Launch-readiness for vibe-coded SaaS

Stop guessing whether your AI‑built SaaS is ready to take payments.

Your prototype works. That is not the same as safe to sell. ShipTested shows the failures that hide in working Next.js + Supabase apps — then proves the fix with tests you can run.

You’ll get the checklist, a short 4-email launch-readiness series, and course updates when v1 ships. Unsubscribe anytime.

public example — money-path checks
$ npm run test:launch RLS policy model: user B receives zero rows owned by user A success-page visit creates no entitlement invalid signature is rejected before state changes same signed order webhook five times grants exactly once signed event for an unexpected variant grants nothing5 money-path checks passed

The five money-path checks from the public example test suite, shown passing — the same output you get from a clean clone.

Working ≠ sellable

Three failures that hide in working prototypes

AI tools write the happy path. These are the paths they skip — each one reproduced in our runnable public example, each one caught by a test.

RLS

Any logged-in user can read every user’s rows

The UI filters by user. The database doesn’t. One crafted request and user B is reading user A’s data.

- -- table has RLS disabled
+ create policy "own rows only"
+   on documents for select
+   using (auth.uid() = user_id);

✓ user B receives zero rows owned by user A

Read the teardown →
CHECKOUT

The success page is the only paywall

If landing on /success unlocks the product, anyone who types the URL is a customer. Redirects are not receipts.

- if (params.get('paid')) {
-   grantAccess(user)
- }
+ // access is granted by the
+ // verified webhook — never here

✓ success-page visit creates no entitlement

Read the teardown →
WEBHOOKS

One purchase, two lifetime licenses

Webhook retries are normal and healthy. If your handler isn’t idempotent, every retry hands out access again.

- await grantSeat(order)
+ await grantSeatOnce(order.id)
+ // keyed on the event — replays no-op

✓ same signed webhook five times grants exactly once

Read the teardown →

See all money-path teardowns →

Proof over promises

Every claim ships with a test you can run

No instructor mystique. The material has to survive a clean clone on your machine.

A runnable public example

Vulnerable and fixed versions of the money path, on GitHub, with the tests that tell them apart. Clone it, break it, run it.

Before / after diffs

Every fix is a readable diff against the vulnerable version — not a screenshot of finished code.

Pinned, disclosed versions

Every lesson will record the exact tool versions it was verified against, and when. AI assistance is disclosed, always.

Run the public example on GitHub →

In production

First up: Ship the Last 20%

A text-first course — lessons you can read, code you can run, short demos only where they earn their place. v1 covers the money path: Supabase RLS, server-created checkout, and signed, idempotent webhooks, ending in a launch checklist.

For you if

  • You built a working Next.js + Supabase prototype with v0, Claude Code, Replit, or your own prompts
  • You’re comfortable with basic JavaScript, Git, and environment variables
  • You’re blocked on auth, permissions, payments, or launch confidence

Not for you if

  • You’re brand new to code — this builds on a working prototype
  • You need a formal security certification or an enterprise audit
  • You want promises of guaranteed revenue — we don’t make those
Questions

Before you sign up

Short, honest answers. If something here is unclear, that’s a bug—tell us.

What do I actually get right now?

Two things, both free: the Launch Readiness Checklist (a pass/fail list for the money path of a Next.js + Supabase app), and the public example on GitHub you can clone and run today. The full course is still in production—joining the list gets you first access when it ships.

Is the course available yet?

Not yet. v1 is being built now, covering the money path: Supabase RLS, server-created checkout, and signed, idempotent webhooks. We’re publishing the free proof first and building the paid course around the questions real builders ask. The list hears about it before anyone else.

Is this made by a human or by AI?

AI does most of the writing and code. That’s why every technical claim ships with a test you can run yourself—we don’t ask you to trust an author, we ask you to run npm test on a clean clone. Where AI helped is disclosed, and we don’t invent testimonials or credentials.

Who is this for—and not for?

For builders who already have a working Next.js + Supabase prototype (built with v0, Claude Code, Replit, or your own prompts) and are comfortable with basic JavaScript, Git, and environment variables.

Not for complete beginners, and not a formal security certification or enterprise audit. It hardens one specific thing: the path from signup to paid access.

How do I run the public example?

Clone it, then cd public-example and run npm test. No dependencies to install—it runs on Node 20+. You’ll see the vulnerable version fail and the fixed version pass. See it on GitHub →

How many emails will you send?

The checklist, then a short series of four launch-readiness emails, plus the occasional update when the course ships. That’s the whole plan, and every email has a one-click unsubscribe. No daily blasts, no selling your address.

Free while we build

Get the launch-readiness checklist

The pre-flight list we run before any app takes real money — plus first access to the course when v1 ships.

You’ll get the checklist, a short 4-email launch-readiness series, and course updates when v1 ships. Unsubscribe anytime.