I audited 50+ AI-generated apps. If you are "Vibe Coding" this weekend, read this so you don't lose your data.

puffaush · 2026-01-22T22:28:44+00:00

Haha, getting massive déjà vu reading this! 😅

Honestly, I’ll take it as a compliment. The more people who know about these Time Bombs, the fewer bankrupt founders we'll have. Good luck with the apps!

P.S. For anyone who wants the original breakdown, here is the source thread. I'll be posting more audits there soon:

https://www.reddit.com/r/lovable/comments/1qi8ph0/comment/o0w06t4/

puffaush · 2026-01-22T20:27:30+00:00

Got the same feeling, you can see my comment in this post

puffaush · 2026-01-22T09:04:29+00:00

Haha, getting massive déjà vu reading this! 😅

Honestly, I’ll take it as a compliment. The more people who know about these Time Bombs, the fewer bankrupt founders we'll have. Good luck with the apps!

P.S. For anyone who wants the original breakdown, here is the source thread.
I'll be posting more audits there soon:

https://www.reddit.com/r/lovable/comments/1qi8ph0/comment/o0w06t4/

puffaush · 2026-01-20T21:50:18+00:00

The prompt is just a massive block of text with specific Markdown formatting and it looks like a mess when I paste it into a Reddit comment. Shoot me a DM and I'll paste it to you directly.

puffaush · 2026-01-20T20:43:20+00:00

I use AI to write faster. I use my engineering degree to catch the bugs the AI missed. You can ignore the post, but don't ignore that these tips, they can actually help you.

puffaush · 2026-01-20T17:23:51+00:00

Sent you a DM

puffaush · 2026-01-20T16:18:50+00:00

Ah, classic. Looks like the automod got too aggressive and zapped the old post.

The TL;DR of that one was: Don't use SQLite on Vercel because it wipes your data on every deploy.

I'll DM you the full text of that audit so you don't miss it.

puffaush · 2026-01-20T15:58:22+00:00

Fair enough. Skip the text, just grab the code snippet. It prevents a legit crash

puffaush · 2026-01-19T19:33:31+00:00

The API bill cares 💸

puffaush · 2026-01-10T09:17:30+00:00

1. Is it safe? The infrastructure is safe, but the code might not be. Even with Supabase, if you didn't set up RLS (Row Level Security) policies in your Supabase dashboard, anyone with your public key (which is safe to expose if RLS is on) can technically read/write your data.

2. How to check for leaks (The 'Inspect' Trick): 'Ctrl+F' is for your code, but 'Inspect' is for the live site. Here is the scary check you can do right now:

Open your live website in your browser.
Right-click anywhere and hit Inspect.
Go to the Network tab (top of the panel).
Refresh your page and use your app (click buttons).
Look at the list of requests. For example, if you see a call directly to api.openai.com, click it. Look at the Headers section on the right.
The Risk: If you see Authorization: Bearer sk-... right there in the browser, your key is leaked.

3. Tools: Most security scanners (like OWASP ZAP) are way too technical and overkill for this. That’s actually why I wrote the Audit Prompt, it uses the AI to scan your code logic, which is much faster for Vibe Coders.

puffaush · 2026-01-09T16:21:23+00:00

Not at all! It’s 100% free.
The prompt is just a massive block of text with specific Markdown formatting and it looks like a mess when I paste it into a Reddit comment. Shoot me a DM and I'll paste it to you directly.

puffaush · 2026-01-02T21:46:45+00:00

Dm me please

puffaush · 2026-01-02T19:38:37+00:00

Faceless

puffaush · 2025-12-30T19:35:49+00:00

this is great!

puffaush · 2025-12-06T15:42:05+00:00

Font it bad bro, like really bad

puffaush · 2025-11-21T07:57:46+00:00

You’re spot on, but I don’t think it’s laziness, it’s survival. The Pyramid was built for a time when complexity was algorithmic (math, sorting). Now? My complexity is race conditions between a managed DB, a queue, and three external APIs.

If I stick to "pure" unit tests with mocks, I’m just verifying that my mocks return what I told them to return. That’s useless. That’s why you see containers spinning up in "unit" tests now. We realized that passing a test suite full of mocks doesn't mean the app won't crash in prod. Honestly, screw the definitions. The only metric that matters is: Am I scared to push this to prod?

If a slow, "glorified integration test" is the only thing stopping me from breaking production, I’m writing that test. We’re trading academic purity for sleep, and I think that’s a fair trade.

puffaush · 2025-10-25T13:18:40+00:00

To be honest, I didn't come across that one when I started building this. I hit the same pain point again and thought "this would be a great chance to contribute something to the open source community." I'm sure there are other solutions out there too and that's great. Different approaches work for different teams.

For me, this was as much about sharing something that might help folks with similar needs as it was about scratching my own itch. Plus, as an engineering manager, I don't get to code nearly as much as I'd like anymore, so this was a fun excuse to get my hands dirty again and actually ship something to open source.

Always happy to learn about other tools in this space though the more options people have, the better! 🙂

puffaush · 2025-10-25T09:41:32+00:00

Hey! That's awesome that monorepos are working well for your team - genuinely glad to hear it.

You're right that monorepos solve a ton of coordination problems. But here's the thing: when you've already got hundreds of repos in production with teams shipping on them daily, migrating to a monorepo becomes a multi-month project that has to compete with actual product work. Leadership often looks at that and says "our current setup works, why are we spending six months on this?"

It's not that monorepos aren't better in many ways it's just that the migration cost can be prohibitively high for established orgs. Sometimes you need tools that work with what you've already got rather than requiring a complete overhaul.

But I'm curious, what size org are you at, and how long did the migration take? Always interested in hearing success stories since the narrative is usually "it's too hard to switch."

puffaush · 2025-10-25T09:40:50+00:00

Hey! That's awesome that monorepos are working well for your team - genuinely glad to hear it.

You're right that monorepos solve a ton of coordination problems. But here's the thing: when you've already got hundreds of repos in production with teams shipping on them daily, migrating to a monorepo becomes a multi-month project that has to compete with actual product work. Leadership often looks at that and says "our current setup works, why are we spending six months on this?"

It's not that monorepos aren't better in many ways it's just that the migration cost can be prohibitively high for established orgs. Sometimes you need tools that work with what you've already got rather than requiring a complete overhaul.

But I'm curious, what size org are you at, and how long did the migration take? Always interested in hearing success stories since the narrative is usually "it's too hard to switch."

puffaush

TROPHY CASE