Production-ready vibe-coded apps

Code from tools like Claude Code, Cursor, v0, Bolt, and Copilot compiles and passes ESLint — but is it ready for production? 52 checks across security, reliability, performance, and AI quality.


TypeScript compiles. ESLint passes.
Your vibe-coded app still isn't production-ready.

Vibe coding tools generate syntactically valid code that passes type-checks and linting. But hardcoded secrets, missing auth, SQL injection, and exposed env vars are not the kind of problem ESLint is built to catch.

$ eslint src/app/api/users/route.ts
✓ 0 errors, 0 warnings
All rules passed

$ prodlint src/app/api/users/route.ts
CRIT  No authentication check
WARN  Request body used without validation
INFO  No rate limiting

45% of AI code fails security tests [Veracode 2025]
86% XSS failure rate in AI code [Veracode 2025]
52 rules, zero config

52 production readiness checks.

Every check flags something that breaks in production — not style nits.

ESLint covers code quality and style. prodlint has 52 checks for production readiness — the patterns vibe coding tools get wrong.

🔒 Security (27 rules)

secrets: Hardcoded API keys (Stripe, AWS, Supabase, OpenAI, GitHub)
auth-checks: API routes without authentication (middleware-aware)
sql-injection: SQL queries built with template literals or string concat (ORM-aware)
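The three security findings above, shown as a vulnerable route handler beside a hardened one. This is an added example, not prodlint's own code or a snippet from its rules: the request, database and session objects are stand-ins so the file runs without Next.js or a real driver, the "Bearer valid-token" session check and the STRIPE_SECRET_KEY variable name are assumptions for the demo, and a real handler would be async (this one is synchronous for brevity).

```typescript
// Added example (not prodlint's own code): the three security findings above as a
// vulnerable route handler beside a hardened one. Request, database and session
// are stand-ins so the file runs without Next.js or a real driver.

type Req = { headers: Record<string, string>; query: Record<string, string> };
type Res = { status: number; body: unknown };
type Env = Record<string, string | undefined>;

// Records every statement so a test can see exactly what reached the database.
export class FakeDb {
  log: { sql: string; params: unknown[] }[] = [];
  query(sql: string, params: unknown[] = []): unknown[] {
    this.log.push({ sql: sql, params: params });
    return []; // a real driver would return rows
  }
}

// Stand-in for a session lookup (Clerk, NextAuth or Supabase would do this in practice).
function getSession(req: Req): { userId: string } | null {
  return req.headers["authorization"] === "Bearer valid-token" ? { userId: "u_1" } : null;
}

// BEFORE: what the secrets, auth-checks and sql-injection rules flag.
export function vulnerableHandler(req: Req, db: FakeDb): Res {
  const STRIPE_KEY = "sk_live_PLACEHOLDER_NOT_A_REAL_KEY"; // secrets: literal key in source
  // auth-checks: nothing verifies who is calling
  const email = req.query["email"];
  // sql-injection: untrusted input becomes part of the statement text
  const rows = db.query(`SELECT * FROM users WHERE email = '${email}'`);
  return { status: 200, body: { rows: rows, keyPrefix: STRIPE_KEY.slice(0, 8) } };
}

// AFTER: the same route with each finding fixed.
export function hardenedHandler(req: Req, db: FakeDb, env: Env): Res {
  const stripeKey = env["STRIPE_SECRET_KEY"]; // secrets: read at runtime, never committed
  if (!stripeKey) return { status: 500, body: { error: "STRIPE_SECRET_KEY is not set" } };

  const session = getSession(req); // auth-checks: reject anonymous callers before any work
  if (!session) return { status: 401, body: { error: "unauthorized" } };

  const email = req.query["email"] ?? ""; // validate the shape before it reaches the database
  if (!/^[^\s@']+@[^\s@']+\.[^\s@']+$/.test(email)) {
    return { status: 400, body: { error: "invalid email" } };
  }

  // sql-injection: bound parameter; the value can never alter the query text
  const rows = db.query("SELECT id, email FROM users WHERE email = $1", [email]);
  return { status: 200, body: { rows: rows, requestedBy: session.userId } };
}
```

The order of checks in the hardened version is deliberate: the secret is checked at startup-equivalent time, the caller is authenticated before any input is touched, and the input is validated before the (already parameterized) query runs, so a malformed value never reaches the database at all.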

Reliability (11 rules)

hallucinated-imports: Imports of packages not in package.json (AI hallucinations)
error-handling: Async operations without try/catch
redirect-in-try-catch: redirect() inside try/catch; Next.js redirect throws, so the catch swallows it

🚀 Performance (6 rules)

no-n-plus-one: Database calls inside loops
no-unbounded-query: .findMany() / .select('*') with no limit
no-sync-fs: readFileSync in API routes blocks the event loop
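The no-n-plus-one and no-unbounded-query patterns, each beside its fix, run against an in-memory table that counts round-trips. This is an added example, not prodlint's code: CountingDb is a toy that understands only the handful of statement shapes used here (its parameter syntax loosely mirrors a PostgreSQL client), and the 500-order dataset is constructed for the demo.

```typescript
// Added example (not prodlint's own code): N+1 and unbounded queries against a
// toy database that records every statement so the round-trip count is visible.

type Order = { id: number; userId: number; total: number };
type OrdersByUser = Record<number, Order[]>;

export class CountingDb {
  queries: string[] = [];
  constructor(private readonly orders: Order[]) {}

  // Understands only the statement shapes used below; enough to count round-trips.
  query(sql: string, params: unknown[] = []): Order[] {
    this.queries.push(sql);
    let rows = this.orders;
    if (sql.indexOf("WHERE user_id = $1") !== -1) {
      rows = rows.filter(o => o.userId === params[0]);
    }
    if (sql.indexOf("WHERE user_id = ANY($1)") !== -1) {
      const ids = params[0] as number[];
      rows = rows.filter(o => ids.indexOf(o.userId) !== -1);
    }
    if (sql.indexOf("LIMIT $1") !== -1) rows = rows.slice(0, params[0] as number);
    return rows;
  }
}

// BEFORE: one round-trip per user; latency and database load grow with the input.
export function ordersPerUserNPlusOne(db: CountingDb, userIds: number[]): OrdersByUser {
  const result: OrdersByUser = {};
  for (const id of userIds) {
    result[id] = db.query("SELECT * FROM orders WHERE user_id = $1", [id]);
  }
  return result;
}

// AFTER: one query for every user, grouped in memory.
export function ordersPerUserBatched(db: CountingDb, userIds: number[]): OrdersByUser {
  const result: OrdersByUser = {};
  for (const id of userIds) result[id] = [];
  const rows = db.query("SELECT * FROM orders WHERE user_id = ANY($1)", [userIds]);
  for (const row of rows) {
    if (result[row.userId]) result[row.userId].push(row);
  }
  return result;
}

// BEFORE: every row in the table on every request.
export function listOrdersUnbounded(db: CountingDb): Order[] {
  return db.query("SELECT * FROM orders");
}

// AFTER: page size clamped to a ceiling the server chooses, whatever the caller asks for.
export function listOrdersPage(db: CountingDb, requested: number, maxLimit: number = 100): Order[] {
  const limit = Math.min(Math.max(1, Math.floor(requested) || 1), maxLimit);
  return db.query("SELECT * FROM orders ORDER BY id LIMIT $1", [limit]);
}

// Constructed sample: 500 orders spread evenly over 10 users.
export function sampleDb(): CountingDb {
  const orders: Order[] = [];
  for (let i = 1; i <= 500; i++) orders.push({ id: i, userId: (i % 10) + 1, total: i });
  return new CountingDb(orders);
}
```

Both versions of the per-user lookup return identical data; the only difference a caller sees is that the batched one issues a single statement for any number of users. The clamp in listOrdersPage also rejects negative, fractional and NaN limits, which is where unbounded queries usually sneak back in after a "limit" parameter is added.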

AI Quality (8 rules)

ai-smells: explicit any types, console.log spam, TODOs, commented-out code piling up
placeholder-content: Lorem ipsum, example emails, "your-api-key-here" left in production
hallucinated-api: .flatten(), .contains(), .substr() and similar methods AI invents or misremembers (the real ones are .flat(), .includes(), and .slice() or .substring() in place of the deprecated .substr())

There is no demand for average.

Everyone can build an app now. Vibe coding tools turned product ideas into working code overnight. The App Store was already crowded — what's coming is a tsunami.

Which means “it works” is table stakes. Users don't pick the app that compiles. They pick the one that doesn't leak their data, doesn't crash at 2 AM, and loads before they lose interest. The best apps will keep getting better because the engineers behind them catch the bugs early, harden the edges, and ship with confidence.

That's the gap prodlint fills. Not style, not formatting — production readiness. The 52 things between “it runs on my machine” and “it runs in production without waking you up.”

Inspired by Naval's “A Motorcycle for the Mind”

Minimal false positives.

prodlint understands your project structure — not just your code.

AST parsing: Babel AST for 12 rules (imports, redirects, SSRF, catch blocks, HTML injection), with regex fallback
Monorepo support: npm, yarn, pnpm workspace deps resolved automatically
Framework awareness: Prisma, Drizzle, Supabase, Knex, Sequelize whitelists prevent false flags
Middleware auth: Clerk, NextAuth, Supabase middleware detected; auth findings downgraded
Path aliases: @/, ~/, custom tsconfig paths aren't flagged as hallucinated
Route exemptions: Auth, webhook, health, cron routes exempt from auth/rate-limit rules
Fix suggestions: Actionable fix hints with remediation code
Test awareness: Lower severity for test/script files
Inline suppression: // prodlint-disable per-line or per-file
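A minimal version of the hallucinated-imports check from the Reliability list, written to show where the false positives mentioned above come from and how they are avoided: relative paths, tsconfig path aliases, Node built-ins (with and without the node: prefix) and subpath imports of scoped and unscoped packages all have to be resolved before a specifier is compared against package.json. This is an added example, not prodlint's implementation (it is regex based, like the fallback mode described above, not an AST pass); the sample source file and package.json are constructed, "@acme/email-validator" is a made-up package name, and aliasPrefixes are the tsconfig paths keys with the trailing "*" stripped.

```typescript
// Added example (not prodlint's implementation): a regex-based hallucinated-imports
// check with the usual false-positive sources handled explicitly.

const NODE_BUILTINS = ["assert", "buffer", "child_process", "crypto", "events", "fs",
  "http", "https", "os", "path", "stream", "url", "util", "zlib"];

type PackageJson = { dependencies?: Record<string, string>; devDependencies?: Record<string, string> };

function startsWith(s: string, prefix: string): boolean {
  return s.slice(0, prefix.length) === prefix;
}

// Pulls module specifiers from static imports, require() and dynamic import().
export function importSpecifiers(source: string): string[] {
  const re = /\bimport\s+(?:[^;'"]*?\s+from\s+)??['"]([^'"]+)['"]|\b(?:require|import)\(\s*['"]([^'"]+)['"]\s*\)/g;
  const out: string[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(source)) !== null) out.push(m[1] !== undefined ? m[1] : m[2]);
  return out;
}

// Maps a specifier to the package that would have to be installed, or null when the
// import can never be a hallucination (relative path, alias, Node built-in).
export function packageFor(specifier: string, aliasPrefixes: string[]): string | null {
  if (startsWith(specifier, ".") || startsWith(specifier, "/")) return null; // file import
  if (startsWith(specifier, "node:")) return null;
  const parts = specifier.split("/");
  if (NODE_BUILTINS.indexOf(parts[0]) !== -1) return null;                   // "fs", "fs/promises"
  for (const prefix of aliasPrefixes) if (startsWith(specifier, prefix)) return null; // "@/lib/db"
  if (startsWith(specifier, "@")) {
    return parts.length >= 2 ? parts[0] + "/" + parts[1] : specifier;        // "@scope/pkg/sub" -> "@scope/pkg"
  }
  return parts[0];                                                           // "lodash/fp" -> "lodash"
}

// Packages that are imported but declared in neither dependencies nor devDependencies.
export function hallucinatedImports(source: string, pkg: PackageJson, aliasPrefixes: string[]): string[] {
  const declared = Object.keys(pkg.dependencies || {}).concat(Object.keys(pkg.devDependencies || {}));
  const missing: string[] = [];
  for (const spec of importSpecifiers(source)) {
    const name = packageFor(spec, aliasPrefixes);
    if (name !== null && declared.indexOf(name) === -1 && missing.indexOf(name) === -1) missing.push(name);
  }
  return missing;
}

// Constructed sample file: a typical AI-generated route with one invented package
// (@acme/email-validator) and one real package that was never installed (dayjs).
export const SAMPLE_SOURCE = `
import { NextResponse } from "next/server";
import { z } from "zod";
import { db } from "@/lib/db";
import { readFile } from "node:fs/promises";
import path from "path";
import { validateEmail } from "@acme/email-validator";
import type { User } from "@prisma/client";
const dayjs = require("dayjs");
`;

// Constructed package.json for the sample.
export const SAMPLE_PACKAGE_JSON: PackageJson = {
  dependencies: { next: "14.2.0", zod: "3.23.0", "@prisma/client": "5.10.0" },
  devDependencies: { typescript: "5.4.0" },
};
```

Note that dayjs is flagged even though the package exists on npm: the check is "declared in this project", not "exists somewhere", because an import that resolves on the developer's machine through a stale node_modules and fails in CI is exactly the failure mode the rule is for.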

Different tools, different focus.

prodlint catches what ESLint and SonarQube weren't built for. Use them together.

Check | prodlint | ESLint | SonarQube
Hallucinated imports
Hallucinated APIs (.flatten, .contains)
AI placeholder content
Next.js server action checks
Supabase missing RLS
Hardcoded secrets
SQL injection (ORM-aware) ~
Insecure cookies
Dead code detection ~
Style & formatting
Zero config
SARIF output ~
MCP server for AI editors

~ = partial coverage

CLI, CI/CD, and AI editors.

Runs anywhere — your terminal, your CI pipeline, or inside your AI coding tool.

GitHub Action

uses: prodlint/prodlint@v1

Auto-comment scores on PRs. Fail builds below your threshold.
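The one-line uses: entry above, placed in the smallest complete workflow that runs it on every pull request. This is an added example, not taken from the prodlint documentation; the permissions block is an assumption (posting a comment on a PR needs write access to pull requests under GitHub's default read-only GITHUB_TOKEN), and any threshold or commenting options are not described on this page and so are not included.

```yaml
# Added example, not from the prodlint docs: minimal workflow running the action on PRs.
name: prodlint
on: [pull_request]
permissions:
  contents: read
  pull-requests: write   # assumption: needed for the action to comment its score on the PR
jobs:
  prodlint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: prodlint/prodlint@v1
```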

MCP Server

npx prodlint-mcp

Works with Cursor, Claude Code, and Windsurf via MCP protocol.

Site Score CLI

npx prodlint --web example.com

Scan any deployed site for AI agent-readiness. 14 checks, scored out of 100.

Programmatic API

import { scan } from 'prodlint'

Import and use in your own tools, scripts, or CI pipelines.

prodlint bot · just now

Production Readiness: 64/100

Category        Score    Issues
🔴 Security     40/100   5
🟡 Reliability  70/100   2
🟢 Performance  95/100   1
🟢 AI Quality   88/100   1

Scanned 142 files in 87ms

Example PR comment from the GitHub Action

FAQ

What does prodlint check?
prodlint runs 52 checks across four categories: security (hardcoded secrets, missing auth, SQL injection), reliability (unhandled promises, missing error boundaries), performance (N+1 queries, sync filesystem calls), and AI quality (hallucinated imports, placeholder content, dead exports). Every check flags a real production issue — not a style nit.
How is prodlint different from ESLint?
ESLint focuses on code quality and style. prodlint checks for production readiness issues commonly found in AI-generated code: hardcoded secrets, missing authentication, hallucinated imports, insecure cookies, and more. They complement each other: use ESLint for code quality and style, prodlint for production readiness.
Does prodlint work with Cursor, Copilot, and v0?
Yes. prodlint scans whatever code is in your project, regardless of which tool generated it. For real-time feedback inside AI editors, use the MCP server (npx prodlint-mcp). For CI/CD, add the GitHub Action to check production readiness on every pull request.
Is prodlint free?
Yes. prodlint is free and open source under the MIT License. No account, no API key, no usage limits. Run npx prodlint and you're done.
How do I add prodlint to CI/CD?
Add the GitHub Action to your workflow: uses: prodlint/prodlint@v1. It automatically comments a score breakdown on every PR and can fail builds below your threshold. No configuration required.

Is your site ready for AI agents?

prodlint checks your code. Site Score checks your deployed site. 14 AI agent standards, scored 0-100.

Scan your site → (free, no signup)

Ship your vibe code with confidence.

One command. Your production readiness score. Free and open source.