Cymero found launch risks in your AI-built app.
A focused safety console for repo scans, deploy gates, and runtime abuse signals. Fix the blockers, verify the patch, then ship.
Current verdict
Do not launch yet.
2 critical blockers are open. The highest risk is customer data exposure, followed by an AI route that can be called without a user session.
Scan categories: Data access, Auth checks, Secrets, AI abuse.
Issue stream
Ranked by launch impact and live exploitability.
Anyone can read your customers table
A Supabase migration changed the row-level security rules on the customers table so that customer records are readable by anonymous (unauthenticated) requests made with the public anon key. Check: with only the anon key and no user session, a select on customers must return no rows.
supabase/migrations/202605041830_customers.sql:18
AI endpoint accepts anonymous requests
The chat endpoint forwards requests to OpenAI without requiring a login session or enforcing a per-user quota, so anyone who discovers the URL can spend your OpenAI budget at will.
src/app/api/chat/route.ts:9
Stripe webhook is missing signature verification
The webhook handler accepts event payloads without verifying the Stripe-Signature header, so anyone who can reach the URL can post a forged event (for example a fake successful payment) and the app will treat it as genuine.
src/app/api/stripe/webhook/route.ts:14
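The verification the finding above calls for, as an added example written for this page rather than code from the app or from Cymero. It follows Stripe's documented scheme (HMAC-SHA256 over `<timestamp>.<raw body>`, hex `v1` signatures in the `Stripe-Signature` header, a 300 second replay window) but uses no Stripe SDK; the sample secret, event body and the `handleWebhook` shape are constructed for the demo.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Stripe signs each delivery as HMAC-SHA256(secret, "<timestamp>.<raw body>") and
// sends "t=<timestamp>,v1=<hex>[,v1=<hex>...]" in the Stripe-Signature header.
// 300 seconds matches Stripe's documented default replay tolerance.
export const DEFAULT_TOLERANCE_SECONDS = 300;

export function computeSignature(secret: string, timestamp: number, rawBody: string): string {
  return createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest("hex");
}

export interface ParsedHeader { timestamp: number; signatures: string[]; }

// Parse "t=...,v1=...,v0=..." into the timestamp and the list of v1 signatures.
export function parseStripeSignature(header: string): ParsedHeader | null {
  let timestamp: number | null = null;
  const signatures: string[] = [];
  for (const part of header.split(",")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const key = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (key === "t") {
      const n = Number(value);
      if (!Number.isInteger(n) || n < 0) return null;
      timestamp = n;
    } else if (key === "v1") {
      signatures.push(value);
    }
  }
  if (timestamp === null || signatures.length === 0) return null;
  return { timestamp, signatures };
}

// True only if some v1 signature matches the body under this secret and the
// timestamp is inside the tolerance window. The comparison is constant-time.
export function verifyStripeSignature(
  rawBody: string,
  header: string | null,
  secret: string,
  nowSeconds: number,
  toleranceSeconds: number = DEFAULT_TOLERANCE_SECONDS,
): boolean {
  if (!header) return false;
  const parsed = parseStripeSignature(header);
  if (!parsed) return false;
  if (Math.abs(nowSeconds - parsed.timestamp) > toleranceSeconds) return false;
  const expected = Buffer.from(computeSignature(secret, parsed.timestamp, rawBody), "hex");
  return parsed.signatures.some((sig) => {
    if (!/^[0-9a-f]{64}$/i.test(sig)) return false;
    const candidate = Buffer.from(sig, "hex");
    return candidate.length === expected.length && timingSafeEqual(candidate, expected);
  });
}

// Route-handler shape (assumed for the demo): reject before touching the payload.
// rawBody must be the raw request text, not re-serialized JSON, or the HMAC will not match.
export function handleWebhook(
  rawBody: string,
  signatureHeader: string | null,
  secret: string,
  nowSeconds: number,
): { status: number; body: string } {
  if (!verifyStripeSignature(rawBody, signatureHeader, secret, nowSeconds)) {
    return { status: 400, body: "invalid signature" };
  }
  const event = JSON.parse(rawBody) as { id: string; type: string };
  return { status: 200, body: `handled ${event.type} (${event.id})` };
}

// Constructed sample delivery: fake secret and fake event, for the demo only.
export const SAMPLE_SECRET = "whsec_EXAMPLE_NOT_A_REAL_SECRET";
export const SAMPLE_BODY = '{"id":"evt_demo_1","type":"checkout.session.completed"}';
export const SAMPLE_TIME = 1_700_000_000;
export function sampleHeader(): string {
  return `t=${SAMPLE_TIME},v1=${computeSignature(SAMPLE_SECRET, SAMPLE_TIME, SAMPLE_BODY)}`;
}
```

In a Next.js route handler the body has to come from `await req.text()`; reading it as parsed JSON and serializing it again changes the bytes and every signature check fails. Multiple `v1` values appear during secret rotation, which is why the check accepts any one of them.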
OpenAI key found in browser bundle
A secret-looking OpenAI API key appears in the deployed JavaScript bundle, where any visitor can read it from the page source. Treat the key as compromised and rotate it; removing it from the next build is not enough.
.env.production:4
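A build-time check for the finding above, as an added example written for this page and not part of the app or of Cymero. It scans bundle text for secret-shaped strings and reports redacted hits. The `sk-` (OpenAI) and `sk_live_`/`sk_test_` (Stripe) prefixes are the providers' real key prefixes; the minimum lengths and the sample bundle excerpt are constructed assumptions.

```typescript
// Secret-shaped string patterns. Prefixes are the providers' real ones; the
// minimum lengths are assumptions chosen to skip short identifiers.
export const SECRET_PATTERNS: ReadonlyArray<{ name: string; re: RegExp }> = [
  { name: "openai-secret-key", re: /\bsk-[A-Za-z0-9_-]{20,}/ },
  { name: "stripe-secret-key", re: /\bsk_(?:live|test)_[A-Za-z0-9]{16,}/ },
];

export interface BundleFinding {
  pattern: string;
  line: number;
  column: number;
  redacted: string;
}

// Show only enough of the hit to locate it; never echo a full secret into a report.
export function redact(secret: string): string {
  return secret.length <= 12 ? "***" : `${secret.slice(0, 8)}...${secret.slice(-4)}`;
}

// Scan bundle text line by line and return every secret-shaped string found.
export function scanBundle(source: string): BundleFinding[] {
  const findings: BundleFinding[] = [];
  source.split("\n").forEach((text, i) => {
    for (const { name, re } of SECRET_PATTERNS) {
      const global = new RegExp(re.source, "g");
      let m: RegExpExecArray | null;
      while ((m = global.exec(text)) !== null) {
        findings.push({ pattern: name, line: i + 1, column: m.index + 1, redacted: redact(m[0]) });
      }
    }
  });
  return findings;
}

// Deploy-gate predicate: a build with any hit should not ship.
export function bundleIsClean(source: string): boolean {
  return scanBundle(source).length === 0;
}

// Constructed bundle excerpt with fake keys (not real credentials) for the demo.
// The publishable key on line 2 is meant to be public and must not be flagged.
export const SAMPLE_BUNDLE = [
  'const API_URL="https://api.example.invalid/v1";',
  'const pk="pk_test_FAKEPUBLISHABLEKEY0000000000";',
  'const h={Authorization:"Bearer sk-proj-FAKEKEYFAKEKEYFAKEKEYFAKEKEY0000"};',
  'fetch(u,{headers:{Authorization:"Bearer sk_test_FAKESTRIPESECRET00000000"}});',
].join("\n");
```

Run it over the client chunks a `next build` writes under `.next/static` before the deploy gate. In Next.js only variables prefixed `NEXT_PUBLIC_` are inlined into client code, so that prefix is the usual way a server secret ends up here; nothing with that prefix may hold a secret. Review every hit by hand, since a prefix match is a strong hint, not proof.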
Admin access is protected only in React state
The admin page gates its controls on client-side React state rather than on a server-side role check, so anyone can reach the controls by changing that state in the browser. The role must be verified on the server for the page itself and for every admin action it triggers.
src/app/admin/page.tsx:31