How a Solo Founder Avoided a $50k Breach with One Vibe-Eval Scan

The Build

Stack: Cursor + Next.js + Supabase + Stripe.
Context: founder added “instant refunds” via AI-generated admin UI and a helpdesk chatbot.
Risk: no dedicated security review; shipping fast to keep early users happy.

Cross-tenant refunds — Agents switched org cookies and replayed refund POSTs to charge other tenants.
Unsigned webhooks — Stripe handler trusted request body without verifying signatures; replay attacks succeeded.
Prompt injection — Chatbot rendered system logs when prompted to “show all tickets in markdown.”
Missing rate limits — Refund route had no per-user/IP throttling; brute-force attempts were free.

Enforced org_id from server session on every refund mutation; rejected mismatches.
Added Stripe-Signature verification and idempotency keys; logged failed attempts.
Escaped AI bot output with a sanitizer and removed stack traces from context.
Dropped @upstash/ratelimit middleware on auth and refund endpoints.

Breach risk removed before launch; no customer impact.
Founder kept shipping features but turned on Vibe-Eval scans for every preview deploy.
Added a README “red flag” checklist and a weekly red-team scan to catch regressions.

6 minutes to discover $50k worth of vulnerabilities in AI-generated code
Cross-tenant IDOR allowed refunding other organizations’ transactions - always enforce org_id server-side
Unsigned webhooks trusted Stripe request bodies without signature verification - always validate webhooks
Prompt injection in chatbot leaked system logs and customer data - sanitize all AI output
Missing rate limits on refund endpoints enabled brute-force attacks - add rate limiting everywhere
Solo founders need automation - can’t afford dedicated security teams but can wire Vibe-Eval to preview deploys
<1 hour to fix all critical issues - catch early before customers are affected
Weekly red-team scans catch regressions after code regeneration