Skip to content

lucioamor/lovable-portfolio-audit

Repository files navigation

NEXT LEVEL Lovable Portfolio Audit

The self-audit security toolkit for Lovable builders β€” by Lucio Amorim, Lovable Ambassador.

A self-service audit tool for Lovable.dev users to review their own projects for exposed credentials, misconfigured Supabase RLS policies, and sensitive data left in source code or chat history.

Run it against your own account. Get a clear report. Fix what needs fixing.

Built and maintained by Lucio Amorim β€” Lovable Ambassador β€” the same hands behind the Lovable Skills catalog (/wireframe, /debate, /unbot). This project is part of a wider toolkit for builders who don't just ship Lovable apps β€” they verify, harden, and stand behind them.

Author: Lucio Amorim Role: Lovable Ambassador License: Apache 2.0

Why this exists

As low-code and AI-assisted development tools gain adoption, credential leakage, data exposure, and access-control gaps have become a common class of risk across the whole ecosystem. When developers move fast, it's easy to leave API keys hardcoded, skip RLS configuration, or forget that chat history may be readable beyond its intended scope. These are general security pitfalls that apply to any platform, not faults specific to one.

This tool doesn't place blame β€” it places the solution in your hands. Instead of waiting for a platform to alert you, you audit yourself, find what's exposed, and fix it. That's it.

What it does

πŸ” Detection Engine

Component What it catches
πŸ”‘ Secret Patterns Supabase service_role, OpenAI sk-*, Anthropic sk-ant-*, Stripe sk_live_*, AWS AKIA*, GitHub ghp_*/gho_*/ghs_*, Firebase/Google AIza*, SendGrid SG.*, Slack xox*, Twilio, Resend, Postgres connection strings, JWT/PEM private keys, and more
πŸ‘€ PII Patterns Email addresses, LinkedIn profiles, CPF/CNPJ (Brazilian tax IDs), credit card numbers (Luhn-shaped), phone numbers, US SSN, Stripe customer IDs (cus_*)
πŸ›‘οΈ BOLA/IDOR Test Probes file and chat endpoints to verify whether your project returns 200 OK without ownership validation β€” a baseline access-control check aligned with the OWASP API Security Top 10 (BOLA). The CLI supports an optional dual-probe mode (--audit-token) that confirms cross-account exposure instead of inferring it from a single request
πŸ—„οΈ Supabase RLS Audit Non-invasive check against common table names using only the anon key, plus a copy-paste deep-RLS SQL checklist whose pasted result the CLI classifies into DB-003/DB-004/DB-005/DB-008/DB-009 findings β€” no automated SQL is ever run against an external Supabase
πŸ“¦ Bundle / Source-map Scan The CLI fetches a target URL's HTML and JS chunks (read-only, bounded), flags exposed source maps and missing Subresource Integrity, and extracts a hardcoded Supabase URL + anon key to correlate with an RLS gap into a compound_risk finding

The exact pattern set differs slightly between the two channels because they evolved against different rule catalogs:

  • Chrome Extension (extension/lib/data-patterns.js): 24 secret patterns + 7 PII patterns.
  • CLI (packages/cli/src/engines/patterns.ts): 27 secret patterns + 8 PII patterns.

πŸ“Š Analysis & Reporting

Component What it does
🎯 Risk Scoring (0–100) Weighted formula combining BOLA exposure, secret/PII counts, RLS status, source-map exposure, and project recency β€” auto-classifies as Catastrophic / Critical / High / Medium / Low / Clean
🧾 Reproducible Rationale Every score ships with a rationale breakdown (which signals contributed how many points) so the number is auditable, not a black box
Remedy Guidance Findings are enriched with structured fix guidance in English, Portuguese, and Spanish. CLI JSON/SARIF include remedy metadata; Markdown/HTML and the extension panel render the steps inline
πŸ–₯️ Extension Dashboard Dark side-panel UI with risk rings, severity badges, scan history, and per-finding remediation guidance
πŸ” Baseline & Drift Both channels persist a fingerprinted baseline (CLI: .nxlv-baseline.json) and report new / unchanged / resolved findings between runs
πŸ“¦ Demo Mode The extension can explore the full interface with realistic sample data β€” no token needed

