Read-only by design
VibeCheck checks public pages, client bundles, source-map references, exposed infrastructure paths, headers, bounded CORS preflights on referenced APIs, public schema/debug routes, Firebase web config, client hydration payloads, and owner-authorized Supabase read/storage probes.
Modern leak coverage
It looks for exposed AI-era secrets, over-fetched client data, public OpenAPI or GraphQL surfaces, weak browser defenses, and access-control self-check signals, including client_data_exposure, debug_schema_surface, and firebase_config findings.
Evidence stays redacted
Reports store fingerprints and sanitized metadata, not raw secrets, source maps, source code, database rows, cookies, sensitive query strings, or raw PII samples.