vibe-prooflisted

Security-focused hardening for vibe-coded full-stack apps. Runs parallel audits across frontend, backend, and config layers, then fixes issues systematically by severity. Covers injection, PII exposure, missing headers, error leakage, dead code, and credential hygiene.
HermeticOrmus/ormus-vibe-proof · ★ 0 · AI & Automation · score 75

Install: claude install-skill HermeticOrmus/ormus-vibe-proof

# Vibe-Proof: Security Hardening for Full-Stack Apps **Purpose:** Systematically audit and fix security vulnerabilities in vibe-coded full-stack applications through parallel multi-agent analysis and guided remediation. ## When to Use - After vibe-coding an MVP with API routes, databases, or payment integrations - Before first real deployment or first real customer - When you suspect "it works but is it safe?" - Any Express/React/Next.js/Nuxt/full-stack app with a backend ## The Seven Security Checks ### 1. Injection Vectors - [ ] No user input in SQL/query strings without parameterization - [ ] Sort columns, filter fields use allowlist validation - [ ] No `eval()`, `new Function()`, or template literal injection - [ ] URL params parsed with bounds checking (parseInt with min/max) - [ ] Enum fields (gender, status, role) validated against const allowlists ### 2. PII & Secret Exposure - [ ] No hardcoded addresses, phone numbers, names in source - [ ] No hardcoded passwords or "backdoor" auth strings - [ ] API tokens in headers (Authorization), never in URL params - [ ] Admin endpoint secrets use `Authorization: Bearer` header, not query params - [ ] No `.env` files tracked in git (check `git ls-files | grep env`) - [ ] No secrets in client-side code or `VITE_*` / `NEXT_PUBLIC_*` vars that shouldn't be public - [ ] `.env.example` documents all required variables (sync secrets, third-party API keys, etc.) - [ ] No `localhost` URLs in production allowlists (ALLOWED_ORIGINS,