FreeCodex

Public repo launch-readiness

Vibe/Agent Repo Safety Audit

A lightweight review for public GitHub repos built fast with AI tools. Catch tenant-isolation gaps, exposed secret patterns, webhook mistakes, MCP trust-boundary confusion, and launch-readiness debt before the first serious user arrives.

24-48h: typical turnaround
No credentials: public repo only
Open source: star, fork, or run locally

Why this now

The failure pattern is getting clearer: fast demos, weak trust boundaries.

Recent public builder threads keep naming the same practical blockers: Supabase/RLS confusion, IDOR/BOLA mistakes, leaked keys, webhook validation gaps, and MCP tool permissions that were never reviewed as a launch surface.

What gets checked

Catch boring launch mistakes before they become expensive.

Secrets and env handling

Obvious leaked-secret patterns, risky env examples, and client-side secret names.

Tenant isolation

Public code paths that suggest missing ownership checks, broad policies, or IDOR risk.

Public readiness

README, license, security policy, gitignore, CI, dependency metadata, and examples.

Agent workflow risk

Agent instructions, MCP configs, skill files, and workflows that pass untrusted text into agents.

Webhook and browser risk

Webhook signature checks, wildcard CORS, static CSP gaps, and launch-facing browser defaults.

Use it yourself

Run the lightweight audit locally, then star the repo if it saved time.

FreeCodex is public by design. Builders can run the deterministic checks before asking for a paid report, and the repo stays useful even when a buyer is not ready yet.

git clone https://github.com/bmtriet/FreeCodex.git
cd FreeCodex
python3 scripts/validate_repo.py
python3 scripts/repo_audit.py audit --path . \
  --output local-audit.md

Deliverable

One concise markdown report with a prioritized fix list.

High: Possible frontend secret exposure
Medium: Static header config missing obvious CSP
Low: Security policy missing reporting path
Evidence is redacted. Uncertain items are labeled for manual review.

Simple pricing

Start with the report. Scope fixes only after facts are clear.

Validation slots

First 3 free

For strong-fit public repos while the workflow is being validated.

Report + small fixes

USD 199+

Only after report delivery, confirmation, and bounded scope.

Payment destination after scope confirmation: ko-fi.com/freecodex.

Request

Send a public repo URL and launch context.

Do not send secrets, passwords, tokens, cookies, private keys, or account access. Private repos need explicit permission and a separate scope discussion.

The booking path is a public GitHub issue form. First contact stays public-safe, and payment happens only after a positive reply, scope confirmation, and consent to proceed.

Boundary

This is a lightweight launch/readiness audit. It is not a certified penetration test, legal advice, compliance guarantee, or proof that a repository is secure.