A structured review for AI-built applications.

One fixed-price diagnostic. Twelve categories. Every checkpoint scored against your repository, your running product, and the workflow around it.

See where your repo stands.

We read your existing GitHub repo and email back a scored report — the free first step before a full consultation. Fast, easy, and free.

Get your free Readiness Check

Why a structured review

AI agents are excellent at producing code that looks plausible and consistent. The hard part is deciding which of that code is safe to keep, which is quietly accumulating risk, and which has to change before the next feature lands on top of it. The consultation gives the team an outside read of all three.

Every checkpoint below comes from a pattern we have seen repeatedly in vibe-coded apps that grew faster than their engineering foundations. The goal is not a tidy report. It is a shared picture of what to harden first and what can wait.

What we look at

Twelve categories. Each checkpoint is scored against the repository, the running product, and the workflow around it.

Agent instructions & project constitution

The rules your repository teaches every agent, prompt, and contributor before they touch a line of code.

  • AGENTS.md or CLAUDE.md exists, stays current, and matches how the codebase actually works.
  • Naming, folder structure, and import conventions are written down rather than implied.
  • Forbidden patterns are written down with their reasons, so agents can tell which rules are load-bearing.
  • The verification commands (test, lint, type-check, build) the agent must run are listed and accurate.
  • Hierarchical instruction files cover sub-packages and feature areas, not just the repo root.
  • Per-agent and per-tool instruction files derive from one canonical source instead of drifting apart.
  • The constitution stays small and loads deeper guidance on demand rather than as one wall of text.
  • Safety-critical rules are mechanically enforced rather than left as prose, and the file says which is which.
  • Constitution changes are judged by observed agent behavior, not intuition — and dead rules get pruned.

Architecture & module boundaries

Whether the codebase has shape that future changes can land in, or whether every feature has to rediscover where it belongs.

  • Folder structure maps to business domains rather than framework defaults.
  • Public and private module boundaries are enforceable, not aspirational.
  • Duplicated business logic across screens, routes, and background jobs is identified and consolidated.
  • Dead routes, orphan screens, and abandoned files are inventoried for removal.
  • Monorepo workspaces share one coordinated set of dependency versions.
  • Server-only code cannot be imported into the client bundle.
  • Agents can reach AST and boundary tooling that enforces structure before CI catches it.
  • Circular dependencies are detected and kept out of the build.

Type safety, contracts & static analysis

The mechanical filters that reject plausible-looking, consistent-looking, still-wrong code before it reaches review.

  • Typing is strictly enforced universally, and uses of any, casts, and as escapes are limited and audited.
  • Trust boundaries — forms, API routes, webhooks, queues, env vars — validate at runtime, not just at compile time.
  • Database schemas drive application types instead of being maintained in parallel.
  • State machines use discriminated unions instead of stacks of optional flags.
  • Linters run with a strict, project-specific rule set, and a formatter settles style debates.
  • Naive implementations are avoided and algorithmic complexity is kept under control, with clear, maintainable code.

Testing & quality assurance

Whether the suite proves that important behavior still works after a generated patch, or only chases a coverage number.

  • Critical user journeys — authentication, payments, key writes — have explicit, traceable coverage.
  • Tests are property-based or fuzzed to validate logic against unexpected inputs.
  • The mix of unit, integration, and end-to-end tests is balanced for the product's real risk.
  • Previously fixed bugs are pinned by regression tests so they cannot quietly return.
  • Mocking is reserved for external systems, not for internal modules the team controls.
  • The full suite finishes fast enough that developers actually run it locally.
  • Accessibility (WCAG 2.2) is treated as a core quality bar and tested for regressions.

Security

The non-negotiable protections that should be in place before the app touches a real customer or a real dollar.

  • No secrets, tokens, or .env files are committed to the repository or its history.
  • Secrets and environment variables stay in parity across local, preview, and production.
  • Dependencies are version-pinned, audited, and updated on a known cadence.
  • Authentication is enforced on every protected route, including server actions and API handlers.
  • Authorization and tenant isolation are enforced at the data layer, not only in the UI.
  • Public endpoints have rate limiting and abuse controls sized for the threat model.
  • CSRF, XSS, and SSRF protections are in place, including for AI-driven URL and tool flows.
  • Security headers (CSP, HSTS, Referrer-Policy) and cookie flags (HttpOnly, Secure, SameSite) are configured.
  • Signed commits and a security.txt give researchers a clear way to report vulnerabilities.

Reliability & error handling

How the product behaves when real users, slow dependencies, and bad input meet the happy path the demo never left.