πŸš€ Output & Actions

Component What you get
πŸ“₯ JSON / SARIF / Markdown / HTML The CLI emits structured JSON, GitHub-ready SARIF 2.1.0, a Markdown report, or a single self-contained HTML file (--format json|sarif|markdown|html|all). JSON/SARIF carry remedy metadata; Markdown/HTML show the fix steps
πŸ” Signed Evidence Pack The extension exports an HMAC-SHA256 signed report for tamper-proof forensic documentation (see verification below)
🌐 Trilingual UI πŸ‡ΊπŸ‡Έ English (default) Β· πŸ‡§πŸ‡· PortuguΓͺs Β· πŸ‡ͺπŸ‡Έ EspaΓ±ol β€” switch instantly, no reload

Two ways to run it

🧩 Chrome Extension (recommended)

Runs in your browser, reads your own lovable.dev session β€” no manual token handling required.

  1. Open Chrome β†’ chrome://extensions
  2. Enable Developer mode (top right toggle)
  3. Click Load unpacked and select the extension/ directory from this repo
  4. Pin the icon to your toolbar, open the side panel, and run a scan

πŸ–₯️ CLI (@nxlv-ai/lovable-audit)

A standalone Node CLI (Node β‰₯ 20) for terminal and CI use. It needs your Lovable Bearer token, which it reads from --token or the LOVABLE_TOKEN environment variable.

# Scan your account (interactive / local)
npx @nxlv-ai/lovable-audit scan --token <bearer>

# Or via env var
LOVABLE_TOKEN=<bearer> npx @nxlv-ai/lovable-audit scan

# Machine-readable / shareable output
npx @nxlv-ai/lovable-audit scan --token <bearer> --format json   --output results.json
npx @nxlv-ai/lovable-audit scan --token <bearer> --format sarif   --output results.sarif
npx @nxlv-ai/lovable-audit scan --token <bearer> --format markdown --output report.md
npx @nxlv-ai/lovable-audit scan --token <bearer> --format html    --output report.html

# Scan a deployed URL's headers, source maps, and bundle
npx @nxlv-ai/lovable-audit scan --token <bearer> --url https://myapp.lovable.app

# Confirm token validity only
npx @nxlv-ai/lovable-audit verify --token <bearer>

Getting your token: open lovable.dev while logged in, open DevTools (F12) β†’ Network, filter for api.lovable.dev, and copy the Authorization: Bearer <token> value.

Useful flags: --deep (download and scan file contents locally, behind a consent prompt), --audit-token (dual-probe BOLA confirmation), --baseline / --update-baseline (drift tracking), --rls-checklist (print the copy-paste deep-RLS SQL), --rls-result <file> (classify a pasted RLS result), --no-chat / --no-files / --no-rls / --no-headers (scope the scan).

CI mode

The ci subcommand is optimized for pipelines: it writes SARIF and exits non-zero when critical or catastrophic findings are present.

LOVABLE_TOKEN=<bearer> npx @nxlv-ai/lovable-audit ci --output nxlv-audit.sarif

A ready-to-use GitHub Action workflow lives in .github/workflows/nxlv-audit.yml, and the published privacy policy is in PRIVACY.md.

More commands

# Regenerate a report from a saved JSON result β€” no re-scan
npx @nxlv-ai/lovable-audit report results.json --format html --output report.html

# Extract the copy-paste AI fix prompts from a saved result
npx @nxlv-ai/lovable-audit fix-prompt results.json --output prompts.md

# Verify the HMAC signature of an exported evidence pack
npx @nxlv-ai/lovable-audit verify-evidence pack.json --passphrase <device-key>

# Track drift vs a baseline and POST a summary to a webhook
# (payload carries only counts + finding identifiers β€” no tokens, no raw bodies)
npx @nxlv-ai/lovable-audit scan --token <bearer> --baseline --webhook https://example.com/hook

Developer tooling

  • Pre-commit token guard β€” npm run hooks:install wires a dependency-free git hook (.githooks/pre-commit) that blocks committing token-shaped strings or code that logs secrets. Bypass with NXLV_SKIP_TOKEN_SCAN=1 when needed.
  • Package the extension β€” npm run package:ext produces a Chrome Web Store zip under dist/.
  • Pattern drift gate β€” npm run check:drift fails if the extension and CLI rule catalogs diverge.

