Remain calm. Fix these before launch.

Cymero watches AI-built apps for the mistakes that turn a clean demo into a public incident: exposed customer data, fake auth, leaked keys, and unbounded AI usage.

Latest deploy 8f42a91

Do not launch2 blockersDemo data

Your app is currently blocked.

A real user could access data they should not see, and one AI endpoint can be called repeatedly without a session check.

Supabase RLS

Blocked

Browser secrets

Clean

AI spend abuse

Fix first

Runtime guard

Watching

Active monitor

Live risks

Projected AI exposure

$128

Deploy checks

Why monthly?

Every push, preview deploy, schema change, and AI route can introduce a new launch-ending risk.

Fix first

Ranked by what could hurt a real launch fastest.

criticalsupabase/migrations/202605041830_customers.sql

Anyone can read your customers table

A Supabase rule change made customer records readable by anonymous users.

criticalsrc/app/api/chat/route.ts

AI endpoint accepts anonymous requests

The chat endpoint can call OpenAI without login or a per-user quota.

highsrc/app/api/stripe/webhook/route.ts

Stripe webhook is missing signature verification

A webhook handler accepts event payloads without verifying Stripe's signature header.

high.env.production

OpenAI key found in browser bundle

A private-looking model provider key appears in the deployed JavaScript bundle.

Recent deploys

Cymero checks each deploy like a launch gate.

Production8f42a91

Critical Supabase drift is live

Mikyle - 12 min ago

Previewc71a0de

Stripe webhook check needs review

Cymero Bot - 38 min ago

Production19fd771

Safe to launch

Mikyle - Yesterday