About

A security inspector for AI-generated apps. Part of The Meridian Lab.

The Meridian Lab is a small studio building infrastructure for what comes after general-purpose generative AI. Each product is narrow, opinionated, and shipped with the same restraint. vibecheck is the inspector.

What we do

Read-only inspection of what the browser receives.

vibecheck fetches a deployed app and runs fifteen families of read-only inspections against the public surface — bundles, headers, schemas, probes against backend services discovered in client code. We surface what an attacker would find in their first five minutes.

For every finding, we link to a per-rule remediation page at /fix/<rule> and (where applicable) generate corrective SQL or middleware config the operator can paste in.

We never write, modify, or persist anything we don't have explicit consent for. We never use a discovered service_role key — its presence is the finding; using it would be exfiltration.

  • 23 detector families: Supabase RLS, Firebase + BaaS, secrets, JWTs, OAuth, paths, headers + CSP, framework + dev, prompts, defaults, leaks, redirects, subdomains, SRI, iframes, Service Workers, postMessage, URL-tokens, /.well-known/, GraphQL, password forms, CSP effective-mode, CORS
  • 173 rules in the catalogue: Every rule has a dedicated /fix/<rule> page with remediation code
  • 22 long-form articles: Two pillars (vibe coding security guide, RLS patterns), platform-specific deep-dives, incident-response runbooks, the Moltbook breach forensic
  • Agent-ready: Self-contained /skill.md manifest for Claude Code, Cursor, Cline, Codex CLI, custom agents

The Meridian Lab

Three narrow tools. Same skeleton.

vibecheck shares its design vocabulary, voice, and foundations with two sister products. Each has a different accent and a different metaphor, but they're all built on the same shape.

vibecheck: The building inspector

The product on this page. Read-only security inspection for vibe-coded apps. Free to run; the report is yours.

vibecheck.themeridianlab.com →

AgentProof: The postal inspector

Detects AI agents in your inbox. Verifies whether senders are humans, autonomous agents, or sequence-generated emails. Stamps each message: HUMAN, AGENT, or SEQUENCE.

agentproof.themeridianlab.com →

Greyline: Electronic countermeasures

A reverse proxy that detects autonomous AI agents probing your API and deploys a counter-agent to interrogate, delay, or mislead them — before a single request reaches real infrastructure.

greyline.themeridianlab.com →

What stays the same across all of them

Five constants.

  • Read-only by default: We never write, modify, send, or persist anything we don't have explicit consent for. The free tier requires zero account creation.
  • Single accent per product: Drawn from the master palette: vermillion (AgentProof), patina (Greyline), amber (vibecheck). No gradients, no rounded corners, no decorative imagery.
  • Two registers of typography: Inter for product UI, Courier Prime for the parent voice — labels, byline metadata, the small-caps section markers.
  • Sharp editorial discipline: Declarative copy. No marketing fluff. No "revolutionize", "leverage", "unlock", "AI-powered". We say what the product does and stop talking.
  • One narrow problem per product: Each tool solves one thing completely instead of being a platform. No dashboard with everything in it. No bundles. No add-ons.

Get in touch

Two emails.

For general inquiries, press, partnerships: [email protected]. For security disclosures: [email protected]. We acknowledge within 24 hours.

For everything else, the Lab is at themeridianlab.com.
