v1.0 / Production audits for vibe-coded apps

Sleep through your launch.

Valerian audits Lovable, Bolt, and Cursor-built apps for the production issues that bite after launch — broken auth, leaky payments, runaway AI bills, security holes. Found before your users find them.

80-point framework · 7-day turnaround · One PR delivered
valerian · live audit
valerian audit ./your-app
  Scanning 80 production checks...
  Auth      RLS configured on user tables
  Auth      Magic link expiry too long (24h)
  Stripe    Webhook signature unverified
  Stripe    Idempotency missing on handler
  Critical  Service role key in client bundle
  AI        Uncached LLM calls (~$420/mo)
  Database  RLS enforced on writes
  Database  Missing index on users.email
  Security  CORS wildcard origin
  ─────────────────────────────
  14 issues · 4 critical · 6 high
Built for Lovable · Bolt · v0 · Cursor · Replit on Next.js · Supabase · Stripe · OpenAI
§ 01 — The problem

Your vibe-coded app looks production-ready.

Then real users hit it.

01 · Silent security

Holes you can't see until someone exploits them.

Row-level security misconfigured. Service keys exposed in client bundles. Auth that looks fine until a user notices they can read other people's data.

02 · Broken payments

Real money slipping through cracks you never saw.

Stripe webhooks unverified. Idempotency missing on payment handlers. Subscriptions out of sync. Real money, real refunds, real lawsuits.

03 · Runaway costs

Your free app quietly burning hundreds a month.

Uncached LLM calls. No rate limits per user. Database on free tier melting at fifty concurrent users. Your $0 app costs $800/month before you notice.

§ 02 — What's included

80 checks. 7 days. One PR.

We run your app through the Valerian Production Framework, then ship a pull request that fixes what's broken. Every finding is verified by a human before it lands in your report.

Built for Lovable · Bolt · v0 · Cursor · Replit
01 · Authentication & identity

Supabase RLS audit, session management, OAuth flows, rate limiting on auth endpoints.

02 · Payment infrastructure

Stripe webhook hardening, idempotency, currency handling, subscription sync, tax compliance.

03 · LLM cost & quality

Model selection, response caching, rate limits, prompt injection mitigations, output validation.

04 · Database integrity

Index audit, query patterns, RLS enforcement, backup strategy, connection pooling for serverless.

05 · Security beyond auth

CORS, CSP, input validation, IDOR checks, dependency vulnerabilities, secrets in repo history.

06 · Monitoring & observability

Error tracking installation, structured logs, uptime monitoring, alert routing.

07 · Legal & compliance

Privacy policy, terms, PDPA & GDPR posture, refund policy, data deletion process.

§ 03 — How it works

Three steps to peace of mind.

01 · Day 1 · Discovery

30-minute call.

You walk us through your app. We tell you 2-3 things we'd flag immediately. If it's a fit, we kick off the audit same day.

02 · Days 2-6 · Audit

80 checks. Every one.

AI-assisted scanning, human-verified findings. Progress updates throughout. We don't hide what we're doing.

03 · Day 7 · Delivery

Report + PR shipped.

Severity-ranked findings document. Pull request fixing what's broken. 30 days of email support included.

§ 04 — Pricing

Founding-client pricing.

Our first cohort gets 33% off in exchange for a public testimonial. Limited to 10 clients.

Production Pass
SGD 800 · founding price (regular SGD 1,200)

7-day audit. PR fixing all critical findings. 30-day support included.

Reserve founding spot →
Full 80-point audit report
Pull request with critical fixes
Severity-ranked findings
30 days of email support
Best for: pre-launch apps about to onboard real users.
Optional add-on
Valerian Care · SGD 500/month

Quarterly re-audit · dependency updates · priority response · one fix per month included.

Add to engagement →
§ 05 — FAQ

Common questions.

What kind of apps do you audit?
Apps built primarily with AI coding tools — Lovable, Bolt, v0, Cursor, Replit Agent — running on stacks like Next.js + Supabase + Stripe + OpenAI. If your app uses something different, mention it on the call and we'll tell you honestly if we can help.
How is this different from a code review?
A code review checks if your code is clean. We check if your app will survive contact with real users — security, scale, cost, compliance. Different lens. We're optimizing for production resilience, not code style.
Do you use AI in your audits?
Yes — to accelerate the mechanical parts (scanning code, drafting reports). Every finding is verified by a human before it lands in your report. AI is our tool, not your auditor.
What if you don't find anything serious?
Statistically unlikely on a vibe-coded app, but if every critical and high finding passes, you get a clean bill of health and a public Valerian certification badge. Refunds available within the first 7 days regardless.
Do I have to give you my code?
For a full audit, yes — we'll need read access to your repo and a walkthrough of the app. For the free 30-minute intro call, no. We just talk through your stack and what worries you. Standard mutual NDA available on request.
Are you a real company?
Valerian is operated from Singapore by an independent engineer. Currently running as an independent practice; incorporating once we hit our first 5 paid clients. We're transparent about being early — that's why founding clients get 33% off.
§ 06 — Begin

Sleep better.

Free 30-minute audit call. No pitch. We'll point out two or three things we'd flag immediately on your app — useful whether or not you hire us.

Book a free audit call →
Send us your repo instead →

Or email hi@tryvalerian.com with your stack and what worries you most.