Verifying an Evidence Pack

The Signed Evidence Pack export (lpa-evidence-*.json) includes an hmac_sha256 signature. This allows third parties to verify that the report was generated by this tool and has not been tampered with.

To verify using Node.js:

const { webcrypto } = require('crypto');
const fs = require('fs');

async function verify() {
  const file = JSON.parse(fs.readFileSync('./lpa-evidence-123.json', 'utf-8'));
  const payloadStr = JSON.stringify(file.payload, null, 2);
  const passphrase = 'your-passphrase-or-device-key';

  const enc = new TextEncoder();
  const base = await webcrypto.subtle.importKey('raw', enc.encode(passphrase), { name: 'PBKDF2' }, false, ['deriveKey']);
  const key = await webcrypto.subtle.deriveKey(
    { name: 'PBKDF2', salt: enc.encode('lpa-evidence-v1'), iterations: 100000, hash: 'SHA-256' },
    base, { name: 'HMAC', hash: 'SHA-256' }, true, ['verify']
  );

  const sigBytes = new Uint8Array(file.hmac_sha256.match(/.{2}/g).map(h => parseInt(h, 16)));
  const isValid = await webcrypto.subtle.verify('HMAC', key, sigBytes, enc.encode(payloadStr));

  console.log('Signature Valid:', isValid);
}
verify();

The CLI can also verify packs programmatically; the Node snippet above remains the portable, dependency-free reference.

Architecture

The project is a Chrome Extension (Manifest V3, plain JS) plus a standalone TypeScript CLI. There is no longer a web app β€” that earlier Vite demo has been removed.

