AI ships fast.
Now keep it safe and healthy.

LumioGuard watches your code and live services, catches problems before your users feel them, and readies the fixes.

Now in private beta · free while we build · lumioguard.dev/access

acme-saas — main · last checked 2m ago

scan complete · 4 connectors · 1 critical · 3 high · evidence attached
Stack health: Needs attention. 1 critical and 3 high to clear. Fixes are ready to review.
Findings
RLS disabled on public.invoices — any signed-in user can read every tenant's rows
supabase · table public.invoices · evidence: 2 code refs
supabase:db:rls_disabled
Service-role key exposed in client bundle via NEXT_PUBLIC_SUPABASE_SERVICE_ROLE
vercel · build env · reachable from the browser
secret-in-client-prefix
Missing FK index on orders.customer_id — slows every tenant-scoped query
supabase · fix ready · breakage analysis attached
supabase:db:possible_missing_fk_index
Security 58
Performance 74
Cost 80
Deployment 78
Reliability 70
Engineering 72
Supabase · Neon · Vercel · Cursor · Claude Code · Lovable

Everything you need to keep production running at 100%.

Reads your live stack, not just your code

One scan reads your code, then your live stack: Supabase advisors and error logs, Vercel deploy health, Neon consumption, GitHub security alerts. Over 240 checks, each mapped to a failure you'd recognize — outage, breach, surprise bill, broken deploy.

Supabase advisors + error logs
security · performance · 24h of postgres errors
live
Vercel deploy health
deploy states · OOM count · last error code
live
240+ checks · code and live service config · weekly schedule or on demand

Production degrades, a fix is prepared

When production drifts — errors climbing, latency past its budget — a finding opens on its own, scrubbed of anything personal at the edge. And it never arrives empty-handed: a step-by-step guide, ready-to-run SQL, or a reviewable pull request when the fix is safe to automate.

5xx rate 7.4% over the last hour
high · threshold 5% · opened automatically
high_error_rate
source: live production traffic · PII scrubbed at the edge
window: hourly rollup · also watching latency, web vitals, cache
fix: prepared · step-by-step guide · est. 5 min
fix attached before anyone noticed

A pull request you read before anything changes

Low-risk fixes arrive as pull requests on a stackguard/fix/* branch — never your default branch, never a silent write. Database fixes are reversible SQL you run yourself; riskier changes come as drafts or guides. Every fix carries a breakage analysis. You merge in-app.

Add FK index on orders.customer_id
safe-pr · breakage analysis: none expected
safe-pr
Move service-role key out of client env
draft · review required
draft
Enable RLS + policies on public.invoices
guide · 3 steps
guide
merges happen in-app · default branch never touched · SQL stays yours to run

Every merged fix is watched in production

The moment a fix lands, a two-hour watch opens on production — first check two minutes in. Every check compares the new deploy against the last one: healthy, failing, or needs attention. One bad reading never fails a deploy — and if the watch ends badly, the finding flips to needs attention instead of counting as fixed.

14:02 — production deploy READY
vs previous deploy: no regression
healthy · high
14:17 — still READY
checks continue through the window
healthy · high
watch passed · fix stays on track
2-hour window · first check at 2 minutes · verdicts: healthy / failing / attention

"Fixed" is a re-scan result, not a claim

Apply a fix and a re-scan confirms the finding is actually gone before it counts — a code-only scan can't "confirm" a database fix. And every finding is fingerprinted: if a resolved issue ever creeps back, it reopens itself.

RLS enabled on public.invoices
re-scan: no longer detected → resolved
verified
Spend cap removed again
same fingerprint returned → reopened
regression
verify scans matched to the claim · fingerprinted findings · resolved ≠ forgotten
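One way to implement the fingerprint-and-reopen behaviour described above, as an added example with an assumed schema (this is not LumioGuard's own code; table, column, and status names are illustrative). The fingerprint hashes the rule, connector, and resource rather than the message text, so a reworded description does not mint a "new" finding, and resolution is scoped to the connector the scan actually read, which is what keeps a code-only scan from "confirming" a database fix.

```sql
-- Added example (assumed schema, not LumioGuard's): fingerprinted findings that
-- reopen themselves when a resolved issue comes back.
CREATE TABLE findings (
  id          bigserial PRIMARY KEY,
  project_id  uuid        NOT NULL,
  connector   text        NOT NULL,   -- which connector produced it (e.g. 'supabase')
  -- stable identity: hash of rule + connector + resource, never the message text
  fingerprint text        NOT NULL,
  rule_id     text        NOT NULL,
  severity    text        NOT NULL,
  status      text        NOT NULL CHECK (status IN ('open', 'resolved', 'regression')),
  first_seen  timestamptz NOT NULL DEFAULT now(),
  last_seen   timestamptz NOT NULL DEFAULT now(),
  resolved_at timestamptz,
  UNIQUE (project_id, fingerprint)
);

-- A scan upserts every finding it detected. New fingerprint: opens. Already open:
-- last_seen refreshes. Previously resolved: flips to 'regression' rather than
-- quietly counting as a fresh finding.
INSERT INTO findings (project_id, connector, fingerprint, rule_id, severity, status)
VALUES (
  '00000000-0000-0000-0000-000000000001',   -- constructed project id
  'supabase',
  encode(sha256('supabase:db:rls_disabled|supabase|public.invoices'::bytea), 'hex'),
  'supabase:db:rls_disabled', 'critical', 'open'
)
ON CONFLICT (project_id, fingerprint) DO UPDATE
SET last_seen   = now(),
    status      = CASE WHEN findings.status = 'resolved' THEN 'regression'
                       ELSE findings.status END,
    resolved_at = CASE WHEN findings.status = 'resolved' THEN NULL
                       ELSE findings.resolved_at END;

-- "Fixed" is a re-scan result: only findings this scan did not report again resolve,
-- and only for the connector this scan actually read. A code-only scan would pass
-- connector = 'github' here and could never resolve a database finding.
-- :'scan_started_at' is a psql variable captured before the scan began.
UPDATE findings
SET    status = 'resolved', resolved_at = now()
WHERE  project_id = '00000000-0000-0000-0000-000000000001'
  AND  connector  = 'supabase'
  AND  status IN ('open', 'regression')
  AND  last_seen < :'scan_started_at';
```

The upsert references the existing row as `findings` and the incoming row as `EXCLUDED` (unused here), which is why the `CASE` expressions read the stored status rather than the proposed one.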

Hear about it the day it appears

Something new turns up, the alert goes out — email or signed webhook, filtered by the severity threshold you set. Quiet hours hold the noise; a daily digest rolls up the rest. And three shareable reports are one click away.

Severity threshold: all · high+ · critical only
Quiet hours: holds alerts until morning
Daily digest: open findings · top 5 by severity
Signed webhook: HMAC-signed deliveries
Alert: "acme-saas — 1 critical needs attention (rls_disabled)" · email + signed webhook
Still on the way — Slack alerts · MCP for Cursor & Claude Code · Copilot Q&A
Six pillars · one health score

Scored the way production actually judges you.

Every scan rates six pillars from 0 to 100, and your stack health score is the mean of the six. No green-light theater: each number is backed by specific checks and the code or service config that triggered them. And one critical flips the verdict to "Needs attention," no matter how good the average looks.

Security

Are your data and access safe? Catches RLS turned off, RLS on with no policies, service-role keys shipped to the client, and long-lived auth OTPs — before real users hit them.

rls_disabled · otp_long_expiry · secret-in-client-prefix
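What clearing the rls_disabled finding on public.invoices looks like in practice, written out as an added example rather than LumioGuard's own three-step guide. It assumes a Supabase project: the `authenticated` role and `auth.uid()` are Supabase's, and `public.memberships(user_id, tenant_id)` is an assumed table mapping users to the tenants they belong to. The same pattern is the fail-closed tenant isolation the rest of this page talks about: when the caller's identity is missing, the policy yields zero rows rather than everyone's.

```sql
-- Added example (not LumioGuard's guide). Table and column names are assumed.

-- 1. Turn RLS on. With no policy yet, RLS denies every row to roles that are not
--    the table owner and lack BYPASSRLS, so this step alone stops the cross-tenant read.
ALTER TABLE public.invoices ENABLE ROW LEVEL SECURITY;
-- Apply the policies to the table owner as well. Roles with BYPASSRLS (Supabase's
-- service_role) still skip RLS, which is exactly why that key must never reach a browser.
ALTER TABLE public.invoices FORCE ROW LEVEL SECURITY;

-- 2. Scope reads to tenants the caller belongs to. If auth.uid() is NULL (anonymous
--    request, missing or expired JWT) the subquery returns no rows and the check fails
--    closed: zero rows, never another tenant's data.
CREATE POLICY invoices_select_own_tenant ON public.invoices
  FOR SELECT TO authenticated
  USING (
    tenant_id IN (
      SELECT m.tenant_id
      FROM   public.memberships m
      WHERE  m.user_id = auth.uid()
    )
  );

-- Writes need their own policies; anything without one stays denied under RLS.
-- WITH CHECK is evaluated on the new row, so a user cannot insert into another tenant.
CREATE POLICY invoices_insert_own_tenant ON public.invoices
  FOR INSERT TO authenticated
  WITH CHECK (
    tenant_id IN (
      SELECT m.tenant_id
      FROM   public.memberships m
      WHERE  m.user_id = auth.uid()
    )
  );

-- 3. Verify, the way a re-scan would: rls_disabled clears when rls_enabled is true,
--    and "RLS on with no policies" clears when policy_count is at least one.
SELECT c.relname,
       c.relrowsecurity      AS rls_enabled,
       c.relforcerowsecurity AS rls_forced,
       (SELECT count(*)
        FROM   pg_policies p
        WHERE  p.schemaname = 'public'
          AND  p.tablename  = c.relname) AS policy_count
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
WHERE  n.nspname = 'public'
  AND  c.relname = 'invoices';
```

Run the verification query before step 1 to capture the "before" evidence, then again after step 2; a table showing `rls_enabled = true` with `policy_count = 0` is the second check the page lists (RLS on, no policies), and it means the app is now locked out of its own data rather than leaking it.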
Performance

Will it scale under load? Flags missing foreign-key indexes, large sequential scans on growing tables, and a disabled connection pooler — the query shapes that get slower with every tenant you add.

possible_missing_fk_index · large_table_seq_scan · pooler_disabled
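The shape of a possible_missing_fk_index check and the fix that closes it, as an added example (not LumioGuard's own check or pull request). The catalog query lists every foreign key in `public` whose referencing columns are not the leading columns of any non-partial index; the index that follows is what a safe-pr for `orders.customer_id` would carry. Table, column, and index names are assumed.

```sql
-- Added example (not LumioGuard's). Detect foreign keys with no supporting index.
-- int2vector arrays such as pg_index.indkey are zero-based, so the slice [0:n-1]
-- is the first n index columns; the FK columns must all appear among them.
WITH fk AS (
  SELECT conrelid, conname, conkey
  FROM   pg_constraint
  WHERE  contype = 'f'
    AND  connamespace = 'public'::regnamespace
)
SELECT fk.conrelid::regclass                 AS table_name,
       fk.conname,
       array_agg(a.attname ORDER BY k.ord)   AS fk_columns
FROM   fk
CROSS JOIN LATERAL unnest(fk.conkey) WITH ORDINALITY AS k(attnum, ord)
JOIN   pg_attribute a
  ON   a.attrelid = fk.conrelid
 AND   a.attnum   = k.attnum
WHERE NOT EXISTS (
  SELECT 1
  FROM   pg_index i
  WHERE  i.indrelid = fk.conrelid
    AND  i.indpred IS NULL                    -- a partial index does not count
    AND  (i.indkey::int2[])[0:array_length(fk.conkey, 1) - 1] @> fk.conkey
)
GROUP BY fk.conrelid, fk.conname, fk.conkey
ORDER BY 1, 2;

-- Fix for the orders.customer_id row that query would return.
-- CONCURRENTLY builds without blocking writes to orders, but cannot run inside a
-- transaction block, so ship it as its own statement (a migration runner that wraps
-- every file in BEGIN/COMMIT will reject it).
CREATE INDEX CONCURRENTLY IF NOT EXISTS orders_customer_id_idx
  ON public.orders (customer_id);

-- Reversal, if ever needed. An index changes no query results, only plans and write
-- cost, which is why this class of fix carries "breakage analysis: none expected".
-- DROP INDEX CONCURRENTLY IF EXISTS public.orders_customer_id_idx;
```

The check is deliberately named "possible": an index whose leading column is the FK column but which also carries a different column order, or a covering index built for another query, will satisfy the containment test, while a table too small to ever need the index will still be flagged. Treat the result as candidates to confirm against `pg_stat_user_tables.seq_scan` rather than a verdict.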
Cost

Is spend under control? Surfaces no spend cap set, scale-to-zero left disabled, and consumption patterns that turn a busy day into a surprise invoice — named before the statement lands.

no_spend_cap · scale_to_zero_disabled · consumption
Deployment

Pipeline and release safety. Checks for unprotected preview deploys, fork builds running with secrets, and an end-of-life Node runtime — the release gaps that ship straight to production.

no_preview_protection · fork_builds_unprotected · eol_node
Reliability

Errors, logging, and recovery. Watches for production errors or stale deploys, a firewall left disabled or log-only, and missing statement timeouts that let one slow query stall the rest.

prod_error_or_stale · firewall:disabled_or_log_only · no_statement_timeout
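Closing a no_statement_timeout finding, as an added example rather than LumioGuard's fix. Role names are Supabase's defaults (`anon`, `authenticated`, `service_role`) and the limits are illustrative; the closing query is the catalog lookup a re-scan would use to confirm the setting is actually in place.

```sql
-- Added example (not LumioGuard's). Weak state: no limit, so one runaway query holds
-- its connection, and its pooler slot, until the client gives up.
--   SHOW statement_timeout;   -- 0 means "never"

-- Fix: per-role limits take effect on the next session, with no restart. Setting them
-- on the role rather than in postgresql.conf also survives a managed-provider upgrade.
ALTER ROLE anon          SET statement_timeout = '3s';
ALTER ROLE authenticated SET statement_timeout = '8s';
-- Leave service_role unbounded: migrations and backfills run there, and a timeout
-- half-way through one is a worse failure than a slow query.

-- A transaction left open and idle pins locks the same way a slow query does.
ALTER ROLE authenticated SET idle_in_transaction_session_timeout = '30s';

-- Verify: the check clears when each application role carries a non-zero timeout.
-- setdatabase = 0 means the setting applies in every database of the cluster.
SELECT r.rolname, s.setconfig
FROM   pg_roles r
JOIN   pg_db_role_setting s ON s.setrole = r.oid
WHERE  r.rolname IN ('anon', 'authenticated')
  AND  s.setdatabase = 0;
```

A query can still override the role default with `SET statement_timeout` inside its own session, so the role setting is a guard rail for forgotten or runaway queries, not a hard quota.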
Engineering

Tests and code quality. Reads GitHub secret-scanning, Dependabot, and code-scanning alerts plus branch-protection posture — so the safeguards you think are on are actually on.

secret-scanning · dependabot · code-scanning
Before / after

From hoping it's fine to seeing that it is.

Before LumioGuard

RLS on or off — the app looks identical either way
Secrets leak silently
Slow queries surface in production
The bill surprises you
"Will this fix break it?"

After LumioGuard

Your stack, checked after every change
New criticals alert you the day they appear
Missing indexes caught in the scan
A health trend you can show, not guess
Every fix arrives with a breakage analysis
See where your stack stands · Get early access
How it works

From connected to healthy, and kept there.

Connect read-only, run a scan in an isolated sandbox, read findings backed by your own code and services, and merge the fixes you approve — then it keeps watching. Four steps, no agent loose in your repo.

01 · Connect
Connect read-only
Install the GitHub App and add Supabase, Neon, or Vercel with read-only scopes. Connecting only reads — nothing scans until you say so. Pick your access level: code only, service API, or an optional deep DB scan.
02 · Scan
Run your first scan
A Claude Code agent runs in a fresh, single-tenant sandbox: reading your repository, sorting real issues from noise, then scoring your stack and getting safe fixes ready. Read-only, no general outbound network, nothing kept afterward.
03 · Score
Scores and evidence
Six pillars roll into one stack health score, 0 to 100. Filter findings by severity, open the drawer for the evidence that proves each one, and export to CSV when you need to share.
04 · Fix
Fix and keep it healthy
Safe fixes arrive as reviewable PRs, riskier ones as drafts or guides. Merge in-app; a re-scan confirms it. Then the loop continues: a re-check after every change you ship, an alert on each new critical, a trend on the timeline.
Connectors

Plugs into the stack you already built on.

Four connectors are live today, all read-only. GitHub gives the repo plus secret-scanning, Dependabot, and code-scanning alerts; Supabase, Neon, and Vercel read schema, config, and stats — never your rows. Connect what you use; LumioGuard only ever reads what each scope allows.

GitHub
source · live
Supabase
database · live
Neon
database · live
Vercel
hosting · live
Stripe
payments · soon
Clerk
auth · soon
Coming soon — Stripe · Resend · Clerk · Firebase · Upstash · Sentry · PostHog

Built from the ground up for security & privacy.

Tenant isolation, encrypted secrets, a tamper-evident audit trail, and throwaway sandboxes aren't add-ons — they're the floor everything else stands on.

01 · Fail-closed tenant isolation
Postgres row-level security scopes every workspace at the database, not just the app. If a check fails, you get zero rows — never another tenant's data.
02 · Encrypted, read-only secrets
Connector tokens are AES-256-GCM envelope-encrypted with per-row keys. Scopes are read-only and least-privilege, and you can revoke any connection at any time.
03 · Tamper-evident audit log
Every action — connect, scan, recommend, apply — is written to an append-only, HMAC-chained audit log that the tenant role cannot forge or rewrite.
04 · Ephemeral, isolated sandboxes
Each scan runs in a single-tenant Fargate sandbox with separate UIDs and one controlled path — the only way in or out. It carries the reads the scan needs and the findings it reports back; nothing else moves. Your code is fetched on demand and nothing is retained between runs.
05 · Three opt-in access levels
Start code-only. Add read-only service scopes when you're ready, or an optional deep database scan that reads system catalogs and stats — never your customers' rows. Every level is least-privilege, and revoking a connection removes its access in one click.
Pricing

Simple pricing, free while we build.

Start free, scale when you're ready. Every plan is read-only and every fix is yours to review. No card, no contract, no setup fees — nothing to uninstall but a connection.

Planned pricing — free during private beta. You won't be charged while we're in beta.
Free
$0

For your first project and a look around.

  • 1 project
  • Weekly GitHub-only scan
  • Basic stack health report
  • Evidence-cited findings
Get early access
no card · free forever for one project
Indie
$19/mo

For solopreneurs and freelancers shipping for real.

  • 3 projects
  • Weekly scans + Supabase
  • 3 fix PRs / month
  • Reports + advisor checks
Get early access
free during beta · cancel anytime
Pro · most popular
$49/mo

For small teams launching on a schedule.

  • 10 projects
  • Daily scans
  • 20 fix PRs / month
  • CI/CD checks + alerts
Get early access
free during beta · CI/CD checks live now · Slack & MCP on the way
Agency
$149/mo

For agencies shipping client apps at scale.

  • 50 projects
  • Team workspaces
  • White-label reports
  • Audience-aware client reports
Get early access
free during beta · per-client reporting built in

Enterprise. Need SSO, custom rules, audit-log export, or a private deployment? Enterprise is custom-priced and shaped around how your team ships.

Talk to us
How it compares

A linter reads code. An advisor reads your database. Neither watches your whole stack.

A linter reads your code. A dashboard advisor reads your database. Neither scores your whole stack's health, keeps watching it, or fixes what it finds.

Capability | LumioGuard | Generic linters & dashboard advisors | Doing it manually
Checks tenant isolation (RLS) is real | proven | code only | if you remember
Catches secrets leaked to the client | flagged | partial | rarely
Reads your code in context, not just patterns | AI agent | regex / rules only | n/a
Ships a breakage analysis with each fix | with every fix | no | you guess
Opens reviewable fix PRs | safe-pr | no | by hand
One stack health score across the stack | 0–100 | no | no
Runs in an isolated, no-retention sandbox | ephemeral | n/a | n/a
FAQ

The questions a careful builder asks.

Straight answers on access, retention, breakage, and what actually gets checked.

01 Will this touch my production database?

No writes, ever, without your approval. Service connections use read-only scopes, and the optional deep scan only reads system catalogs and pg_stat — never your customers' rows. Fixes come back as pull requests you review and merge yourself.

02 Do you keep my code?

No. Each scan runs in a fresh, single-tenant sandbox that reaches the outside world through one controlled path only — the path that carries the reads the scan needs and the findings it sends back. It runs the checks, then the sandbox is thrown away. Nothing about your repo is retained between scans.

03 What if a fix breaks my app?

Every fix comes with a breakage analysis, and fixes are classified by risk: safe ones become reviewable PRs on a stackguard/fix/* branch, riskier ones come as a draft or a step-by-step guide. You approve and merge in-app, never on your default branch, and a re-scan confirms the issue is actually gone before it counts as fixed.

04 How long does setup take?

A couple of minutes. Install the read-only GitHub App and connect Supabase, Neon, or Vercel with OAuth — then run your first scan when you're ready. Connecting alone never kicks one off, and you don't have to wire up CI or change how you deploy.

05 What does it actually check?

8 rule packs and over 240 checks across six pillars — security, performance, cost, deployment, reliability, and engineering. That includes RLS gaps, service-role keys in client bundles, missing FK indexes, no spend cap, unprotected preview deploys, and GitHub secret-scanning alerts — each with the evidence attached. The checks are run by a Claude Code agent that reads your code in context, not a fixed set of regexes.

06 Is my data secure?

Connector tokens are AES-256-GCM envelope-encrypted, every workspace is isolated at the database with fail-closed row-level security, and every action is written to a tamper-evident audit log. You can revoke any connection at any time.

07 Can I start for free?

Yes. LumioGuard is free during private beta, and the Free plan stays free for one project after that — a weekly GitHub-only scan with a basic report. No card to begin.

08 Does it work with Cursor and Claude Code?

Today LumioGuard scans the code those tools produce, whatever editor you used. CI/CD checks are already live — the posture and checks page is in the app, with PR pass/fail verdicts rolling out. A published MCP server that plugs directly into Cursor and Claude Code, Slack alerts, and in-app Copilot Q&A are still on the way.

09 Is this just for launch day?

No. Your stack keeps moving as you ship, so LumioGuard keeps watching: re-scan on a schedule, alerts the day a new critical appears, and a health trend on the timeline. Launch readiness is one report among three — the go/no-go you can pull when you need it — not the whole point.

10 Will this replace my engineers?

No. LumioGuard is a second pair of eyes that never sleeps — it catches the stack-health gaps a busy team misses, then hands you the fix. Every change is a pull request a human reviews and merges; it never writes to your code on its own.

11 What if my stack isn't on the connector list?

The code-only scan works on any GitHub repository, whatever you built it with — so you get findings and fixes from day one. The deeper service checks cover Supabase, Neon, and Vercel today, with more connectors on the way. Connect only what you use; everything else still gets the code scan.

12 What happens when the beta ends?

You won't be charged during the beta. Before any pricing starts, we'll give you notice — no surprise bills. And the Free tier stays free for one project.

Get early access

See what state your stack is really in.

Connect a project in a couple of minutes, read-only, and get your first stack health score with the evidence attached — and it keeps watching after. Free while we're in private beta.