Five stacks scoped — Lovable, v0, Bolt.new, Cursor, Replit Agent — with human-audited teardowns of real outputs. The companion specialist runs in your Claude Project: it navigates the case files, generates pre-flight checklists, walks through severity grading. It does not audit your code. The first Lovable teardown is in production; index page pending teardown #2.
Each stack's pattern library is scaffolded with the structural template. Pattern claims fill in as teardowns accumulate — a pattern entry requires N=3+ independent teardowns of that stack confirming the same failure shape. Until that threshold is met, observations stay in the individual teardowns and the per-stack pattern files hold the scaffolded structure. Generic AI-audit checklists describe vulnerability classes; this library names tool-default patterns specific to the stack that produced them.
React + Supabase + Tailwind scaffolder. Browser-based, prompt-driven, full-stack output. Pattern library scaffolded; awaits teardown-grounded fill.
UI-first React + Next.js component generator. Server-action surface plus client component output. Pattern library scaffolded; awaits teardown-grounded fill.
In-browser full-stack scaffolder via WebContainers. Preview-environment delta from production deploy. Pattern library scaffolded; awaits teardown-grounded fill.
Agentic Composer mode in the Cursor editor. Mixed human-edited and AI-generated codebase shape. Pattern library scaffolded; awaits teardown-grounded fill.
Cloud-hosted agentic builder in Replit. Hosted-deploy default configuration distinct from self-hosted. Pattern library scaffolded; awaits teardown-grounded fill.
Plus the cross-stack baseline: 12 patterns observed across stacks — a slim baseline so the specialist can cross-reference patterns that recur regardless of which tool generated the code.
Each teardown follows the same structure: header (stack, audit date, app type), severity summary, findings (with rubric application), methodology adherence, consent + disclosure timeline. Template at teardowns/_TEMPLATE.md.
Empty is correct at scaffold time. Pattern claims require N=3+ teardowns per stack before they're added to the per-stack pattern files. When the first teardown lands, the row template is: ID · stack · app type · audit date · highest severity · findings count · read →.
Load the repo into a Claude Project; the specialist holds the register of a trusted senior auditor and routes your request to one of five named jobs. The specialist does not audit your code. The library tells builders what to look for; it doesn't do the looking for them. That refusal is the differentiation moat against the saturated auto-auditor lane.
Trigger phrase: "Brief me on Lovable." Output: ranked failure patterns from patterns/<stack>-default-failures.md, severity-tagged, with the first teardown to read.
Trigger phrase: "Walk me through TD-LV-001." Output: linear walkthrough mirroring the teardown's section order. Anonymized excerpts clarified; fix-pattern shapes surfaced.
Trigger phrase: "Is this finding CRITICAL or HIGH?" Output: the 5-question rubric applied to your scenario top-to-bottom, with verdict per methodology/severity-rubric.md.
Trigger phrase: "Give me a pre-flight for my Lovable SaaS." Output: a personalized checklist with severity tags and "check yourself" vs. "hire someone" markers. Does not run on your code.
Trigger phrase: "How do you do these audits?" Output: overview of the 6-step process, anonymization rules, severity rubric. You pick which document to deep-read.
Gate 1: Never audit user code directly. If you paste your code, the specialist refuses with verbatim language and offers a pre-flight checklist instead. Gates 2–6 cover: never invent findings, never make legal/regulatory determinations, never name real apps, never claim AI replaces human audit, never pre-sell a paid service. Full text in rules.md.
Every teardown follows the same audit protocol. The point isn't to be clever — the point is reproducibility. If you can repeat these six steps on your own scaffold, you can run the audit on your own code (or hand the methodology to someone you hire).
Step 1: Characterize the app before touching it: stack, data classes, auth shape, payment flow, third-party integrations. Time-box and scope agreed with the owner.
Step 2: Enumerate the externally-reachable surface. Every route, every request type, what's exposed unauthenticated. The route table is the audit's spine.
Step 3: Find credentials reachable from the browser or otherwise leaked. Bundle grep, localStorage inspect, JWT decode. Service-role-key-in-client is the canonical finding.
Step 4: Confirm user A cannot read or write user B's data. Two test identities, direct API calls with mismatched IDs. The longest step on most audits.
Step 5: For every form / API input: injection payloads, missing/oversized/wrong-type input, rate-limit testing. Webhook signature + idempotency are separate checks.
Step 6: Fill the teardown template. Anonymization gate before submission: a reader who knows the live app shouldn't recognize it from the teardown alone.
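As an added example (not code from the vibe-code-audits repo or any of the scaffolders it covers), here is an offline scanner for the step-3 canonical finding, service-role-key-in-client. It greps built bundle text for JWT-shaped strings, decodes each payload without verifying the signature, and flags any token whose role claim is service_role. It assumes Supabase-style keys, where both the anon key and the service-role key are JWTs carrying a role claim; the bundle lines and the tokens inside them are constructed for the example, with a signature segment that is never checked.

```javascript
// Added example, not part of the vibe-code-audits repo. Offline scanner for
// methodology step 3: find JWTs in a built bundle, decode their payloads and
// flag any token that carries role=service_role. Assumption: Supabase-style
// keys, i.e. anon and service-role keys are JWTs with a `role` claim.

// Compact JWT shape: three base64url segments, header always starts "eyJ".
const JWT_RE = /\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]*/g;

// Decode the payload segment only. No signature check: the audit question
// is "what claims did the builder ship to the browser", not "is it valid".
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch {
    return null; // matched the regex but is not a JWT (random base64-ish string)
  }
}

// Classify by role claim. A service_role token reachable from the browser
// bypasses row-level security, so it is the finding to surface first.
function classifyToken(token) {
  const payload = decodeJwtPayload(token);
  if (!payload) return 'not-a-jwt';
  if (payload.role === 'service_role') return 'service_role';
  if (payload.role === 'anon') return 'anon';
  return 'other';
}

// Scan bundle text line by line; one record per distinct token, with the
// line number so the finding can be traced back to the emitting module.
function scanBundle(text) {
  const findings = [];
  const seen = new Set();
  text.split('\n').forEach((line, idx) => {
    for (const match of line.matchAll(JWT_RE)) {
      const token = match[0];
      if (seen.has(token)) continue;
      seen.add(token);
      findings.push({
        line: idx + 1,
        role: classifyToken(token),
        prefix: token.slice(0, 12) + '...', // never log the full secret
      });
    }
  });
  return findings;
}

// --- constructed sample input (not a real key, not a real project) ---
function fakeJwt(payload) {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${b64({ alg: 'HS256', typ: 'JWT' })}.${b64(payload)}.signature-not-checked`;
}

const SAMPLE_BUNDLE = [
  'const SUPABASE_URL = "https://example.supabase.co";',
  `const SUPABASE_ANON_KEY = "${fakeJwt({ iss: 'supabase', role: 'anon' })}";`,
  '// the wrong key pasted from the dashboard ends up in the client bundle:',
  `const ADMIN_CLIENT = createClient(SUPABASE_URL, "${fakeJwt({ iss: 'supabase', role: 'service_role' })}");`,
].join('\n');

// Run against the constructed bundle; the service_role hit is the finding.
const SAMPLE_FINDINGS = scanBundle(SAMPLE_BUNDLE);
for (const f of SAMPLE_FINDINGS) console.log(f);
```

Point it at the real build output (the files under dist/ or .next/static/) rather than source; scaffolders inline environment variables at build time, so a key that looks server-only in a .env file can still be sitting in the shipped JavaScript. An anon-role hit is expected and fine when row-level security is on; a service_role hit is the teardown finding.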
Full methodology at methodology/how-we-audit.md · anonymization + consent at methodology/how-we-anonymize.md · severity rubric at methodology/severity-rubric.md.
The repo loads as-is into a Claude Project. The specialist reads identity.md, rules.md, examples.md, welcome.md, all patterns/*.md, all teardowns/*.md, all methodology/*.md.
git clone https://github.com/<handle>/vibe-code-audits.git
Name it whatever fits. "Vibe Code Audit Navigator" is the canonical name.
The full file set goes into the project. As new teardowns merge, pull from the upstream repo and re-upload to refresh.
Use the field labeled "Custom instructions" or "Project instructions", depending on the Claude version. This is what makes the specialist hold its register and routing-table behavior.
"Brief me on Lovable." "Give me a pre-flight checklist." "Walk me through the methodology." Full menu at welcome.md.
Want to run an audit on your own scaffold? The 6-step methodology above is reproducible by hand. The specialist won't run it on your code; you run it yourself, or you hand the methodology to someone you hire. Patches in teardowns are MIT-licensed — copy, adapt, ship.
Right now there's no paid audit service to sell you. The 6-step methodology is what you'd run yourself, or hand to someone you hire. The library stays free under MIT regardless of what future layers launch.