beforeship
Health Warn
- License — License: MIT
- Description — Repository has a description
- Active repo — Last push 0 days ago
- Low visibility — Only 5 GitHub stars
Code Warn
- process.env — Environment variable access in examples/flawed-next-supabase-app/lib/supabase-client.ts
Permissions Pass
- Permissions — No dangerous permissions requested
No AI report is available for this listing yet.
Open-source launch gate for vibe-coded apps: CLI + MCP pre-deploy checks for auth, payments, secrets, Supabase, and production readiness.
BeforeShip
Your AI coding agent says the app is done. BeforeShip checks if it is safe to deploy.
BeforeShip is an open-source launch gate for solo founders and vibe coders building apps with Cursor, Claude Code, Codex, Replit, Lovable, Bolt, v0, and other AI coding tools.
It scans AI-built SaaS apps for the production basics coding agents often skip:
- auth and authorization gaps
- exposed secrets and unsafe env usage
- Supabase RLS/database isolation issues
- Stripe/Razorpay webhook safety
- rate limits, CORS, validation, and security headers
- missing smoke tests and deployment readiness
- risky AI-agent diffs like deleted tests, huge rewrites, or auth/payment changes without verification
The goal is simple:
Run one command before deploy. Know if your vibe-coded app is safe to ship.
Quickstart
Run BeforeShip directly from npm:
npx beforeship@latest scan
Scan another local app:
npx beforeship@latest scan /path/to/your-app
Generate the highest-priority fix prompt:
npx beforeship@latest fix-prompts /path/to/your-app
Run BeforeShip in GitHub Actions:
name: BeforeShip
on:
pull_request:
jobs:
launch-gate:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: 22
- run: npx beforeship@latest scan . --no-color --fail-on high --min-score 90
Generate HTML, Markdown, JSON, and fix-prompt reports:
npx beforeship@latest scan /path/to/your-app
Reports are written into the scanned project:
.beforeship/
launch-report.html
launch-report.md
findings.json
fix-prompts.md
Status
BeforeShip is currently a local-first CLI beta.
npx beforeship@latest scan
Current checks:
- basic stack detection for Next.js, Supabase, Neon/Postgres, Stripe/Razorpay, Vercel, and env files
- committed env-file warning
- secret-like token detection for OpenAI, Supabase JWT-style keys, Stripe, and Razorpay
- Next.js API route auth-guard and trusted-user-id heuristics
- Stripe/Razorpay webhook signature and idempotency heuristics
- Supabase service-role, RLS, owner-policy, and public-bucket heuristics
- API safety checks for wildcard CORS, auth-route rate limits, and input validation
- Next.js deploy-readiness checks for tests, health routes, and
.env.example - score/verdict engine
- markdown and JSON reports under
.beforeship/ - bounded verification loop with named terminal states and loop memory
- agent-ready fix prompts
- confidence and "fixed when" guidance for evidence-aware findings
Current limitations:
- deterministic only; no AI review yet
- focused mainly on Next.js/SaaS launch risks
- findings are conservative and may need review
- GitHub Action support is currently a copy-paste workflow; no packaged action yet
- no MCP server yet
Demo fixture:
npx beforeship scan examples/flawed-next-supabase-app --no-report
The fixture should return DO NOT SHIP and show the launch blockers BeforeShip is designed to catch.
Repository-level scans respect .beforeshipignore, which excludes this intentionally flawed fixture.
The intended MVP is:
CLI first + MCP server + optional GitHub Action
Initial target stack:
Next.js + Supabase + Stripe/Razorpay + Vercel
Why BeforeShip?
AI coding tools make it easy to create working apps, but hard to verify production readiness.
A vibe-coded app can look 90% done while missing the dangerous invisible pieces:
- payment webhook signature verification
- database row-level security
- server-side auth checks
- safe API key handling
- rate limiting
- rollback and smoke tests
- deployment env separation
BeforeShip is the missing pre-deploy gate between:
"It works locally"
and:
"It is safe to launch"
Product thesis
Coding agents optimize for making code run. BeforeShip checks whether the generated app is safe to ship.
BeforeShip is not meant to replace Semgrep, Snyk, CodeQL, Gitleaks, or human review.
It is meant to orchestrate and explain the checks solo founders actually need before deploying an AI-built SaaS app.
CLI
npx beforeship init
npx beforeship scan
npx beforeship scan --json
npx beforeship scan --output .beforeship
npx beforeship scan --fail-on high --min-score 90
npx beforeship fix-prompts
npx beforeship loop --max-iterations 3
npx beforeship --version
Use From This Repo
npm install
npm test
npx beforeship --version
npx beforeship init .
npx beforeship scan . --no-report
npx beforeship scan . --json --no-report
npx beforeship scan . --output .beforeship
npx beforeship fix-prompts examples/flawed-next-supabase-app
npx beforeship loop . --max-iterations 3
Commands
| Command | Purpose |
|---|---|
init [path] --name <name> |
Create beforeship.config.yml and add .beforeship/ to .gitignore |
init [path] --no-gitignore |
Create config without editing .gitignore |
ignore [path] |
Add .beforeship/ to .gitignore |
scan [path] |
Scan a local app and write reports |
scan [path] --no-report |
Print results without writing report files |
scan [path] --json --no-report |
Print machine-readable JSON |
scan [path] --output <dir> |
Write reports to a custom directory |
scan [path] --fail-on high |
Fail CI when a high-or-higher finding is present |
scan [path] --min-score 90 |
Fail CI when the score is below the threshold |
fix-prompts [path] |
Print the highest-priority focused prompt |
fix-prompts [path] --all |
Print every focused prompt |
loop [path] --max-iterations 3 |
Run a bounded verification loop |
--version |
Print CLI version |
Use --no-color or set NO_COLOR=1 to disable ANSI styling.
