Built fast with AI. Launch safely with b-nova.

App Launch Guard – the production-readiness check for AI-built apps

Built in days with Cursor, Lovable, Bolt, v0 or Claude Code – but is it safe enough for real users? b-nova reviews security, hosting, auth, database, backups and monitoring before your app goes live.

Book App Launch Guard

What we review

Security & Hardening

Secrets, API keys, input validation, security headers, dependency vulnerabilities and unsafe AI-generated code patterns.

Hosting & Deployment

Hosting configuration, HTTPS, DNS, staging vs. production, CI/CD pipeline, rollbacks and deployment risks.

Auth & Access Control

Login, sessions, cookies, role model, horizontal and vertical privilege escalation, admin routes, OAuth configuration.

Monitoring & Backups

Uptime monitoring, error tracking, logs, alerts, backups and tested restore processes — so you notice when something breaks.

Real problems. Real fixes.

What we found — and fixed — on real AI-built apps.

Lovable + Supabase · Critical
Row-level security disabled on four tables.

What we found

  • Anonymous users could read every customer row.
  • service_role key was visible in the browser bundle.
  • No audit logs for data access.

Fix

  • RLS policies defined per table and per role.
  • Service key moved server-side, old key rotated.
  • Rate limit and audit log added at the Edge Functions layer.

v0 + OpenAI · Critical
OpenAI API key embedded directly in the client bundle.

What we found

  • $4,000 in unauthorized usage within 24 hours.
  • No rate limit, no per-user quota, no monthly budget cap.
  • Sensitive user input sent to the API unfiltered.

Fix

  • Server-side proxy with user authentication implemented.
  • Per-user rate limit and monthly cost cap configured.
  • Prompt sanitization and logging with PII filter.

Bolt SaaS admin panel · High
Admin routes guarded by frontend role only — backend trusted client state.

What we found

  • /admin was reachable for any logged-in user.
  • Backend trusted the role field from frontend state.
  • No audit log for administrative actions.

Fix

  • Server-side RBAC middleware with JWT role claims.
  • Route guards enforced in both frontend and backend.
  • Audit log for every admin action with user, time and IP.

Cursor + Vercel + Supabase · High
No staging, no backups, manual deploys from main.

What we found

  • Tests were run locally, never in CI.
  • Database had no scheduled backups configured.
  • Production secrets shared the same .env as development.

Fix

  • Staging branch with separate Vercel preview and Supabase project.
  • Daily Supabase backups with a tested restore process.
  • GitHub Actions pipeline with lint, test and approval gate.

How the check works

Four structured steps — fixed price, fixed timeline.

1 · Intake & Access

You complete our short intake form and grant read access to the repository, hosting provider and test accounts. No plain-text production secrets required.

2 · Review against the checklist

We review your app systematically against our production-readiness checklist: hosting, secrets, auth, authorization, database, API exposure, deployment, monitoring, backups — and AI-specific risks where relevant.

3 · Report with severity & fix plan

You get a written report with executive summary, findings rated by severity (Critical / High / Medium / Low / Info), a prioritized remediation roadmap and a clear launch decision: Ready, Ready after fixes or Not ready.

4 · Debrief & optional implementation

In a debrief call we walk through the most important findings and align on what must be fixed before launch. On request, b-nova handles the implementation as part of our Harden & Fix package.

Free · No signup

Is your app safe to launch?

10 simple questions. 2 minutes. Get an instant risk score before you talk to us.

The 2-minute Launch Readiness Check

No technical jargon. Just 10 plain-English questions about your app — like 'if your database got wiped tomorrow, could you restore it?'. You get an instant risk score and a clear next step.

  • ~2 minutes
  • 10 questions
  • Stays in your browser

Question 1 / 10

Are all your API keys, passwords and secret tokens kept on the server — never embedded in the code that users download to their browser?

Question 2 / 10

Can each user only see and change their own data — never another user's records?

Question 3 / 10

Is your admin area protected on the server side — not just hidden from the menu?

Question 4 / 10

If someone discovered your AI features and called them in a loop all night, would there be a hard limit that stops your bill from blowing up?

Question 5 / 10

Are the keys you use for your live app different from the ones you used while developing — and stored in a different place?

Question 6 / 10

If your database got accidentally wiped tomorrow morning, could you restore yesterday's data within an hour?

Question 7 / 10

If your app crashed at 3am, would you find out automatically — before your users start complaining?

Question 8 / 10

When you publish a change, does an automated check run before the change reaches your live users?

Question 9 / 10

Do you have a 'practice' copy of the app where you can try changes safely before they go live?

Question 10 / 10

If a customer asked 'who deleted my data and when?', could you find the answer?

Your answers stay in your browser. We never see them unless you decide to book a call.

Packages & Pricing

From a CHF 290 Quick Scan to ongoing protection after launch.

