Vibecode your framework — Vite, Next.js, Astro or SvelteKit — and it names each service's env vars with the right browser-safe prefix, and loudly flags any secret carrying a public prefix like VITE_ or NEXT_PUBLIC_. That's the mistake that bakes an API key into your public JavaScript, where anyone can read it — caught before you deploy instead of after.
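The public-prefix check described here and under "Catch leaked secrets before you deploy", as an added example that is not Ms. Vibecode's own code. The page names only `VITE_` and `NEXT_PUBLIC_`; the `PUBLIC_` entries are the Astro and SvelteKit defaults, and the name/value heuristics, function names and sample `.env` are assumptions constructed for illustration.

```javascript
// Added example, not Ms. Vibecode's code: flag env vars whose public prefix
// would bake a secret into the browser bundle.
const PUBLIC_PREFIX = { vite: 'VITE_', next: 'NEXT_PUBLIC_', astro: 'PUBLIC_', sveltekit: 'PUBLIC_' };

// Heuristics (assumed): names that imply a secret, values that look like one.
const SECRET_NAME = /(SECRET|SERVICE_ROLE|PRIVATE|PASSWORD|TOKEN)/;
const SECRET_VALUE = /^(?:sk_live_|-----BEGIN )/;

// Minimal .env parser: skips comments, accepts "export", strips matching quotes.
function parseEnv(text) {
  const vars = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!m) continue;
    vars.push({ name: m[1], value: m[2].replace(/^(['"])(.*)\1$/, '$2') });
  }
  return vars;
}

function auditEnv(text, framework) {
  const prefix = PUBLIC_PREFIX[framework];
  if (!prefix) throw new Error(`unknown framework: ${framework}`);
  return parseEnv(text)
    .filter(({ name }) => name.startsWith(prefix)) // only browser-exposed vars
    // A secret-looking value is flagged even under an innocent-looking name.
    .filter(({ name, value }) => SECRET_NAME.test(name) || SECRET_VALUE.test(value))
    .map(({ name }) => ({
      name,
      fix: `rename to ${name.slice(prefix.length)} and read it server-side only`,
    }));
}

// Constructed sample .env for a Vite project with one stray Next.js variable.
const SAMPLE_ENV = [
  '# constructed sample',
  'VITE_SUPABASE_URL=https://example.supabase.co',
  'VITE_SUPABASE_ANON_KEY=constructed-anon-key',
  `VITE_STRIPE_SECRET_KEY=sk_live_${'C'.repeat(24)}`,
  `VITE_STRIPE_PUBLISHABLE_KEY="sk_live_${'D'.repeat(24)}"`, // wrong key pasted
  'STRIPE_WEBHOOK_SECRET=whsec_constructed', // no public prefix: stays server-side
  'NEXT_PUBLIC_API_TOKEN=constructed-token',
].join('\n');
```

Running `auditEnv(SAMPLE_ENV, 'vite')` flags `VITE_STRIPE_SECRET_KEY` by name and `VITE_STRIPE_PUBLISHABLE_KEY` by its pasted `sk_live_` value, while the unprefixed webhook secret is left alone because it never reaches the browser.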
Which platforms are supported?
macOS and Windows. The app is the same local-first design on every platform — your keys are encrypted on-device either way.
What happens when my trial ends?
The app prompts for a license key. Enter one and it unlocks for good and keeps working offline after activation. Your projects and keys are untouched the whole time.
Can I add a service that isn't built in?
Yes. Add a custom service with its own check endpoint and auth header, and Ms. Vibecode will track it alongside the 24 built-in providers.