Lovable, Bolt, Replit, Cursor, v0, Base44

AI app rescue for founders who got 80% done and then hit production.

I triage AI-built apps when the preview looks fine but real users, real payments, real auth, or real deployment starts breaking.

What gets checked

A practical production pass, not a vague code review.

01

Auth and permissions

Protected routes, admin screens, user data separation, session expiry, password reset, and redirect loops.

02

Secrets and server calls

Public keys, private keys, browser-only leaks, environment variables, test/live credentials, and API route boundaries.

03

Payments and webhooks

Stripe modes, webhook verification, duplicate fulfillment, retry handling, failed checkout states, and subscription access.

04

Database rules

Supabase/Firebase access rules, table ownership, unauthenticated reads, cross-user reads, and destructive mutations.

05

Deploy and runtime

Build scripts, missing variables, server/client mismatch, broken preview-to-production assumptions, and log-based debugging.

06

Maintainability

Large generated files, repeated logic, dead mock data, weak error states, and the smallest refactor needed before growth.

Free repo scanner

Shipcheck catches common AI-app launch risks before a manual review.

01

Secrets and env names

Looks for private-looking keys, public frontend env vars that should not be public, and Supabase service-role references.

02

Payments and data rules

Flags Stripe webhook handlers without visible signature checks, missing Firebase rules, and Supabase projects without RLS evidence.

03

Launch leftovers

Checks for debug API routes, missing AI usage guardrails, weak release hygiene, and handoff gaps that slow down cleanup.

npx --yes shipcheck-cli .

Open the Shipcheck tool page for npm, GitHub, report export, and paid review options.

Pricing

Small first commitment, then a focused repair.

Risk check

$99

Repo/live-app triage, risk notes, reproduction steps where possible, and a ranked fix plan. Best when you are unsure what is broken.

Pay after scope confirmation

Production hardening

$750+

Broader cleanup for apps with users: security pass, error handling, key flows, test checklist, deploy notes, and maintainability fixes.

Boundary

I fix authorized apps. I do not poke around other people's systems.

Allowed

Your repo or your live app

You can send a repo, invite me to a project, paste logs, or share a public link you control.

Allowed

Defensive review

I can review configuration, code, rules, deploy logs, headers, and normal user flows for launch risk.

Not offered

Unauthorized testing

No credential guessing, data scraping, invasive scanning, or probing systems without clear permission.

Start with the blocker

Send the app, the builder used, and the flow that has to work first.
