Product

Introducing Flowpatrol: You Shipped It. Now Make Sure It's Solid.

You built an app in a weekend. Flowpatrol is the five-minute scan that tells you if it's ready for the real world. Here's what it finds and how it works.

Flowpatrol TeamMar 27, 20268 min read

You shipped it

You described an app. The AI built it. Maybe it took an afternoon, maybe it took a weekend. Either way, you've got something real — a working product with a login page, a database, an API, and actual users starting to show up.

That feeling when the deploy goes green? It's the best part.

But here's the thing. The AI that built your app was optimizing for one goal: make it work. And it did. The features are there, the UI looks good, the data flows. What it didn't optimize for is what happens when someone pokes at it sideways. What happens when someone changes the ID in the URL. What happens when someone opens their browser's network tab and starts replaying requests. What happens when someone finds your Supabase service role key sitting in the JavaScript bundle.

That's the gap Flowpatrol closes. Not with a week-long audit. Not with a consultant. With a five-minute scan that tells you exactly where you stand.

What a scan actually looks like

Words are cheap. Here's what happens when you paste a URL into Flowpatrol.

Say you've built a project management tool with Lovable. Users sign up, create projects, add tasks, invite teammates. Everything works. You paste the URL and start a scan.

Five minutes later, you get a report. Here's what Flowpatrol might find:

A Flowpatrol scan report showing findings organized by severity — critical, high, medium — with specific issues like missing RLS and exposed API keys

Finding 1: Missing Row Level Security

Flowpatrol discovers that your tasks and projects tables have RLS disabled. That means any authenticated user can read every row — not just their own.

-- What Flowpatrol found
SELECT tablename, rowsecurity
FROM pg_tables
WHERE schemaname = 'public';

-- Result:
-- tasks     | false
-- projects  | false
-- profiles  | false

The fix is specific:

ALTER TABLE tasks ENABLE ROW LEVEL SECURITY;

CREATE POLICY "Users see own tasks"
ON tasks FOR SELECT
USING (auth.uid() = user_id);

CREATE POLICY "Users create own tasks"
ON tasks FOR INSERT
WITH CHECK (auth.uid() = user_id);

Flowpatrol doesn't just tell you RLS is off. It tells you which tables, what's exposed, and what the policy should look like.

Finding 2: Broken access control on the API

Flowpatrol tries accessing project data without authentication. It works.

# No auth token, no session — and the data comes back
curl "https://your-project.supabase.co/rest/v1/projects?select=*" \
  -H "apikey: eyJhbGciOi..."

# Response: 200 OK
# [{"id": 1, "name": "Secret Roadmap", "owner_id": "..."},
#  {"id": 2, "name": "Client Portal", "owner_id": "..."}]

Anyone with the anon key (which is public by design) can pull every project in your database. This is the exact pattern behind the Lovable RLS vulnerability (CVE-2025-48757) that exposed 170+ apps.

Finding 3: Service role key in the client bundle

Flowpatrol scans your JavaScript files and finds a Supabase service role key embedded in the client-side bundle.

# Found in /_next/static/chunks/app-d3f8a2b1.js:
# "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZS..."
# Pattern match: Supabase service role key

That key bypasses all RLS policies. It's full admin access to your database. Even if you fix every RLS issue, this key makes all of it irrelevant.

Three findings. Three things the AI didn't handle. Three things you can fix in an hour.

How Flowpatrol works under the hood

Traditional scanners work from a rulebook. They match patterns, check headers, and flag known signatures. They're fast, but they're blind to context. They don't understand what your app does or how its pieces fit together.

Flowpatrol works differently. It uses an LLM-powered agent that interacts with your app the way a real person would — but with the mindset of someone trying to break it.