β”œβ”€β”€ extension/                     # Chrome Extension (Manifest V3)
β”‚   β”œβ”€β”€ manifest.json              # Permissions + service worker config
β”‚   β”œβ”€β”€ background.js              # Service worker β€” audit orchestrator + message bus
β”‚   β”œβ”€β”€ content.js                 # Page collectors (state / route / DOM-sink scans)
β”‚   β”œβ”€β”€ interceptor.js             # Passive fetch/XHR hook (masked extraction in page context)
β”‚   β”œβ”€β”€ popup.html                 # Quick-view popup
β”‚   β”œβ”€β”€ sidepanel.html/js/css      # Full dashboard in the side panel
β”‚   β”œβ”€β”€ devtools.html/js           # DevTools bridge
β”‚   β”œβ”€β”€ devtools-panel.html/js     # Live findings / endpoints / routes panel
β”‚   β”œβ”€β”€ icons/                     # Extension icons
β”‚   └── lib/                       # Core modules (plain JS)
β”‚       β”œβ”€β”€ api-client.js          # Lovable API + chrome.cookies auth
β”‚       β”œβ”€β”€ audit-engine.js        # Inspection orchestrator
β”‚       β”œβ”€β”€ data-patterns.js       # 24 secret + 7 PII patterns
β”‚       β”œβ”€β”€ masking.js             # Secret masking + line numbers
β”‚       β”œβ”€β”€ health-scorer.js       # Scoring algorithms
β”‚       β”œβ”€β”€ remedy.js              # Structured remediation catalog
β”‚       β”œβ”€β”€ evidence-pack.js       # HMAC-signed evidence export
β”‚       β”œβ”€β”€ logger.js              # Logging helper
β”‚       β”œβ”€β”€ passive-endpoints.js   # Endpoint normalization (5th-endpoint candidate detection)
β”‚       β”œβ”€β”€ i18n.js                # Trilingual translations
β”‚       └── skills/                # Security "skills" modules
β”‚           β”œβ”€β”€ token-vault.js     # AES-GCM + PBKDF2 token vault (lock/unlock)
β”‚           β”œβ”€β”€ consent-gate.js    # L0/L1/L2 consent + legal first-run
β”‚           β”œβ”€β”€ secret-hasher.js   # SubtleCrypto SHA-256 hashing + dedupe
β”‚           β”œβ”€β”€ structured-logger.js  # JSON logger with secret redaction
β”‚           β”œβ”€β”€ rationale-logger.js   # Frozen signal weights + verifiable score rationale
β”‚           β”œβ”€β”€ dual-probe.js      # ownerΓ—audit BOLA signature matrix
β”‚           β”œβ”€β”€ scan-history.js    # Run history + delta comparison
β”‚           β”œβ”€β”€ rls-checklist.js   # Deep-RLS copy-paste checklist classifier
β”‚           └── pattern-catalog.js # Dynamic rule catalog (remote fetch + toggle + TTL cache)
β”‚
β”œβ”€β”€ packages/cli/                  # Standalone CLI (@nxlv-ai/lovable-audit, TypeScript)
β”‚   └── src/
β”‚       β”œβ”€β”€ index.ts               # CLI entry β€” scan / verify / ci commands
β”‚       β”œβ”€β”€ commands/scan.ts       # Scan orchestrator
β”‚       β”œβ”€β”€ engines/
β”‚       β”‚   β”œβ”€β”€ patterns.ts        # 27 secret + 8 PII patterns
β”‚       β”‚   β”œβ”€β”€ lovable-client.ts  # Lovable API client + response-signature classifier
β”‚       β”‚   β”œβ”€β”€ supabase-engine.ts # RLS probe + security headers
β”‚       β”‚   β”œβ”€β”€ rls-checklist.ts   # Deep-RLS SQL + pasted-result classifier
β”‚       β”‚   β”œβ”€β”€ bundle-scan.ts     # Remote bundle / source-map / SRI scan
β”‚       β”‚   β”œβ”€β”€ scorer.ts          # Weighted risk score + rationale
β”‚       β”‚   └── baseline.ts        # Fingerprinted baseline + drift
β”‚       β”œβ”€β”€ remedy/index.ts        # Structured remediation catalog
β”‚       β”œβ”€β”€ reporters/index.ts     # console / json / sarif / markdown / html output
β”‚       └── util/logger.ts         # Redacting structured logger
β”‚
└── package.json                   # Root scripts: test (vitest), build:cli, check:drift

Principles

  1. Tokens never leave your browser β€” never transmitted to external servers
  2. Response bodies stay local β€” only metadata and masked findings are retained in the report
  3. Read-only β€” only GET requests against api.lovable.dev, never POST/PUT/DELETE
  4. Rate limited β€” sustained request throttling to avoid overloading the API
  5. Identified β€” requests include an X-Client identifier

Scope

This tool is for auditing your own account. The Chrome Extension operates only on projects belonging to the authenticated user's session, and the CLI only on the account behind the token you provide. It is not designed for, and cannot be used for, inspecting projects belonging to other accounts.

Authorship and maintenance

This project was created by Lucio Amorim, Lovable Ambassador.

When reusing, redistributing, or citing this work, keep the attribution credits and include a link to this repository.

License

Licensed under Apache 2.0.

In plain terms: use it freely β€” including commercially β€” but if you reproduce it, redistribute it, or fold any part of it into a product of your own, you must credit Lucio Amorim as a contributor, link back to his LinkedIn, and link to the license.

Suggested attribution line:

Includes work by Lucio Amorim (Lovable Ambassador) β€” https://linkedin.com/in/lucioamorim β€” licensed under Apache 2.0.

About

Security infrastructure for Lovable portfolios. Detects authorization gaps, credential exposure, RLS misconfigurations, and PII leakage at the scale vibe-coded operations demand. Built for operators running dozens to hundreds of Lovable projects in production.

Topics

Resources

License

Stars

4 stars

Watchers

1 watching

Forks

Packages

 
 
 

Contributors