
saas-preflight · listed

Audit a vibe-coded or AI-generated SaaS for security and payment failures before it ships, focused on the Next.js + Supabase + Stripe stack. Use this whenever the user is about to deploy, launch, or "ship" a web app that handles authentication, user data, or payments. Trigger on phrases like "is my app secure", "can someone read other users' data", "is my Stripe integration safe", "will someone get a free subscription", "review my SaaS before launch", "I'm going to production", or any review of API routes, server actions, Supabase RLS policies, Stripe webhooks, or middleware in a SaaS, even if the user never says the word "audit". Prefer this skill over an ad-hoc code read whenever real users or real money are about to touch the code.
Comoco235/saas-preflight · ★ 2 · API & Backend · score 75
Install: claude install-skill Comoco235/saas-preflight
# saas-preflight

A pre-ship security and payment audit for SaaS built fast with AI, on the Next.js + Supabase + Stripe stack. It finds the failure modes that AI-generated code ships by default: a stranger reading another user's data, a stranger getting a paid plan for free, a webhook that silently fails so subscriptions never activate, a middleware that fails open.

This skill is **defensive only**. It detects weaknesses in the user's own codebase so they can be fixed. It never writes exploit code, never produces an attack payload, and never targets a system the user does not own.

## The 7 lenses

Every finding maps to one of these lenses. They are the spine of the audit. Run through all seven; do not stop at the first scary thing.

1. **Auth / authz**: Is every protected route, server action, and data query actually checking who the caller is and whether they own the thing they touch?
2. **Atomicity**: Can a half-finished operation leave money charged but access not granted, or two writes that should be one?
3. **Idempotency**: If a webhook or request is delivered twice, does the app do the work twice (double-grant, double-charge, double-email)?
4. **Degraded mode**: When Stripe, Supabase, or an email provider is slow or down, does the app fail safe or fail open?
5. **Input validation**: Is untrusted input validated and bounded before it hits the database, the filesystem, an outbound fetch, or the DOM?
6. **Config drift**: Do secrets, price IDs, redirect URL
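As an added example (not code from the saas-preflight skill or its README), the TypeScript below applies lenses 1 to 5 to the one place where they all collide in this stack: the Stripe webhook that grants a paid plan. It assumes Stripe's documented signing scheme (HMAC-SHA256 over `<timestamp>.<raw body>`, delivered in a `Stripe-Signature` header of the form `t=<ts>,v1=<hex>`) and stands in for Supabase with an in-memory store. The secret, event ids and user ids are constructed test values, and `grantPlanAtomically` is a hypothetical stand-in for a single Postgres transaction against a table with a unique event-id column.

```typescript
// Added example, not code from the saas-preflight skill: a Stripe-style webhook
// handler that exercises lenses 1-5 against an in-memory stand-in for the
// database. Secret, event ids and user ids below are constructed test values.
import { createHmac, timingSafeEqual } from "node:crypto";

export const TEST_SECRET = "whsec_constructed_test_secret"; // constructed; not a real endpoint secret

// Stripe's documented scheme: HMAC-SHA256 over "<timestamp>.<raw body>", sent as "t=<ts>,v1=<hex>".
export function signPayload(rawBody: string, secret: string, timestamp: number): string {
  const mac = createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest("hex");
  return `t=${timestamp},v1=${mac}`;
}

// Lens 1 (who is calling?): verify over the RAW body before parsing it, compare in
// constant time, and reject stale timestamps so a captured request cannot be replayed later.
export function verifySignature(rawBody: string, header: string, secret: string, now: number, toleranceSec = 300): boolean {
  const fields = new Map<string, string>();
  for (const kv of header.split(",")) {
    const i = kv.indexOf("=");
    if (i > 0) fields.set(kv.slice(0, i), kv.slice(i + 1));
  }
  const t = Number(fields.get("t"));
  const v1 = fields.get("v1");
  if (!Number.isInteger(t) || !v1 || Math.abs(now - t) > toleranceSec) return false;
  const expected = createHmac("sha256", secret).update(`${t}.${rawBody}`).digest();
  const given = Buffer.from(v1, "hex");
  return given.length === expected.length && timingSafeEqual(given, expected);
}

type Plan = "free" | "pro";
export interface Store {
  down: boolean;                // flip to simulate a Supabase outage
  processedEvents: Set<string>; // stands in for a table with UNIQUE(event_id)
  plans: Map<string, Plan>;     // user id -> plan
  grants: number;               // counts grants so a double-grant is observable
}
export function newStore(): Store {
  return { down: false, processedEvents: new Set(), plans: new Map(), grants: 0 };
}

// Lenses 2 and 3: record the event id and grant the plan as ONE unit (in Postgres, one
// transaction whose insert hits the unique constraint). A redelivered event with the
// same id is a no-op, so the work is never done twice. Hypothetical stand-in.
function grantPlanAtomically(store: Store, eventId: string, userId: string, plan: Plan): boolean {
  if (store.down) throw new Error("store unavailable");
  if (store.processedEvents.has(eventId)) return false;
  store.processedEvents.add(eventId);
  store.plans.set(userId, plan);
  store.grants += 1;
  return true;
}

export interface WebhookRequest { rawBody: string; signatureHeader?: string }
export interface WebhookResponse { status: number; reason: string }
interface CheckoutEvent { id: string; type: string; data: { object: { metadata?: { userId?: string } } } }

export function handleWebhook(req: WebhookRequest, store: Store, secret: string, now: number): WebhookResponse {
  if (!req.signatureHeader || !verifySignature(req.rawBody, req.signatureHeader, secret, now)) {
    return { status: 400, reason: "bad signature" }; // unauthenticated: touch nothing
  }
  let event: CheckoutEvent;
  try {
    event = JSON.parse(req.rawBody) as CheckoutEvent;
  } catch {
    return { status: 400, reason: "bad json" };
  }
  // Lens 5: bound what we accept before it reaches the database.
  if (typeof event?.id !== "string" || typeof event?.type !== "string") return { status: 400, reason: "bad event" };
  if (event.type !== "checkout.session.completed") return { status: 200, reason: "ignored" }; // ack types we do not handle
  const userId = event.data?.object?.metadata?.userId;
  if (typeof userId !== "string" || userId.length === 0 || userId.length > 64) {
    return { status: 400, reason: "missing userId" }; // a retry will not fix this, but a non-2xx keeps it visible in the Stripe dashboard
  }
  // Lens 4: if the store is down, answer non-2xx so the sender retries later instead of
  // acking an event whose side effect never happened (the "subscription never activates" failure).
  try {
    const granted = grantPlanAtomically(store, event.id, userId, "pro");
    return { status: 200, reason: granted ? "granted" : "duplicate" };
  } catch {
    return { status: 503, reason: "store unavailable" };
  }
}

// Stand-alone demo: deliver the same constructed event twice; only one grant happens.
export function demo(): { first: string; second: string; grants: number } {
  const store = newStore();
  const now = 1_700_000_000;
  const rawBody = JSON.stringify({ id: "evt_constructed_1", type: "checkout.session.completed",
    data: { object: { metadata: { userId: "user_a" } } } });
  const header = signPayload(rawBody, TEST_SECRET, now);
  const first = handleWebhook({ rawBody, signatureHeader: header }, store, TEST_SECRET, now).reason;
  const second = handleWebhook({ rawBody, signatureHeader: header }, store, TEST_SECRET, now + 5).reason;
  return { first, second, grants: store.grants };
}
```

Two things to carry over when reviewing a real Next.js route handler: the signature must be computed over the raw request bytes (`await req.text()`, not the parsed JSON, which re-serialises and breaks the MAC), which is also what the official `stripe` package's `stripe.webhooks.constructEvent` checks for you; and the "already processed" record and the plan change must commit together, otherwise a crash between them reproduces exactly the lens 2 failure the audit is looking for.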