Per-version notes
Release history.
v1.21 · 2026-05-09
Homepage redesign + dedicated /feed page
Homepage
Cut the kitchen-sink design. The form is now the single focal point above the fold — centered, ~720px max width, full-width URL input with inline submit, two clean checkboxes, one trust line ("15 detector families · 135 rules · 22 articles · agent-ready"). Cut the right-column case-file canvas, the 5-cell stats strip, the 3-up coverage cards, the "Why this exists" wall of text, and the dogfood callout (lives at /blog/dogfooding-vibecheck for anyone who wants the full story). Below the fold: feed (6 rows + "Full feed →"), agent-skill callout, FAQ. Three sections instead of nine.
New page: /feed
Dedicated full-feed view. Pulls up to 50 findings from /api/feed, with severity filter (All / Critical / High / Medium / Low+Info) and platform filter (Pages / Vercel / Bolt / Netlify / Other). Privacy-note section explicitly enumerates what we persist and what we don't. Linked from the homepage and the footer.
Numbers
Sitemap: 163 → 164 URLs. Tests: 103/103. The redesign cuts ~250 lines from the homepage source.
v1.20 · 2026-05-09
Live findings feed — KV-backed
Persistence
New vibecheck_scans KV namespace bound. Each /api/scan call writes anonymized finding rows in the background via ctx.waitUntil() — best-effort, never blocks the scan response. Privacy contract documented in functions/_shared/feed.ts: persisted fields are rule, severity, ts (unix seconds), and platformShape (e.g. *.pages.dev, *.vercel.app, *.com). No URLs, no PII, no host names. 14-day TTL per row. Vibecheck's own dogfood scans are excluded so the feed isn't dominated by self-tests. Per-scan cap of 8 most-severe findings prevents one noisy app from overwhelming the feed.
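The anonymization step above, as an added example (this is not vibecheck's code): a pure function that turns a scan result into feed rows carrying only the four persisted fields, drops the dogfood hosts, caps a scan at its 8 most severe findings, and hands back the 14-day TTL for the KV write. Function names, the host and suffix lists, and the sample findings are assumptions constructed for this example.

```typescript
// Added example, not vibecheck's code: "anonymize before persisting" for a
// public findings feed. The field names follow the privacy contract quoted
// above (rule, severity, ts, platformShape); function names, host lists and
// the sample findings are assumptions/constructed.

type Severity = "critical" | "high" | "medium" | "low" | "info";

interface Finding {
  rule: string;
  severity: Severity;
  evidence?: string; // identifying detail that must never reach the feed
}

interface FeedRow {
  rule: string;
  severity: Severity;
  ts: number;            // unix seconds
  platformShape: string; // e.g. "*.pages.dev", "*.com"
}

const SEVERITY_RANK: Record<Severity, number> = { critical: 0, high: 1, medium: 2, low: 3, info: 4 };
const PER_SCAN_CAP = 8;
const ROW_TTL_SECONDS = 14 * 24 * 60 * 60;
const FEED_FIELDS = new Set(["rule", "severity", "ts", "platformShape"]);

// Scans of the scanner's own deploys are dropped so self-tests don't dominate the feed (assumed list).
const DOGFOOD_HOSTS = new Set(["vibecheck.themeridianlab.com", "vibecheck-32f.pages.dev"]);

// Multi-tenant hosting suffixes, checked before the generic "*.<tld>" fallback (assumed list).
const PLATFORM_SUFFIXES = [".pages.dev", ".vercel.app", ".netlify.app", ".bolt.new", ".workers.dev"];

// Collapse a hostname to a shape that cannot identify the app.
function platformShape(hostname: string): string {
  const host = hostname.toLowerCase();
  for (const suffix of PLATFORM_SUFFIXES) {
    if (host.endsWith(suffix)) return "*" + suffix;
  }
  const labels = host.split(".");
  const tld = labels[labels.length - 1];
  // IP literals and single-label hosts carry no useful shape; bucket them as "other".
  if (labels.length < 2 || /^\d+$/.test(tld) || host.includes(":")) return "other";
  return "*." + tld;
}

// Returns the rows to persist plus their TTL, or null when the scan must not be recorded.
function anonymizeForFeed(
  scannedUrl: string,
  findings: Finding[],
  nowSeconds: number,
): { rows: FeedRow[]; expirationTtl: number } | null {
  const { hostname } = new URL(scannedUrl);
  if (DOGFOOD_HOSTS.has(hostname)) return null;
  const shape = platformShape(hostname);
  const rows = [...findings]
    .sort((a, b) => SEVERITY_RANK[a.severity] - SEVERITY_RANK[b.severity]) // stable sort: most severe first
    .slice(0, PER_SCAN_CAP)
    // Build each row field by field; spreading the finding would carry `evidence` through.
    .map((f): FeedRow => ({ rule: f.rule, severity: f.severity, ts: nowSeconds, platformShape: shape }));
  return { rows, expirationTtl: ROW_TTL_SECONDS };
}

// Last guard before the KV write: reject any row with a field outside the contract.
function isWithinPrivacyContract(row: object): boolean {
  return Object.keys(row).every((k) => FEED_FIELDS.has(k));
}

// Constructed sample: nine findings of mixed severity from one scan.
const SAMPLE_FINDINGS: Finding[] = [
  { rule: "missing_csp", severity: "low" },
  { rule: "supabase_service_role_in_client", severity: "critical", evidence: "eyJ...(redacted)" },
  { rule: "csp_unsafe_inline_scripts", severity: "high" },
  { rule: "cors_origin_reflected", severity: "high" },
  { rule: "exposed_sourcemap", severity: "medium" },
  { rule: "security_txt_missing", severity: "info" },
  { rule: "cookie_missing_httponly", severity: "medium" },
  { rule: "csp_report_only", severity: "info" },
  { rule: "jwt_long_lived", severity: "medium" },
];
```

In a Pages Function the call would be `ctx.waitUntil(kv.put(key, JSON.stringify(row), { expirationTtl }))` per row, after `isWithinPrivacyContract(row)` has passed; the function above is deliberately free of any KV or request objects so the privacy behaviour can be unit-tested on its own.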
Endpoint
New GET /api/feed?limit=N (cap 50, default 25). Returns { findings: [...], count: N } with public CORS so agents and dashboards can ingest it. Documented in /skill.md.
Homepage
Findings feed is now live. Page renders curated fallback rows server-side, then JS replaces them on load if /api/feed returns ≥3 rows. Still falls back gracefully to the curated set if the API is empty or unreachable. Footer status text auto-switches between "Anonymized to rule + severity + platform-shape" (fallback) and "Live data — N of the most recent findings" (real).
Smoke
New check: /api/feed must return a JSON object with a findings array. 28 → 29 smoke checks.
Numbers
Tests: 103/103. Sitemap unchanged. The feed surface is the first dynamic state vibecheck has — every previous version was stateless.
v1.19 · 2026-05-09
Agent skill manifest, homepage redesign, header standardization, findings feed
Agent skill — /skill.md
New self-contained markdown manifest at /skill.md that a coding agent can ingest in one fetch to learn how to invoke vibecheck on a user's behalf. Covers when to scan, free-tier POST /api/scan invocation, paid-tier escalation via Authorization: Bearer, plain-English consequence translations for surfacing critical findings to a human, and full agent-loop examples. Linked from the homepage hero, the /agents page, llms.txt, llms-full.txt, and the sitemap. _headers sets Content-Type: text/markdown on this path.
Homepage redesign
Greyline-style hero with deep-pine background and two-column layout: scan form left, sample case-file canvas mockup right (Grade F report with five plausible findings). New stats strip, anonymized findings feed, three-up coverage cards, agent-skill callout, dogfooding callout pointing at the public self-scan grade D writeup, all anchored to the existing site.css design tokens.
Header standardization
Bug fix: the nav-links block on every page was a different set. Standardized to a canonical Blog · Fix guides · Breaches · Agents · Pricing across all 34 HTML pages via a one-shot tsx replacement script. The footer now links to /skill.md.
Findings feed
Curated, anonymized list of recent findings on the homepage. Domains redacted, platform shape preserved (*.pages.dev, *.bolt.new, *.vercel.app, etc.). Each row links to the per-rule /fix/<rule> page. KV-backed real findings come in a future iteration once we add scan persistence.
Numbers
Sitemap: 162 → 163 URLs. Tests: 103/103. Article count unchanged. The /skill.md manifest is a non-blog content piece.
v1.18 · 2026-05-09
CSRF edge cases — five-pattern article
Content
New /blog/csrf-edge-cases-vibe-coded — 11 min auth/CSRF article. Five edge cases vibe-coded apps consistently get wrong even when the obvious basics (SameSite cookies) are in place: state-changing GETs slipping through SameSite=Lax, CSRF tokens compared with === (timing-attackable), parent-domain cookies surviving subdomain takeovers, bearer-token auth (Supabase / Firebase / Clerk) sidestepping CSRF but creating XSS-amplification risk, and permissive content-type handling on JSON endpoints.
Plus the 2026-default CSRF stack: SameSite=Lax + state changes through non-GET methods + JSON-only endpoints with content-type checks + bearer-token apps paired with strict CSP. Cross-links into the JWT, CORS, and CSP posts that handle adjacent surfaces.
Numbers
Article count: 21 → 22. Sitemap: 161 → 162 URLs. Tests / rules / detectors unchanged.
v1.17 · 2026-05-09
Cutover to vibecheck.themeridianlab.com
vibecheck now lives at vibecheck.themeridianlab.com as a Meridian Lab subdomain (matching greyline.themeridianlab.com's pattern). All ~1,400 in-source references — canonical URLs, JSON-LD mainEntityOfPage, breadcrumb item URLs, OG tags, sitemap entries, llms.txt — switched in one pass. Smoke 28/28 against the new domain. The bare vibecheck-32f.pages.dev URL continues to serve as a fallback.
Operationally: drops the "buy a domain" item from the pre-launch HANDOFF list and saves the registrar fee. Reversing later (acquiring a separate apex like vibecheck.dev and 301-redirecting) is cheap if we ever want it.
v1.16 · 2026-05-09
Sourcemap leaks — new rule + paths-finding cross-linking + article
Detection
New exposed_sourcemap rulebook entry with full per-bundler fix reference (Vite, Next.js, webpack, esbuild, Rollup). Paths detector now emits the rule on sourcemap finds, and the renderer cross-links sourcemap findings to /fix/exposed_sourcemap via a new optional rule field on PathFindingType. Other path findings (env files, .git/HEAD, etc.) can opt into the same cross-linking by adding their own rule names later.
Content
New /blog/sourcemap-leaks-vibe-coded — 8 min build/sourcemaps article. Three-minute attack walkthrough (curl → fetch map → source-map-cli decode → grep), per-bundler config reference, post-leak response, three legitimate reasons to ship maps anyway (Sentry-style monitoring, customer-support tooling, open-source apps).
Numbers
Catalogue: 134 → 135 rules. Sitemap: 160 → 161 URLs. Article count: 20 → 21. Tests still 103.
v1.15 · 2026-05-09
service_role production runbook — the third Supabase pillar
Content
New /blog/service-role-in-production — 12 min runbook covering correct server-side use of Supabase service_role. Three pieces now form a complete service_role lifecycle: incident response when leaked, RLS patterns for cases where service_role isn't needed, and this new piece for when it is. Sections: when to use service_role, where it lives in runtime config, the per-request authorization layer, the webhook verification-first pattern, audit logging discipline, rotation strategy.
Cross-linking
New piece linked from the leak-response article ("what to do with the new key after rotation"), the RLS pillar ("when service_role isn't needed"), the webhook secrets post (verification-first pattern), and the JWT mistakes post (auth-side patterns this builds on).
Numbers
Article count: 19 → 20. Sitemap: 159 → 160 URLs.
v1.14 · 2026-05-09
Dogfooding write-up — public self-scan documentation
Content
New /blog/dogfooding-vibecheck — 5 min operations post documenting what vibecheck's smoke runs against vibecheck's own deploy returns, why the current grade is D, and what the smoke gate enforces. Direct follow-up to the v1.13 CSP detector flagging vibecheck's own CSP. Self-scan output is reproducible by anyone via curl.
Numbers
Article count: 18 → 19. Sitemap: 158 → 159 URLs. Tests / rules / detectors unchanged.
v1.13 · 2026-05-09
CSP weakness analysis — 6 rules + 11 tests + bypass-walkthrough article
Detection
Headers detector now parses Content-Security-Policy and Content-Security-Policy-Report-Only headers and emits findings for six specific weaknesses:
csp_unsafe_inline_scripts (high) — 'unsafe-inline' in script-src
csp_unsafe_eval (high) — 'unsafe-eval' in script-src
csp_wildcard_script_src (high) — *, https:, or http: in script-src
csp_data_uri_in_script_src (high) — data: in script-src
csp_missing_default_src (medium) — no default-src and no script-src
csp_report_only (info) — Report-Only without enforced policy
script-src falls back to default-src per the CSP spec when the former is absent — the analyzer respects this. New parseCsp() exported from the headers module so other consumers can use it.
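The six checks above, as an added example that is not vibecheck's code: a small CSP parser and analyzer that applies the script-src to default-src fallback, ignores duplicate directives the way browsers do, and handles the Report-Only case. Rule names and severities are the ones listed above; the function names (parseCsp, analyzeCspHeaders), the decision to also analyze an unenforced Report-Only policy, and the sample headers are assumptions made for this example.

```typescript
// Added example, not vibecheck's code: CSP parser plus the six weakness checks
// above. Rule names/severities follow the changelog; function names, the
// Report-Only handling and the sample headers are assumptions/constructed.

type CspDirectives = Map<string, string[]>;

interface CspFinding {
  rule: string;
  severity: "high" | "medium" | "info";
  detail: string;
}

const NONCE_OR_HASH = /^'(nonce|sha(256|384|512))-/i;

// Parse "directive value value; directive ..." into a map. A repeated directive is
// ignored after its first occurrence, as in browsers. Keyword and scheme sources are
// lowercased; nonce/hash sources keep their case because the base64 payload is significant.
function parseCsp(header: string): CspDirectives {
  const directives: CspDirectives = new Map();
  for (const segment of header.split(";")) {
    const tokens = segment.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (directives.has(name)) continue;
    directives.set(name, tokens.slice(1).map((t) => (NONCE_OR_HASH.test(t) ? t : t.toLowerCase())));
  }
  return directives;
}

// script-src governs scripts; when it is absent, default-src applies instead.
function effectiveScriptSrc(d: CspDirectives): string[] | undefined {
  return d.get("script-src") ?? d.get("default-src");
}

function analyzePolicy(d: CspDirectives): CspFinding[] {
  const findings: CspFinding[] = [];
  const scriptSrc = effectiveScriptSrc(d);
  if (scriptSrc === undefined) {
    findings.push({ rule: "csp_missing_default_src", severity: "medium",
      detail: "neither default-src nor script-src is set, so scripts are unrestricted" });
    return findings;
  }
  const hasNonceOrHash = scriptSrc.some((v) => NONCE_OR_HASH.test(v));
  if (scriptSrc.includes("'unsafe-inline'")) {
    findings.push({ rule: "csp_unsafe_inline_scripts", severity: "high",
      detail: hasNonceOrHash
        ? "'unsafe-inline' in script-src (ignored by CSP3 browsers because a nonce/hash is present; still active in older ones)"
        : "'unsafe-inline' in script-src allows any injected inline script" });
  }
  if (scriptSrc.includes("'unsafe-eval'")) {
    findings.push({ rule: "csp_unsafe_eval", severity: "high",
      detail: "'unsafe-eval' in script-src allows eval()/new Function() on attacker-controlled strings" });
  }
  const wildcard = scriptSrc.filter((v) => v === "*" || v === "https:" || v === "http:");
  if (wildcard.length > 0) {
    findings.push({ rule: "csp_wildcard_script_src", severity: "high",
      detail: `script-src allows ${wildcard.join(", ")}: any origin can serve scripts` });
  }
  if (scriptSrc.includes("data:")) {
    findings.push({ rule: "csp_data_uri_in_script_src", severity: "high",
      detail: "data: in script-src lets an injected <script src=\"data:...\"> run" });
  }
  return findings;
}

// Entry point over a response's headers (keys already lowercased). When only the
// Report-Only header exists nothing is enforced: that is flagged, and the unenforced
// policy is still analyzed because it is what would get promoted to enforce mode.
function analyzeCspHeaders(headers: Record<string, string | undefined>): CspFinding[] {
  const enforced = headers["content-security-policy"];
  const reportOnly = headers["content-security-policy-report-only"];
  if (enforced) return analyzePolicy(parseCsp(enforced));
  if (reportOnly) {
    return [
      { rule: "csp_report_only", severity: "info",
        detail: "Content-Security-Policy-Report-Only without an enforced policy blocks nothing" },
      ...analyzePolicy(parseCsp(reportOnly)),
    ];
  }
  return []; // a missing CSP entirely is a separate rule, outside this analyzer
}

const rulesOf = (findings: CspFinding[]): string[] => findings.map((f) => f.rule);
```

The strict-CSP recipe (`script-src 'nonce-...' 'strict-dynamic'; object-src 'none'; base-uri 'none'`) produces no findings even though it has no default-src, because script-src is present; that case is the one worth keeping in a regression test so the missing-default-src check never fires on a correctly hardened policy.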
Content
New /blog/csp-bypass-vibe-coded — 11 min headers/CSP article. Each weakness explained, the attack each enables, and the strict-CSP recipe at the end (with notes on why each directive in the recipe is the way it is). Cross-links from the CORS article since they pair as the two header-side bug categories.
Tests
103 tests (was 92). 11 new CSP tests covering: parseCsp directive normalization, each weakness emission, default-src fallback for script-src, Report-Only suppression when enforce mode is also set, and the strict-CSP no-findings case.
Numbers
Catalogue: 128 → 134 rules. Sitemap: 157 → 158 URLs. Article count: 17 → 18.
v1.12 · 2026-05-09
RLS patterns deep-dive — second pillar article
Content
New /blog/rls-patterns-vibe-coded — 16 min RLS pattern reference. Eight patterns with the actual policy SQL: per-user ownership, public-readable with owner-write, tenant-scoped via membership table, profile pattern, member-of-conversation, soft-delete, append-only audit log, visibility levels. Each section includes the gotcha that always trips people up (the WITH CHECK on UPDATE policies, service_role bypass, JWT claim staleness, performance pitfalls with subquery-heavy policies). Plus a three-level testing strategy (psql role-switching, integration tests, vibecheck active probing).
Cross-linking
New article cross-linked from the vibe-coding security guide (pillar), the Moltbook breach case study, and the supabase service_role leak post. The new article links to /fix/supabase_anon_only_no_rls, the Moltbook case study, and the platform-specific articles (Lovable, Firebase) that cover related material.
Numbers
Sitemap: 156 → 157 URLs. Article count: 16 → 17. Sitemap priority of new article: 1.0 (matches the existing pillar guide — both are top-of-funnel authority pages).
v1.11 · 2026-05-09
Active CORS probing — 3 rules + 6 tests + middleware-fix article
Detection
Headers detector now sends two active CORS probes per scan: one with Origin: https://attacker.example and one with Origin: null. Inspects the response's Access-Control-Allow-Origin and Access-Control-Allow-Credentials headers and emits up to three findings:
cors_origin_reflected (high) — server reflects arbitrary Origin in ACAO
cors_origin_reflected_with_credentials (critical) — same + Allow-Credentials: true (the lethal CORS bug)
cors_null_origin_allowed (high; critical with credentials) — server accepts Origin: null from sandboxed iframes / data: URLs / file:
Existing cors_acao_wildcard_with_credentials rule gets cross-links to the new entries.
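The probe logic above, as an added example that is not vibecheck's code. The real detector sends fetch() requests carrying an Origin header; here the network is replaced by an injected `probe` function so the evaluation runs offline against constructed sample servers (a reflecting one, an allowlisted one, and one using the unanchored-regex footgun). Rule names and severities follow the list above; the optional third probe, which appends the target host to an attacker domain to catch suffix matches, goes beyond the two probes described in this entry and is this example's own addition.

```typescript
// Added example, not vibecheck's code: evaluating the active CORS probes above.
// `probe` stands in for fetch() with an Origin header. Rule names/severities
// follow the changelog; the third probe and the sample servers are constructed.

interface CorsHeaders {
  allowOrigin?: string;      // Access-Control-Allow-Origin
  allowCredentials?: string; // Access-Control-Allow-Credentials
}

type Prober = (origin: string) => CorsHeaders;

interface CorsFinding {
  rule: string;
  severity: "critical" | "high";
  detail: string;
}

const ATTACKER_ORIGIN = "https://attacker.example";

const credentialed = (h: CorsHeaders): boolean => h.allowCredentials?.trim().toLowerCase() === "true";

// targetOrigin is optional: when given, a third probe checks for suffix matching.
function assessCors(probe: Prober, targetOrigin?: string): CorsFinding[] {
  const findings: CorsFinding[] = [];

  // Probe 1: an arbitrary origin the server has no reason to trust.
  const reflected = probe(ATTACKER_ORIGIN);
  if (reflected.allowOrigin === ATTACKER_ORIGIN) {
    findings.push({ rule: "cors_origin_reflected", severity: "high",
      detail: "ACAO echoes whatever Origin the request carries" });
    if (credentialed(reflected)) {
      findings.push({ rule: "cors_origin_reflected_with_credentials", severity: "critical",
        detail: "reflected ACAO plus Allow-Credentials: true lets any site read authenticated responses" });
    }
  }

  // Probe 2: the literal "null" origin sent by sandboxed iframes, data: and file: pages.
  const nullOrigin = probe("null");
  if (nullOrigin.allowOrigin === "null") {
    const withCreds = credentialed(nullOrigin);
    findings.push({ rule: "cors_null_origin_allowed", severity: withCreds ? "critical" : "high",
      detail: withCreds ? "Origin: null accepted with credentials" : "Origin: null accepted" });
  }

  // Probe 3 (this example's extension): "<target-host>.attacker.example" catches
  // allowlists implemented as an unanchored regex or a substring/endsWith check.
  if (targetOrigin) {
    const suffixOrigin = `https://${new URL(targetOrigin).hostname}.attacker.example`;
    const suffix = probe(suffixOrigin);
    if (suffix.allowOrigin === suffixOrigin) {
      findings.push({ rule: "cors_origin_reflected", severity: credentialed(suffix) ? "critical" : "high",
        detail: `origin allowlist matched ${suffixOrigin}: pattern is not anchored to the real host` });
    }
  }
  return findings;
}

// Constructed sample servers.

// Naive middleware: copies the request Origin into ACAO and enables credentials.
const reflectingServer: Prober = (origin) => ({ allowOrigin: origin, allowCredentials: "true" });

// Exact-match allowlist; unknown origins get no CORS headers at all.
const ALLOWED = new Set(["https://app.example.com", "https://admin.example.com"]);
const allowlistServer: Prober = (origin) =>
  ALLOWED.has(origin) ? { allowOrigin: origin, allowCredentials: "true" } : {};

// The unanchored-regex footgun: /example\.com/ also matches "https://app.example.com.attacker.example".
const regexServer: Prober = (origin) =>
  /example\.com/.test(origin) ? { allowOrigin: origin, allowCredentials: "true" } : {};
```

The regex server is the instructive case: the two stock probes return nothing against it, because neither `https://attacker.example` nor `null` contains `example.com`. Only a probe derived from the target's own hostname exposes the unanchored pattern, which is why allowlists should compare the full origin string (or a regex anchored with `^` and `$`).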
Content
New /blog/cors-misconfig-vibe-coded — 9 min headers/CORS article. The five CORS patterns vibecheck flags, the attack each enables (with the cross-origin authenticated-data-theft walkthrough), and copy-paste middleware fixes for Express + cors, Hono, Next.js Route Handlers. Plus the unanchored-regex footgun.
Tests
92 tests (was 86). 6 new CORS-probe tests using vi.fn to mock fetch by sent Origin header — covers reflection with/without credentials, null-origin acceptance with/without credentials, properly-allowlisted origins, and no-CORS-response cases.
Numbers
Catalogue: 125 → 128 rules. Sitemap: 155 → 156 URLs. Article count: 15 → 16.
v1.10 · 2026-05-09
Webhook secret detection — 3 patterns + 4 tests + provider-by-provider article
Detection
Three new context-aware secret patterns: github_webhook_secret (critical) for GITHUB_WEBHOOK_SECRET / GH_WEBHOOK_SECRET assignments; slack_signing_secret (critical) for the SLACK_SIGNING_SECRET 32-hex pattern; webhook_secret_generic (high) for the catch-all WEBHOOK_SECRET / HOOK_SECRET shape. Variable-name context disambiguates these from generic random-string matches.
Content
New /blog/webhook-secrets-leaked — 8 min incident-response guide. Provider-by-provider rotation walkthroughs (Stripe, GitHub, Slack, generic), the universal incident-response shape, and the prevention rule (distinct env-var names per provider, build-time grep, pre-commit hook). Each section links to its dedicated /fix/<rule> page.
Tests
86 tests (was 82). 4 new pattern tests: GitHub / Slack / generic webhook detection plus a negative test confirming we don't match bare variable names without an assigned value.
Numbers
Catalogue: 122 → 125 rules. Sitemap: 153 → 155 URLs. Article count: 14 → 15.
v1.9 · 2026-05-09
JWT test fixture + about/index/press detector-count refresh
New /test-fixture/leaky-jwt.html with five hand-crafted JWTs that each trigger one rule (alg=none, hardcoded admin claims, no-exp, long-lived, expired). Smoke gains a check that scans the fixture and asserts all 5 jwt_* rule names appear in the output. Smoke total: 27 → 28 checks.
Stale "14 detectors" / "Three families" / "Ten patterns" copy on /about, /index, and /press updated to current numbers (15 detector families, 60+ secret patterns, BaaS coverage no longer "queued"). FAQ JSON-LD on /index updated to match visible HTML.
v1.8 · 2026-05-09
JWT detector — 5 rules + 11 tests + article
Detection
New JWT detector decodes every JWT-shaped string in the bundle and emits up to 5 rules per token: jwt_alg_none (critical) for unsigned tokens, jwt_admin_in_client (high) for hardcoded privileged claims (role: "admin", service_role, is_admin: true, etc.), jwt_no_expiration (high) for missing exp, jwt_long_lived (medium) for exp > 30 days out, jwt_expired_in_client (info) for stale fixtures. Safe public-issuer tokens (Supabase anon) are skipped — covered by their own detector.
Detector mechanics
Decodes header + payload via base64url, inspects alg in header and iss / exp / role fields in payload. Privilege detection covers role-string fields (role, scope, scopes) and boolean flags (is_admin, isAdmin, is_superuser, is_owner, is_staff). Tokens are deduplicated within a scan; outputs always carry a redacted form, never the live token.
14 detectors → 15. Catalogue: 117 → 122 rules. Sitemap: 147 → 153 URLs.
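The detector mechanics above, as an added example that is not vibecheck's code: find JWT-shaped strings in a bundle, decode header and payload from base64url, apply the five checks with the rule names and severities listed above, skip the Supabase anon issuer, deduplicate repeated tokens, and emit a redacted form only. The helper names, the exact privileged-role list, the redaction format and the sample tokens are assumptions; the `unsignedJwt` builder exists only so the fixtures can be constructed offline.

```typescript
// Added example, not vibecheck's code: JWT detector over bundle text. Rule
// names/severities follow the changelog; helper names, the privileged-role
// list, the redaction format and the fixtures are assumptions/constructed.

type JwtSeverity = "critical" | "high" | "medium" | "info";

interface JwtFinding {
  rule: string;
  severity: JwtSeverity;
  redacted: string; // never the live token
  detail: string;
}

type Claims = Record<string, unknown>;

const JWT_PATTERN = /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*/g; // "eyJ" = base64url of '{"'
const LONG_LIVED_SECONDS = 30 * 24 * 60 * 60;
const PRIVILEGED_ROLE = /^(admin|service_role|superuser|owner|staff)$/i;
const ROLE_FIELDS = ["role", "scope", "scopes"];
const ADMIN_FLAGS = ["is_admin", "isAdmin", "is_superuser", "is_owner", "is_staff"];

const b64url = (obj: object): string => Buffer.from(JSON.stringify(obj)).toString("base64url");

// Fixture builder: header.payload. with an empty signature, the shape of an alg=none token.
function unsignedJwt(header: object, payload: object): string {
  return `${b64url(header)}.${b64url(payload)}.`;
}

// Returns null for anything that is not three segments of base64url JSON.
function decodeJwt(token: string): { header: Claims; payload: Claims } | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  try {
    const header = JSON.parse(Buffer.from(parts[0], "base64url").toString("utf8"));
    const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
    if (typeof header !== "object" || header === null || typeof payload !== "object" || payload === null) return null;
    return { header, payload };
  } catch {
    return null;
  }
}

// Enough to locate the token in the bundle, not enough to replay it.
const redact = (token: string): string => `${token.slice(0, 12)}...${token.slice(-4)} (${token.length} chars)`;

function privilegedClaims(payload: Claims): string[] {
  const hits: string[] = [];
  for (const field of ROLE_FIELDS) {
    const v = payload[field];
    if (typeof v === "string" && v.split(/[\s,]+/).some((s) => PRIVILEGED_ROLE.test(s))) hits.push(`${field}=${v}`);
    else if (Array.isArray(v) && v.some((s) => typeof s === "string" && PRIVILEGED_ROLE.test(s))) hits.push(`${field}=[${v.join(",")}]`);
  }
  for (const flag of ADMIN_FLAGS) if (payload[flag] === true) hits.push(`${flag}=true`);
  return hits;
}

function assessJwt(token: string, nowSeconds: number): JwtFinding[] {
  const decoded = decodeJwt(token);
  if (!decoded) return [];
  const { header, payload } = decoded;
  // Supabase anon keys are public by design and handled by the Supabase detector.
  if (payload.iss === "supabase" && payload.role === "anon") return [];
  const redacted = redact(token);
  const findings: JwtFinding[] = [];
  const alg = header.alg;
  if (typeof alg === "string" && alg.toLowerCase() === "none") {
    findings.push({ rule: "jwt_alg_none", severity: "critical", redacted, detail: "unsigned token: any client can forge its claims" });
  }
  const priv = privilegedClaims(payload);
  if (priv.length > 0) {
    findings.push({ rule: "jwt_admin_in_client", severity: "high", redacted, detail: `privileged claims shipped to the browser: ${priv.join(", ")}` });
  }
  const exp = payload.exp;
  if (typeof exp !== "number") {
    findings.push({ rule: "jwt_no_expiration", severity: "high", redacted, detail: "no exp claim: token never expires" });
  } else if (exp < nowSeconds) {
    findings.push({ rule: "jwt_expired_in_client", severity: "info", redacted, detail: "expired token left in the bundle (stale fixture?)" });
  } else if (exp - nowSeconds > LONG_LIVED_SECONDS) {
    findings.push({ rule: "jwt_long_lived", severity: "medium", redacted, detail: `exp is ${Math.round((exp - nowSeconds) / 86400)} days out` });
  }
  return findings;
}

// Scan a bundle: tokens are deduplicated so a JWT embedded three times is reported once.
function scanBundleForJwts(source: string, nowSeconds: number): JwtFinding[] {
  const tokens = new Set(source.match(JWT_PATTERN) ?? []);
  return [...tokens].flatMap((t) => assessJwt(t, nowSeconds));
}
```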
Content
New /blog/jwt-mistakes-vibe-coded — 9 min auth/JWT article. Five patterns vibecheck flags, with the actual jose and jsonwebtoken verifier code to copy. Covers algorithms: ["RS256"] pinning, the access/refresh-token split, build-guards against admin-claim leakage.
Tests
82 tests (was 71). 11 new JWT tests covering decode, malformed inputs, alg=none, role/is_admin detection, missing/long/expired exp, Supabase issuer skip, redaction, and dedup of repeated tokens.
API
ScanReport gains a jwts: JwtFinding[] field. /api/spec, /scan-output-schema.json updated. Renderer adds a "JWTs in the bundle" section with rule cross-links.
v1.7 · 2026-05-09
OpenAI / Anthropic incident-response post + cross-link backfill
Content
New /blog/openai-anthropic-key-exposure — 7 min incident-response guide for leaked sk- and sk-ant- keys. Five-step response (rotate, scope via Restricted Keys / Workspaces, audit usage anomalies, find every commit and CI log, prevent the next one with a server proxy). Mirrors the Stripe and Supabase response-post shape readers already know.
Cross-linking
Every platform article (Lovable, Bolt, v0, Replit, Convex, Appwrite, Pocketbase) now links to the comparison post in its Related section. Cross-platform links between BaaS articles (Convex ↔ Appwrite ↔ Pocketbase ↔ Firebase). Pillar guide and Stripe / Supabase response posts now reference the comparison + Moltbook breach. Moltbook article links to the comparison; /breaches Moltbook entry links to the case study.
v1.6 · 2026-05-09
Firebase detection — RTDB / Firestore / Storage probes + 4 rules + article
Detection
Firebase detector rewritten to emit 4 new rules across the three Firebase data surfaces: firebase_project_exposed (info), firebase_rtdb_open (critical), firestore_collection_public_read (high), firebase_storage_public_list (high). Each finding wraps with a /fix/<rule> cross-link in the scan report. Catalogue total: 117 rules (was 113).
Detector mechanics
Project ID extraction from projectId, databaseURL, storageBucket, and Firestore REST URLs. Probes (read-only): RTDB /.json?shallow=true; Firestore /v1/projects/<id>/databases/(default)/documents/<collection> for 7 common collection names; Storage /v0/b/<bucket>/o list endpoint. Default-bucket inference (<project>.appspot.com) so apps that omit explicit storageBucket still get probed.
Content
New /blog/firebase-rules-vibe-coded — 10 min platform article. Six checks before going public: RTDB rules, Firestore rules, Storage rules, Auth providers (anonymous-auth gotcha), App Check enforcement, and what's actually safe to ship in the client config. Includes copy-paste rule blocks for each surface.
Tests
71 tests (was 63). 8 new Firebase detector tests covering ID extraction, project_exposed emission, RTDB open detection, RTDB-locked-down behaviour, Firestore collection probes, Storage bucket list, and the no-projects no-op.
v1.5 · 2026-05-09
Comparison post + Moltbook breach case study
Content
New /blog/lovable-vs-bolt-vs-v0-vs-replit — 11 min comparison covering hosting model, RLS posture, secrets handling, sourcemaps, and CI defaults across the four major AI app builders. The matrix readers ask for when picking between them.
New /blog/anatomy-of-a-moltbook-breach — 12 min forensic case study of the January 2026 Moltbook breach. Timeline from launch tweet to data dump, the JWT-fingerprint mechanism, and the four lines of SQL that would have prevented it.
Site
Both posts wired into /blog index, functions/sitemap.xml.ts, and llms-full.txt. OG images added to the build manifest. Sitemap grew to 141 URLs.
v1.4 · 2026-05-09
BaaS rules + 3 fixtures + /api/rules + JSON Schema + Dockerfile + security.txt
Detection
Five new BaaS-specific rules emitted by the Convex/Appwrite/Pocketbase detector: convex_deployment_exposed, convex_function_no_auth, appwrite_collection_public_read, pocketbase_collections_metadata_public, pocketbase_list_rule_blank. Each finding wraps with a rulebook cross-link to /fix/<rule>. Catalogue total: 113 rules (was 108).
Test fixtures
Three new in-repo HTML fixtures (/test-fixture/leaky-cookies.html, /test-fixture/leaky-headers.html, /test-fixture/leaky-paths.html) so the smoke script has stable, high-signal targets for cookie / headers / framework / prompts / leaks / redirect detectors.
Endpoints
New /api/rules — full rule catalogue as JSON, supports ?fields=, ?severity=, ?q= filters. Cached 5 min / 1 hr edge. New /scan-output-schema.json — full JSON Schema (draft 2020-12) for the /api/scan response shape, validates every finding type and severity enum. For programmatic validation by downstream consumers.
Distribution
Dockerfile for the CLI package — drop-in container for CI environments without a Node toolchain. Plus /.well-known/security.txt for inbound vulnerability reports.
v1.3 · 2026-05-08
10 more secret patterns + reusable GitHub Action + Appwrite/Pocketbase guides
Detection
Added 10 secret patterns: Plaid (financial), Twilio Auth Token (paired with Account SID), HubSpot, Asana, Atlassian (Jira/Confluence/Trello), Auth0 Management API token, Datadog Application Key, Brevo, Stripe Connect Account ID (info), Supabase personal access tokens (`sbp_*`).
Distribution
New `.github/workflows/scan.yml` — a drop-in reusable GitHub Action workflow. Two jobs: gating scan that exits non-zero on critical findings; full-report capture as a workflow artifact for post-merge review.
Content
Added Appwrite security article (Platform · Appwrite); Pocketbase security article (Platform · Pocketbase); public `/changelog` page; marketing/ directory with launch-tweet templates, cold-email templates, KOL outreach list, SEO target keywords.
Site
JSON-LD Organization data on the Meridian Lab footer for entity recognition. Fix-guide search/filter box on `/fix`. New `/api/spec` endpoint documenting the response JSON shape for downstream consumers.
Operations
Added docs/HANDOFF.md — permanent record of every task that requires the operator's auth or judgment, separately from chat-history memory.
v1.2 · 2026-05-08
CLI package + 4 docs + 3 pages + Convex article + integrity tests + ops
Engineering
New @vibecheck/cli npm package — zero-deps Node CLI, --format human|json|github-actions, --exit-on critical for CI gating. Documented at /agents.
New endpoints: /api/health (operational liveness), /api/version (build version + rule count + protocol identifier).
New scripts/smoke.sh — 27-check post-deploy verification.
Tests grew 35 → 63 across two new files: test/rulebook.test.ts (16, integrity) + test/autofix.test.ts (12, RLS pattern coverage). Renderer hardened with jsonForScript() to prevent JSON-LD context breakout (XSS hardening, with explicit test).
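One way to write jsonForScript(), as an added example that is not vibecheck's own implementation. JSON.stringify() output is valid JavaScript but not HTML-safe: a string value containing `</script>` closes the element early and everything after it is parsed as markup. Escaping `<`, `>` and `&` as `\uXXXX` sequences keeps the payload valid JSON (it still round-trips through JSON.parse) and inert inside a script tag. The function names and the hostile sample object are constructed for this example.

```typescript
// Added example, not vibecheck's code: JSON-LD serialization that cannot break
// out of its <script> element. Function names and sample data are constructed.

function jsonForScript(value: unknown): string {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    // Valid in JSON strings, but line terminators in older JS engines.
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function renderJsonLd(data: unknown): string {
  return `<script type="application/ld+json">${jsonForScript(data)}</script>`;
}

// The unsafe version, kept only to show the breakout side by side.
function renderJsonLdNaive(data: unknown): string {
  return `<script type="application/ld+json">${JSON.stringify(data)}</script>`;
}

// How many times the closing tag appears in the rendered HTML; a safe render has exactly one.
function countScriptCloses(html: string): number {
  return html.split("</script>").length - 1;
}

// Constructed sample: a headline under attacker control, e.g. a scanned page's
// <title> echoed into the report's TechArticle JSON-LD.
const HOSTILE_ARTICLE = {
  "@context": "https://schema.org",
  "@type": "TechArticle",
  headline: "</script><script>alert(document.cookie)</script>",
};
```

The same function is the right tool for any `window.__DATA__ = ...` hydration payload, not only JSON-LD; the rule is that JSON goes into a script element only after this escaping, never through JSON.stringify() alone.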
Content
New /press with fact sheet, citation-ready stats, ready-to-paste copy (one-liner + 30s pitch + tweet + 50w + 100w boilerplates with copy buttons), brand assets gallery.
New /compare — vibecheck vs Wiz vs Snyk vs Lovable's scan. Honest comparison table + per-tool "use when" callouts.
New /blog/convex-security — 7-min platform article, 6 checks for any Convex app.
Documentation
New docs/MCP.md — MCP server reference. New docs/RUNBOOK.md — operational runbook for deploy / verify / rollback / secrets / incident response.
v1.1 · 2026-05-08
MCP tests + enriched rulebook + /breaches + OG images
18-test MCP suite covering JSON-RPC protocol surface (initialize, tools/list, tools/call validation, batch support, error codes) using vi.mock to stub the network layer.
Five high-traffic rulebook entries got framework-specific snippets: cookie-flag entries (covers all 3 cookie rules) — Express, Next.js Route Handlers, Hono, Fastify, Remix/SvelteKit; supabase_service_role_in_client — admin client init for Next.js, Express, Hono/Workers, Edge Functions; stripe_webhook_secret — constructEvent/constructEventAsync per framework; exposed_env_file — block-the-path config for CF Pages, Vercel, Netlify, Nginx, Apache.
New /breaches public tracker with 5 entries (Moltbook breach, Lovable security crisis, SupaExplorer 20K-app population scan, SymbioticSec 1,072-app scan, Wiz Research 20% finding). ItemList JSON-LD; per-incident "Lesson" callouts linking to relevant /fix/<rule> pages.
New scripts/build-og-images.ts generates 106 1200×630 OG PNGs at build time using @resvg/resvg-js: 1 site default, 98 per-rule, 7 per-blog-article. Wired og:image + twitter:image tags into every page.
v1.0 · 2026-05-08
Comprehensive docs + static-rendered fix pages
Eight production-grade docs in /docs/ covering engineering reference (ARCHITECTURE, DETECTORS, RULEBOOK, DEPLOYMENT), Meridian Lab patterns to copy across the family, marketing positioning + audiences + comparison + banned-words list, the launch-checklist with channel-by-channel ready-to-paste copy (Product Hunt + HN + X + LinkedIn + IH + Reddit + cold-pitch), and the public CHANGELOG.
Static-rendered the 98 /fix/<rule> pages at build time. The runtime Pages Function now serves only as fallback for typos and rules added between deploys. Edge cache hit rate improved dramatically.
v0.9 · 2026-05-08
Rulebook expanded 19 → 98 entries, full cross-linking
Every emitted detection rule now has a corresponding /fix/<rule> page, plus conceptual entries (RLS not working, Supabase storage bucket public) that aren't tied to a single rule but are valuable SEO targets. Helpers leakedKey() and cookieFlag() keep the catalogue DRY.
Slug alignment fixed so cross-linking actually works: scan reports now link findings (rule names in secrets, headers, framework, prompts, leaks) to /fix/<name>. Sitemap auto-grew to 112 URLs.
v0.8 · 2026-05-08
MCP server, Convex function probing, /fix programmatic SEO
New /api/mcp endpoint speaking JSON-RPC 2.0 per the MCP spec. Three tools exposed: vibecheck_scan, vibecheck_secrets, vibecheck_rls_sql. Connect from Claude Code with three lines of config.
Convex detector now extracts api.<module>.<func> names from client bundles and POSTs each as a query to detect anonymous-readable functions.
New open-redirect detector (probes redirect-shaped query params with sentinel external URLs). New security.txt absence check. 8 new secret patterns: Anyscale, Modal, fal.ai, Deepgram, ElevenLabs, Perplexity, HF legacy, Azure Storage, Bearer tokens.
Programmatic SEO: src/rulebook.ts rule catalogue + /fix/[name] Pages Function rendering markdown to HTML with TechArticle JSON-LD.
v0.7 · 2026-05-08
BaaS detectors + deep-scan tier + 3 new articles
New backend-as-a-service detector covering Convex (function probing), Appwrite (collection listing), Pocketbase (records + metadata).
New deep-scan tier: subdomain enumeration via Certificate Transparency logs. Gated behind ?deep=1. Adds 5–30s.
Three new long-form articles: v0 by Vercel security, Replit Agent security, Stripe live key emergency response.
v0.6 · 2026-05-07
Three new detector families + GitHub App webhook scaffold + Bolt article
LLM prompt template detector. Default-credentials detector covering 14 self-hosted platforms (Jenkins, Grafana, phpMyAdmin, Portainer, etc.). Information leaks detector (internal IPs, staging hostnames, dev comments).
Sourcemap content scanning: when paths detector finds a .map, scanner re-runs the secrets detector against the unminified source.
GitHub App webhook scaffold at /api/github/webhook. HMAC-verified, refuses requests until GITHUB_WEBHOOK_SECRET is set.
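The two places in this changelog where a secret is compared against attacker-supplied input, as one added example that is not vibecheck's code: the CSRF token comparison that the v1.18 article warns must not use `===`, and the HMAC-verified GitHub webhook above that refuses deliveries until its secret is set. Both comparisons go through Node's `timingSafeEqual`; the webhook verifier recomputes `sha256=<hex>` over the raw body the way GitHub's `X-Hub-Signature-256` header carries it. Function names, the sample secret and the sample delivery are constructed for this example.

```typescript
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

// Added example, not vibecheck's code: constant-time comparison for CSRF tokens
// and HMAC webhook signatures, failing closed when no secret is configured.
// Names and fixtures are constructed.

// Constant-time string equality. Lengths are compared first because timingSafeEqual
// throws on mismatch; leaking the length of a fixed-size tag or token reveals nothing.
function constantTimeEqual(a: string, b: string): boolean {
  const ab = Buffer.from(a, "utf8");
  const bb = Buffer.from(b, "utf8");
  if (ab.length !== bb.length) return false;
  return timingSafeEqual(ab, bb);
}

// CSRF: token submitted with the form vs. the one bound to the session.
function csrfTokenValid(submitted: string | undefined, sessionToken: string | undefined): boolean {
  if (!submitted || !sessionToken) return false;
  return constantTimeEqual(submitted, sessionToken);
}

function newCsrfToken(): string {
  return randomBytes(32).toString("base64url");
}

interface VerifyResult {
  ok: boolean;
  reason: string;
}

// GitHub sends X-Hub-Signature-256: sha256=<hex HMAC-SHA256 of the raw request body>.
// The body must be the raw bytes, not a re-serialized JSON object.
function verifyGithubWebhook(
  rawBody: string | Buffer,
  signatureHeader: string | undefined,
  secret: string | undefined,
): VerifyResult {
  if (!secret) return { ok: false, reason: "GITHUB_WEBHOOK_SECRET not set; refusing all deliveries" };
  if (!signatureHeader || !signatureHeader.startsWith("sha256=")) {
    return { ok: false, reason: "missing or non-sha256 signature header" };
  }
  const expected = "sha256=" + createHmac("sha256", secret).update(rawBody).digest("hex");
  return constantTimeEqual(signatureHeader, expected)
    ? { ok: true, reason: "signature verified" }
    : { ok: false, reason: "signature mismatch" };
}

// Constructed fixture: one delivery signed with a known (non-production) secret.
const SAMPLE_SECRET = "example-webhook-secret-do-not-use";
const SAMPLE_BODY = JSON.stringify({ action: "opened", repository: { full_name: "example/repo" } });
const SAMPLE_SIGNATURE = "sha256=" + createHmac("sha256", SAMPLE_SECRET).update(SAMPLE_BODY).digest("hex");
```

In a framework that parses JSON before your handler runs, keep access to the raw body (for example by verifying in middleware mounted before the JSON parser); re-stringifying the parsed object changes key order and whitespace and the HMAC will not match.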
v0.5 · 2026-05-07
8 detector families, agent SDKs, paywall scaffold, AEO discoverability
Cloud storage probes (S3, GCS, Azure Blob, R2 listing detection). Cookie flag analysis (Secure / HttpOnly / SameSite missing on auth-shaped cookies). Framework detector (generator tags, Next.js dev mode, React/Vue/Redux DevTools enabled in production, verbose error stack traces, robots.txt analysis).
17 new secret patterns: AI inference platforms, deploy platforms, transactional email, observability tokens.
New /pricing with 4 tiers; new /agents documenting 4 integration shapes (JSON API, MCP, CLI, Claude Skill bundle); new /api/waitlist.
AEO discoverability: Link: rel="llms" HTTP header, <link rel="alternate"> tags, <meta name="llms-txt"> on every page.
v0.4 · 2026-05-07
3 new detector families + Meridian Lab integration + self-harden
Path probes (.env, .git/HEAD, .DS_Store, source maps, common backup files). API surface detector (GraphQL introspection, OpenAPI/Swagger spec exposure, Swagger UI / ReDoc). Response-headers detector (password fields over HTTP, missing HSTS/CSP, mixed content, CORS wildcard+credentials).
New /about page positioning vibecheck within The Meridian Lab. Sister-product links (AgentProof, Greyline) in every footer. Self-harden via _headers: vibecheck's own deploy now passes its own header inspection.
v0.3 · 2026-05-07
Meridian Lab design system rebuild
Complete visual redesign per the canonical Meridian Lab design system v1.0. Cream paper background, olive-charcoal ink, Inter (product UI) + Courier Prime (parent voice) typography, sharp corners everywhere, amber accent (#D68B38), "Building inspector" material metaphor, "CASE VC-001" finding identifiers.
v0.2 · 2026-05-07
Autofix UI + demo + 3 articles + AEO foundation
RLS auto-fix wired into scorecard. New /demo page. Three long-form articles: vibe coding security guide (pillar), Supabase service_role key emergency response, Lovable security checklist. Landing FAQ with 6 Q/A pairs backed by FAQPage JSON-LD. /llms.txt + /llms-full.txt. Sitemap referenced from robots.txt.
v0.1 · 2026-05-07
TypeScript port live on Cloudflare Pages
The original Python CLI ported to TypeScript and deployed on Cloudflare Pages with Pages Functions. Three detector families: Supabase (JWT decode + RLS probe), Firebase (RTDB), generic secrets (10 patterns). 10 unit tests. Live at vibecheck-32f.pages.dev.