Exit codes:
0 SHIP / command succeeded
1 tool error
2 launch gate blocked
Create a config:
npx beforeship init /path/to/app --name my-app
Example config:
project:
name: my-app
stack:
- nextjs
- supabase
scan:
exclude:
- "node_modules/**"
- ".next/**"
- "dist/**"
verdict:
fail_on_critical: true
minimum_score: 70
caution_score: 90
output:
directory: ".beforeship"
formats:
- markdown
- json
- html
Reports written by scan:
.beforeship/
launch-report.md
launch-report.html
findings.json
fix-prompts.md
loop-memory.json
Example output:
BeforeShip launch gate
Score: 42/100
Verdict: DO NOT SHIP
Stack: nextjs, supabase, stripe
Top findings:
- [CRITICAL] Stripe webhook does not verify its signature
app/api/stripe/webhook/route.ts
- [CRITICAL] Supabase service role appears in client-reachable code
lib/supabase-client.ts
Counts: 2 critical, 3 high, 4 medium, 1 low
Next steps:
1. Run `beforeship fix-prompts` to generate focused agent prompts.
2. Fix critical findings one at a time.
3. Rerun `beforeship scan` before deploy.
Planned MCP tools
BeforeShip should expose a small number of high-leverage MCP tools, not a huge overloaded tool list.
before_ship_scan
before_ship_explain
before_ship_fix_plan
before_ship_gate_deploy
Optional:
before_ship_agent_policy
Planned checks
Secrets
.envcommitted- API keys in frontend bundle
NEXT_PUBLIC_misuse- Supabase service role exposed
- OpenAI/Anthropic/GitHub keys exposed
- Stripe/Razorpay secrets exposed
- Cursor/agent context includes secret files
Auth
- API routes without session/auth guard
- admin pages without server-side protection
- user ID trusted from body/query
- IDOR patterns
- auth middleware exists but is unused
- role checks performed client-side only
Supabase / database
- RLS disabled
- tables with user data and no owner policy
- service role used outside server
- public anon key misuse
- migration drift
- unsafe storage buckets
Payments
- Stripe/Razorpay webhook signature missing
- missing idempotency
- subscription status trusted from frontend
- price/plan selected client-side
- billing country/currency not server-validated
- entitlement table missing
- payment success page grants access without verified webhook
API safety
- wildcard CORS
- no rate limiting
- no input validation
- no CSRF for cookie auth flows
- verbose errors
- insecure file uploads
- missing security headers
- SSRF patterns
Deploy readiness
- no health endpoint
- no smoke tests
- no rollback note
- missing env vars
- Vercel serverless timeout risks
- critical routes lack logging
- no staging/prod separation
AI-agent-specific checks
- huge AI-generated files
- repeated full-file rewrites
- deleted tests
- new dependency added without reason
- changed auth/payment/db files without tests
- destructive scripts/migrations
- no
AGENTS.md/CLAUDE.md - agent touched files outside declared scope
- diff contains temporary auth bypasses
- tests modified to fit broken code
Planned report files
.beforeship/
config.yml
launch-report.md
findings.json
fix-prompts.md
evidence/
Example finding:
{
"id": "payment.webhook.signature_missing",
"severity": "critical",
"file": "web/src/app/api/razorpay/webhook/route.ts",
"title": "Razorpay webhook does not verify signature",
"why_it_matters": "Anyone can fake a payment success event and unlock access.",
"fix_prompt": "Add Razorpay webhook signature verification using RAZORPAY_WEBHOOK_SECRET. Reject unsigned or invalid payloads. Add a regression test."
}
How OpenAI fits
BeforeShip should use deterministic checks first and OpenAI reasoning second.
OpenAI can help with:
- stack-aware risk triage
- founder-friendly explanations
- fix prompt generation
- test plan generation
- false-positive reduction
- deploy-gate reasoning for AI agents
It should not rely only on LLM judgement for security.
Repository structure
Current repository is documentation-first.
Planned implementation shape:
beforeship/
packages/
cli/
core/
mcp/
github-action/
docs/
research.md
product-spec.md
roadmap.md
examples/
flawed-next-supabase-app/
Contributing
BeforeShip is intended to be open source.
Good first contribution areas:
- add stack-specific checks
- add examples of common vibe-coded app failures
- improve scoring rules
- add tests for detectors
- add MCP client setup docs
- add GitHub Action workflow
- improve report UX
See CONTRIBUTING.md.
Docs
- Quickstart
- Detectors
- False positives
- Beta test checklist
- Beta loop
- Release checklist
- v0.1.0 release notes
License
MIT — see LICENSE.
Reviews (0)
Sign in to leave a review.
Leave a reviewNo results found