I take vibe-coded MVPs — Lovable, Cursor, Bolt, Replit, Claude — and close the gap between "demos well" and "safe in production." The catch: the AI that wrote the bug can't be trusted to find it. In one real app, the commit literally titled "Protect PII" was the breach.
Fully async. No calls, no timezones. You share the repo, I return a written audit and production-ready code — every finding and every change explained in writing.
You shipped an MVP and got traction — first users, maybe an investor. Now it crashes under load, you're afraid to touch the code, there are no tests, the secrets are probably in the repo, and a senior hire is a six-week commitment you can't make this month.
You don't need a rewrite. You need someone senior to make what you already have safe to run in front of real people. That's the only thing I do.
Five AI-built apps, five stacks. Seven critical flaws. Four of five were one query from a breach. One was genuinely solid — and I said so.
Targets anonymized by stack and domain. Full named reports with file:line remediation go privately to each owner, under responsible disclosure. The point isn't that AI code is bad — it's that telling a real flaw from a false alarm is senior judgment, not a scan.
Not a junior patching symptoms, and not a scanner dumping 200 findings. I find the one structural weakness, then the line of code that proves it. The five audits above are the résumé.
I use AI agents to move fast across a whole codebase. Every architectural call is still human judgment — that's the part that can't be prompted.
I rebuild your real authorization model from the database, not the surface. That's how the five flaws above were found — and how false alarms were dismissed.
Every finding and change is explained in prose you can forward to your team or investor. You keep the knowledge, not just a diff.
The repo (read-only is fine) and three short answers about what's breaking.
I run the audit and send a written P0 / P1 / P2 list, cited at file:line — free, yours to keep.
If you go further: hardening, critical refactors, test coverage, CI/CD, handoff docs.
Confident it holds, with a written record of exactly what changed and why.
Async is the feature: you read deliverables when it suits you, keep a permanent paper trail, and nothing waits on a slot that works across two timezones.
Read-only access. NDA before access if you want one. Never stored beyond the engagement, never shared, never used to train anything.
The teardown is free — you see real findings before paying. If a paid pass surfaces nothing actionable, you don't pay for it.
Want to see the depth before you send anything? Ask for a redacted sample report — a real audit, one of the five above, with the actual findings.
What's breaking right now?
What happens to the business if it isn't fixed in two weeks?
A link to the repo (read-only is fine), or a description of the stack.