Step 1 of 5
Hunt exposed secrets
The most common AI-build failure: keys where users can read them.
Audit this app for exposed secrets. Check: all frontend source and env files for API keys/tokens (anything beyond truly public keys); the built bundle if inspectable; backend code for hardcoded credentials that should be env vars; logs printing secrets; repo files (.env committed?). For every finding: move the secret server-side or to env, rotate it if it was exposed, and verify the frontend bundle no longer contains it. List every finding and action.
Expected after this step
A findings list with every secret moved, rotated, and re-verified.
Should not happen
- ✕API keys sitting in frontend env or bundle
- ✕Backend routes trusting the UI to gate access
- ✕Password hashes or emails returned in API responses
- ✕IDs guessable and records readable across users
Verify before continuing
Do not move on until every check is true. The complete button stays locked until then.
Do not continue if…
- !API keys sitting in frontend env or bundle
- !Backend routes trusting the UI to gate access
- !Password hashes or emails returned in API responses
- !IDs guessable and records readable across users
If the AI messes this up
Use this when the AI fakes progress or breaks the feature. It forces a real fix.
A key remains client-side because 'the calls need it'. Move that call to a backend endpoint that holds the key and have the frontend call your API instead.