Here's the sequence:

Reconnaissance. Flowpatrol maps your app. It finds pages, forms, API endpoints, authentication flows, and JavaScript files. It reads your app the way a new user would, but it pays attention to what's in the network requests.
Analysis. For every endpoint and resource it discovers, Flowpatrol asks the questions that matter. Can I access this without logging in? Can I access someone else's data by changing the ID? Are there secrets in the client-side code? Is the database enforcing access controls?
Testing. It doesn't just flag theoretical risks. It makes the requests. It changes the parameters. It checks what actually comes back. If it says "broken access control," it has the HTTP response to prove it.
Reporting. You get a report organized by severity. Each finding has evidence — the request, the response, and a clear explanation of what it means. No jargon. No 200-page PDF. Just what's wrong and how to fix it.

The Flowpatrol scanning flow — from URL input through reconnaissance, analysis, and testing to a final report

The whole thing runs in about five minutes. You don't configure anything. You don't write rules. You paste a URL and get answers.

Why this matters right now

The tools for building apps got 100x faster. The tools for checking them didn't keep up.

In January 2026, we analyzed 100 publicly accessible vibe-coded apps. The results were stark:

78% had at least one critical or high-severity security issue
63% had missing Row Level Security on their Supabase tables
42% exposed sensitive API keys in client-side JavaScript
31% had broken access controls that let users see each other's data

These aren't edge cases. These are common, fixable problems in apps built by smart people who moved fast. The AI didn't warn them. The platform didn't block them. Nobody checked before they shipped.

That's the gap. Lovable tells you to "ship your ideas in days." Bolt says "go from insight to prototype in hours." Both are right — and both leave the security step to you.

Flowpatrol is that step.

What Flowpatrol checks

Here's the short list. Every scan covers:

Access controls

Row Level Security enabled and properly configured
Authentication enforced on protected endpoints
Users can't access each other's data (IDOR checks)
Admin endpoints aren't publicly accessible

Secrets and exposure

API keys in client-side JavaScript
Service role keys, database URLs, secret tokens in the bundle
.env files or configuration endpoints publicly accessible
Sensitive data in error messages or debug output

Authentication

Login bypass patterns
Weak session handling
Missing rate limiting on auth endpoints
Token exposure in URLs or logs

Common AI patterns

Default security configurations left unchanged
Test-mode rules deployed to production
Missing input validation on user-facing forms
Unprotected API routes the AI generated but didn't lock down

We built Flowpatrol around the specific patterns we see in AI-built apps — the things Claude, GPT, and Gemini consistently get wrong when generating full-stack applications.

Who this is for

If you're building with Lovable, Bolt, Cursor, v0, Replit, or any AI coding tool — and your app handles real user data, processes payments, or is heading toward a public launch — Flowpatrol is built for you.

You don't need a security background. You don't need to know what OWASP stands for. You need to know if your app is solid before you share it with the world. That's it.

Think of it the same way you think about buying a domain, setting up analytics, or connecting Stripe. Running a scan is a launch step. It takes five minutes and it tells you whether your app is production-ready or has gaps that need closing first.

What you should do right now

You've built something. Here's how to make sure it's ready:

Scan your app. Go to flowpatrol.ai, paste your URL, and run a free scan. Five minutes, no setup, no credit card.
Read the report. Each finding tells you what's wrong, why it matters, and how to fix it. Start with the critical items and work down.
Fix the big stuff first. Enable RLS on your Supabase tables. Move secret keys to server-side code. Add authentication checks to your API endpoints. These three fixes cover the majority of issues we find.
Scan again after you fix. Confirm the issues are resolved. Your report should come back cleaner. That's the feeling you want before you launch.
Make it a habit. Every time you add a feature, create a new table, or integrate a new service — scan again. It takes five minutes. Make it part of your build process, not an afterthought.

You turned an idea into a working app. That's the hard part. Making it solid is the fast part. Five minutes. That's it.

A before-and-after comparison showing a scan report going from multiple critical findings to a clean bill of health

Have questions? Find us on Twitter/X or drop a note to contact@flowpatrol.ai. We're builders too — we'd love to hear what you're shipping.