  • Errors are typed and surfaced to users with intent and to operators with the context to act.
  • External calls have timeouts, retries with backoff, and graceful degradation when a dependency is down.
  • Background jobs and payment paths are idempotent end to end, with retry and dead-letter handling.
  • Webhook handlers verify signatures, reject replays, and are safe to retry.

Data & persistence

Whether the data the product is trusted with survives migrations, outages, and deletion requests.

  • Database migrations are verified for forward-compatibility before merge, not after deploy.
  • Retention and deletion are scheduled, covering backups, soft-deleted rows, exports, and persisted LLM context.
  • Backups are real, restores are tested, and there is a disaster-recovery plan.

CI/CD & release pipeline

The external standard that decides whether a generated change is ready to move forward, even when the local demo looks convincing.

  • Every pull request runs build, type-check, lint, and the full test suite as required gates.
  • Production deploys are reproducible from a single tagged commit, with no manual steps.
  • Infrastructure is defined in code and version-controlled, with automated deployments and rollbacks.
  • Preview environments get production-like data instead of a shared staging database.
  • Risky changes ship behind flags or canaries rather than all at once.
  • Builds are cached, and the deploy artifact carries supply-chain provenance.

Observability & operations

How quickly the team can tell that something is wrong in production, and what it would take to fix it.

  • Logs are structured, carry a request or correlation ID, and survive across services.
  • Errors are captured with source maps and breadcrumbs sufficient to reproduce.
  • Uptime and latency monitoring is wired to the critical paths, not just the home page.
  • Requests can be traced end to end with OpenTelemetry or equivalent.
  • On-call, alerting, and runbooks are mature enough that real incidents get a response.
  • Service-level objectives and error budgets are defined and tracked.

AI & LLM systems

Whether the AI inside the product is deliberate, bounded, and observable — or a black box wired straight to production.

  • Product-side prompts and system messages are versioned and reviewed like code.
  • LLM output is validated as a trust boundary before it is used or acted on.
  • Model and provider choices are deliberate, with a tested fallback if one goes away.
  • Model calls have timeouts, retries, circuit breakers, and token budgets.
  • AI use is checked against the OWASP Top 10 for LLMs, including prompt injection and data exfiltration.
  • Personal data is redacted before it enters prompts, tool inputs, logs, and analytics — and the redaction is tested.
  • LLM cost, hallucinations, and token usage are observable per feature and per user.
  • High-impact AI actions have a human in the loop and an override path.
  • An eval harness gates prompt and model changes before they merge.

Privacy, legal & compliance

The obligations a product takes on the moment it stores data about a real person, including what it hands to a third-party model.

  • The applicable regulatory regime (GDPR, CCPA, PDPA, sector-specific) is identified, and the privacy policy reflects what the application actually collects, stores, and shares.
  • Data subject rights — access, deletion, export, correction — have a working mechanism behind them, not a promise in a help article.
  • A sub-processor inventory tracks every vendor that touches user data, with the agreements to match.
  • A breach-notification plan exists before it is needed.

Developer experience & workflow

Whether the next contributor — human or agent — can be useful in their first hour without breaking something.

  • README explains what the product is, how the stack fits together, and where to start reading.
  • Definition of done is explicit and verifiable by both humans and agents before merge.
  • Approval workflows and review protocols are well established, and tooling is in place to improve speed and accuracy.
  • Recurring bugs are converted into types, tests, or lint rules rather than retried with a longer prompt.
  • Skills, hooks, and MCP servers the agent relies on are catalogued.
  • A new clone reaches a running app in roughly one command.
  • The inner loop — hot reload, tests, type-check — is fast enough to keep flow.
  • Complex agent work runs through a plan or spec before implementation.

What you receive.

The consultation ends with artifacts the team can act on the following Monday, not a slide deck that lives in a shared drive.

Scored checklist
Every checkpoint above marked pass, partial, or gap, with file references and short evidence so the team can verify each call.
Prioritized risk register
The gaps ranked by business impact and likelihood, so the next sprint focuses on the work that actually removes risk.
Rewrite-versus-remediate plan
A call on each problem area: keep and harden, refactor in place, or rebuild deliberately — with the reasoning behind it.
30-60-90 day sequencing
A practical schedule that orders the work to reduce risk fastest, not the work that is easiest to start.
Updated guardrails
Concrete edits to AGENTS.md, lint configuration, and review checklists so the recommendations survive the next agent session.
Debrief call
A working session with engineering, product, and leadership to align on what to change first and who owns it.

Fixed-price consultation · $649

Find out where the risk is, before the next feature lands on top of it.

Book the consultation and we will schedule a kickoff within a few business days. Most engagements deliver the scored checklist and risk register within two weeks of repository access.