# AI App Audit Checklist

A production-readiness checklist for apps built with Lovable, Cursor, Bolt, and other AI tools.
By KloudGentic — https://www.kloudgentic.com

## Security

AI tools rarely think about security unless pushed, and even then they miss things. These are the gaps that turn into public incidents.

- [ ] No secrets, API keys, or tokens are committed to the repo or shipped in the client bundle.
- [ ] Every server endpoint validates and authorizes the request — the interface is not the security layer.
- [ ] Rate limiting and abuse protection are in place on public and authentication endpoints.
- [ ] Dependencies are pinned and free of known critical vulnerabilities (npm audit or equivalent).
- [ ] User input is validated and sanitized on the server before it reaches the database.
- [ ] Stack traces and internal error details are never shown to end users in production.

## Authentication & access

Generated login screens often look right but enforce nothing underneath. Anyone who knows the pattern can reach data they should not.

- [ ] Authentication is enforced on the server for every protected route and action.
- [ ] Row-level security (or equivalent) restricts each user to their own data — the single most common Lovable and Supabase gap.
- [ ] Roles and permissions are checked server-side, not hidden in the UI.
- [ ] Sessions expire, and password reset and email verification flows actually work.
- [ ] Admin and internal routes cannot be reached by guessing the URL.

## Data & privacy

If you handle personal data in Europe, this is work, and it is not optional.

- [ ] The database has a real schema with constraints, not free-form fields that accept anything.
- [ ] Backups run automatically and a restore has actually been tested at least once.
- [ ] Personal data has a lawful basis and a privacy policy that matches what the app really does (GDPR).
- [ ] You can export and delete a user's data on request.
- [ ] Personal data is not logged in plaintext or sent to third-party tools without consent.

## Tests & quality

Without tests, every AI edit is a gamble — you fix one screen and quietly break another, and you find out from a customer.

- [ ] The flows that make money or hold sensitive data (sign up, payment, core action) have automated tests.
- [ ] There is error handling wherever the app talks to a database, an API, or a payment provider.
- [ ] The app degrades gracefully on bad input, a lost connection, and a double-clicked button.
- [ ] A CI check runs the tests on every change before it ships.
- [ ] Linting and type checks pass; there are no silent runtime type errors.

## Deployment & monitoring

You cannot fix what you cannot see. This is the early-risk floor.

- [ ] Production, staging, and local environments are separated, each with its own config and secrets.
- [ ] Uptime monitoring and error logging alert you before your customers do.
- [ ] Deploys are repeatable — one command or one click — not manual and undocumented.
- [ ] There is a rollback path for when a deploy goes wrong.
- [ ] Performance holds up under realistic load, not just for the first five users.

## Handover & documentation

A prototype lives in one person's head. A product needs to be understood by the next person who touches it, including you in six months.

- [ ] A README explains how to run, test, and deploy the app locally.
- [ ] The main parts of the system and the data model are documented.
- [ ] You own all the source code, accounts, and infrastructure — nothing is locked to a vendor or a single contractor.
- [ ] Environment variables and third-party accounts are inventoried, and access is transferable.
- [ ] Another developer could pick this up in days, not weeks.

---

Not sure how your app scores? KloudGentic runs fixed-scope audits for Lovable and Cursor builds.
See https://www.kloudgentic.com/solutions/lovable-app-audit
