smith-check
v1.0.3
Published
Scan your AI-built project for common issues before launch — from the Smith rescue community
Maintainers
Readme
smith-check
Scan your AI-built project for common issues before launch.
npx smith-checkNo install. No config. Run it in any project directory and get a rescue score with specific findings and fixes.
What it checks
| Check | Severity | What it catches |
|-------|----------|----------------|
| env-exposure | Critical | Secret keys with NEXT_PUBLIC_ prefix — visible to anyone in DevTools |
| gitignore-env | Critical | .env files tracked by git or missing from .gitignore |
| service-role | Critical | Supabase service role key used in client-side components |
| supabase-rls | Critical | Row Level Security disabled or missing from tables |
| stripe-webhook | Critical | Missing signature verification or request.json() breaking signature check |
| auth-session | High | getSession() used in server components (use getUser() instead) |
| rate-limiting | High | No rate limiting on expensive routes (AI, email, auth) |
| middleware | Medium | Missing Next.js middleware — sessions won't persist across requests |
| auth-callback | High | Missing or incomplete OAuth callback route |
Each failing check links to the Smith rescue guide and the relevant rescue package.
Example output
Smith Rescue Check v1.0.0
Scanning /path/to/my-app
CRITICAL
✗ Secret key exposed to browser via NEXT_PUBLIC_
STRIPE_SECRET_KEY has NEXT_PUBLIC_ prefix — visible to anyone who opens DevTools
Fix: Remove the NEXT_PUBLIC_ prefix. Server-only secrets must never be bundled into client JavaScript.
→ .env.local: NEXT_PUBLIC_STRIPE_SECRET_KEY
Guide: aismiths.cloud/guides/ai-build-security-checklist
✗ Stripe webhook missing signature verification
Webhook handler does not call stripe.webhooks.constructEvent()
Fix: Add: const event = stripe.webhooks.constructEvent(body, sig, process.env.STRIPE_WEBHOOK_SECRET!)
→ app/api/webhooks/stripe/route.ts
Guide: aismiths.cloud/guides/stripe-webhooks-not-firing
HIGH
⚠ getSession() used in server context — use getUser() instead
Found getSession() in 2 server files
→ app/dashboard/page.tsx:14
→ app/profile/page.tsx:8
Guide: aismiths.cloud/guides/fixing-supabase-auth-bolt-new
PASSING (6)
✓ .env files protected by .gitignore
✓ Supabase service role key not exposed to client
✓ Next.js middleware found
✓ Auth callback route found and complete
✓ No rate-limiting issues detected
✓ No Supabase not detected — skipping RLS check
────────────────────────────────────────────────────────
Score: 47/100 — Needs rescue before launch.
2 failing · 1 warning · 6 passing
Get it fixed by a Smith:
→ aismiths.cloud/packages#security-audit
→ aismiths.cloud/packages#payment-fixOptions
npx smith-check # scan current directory
npx smith-check ./my-app # scan a specific directory
npx smith-check --json # JSON output (for CI/tooling integration)Exit codes: 0 = all passing, 1 = one or more failures, 2 = unexpected error.
Use --json to pipe results into other tools or save a report:
npx smith-check --json > rescue-report.jsonUsing in CI
Add to your GitHub Actions workflow to block merges when critical issues are found:
- name: Smith rescue check
run: npx smith-check
# Exits 1 if any check fails — blocks the CI runOr warn-only (don't block):
- name: Smith rescue check
run: npx smith-check || trueContributing a new check
Adding a check takes about 20 minutes. See CONTRIBUTING.md.
Every merged check gets credited in the release notes, and if you're a Smith, your contributor badge appears on your profile.
How checks are structured
Each check is a single TypeScript file that exports one function:
import type { CheckResult, ProjectContext } from "../types.js";
export function checkYourThing(ctx: ProjectContext): CheckResult {
// ctx gives you: root path, source files, env files, gitignore,
// package.json deps, and flags for Next.js / Supabase / Stripe
if (somethingBad) {
return {
id: "your-check-id",
label: "Short label shown in output",
status: "fail", // "fail" | "warn" | "pass"
severity: "critical", // "critical" | "high" | "medium" | "low"
message: "What's wrong, in one sentence.",
detail: "How to fix it.",
locations: ["file.ts:42"],
guide: "guide-slug", // links to aismiths.cloud/guides/[guide-slug]
package: "auth-rescue", // links to aismiths.cloud/packages#[package]
};
}
return {
id: "your-check-id",
label: "All good",
status: "pass",
severity: "critical",
message: "No issues found.",
};
}Then register it in src/checks/index.ts. That's it.
Built by Smith — the AI project completion marketplace.
Found a false positive? Open an issue.
