watch fizzgig audit your code before you ship.
this happens inside your editor. your AI ships a migration; fizzgig catches the policy that lets every user read every row. claude tells you, before you deploy.
tools that make your code production-ready.
you ship without running every check because there are too many tools, you're in a hurry, and you'll do it 'after lunch'. you don't do it after lunch. you find out about the issue in a customer email.
the pre-launch ritual. Fans out via Cloudflare service bindings to every other Fizzgig tool in parallel, aggregates findings, surfaces the top 20 by severity, and returns a single ship/don't-ship verdict (ready / not_ready / incomplete) with a headline the AI surfaces verbatim: the user's emotional anchor before deploy.
make the deploy call with one number instead of triaging twenty dashboards. sticky — run before every deploy.
the AI ran your supabase migration, the app works, you ship. three weeks later someone reads a user table they shouldn't because the policy was USING (true) and you never noticed. the AI scaffolds RLS like a checkbox: gets the structure right, gets the auth scoping wrong.
scans SQL migrations for 8 RLS misconfiguration patterns: tables with RLS not enabled, RLS explicitly disabled, USING (true) policies, USING with no auth scoping, INSERT/UPDATE missing WITH CHECK (the row-reassignment bug), policies attached to the public role, auth.role() vs auth.uid() confusion, SECURITY DEFINER functions bypassing RLS. Returns ranked findings with copy-paste fix SQL.
run before every migration. the 8 shapes account for the vast majority of vibe-coded supabase leaks.
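an added example, not fizzgig's own code: a small python check for three of the patterns listed above (RLS never enabled, USING (true), USING with no auth scoping), run over a weak migration and its hardened form. the table names, policy names and rule labels are constructed for illustration.

```python
import re

# Constructed sample migrations (illustrative, not taken from the page).
WEAK = """
create table public.notes (id uuid primary key, user_id uuid not null, body text);
create table public.profiles (id uuid primary key, bio text);  -- RLS never enabled
alter table public.notes enable row level security;
create policy "notes_read" on public.notes for select using (true);
create policy "notes_edit" on public.notes for update using (user_id is not null);
"""
HARDENED = """
create table public.notes (id uuid primary key, user_id uuid not null, body text);
alter table public.notes enable row level security;
create policy "notes_read" on public.notes
  for select to authenticated using (auth.uid() = user_id);
create policy "notes_edit" on public.notes
  for update to authenticated
  using (auth.uid() = user_id) with check (auth.uid() = user_id);
"""

def statements(sql):
    """Drop -- comments and split on ';' (enough for plain DDL; function
    bodies and string literals containing ';' would need a real SQL parser)."""
    sql = re.sub(r"--[^\n]*", "", sql)
    return [" ".join(s.split()).lower() for s in sql.split(";") if s.strip()]

def audit(sql):
    """Return (rule, table) findings for three of the patterns named above."""
    findings, created, enabled = [], [], set()
    for st in statements(sql):
        if m := re.match(r'create table (?:if not exists )?([\w."]+)', st):
            created.append(m.group(1))
        elif m := re.match(r'alter table (?:only )?([\w."]+) enable row level security', st):
            enabled.add(m.group(1))
        elif m := re.match(r'create policy (?:".*?"|\w+) on ([\w."]+)', st):
            table = m.group(1)
            if re.search(r"using \(\s*true\s*\)", st):
                findings.append(("using_true", table))
            elif "using (" in st and not re.search(r"auth\.(uid|jwt)\(\)", st):
                findings.append(("no_auth_scoping", table))
    # A table created here but never switched to RLS has no row-level restriction.
    findings += [("rls_not_enabled", t) for t in created if t not in enabled]
    return findings

if __name__ == "__main__":
    for label, sql in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(sql))
```

the check is a heuristic: a policy that scopes rows through a helper function instead of auth.uid() or auth.jwt() would be flagged and needs a manual look.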
you paste a key from supabase to test something. the AI scaffolds your code around it. three commits later the live key is in your public repo. by the time github's secret scanner catches it, it's already on someone's screen.
scans against 29 distinct credential patterns: auth providers (Supabase JWT/secret/publishable), payment processors (Stripe live/test/restricted), AI APIs (OpenAI, Anthropic), code hosting (GitHub PAT/fine-grained/app), cloud providers (AWS access+secret, GCP service account), communications (Slack, Twilio, SendGrid, Mailgun, Resend), cryptographic primitives (PEM keys, JWT bearers), database URIs (postgres://, mongodb+srv://), framework footguns (NEXT_PUBLIC_-prefixed admin keys), plus a generic catch-all.
don't be the founder whose stripe live key sits in the readme. runs before the commit lands — sticky tool, before every deploy.
the AI adds @vercel/analytics + posthog + sentry + clerk to the package.json. each is a sub-processor under GDPR. your privacy policy mentions none of them by name. the policy was written six months ago, the deps drifted, you haven't noticed.
13 checks across policy structure (privacy / terms / data-rights routes present), structural compliance (cookie banner presence, withdrawal mechanism, granular consent), and the killer feature: cross-references npm dependencies against the privacy-policy text to name specific undisclosed sub-processors.
keep the policy actually current with the stack. the AI ships dependencies; this checks they're disclosed.
the AI scaffolded /dashboard, /admin, /api/admin — all the protected routes you asked for. it didn't gate any of them. you ship. anyone with the URL is in.
heuristic auth-flow audit. Flags protected-shaped routes (/admin, /dashboard, /account, /api/admin, /api/private) without detectable auth gating — pass files with `// path`-style markers and it names the exact unprotected handler files (per-file attribution); webhook routes without signature verification (stripe constructEvent / crypto.createHmac / svix); auth library drift (mixing next-auth + clerk + supabase + auth0 + iron-session + lucia in one source).
ship knowing every /admin route is actually protected. catches the canonical 'AI scaffolded the route, AI forgot the guard' bug.
the AI scaffolds the page. the title is 'Untitled Page', the meta description is missing, the URL has a query string from a tracking parameter, the canonical points at staging, the h1 doesn't exist. google indexes none of it the way you'd want.
42 checks across URL slug quality (length, depth, casing, stopwords, hash / query canonical traps), head meta (title, meta-description, viewport, canonical, hreflang, robots-meta), security headers (HSTS, CSP), schema.org markup (Article, Organization, WebSite, BreadcrumbList JSON-LD), body content structure (h1, hierarchy, image alts / dimensions, internal linking), sitemap + canonical correctness.
the page is shaped the way search engines expect. catches the 42 cumulative tweaks that move you from 'indexed badly' to 'indexed well'.
super easy. super simple.
one config line into your AI editor's MCP file. cursor, claude code, windsurf, vs code, lovable, bolt — anywhere your AI already works. takes 30 seconds.
your AI sees a focused kit of audit tools and calls the right one at the right moment. you don't think about which tool — claude does.
review the findings, implement the suggested fixes, ship with confidence. one number instead of triaging twenty dashboards.
also: see what you're running.
every fizzgig tool emits architecture facts as a side effect. stack-map aggregates them into a live, status-aware diagram of your project — what platforms you depend on, which are currently degraded, where one outage is silently bottlenecking another.
one place to monitor the health of your project. built into the audit suite. nothing extra to wire up.
see stack-map →
vibe coders helping vibe coders.
i run a consultancy — we vibe-build custom tools for clients. and we kept hitting the same challenges. code drift between sessions. rls policies that looked right but weren't. memory loss across long claude code conversations. the same pre-deploy gotchas every project.
so i built fizzgig to surface and fix them. it's how my team works internally — now it's how anyone with an AI editor can work.
vibe coders helping vibe coders produce production-ready platforms — using the tools you already have.