Security Basics Review
QA
60-90 minutes0/5 steps0%
Step 1 of 5
Hunt exposed secrets
The most common AI-build failure: keys where users can read them.
First time here? Paste the Context Pack first so the AI understands your project - open it from the header above.
Prompt Capsule
Audit this app for exposed secrets. Check: all frontend source and env files for API keys/tokens (anything beyond truly public keys); the built bundle if inspectable; backend code for hardcoded credentials that should be env vars; logs printing secrets; repo files (.env committed?). For every finding: move the secret server-side or to env, rotate it if it was exposed, and verify the frontend bundle no longer contains it. List every finding and action.
Paste into EmergentFull Build: complete implementation prompt with explicit requirements
Quick is short. Full Build is recommended for most steps. Strict forces real logic when the AI keeps faking output.
Actual change check
Expected after this step
A findings list with every secret moved, rotated, and re-verified.
Should NOT happen
- An existing feature broke
- A button only logs to console
- Data disappears after refresh
- Errors fail silently with no visible state
This is what should exist before you continue. If reality does not match, do not move on.
Track what changed, failed, or needs follow-up. Notes export with the flow.
Pass the Verify Gate to complete this step