Quick Scan

CHF 290

Within 24 hours

Per public URL · each additional URL CHF 290

Best for

First-time founders, weekend builds, prototypes

Included

  • Automated security scan of your public URL
  • Top exposure check: secrets, headers, dependencies
  • 1-page red-flag report with the most urgent issues
  • 15-minute walkthrough call (optional)
  • Fully credited toward Launch Guard if you upgrade within 30 days

Launch Guard · Flagship

from CHF 2,400

4–6 working days

For 1 app in standard scope · definition below

Best for

Public MVPs, SaaS, customer-facing apps

Included

  • Full production-readiness review
  • Auth, authorization, database, API, rate limiting
  • Hosting, deployment, backup and monitoring review
  • Severity-rated findings with remediation roadmap
  • 60-minute debrief call and launch decision

Launch Guard Plus

from CHF 4,800

7–10 working days

For 1 app in standard scope · definition below

Best for

Apps with payments, sensitive data or multiple roles

Included

  • Everything in Launch Guard
  • Deeper role and permission testing
  • Business-logic abuse and API misuse scenarios
  • AI-specific risks, payment flows, admin functions
  • Retest of critical and high findings
  • 90-minute debrief workshop

Harden & Fix

Based on findings

Fixed-price quote after review

Best for

Teams that want fixes, not just a report

Included

  • b-nova implements the agreed findings
  • Secret rotation, auth fixes, RBAC, RLS, rate limiting
  • Backups, monitoring, CI/CD hardening, security headers
  • Retest after implementation
  • Fixed-price quote based on number & severity of findings

Ongoing Shield

Modular from CHF 90/month

Monthly · from 1 module

Best for

Apps in production — continuous protection, not just a one-off check

Included

  • Modular subscription — pick exactly the modules you need
  • From dependency scan (CHF 90/month) up to support pool (CHF 720/month)
  • Extendable with vulnerability report, incident priority, retests
  • Volume discount: −10% from 3 modules, −15% from 5, −20% for all 8

How Harden & Fix is priced

Per-finding fixed price — quoted directly in the review report. You pay only for the fixes you commission.

1 · Review first

The Launch Guard review identifies every finding and estimates the effort needed to fix each one.

2 · Fixed price per finding

Every finding in the report gets its own fixed price — retest included. No hourly rates, no open T&M bill.

3 · You pick à la carte

You decide which fixes to commission. Your total is the sum of the fix prices for the findings you select.

Requires a Launch Guard or Launch Guard Plus review first. You only pay once you've signed off on the selected fix prices.

How to assemble Ongoing Shield

Per-module fixed price. You subscribe only to what you need — from CHF 90/month.

Just want a monthly dependency check? Subscribe to exactly that. As your needs grow, add modules flexibly.

Module · Price per month

Dependency scan + CVE alerts · CHF 90
Weekly scan of your npm, PyPI or Go-module dependencies. Automatic email or Slack alerts when new CVEs are published.

Uptime + security-header monitoring · CHF 90
1-minute uptime checks, monthly SSL/TLS and security-header report, alerts on outages or expiring certificates.

Hardening call (30 min/month) · CHF 150
Monthly live call with a b-nova engineer to discuss new risks, upcoming releases and configuration questions.

Monitoring & log review · CHF 250
Once a month we review your Sentry errors, logs and alerts and send a short note with anomalies and recommendations.

Vulnerability report (written, monthly) · CHF 350
1–2-page report with prioritized findings from dependencies, configuration and new threats relevant to your stack.

Incident priority · CHF 400
Response within 4 h during business hours. First 2 h of engineering per incident included; additional hours at CHF 220/h.

Quarterly retest · CHF 500
Every 3 months we verify that the critical and high findings from your last review are still closed. Written retest report included.

Support pool (4 h/month) · CHF 720
4 h of engineering time for small fixes, updates or advice. Up to 2 h roll over to the next month; additional hours at CHF 220/h.

Minimum term 3 months, then monthly cancellable. Volume discount: −10% from 3 modules · −15% from 5 modules · −20% for all 8 modules. Applied automatically to your monthly invoice.

What "1 app" means — and when the price grows

Applies to Launch Guard and Launch Guard Plus. List prices for these two packages cover one standard app; as scope grows, the add-ons below apply. (Quick Scan is billed per public URL, Harden & Fix per finding, Ongoing Shield per module.)

Standard scope of one app

An "app" in the context of Launch Guard and Launch Guard Plus consists of:

  • 1 frontend
  • 1 backend / API
  • 1 production environment
  • 1 database
  • Up to 3 user roles
  • Up to 5 key workflows
  • Up to 3 third-party integrations

Scope add-ons

  • Additional environment (e.g. staging): + CHF 450
  • Additional app or frontend: + CHF 950
  • Additional backend / API: + CHF 950
  • More than 3 user roles: + CHF 450
  • Payment integration (e.g. Stripe): + CHF 750
  • File upload flow: + CHF 550
  • AI / LLM workflow review: + CHF 950
  • Per additional key workflow (>5): + CHF 300
  • Mobile app review: custom quote
  • Express review within 48h: + 50% surcharge

We finalize the price after a 20-minute scoping call — no commitment, no obligation.

What you get out of it

Fewer avoidable security mistakes

Find and fix the most common AI-generated code mistakes before they hurt in production.

Safer hosting setup

HTTPS, DNS, environment separation, secrets handling and deployment pipeline configured cleanly.

Clear picture of launch risks

You know exactly what must be fixed before launch and what can wait.

Prioritized remediation plan

Critical, High, Medium, Low and Info — with effort estimate per finding. Drop-in-ready for Jira, Linear or GitHub Issues.

Faster path to production

From prototype to production-ready service in days, not weeks — without skipping the safety step.

Optional implementation support

Fix it yourself — or have b-nova do it as part of Harden & Fix. Your call.

Ready to launch safely?

Tell us briefly about your app — we recommend the right package and give you a fixed price.