What is Vibefixing and what does it scan?

Vibefixing is a runtime supervisor and security scanner for AI agents. It statically analyzes your codebase to find, before they reach production, the unsafe tool calls your AI agent can execute: unguarded Stripe charges, raw database mutations, filesystem writes, and shell commands.

How does Vibefixing prevent prompt injection in AI agents?

Vibefixing identifies tool calls that lack input validation or guardrails, which are the primary attack surface for prompt injection. It flags every path where an LLM output can trigger an irreversible action without a human confirmation step, so you can close the gaps that make injection exploits dangerous.

Is Vibefixing safe to use for vibe coders shipping with AI-generated code?

Yes. Vibefixing is designed for vibe coders: developers shipping fast with AI assistants like Claude, Cursor, or Copilot. It catches risky patterns LLMs commonly generate: unguarded API calls, database deletes without confirmation, and credential exposure in tool call arguments.

Does Vibefixing work with any AI agent framework?

Vibefixing analyzes your repository at the code level, so it works with any agent framework: LangChain, LlamaIndex, CrewAI, custom OpenAI function-calling, Anthropic tool use, or plain Python scripts. No instrumentation or runtime hooks required.

I'm not building an AI agent — does Vibefixing still help?

Yes. The same patterns an agent can misuse (Stripe checkout sessions, account mutations, webhook handlers that double-charge when an event is re-delivered) are what get exploited by prompt injection, a careless contractor, or a runaway script. Vibefixing flags them whether or not an LLM is in the call chain. Supported stacks include Next.js App Router (route handlers and Server Actions), Stripe (TypeScript and Python), Supabase (service-role writes and row-level security checks on migrations), Prisma, and SQLAlchemy.
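
The webhook case above comes down to idempotency. The sketch below shows one common way to make a handler safe under re-delivery: record each event ID and skip events already seen. It is an illustration, not Vibefixing's generated guard; the `handle_payment_event` function, the in-memory `processed_event_ids` set, and the event shape are all assumptions, and a real handler would keep the seen IDs in a durable store.

```python
# Hypothetical in-memory stores, for illustration only.
processed_event_ids: set[str] = set()
charges: list[tuple[str, int]] = []


def handle_payment_event(event: dict) -> bool:
    """Apply a payment event at most once.

    Returns True if the event was applied, False if it was a re-delivery.
    """
    event_id = event["id"]
    if event_id in processed_event_ids:
        # Re-delivered event: acknowledge it, but do not charge again.
        return False
    processed_event_ids.add(event_id)
    charges.append((event["customer"], event["amount"]))
    return True


event = {"id": "evt_1", "customer": "cus_1", "amount": 2900}
first = handle_payment_event(event)
second = handle_payment_event(event)  # simulated retry of the same event
```

Keying on the event ID rather than on the payload means a retry with identical content is still recognized as a duplicate.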

What unsafe actions does Vibefixing detect?

Vibefixing detects: Stripe charges, refunds, subscription changes, and customer portal sessions (TypeScript and Python); raw SQL mutations and Supabase writes that bypass row-level security; Next.js Server Actions and API route handlers; webhook handlers that replay database writes on retry; filesystem deletes; shell execution; emails sent without per-call confirmation. Each finding includes the file, line, and a one-line wrap.

How long does a Vibefixing scan take?

A public repository scan typically completes in under 60 seconds. Vibefixing uses static analysis and does not run your code or require an API key for the scan. Results include a risk score, a list of unsafe actions, and copy-paste guardrail code for each finding.

Does Vibefixing scan every pull request automatically?

Yes. Install the Vibefixing GitHub App on your repo and every pull request gets scanned automatically. Within 5 seconds of opening a PR, Vibefixing diffs the head ref against your previous scan and posts a comment listing only the new unsafe call-sites. Clean PRs get no comment, so there is no spam. Free for public repos; private repos and CI integration are part of Builder ($29/mo), while team workflows, SSO, and org-level controls start at Pro ($99/workspace/mo).

How is Vibefixing different from regular code review or static analysis?

Code review and SAST tools catch bugs in code your tests already cover. Vibefixing catches what your tests cannot: actions an LLM can fire at runtime in ways no test case anticipated. Refunds the model decides to issue, files it decides to delete, emails it decides to send. Each detector maps to a runtime guard you can drop in with one line.

How is Vibefixing different from Snyk or Semgrep for AI agents?

Snyk and Semgrep are built for human-written code vulnerabilities: CVEs, dependency audits, known patterns. Vibefixing is built specifically for LLM-driven execution paths — the tool calls an AI agent fires at runtime based on user input. It understands agent shapes (tool-using, chatbot, RAG, MCP-server) and surfaces risk framed around what the model can do, not what a human wrote incorrectly.

Does Vibefixing replace runtime monitoring tools like LangSmith?

No — they are complementary. LangSmith and similar tools observe what your agent does at runtime after deployment. Vibefixing runs before deployment, on your static codebase, to catch unsafe tool call patterns before they ever reach production. Use Vibefixing in CI to prevent risky code from shipping, and runtime monitoring to observe behavior after it ships.


Field note · May 26, 2026 · data privacy

Your agent just emailed the wrong customer's invoice

A B2B SaaS we know runs a billing agent that emails monthly invoices. On a Tuesday morning, eleven customers received an invoice belonging to a different customer. Different company names. Different amounts. Different line items. The agent didn't do anything dramatic — it ran the same template it had been running for six months. The change was three lines deeper in the stack, in a query the LLM had quietly refactored.

The fix isn't at the email layer. By the time the agent has a row in hand, the privacy bug has already happened. The fix is one wrap at the data layer.

The query the agent shipped

The billing agent reads outstanding invoices and emails one per recipient. The original query was tenant-scoped:

# before
def outstanding_invoices(tenant_id: str) -> list[Invoice]:
    return (
        db.query(Invoice)
          .filter(Invoice.tenant_id == tenant_id)
          .filter(Invoice.status == "outstanding")
          .all()
    )

Then the engineer asked Cursor to add a sort by due-date and a limit. The model refactored the function, and the new version came back without the tenant_id filter:

# after — what shipped
def outstanding_invoices(tenant_id: str) -> list[Invoice]:
    return (
        db.query(Invoice)
          .filter(Invoice.status == "outstanding")
          .order_by(Invoice.due_date.desc())
          .limit(50)
          .all()
    )
# tenant_id parameter still there. WHERE clause gone.

The function signature still demanded a tenant_id, so every caller still passed one — code review didn't flag it because the call sites looked unchanged. Tests passed because the seeded test DB only had one tenant. Production has a hundred.
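
A regression test seeded with more than one tenant would have caught the missing filter. The sketch below uses the standard-library `sqlite3` module rather than the team's ORM, so the schema, the tenant IDs, and the helper names (`make_db`, `outstanding_unscoped`, `outstanding_scoped`, `leaks_other_tenants`) are assumptions made for illustration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Seed an in-memory database with invoices for two tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoice (id INTEGER PRIMARY KEY, tenant_id TEXT, "
        "status TEXT, due_date TEXT)"
    )
    conn.executemany(
        "INSERT INTO invoice (tenant_id, status, due_date) VALUES (?, ?, ?)",
        [
            ("t_111", "outstanding", "2026-05-01"),
            ("t_842", "outstanding", "2026-05-02"),
            ("t_842", "paid", "2026-04-01"),
        ],
    )
    return conn


def outstanding_unscoped(conn: sqlite3.Connection, tenant_id: str) -> list:
    """Mirrors the shipped query: tenant_id is accepted but never used."""
    return conn.execute(
        "SELECT id, tenant_id FROM invoice WHERE status = 'outstanding' "
        "ORDER BY due_date DESC LIMIT 50"
    ).fetchall()


def outstanding_scoped(conn: sqlite3.Connection, tenant_id: str) -> list:
    """Mirrors the original query: filtered by tenant."""
    return conn.execute(
        "SELECT id, tenant_id FROM invoice "
        "WHERE tenant_id = ? AND status = 'outstanding' "
        "ORDER BY due_date DESC LIMIT 50",
        (tenant_id,),
    ).fetchall()


def leaks_other_tenants(rows: list, tenant_id: str) -> bool:
    """True if any returned row belongs to a different tenant."""
    return any(row_tenant != tenant_id for _, row_tenant in rows)


conn = make_db()
# The unscoped query returns t_111's invoice to t_842's caller.
assert leaks_other_tenants(outstanding_unscoped(conn, "t_842"), "t_842")
# The scoped query does not.
assert not leaks_other_tenants(outstanding_scoped(conn, "t_842"), "t_842")
```

With a single seeded tenant, both queries return the same rows and the first assertion cannot fire, which is the blind spot the incident relied on.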

Why the email-layer guard wouldn't have helped

The instinct after an incident like this is to put a check right before send_invoice_email — verify the recipient's tenant matches the invoice's tenant. That guard is fine. It doesn't solve the problem.
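
For reference, the email-layer check described above might look like the sketch below. The `InvoiceRow` and `Recipient` types, the `TenantMismatch` exception, and `assert_same_tenant` are hypothetical names, not part of the billing agent or of Vibefixing.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class InvoiceRow:
    id: int
    tenant_id: str


@dataclass(frozen=True)
class Recipient:
    email: str
    tenant_id: str


class TenantMismatch(Exception):
    """Raised when an invoice is about to go to another tenant's contact."""


def assert_same_tenant(invoice: InvoiceRow, recipient: Recipient) -> None:
    # Runs immediately before the send step. Note that the invoice row
    # has already been read into memory by the time this check executes.
    if invoice.tenant_id != recipient.tenant_id:
        raise TenantMismatch(
            f"invoice {invoice.id} belongs to {invoice.tenant_id}, "
            f"recipient belongs to {recipient.tenant_id}"
        )


def mismatch_detected(invoice: InvoiceRow, recipient: Recipient) -> bool:
    """Convenience wrapper used to demonstrate the guard."""
    try:
        assert_same_tenant(invoice, recipient)
    except TenantMismatch:
        return True
    return False
```

The guard stops the send, but it only sees the row after the read has completed.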

By the time you're at the email step, the cross-tenant read has already happened. The agent has the wrong row in memory. Now it's in the LLM's context. Now it's in whatever logging service captures function arguments. Now it might end up in a customer-support chat transcript when a human asks the agent what it did this morning. The bug fans out.

The right gate sits where the data leaves the database. If a row crosses a tenant boundary on read, the read itself is the policy violation.

The wrap

Vibefixing's data_access action type intercepts four signals: dataset, columns, actor, purpose. The wrap lets the policy refuse a read where the actor doesn't belong to the row's tenant.

from supervisor_guards import supervised
from supervisor_guards.signals import data_access

@supervised(
    "data_access",
    signals=lambda tenant_id, **_: data_access(
        dataset="invoice",
        columns=["id", "tenant_id", "amount", "recipient_email"],
        actor={"tenant_id": tenant_id, "role": "billing-agent"},
        purpose="monthly_billing_run",
    ),
)
def outstanding_invoices(tenant_id: str) -> list[Invoice]:
    rows = (
        db.query(Invoice)
          .filter(Invoice.status == "outstanding")
          .order_by(Invoice.due_date.desc())
          .limit(50)
          .all()
    )
    # the supervisor refuses the read if any row's tenant_id
    # differs from actor.tenant_id — the missing WHERE clause
    # surfaces as a denial, not as a leaked invoice.
    return rows

The policy file that backs the wrap is plain YAML:

# packages/policies/data_access.tenant_isolation.v1.yaml
applies_to: action_type=data_access, dataset=invoice
require_evidence:
  - field: rows[*].tenant_id
    must_equal: actor.tenant_id
on_violation:
  decision: deny
  reason: "cross-tenant read attempted by billing-agent"
  emit_threat: { detector_id: "cross-tenant-read", level: "critical" }

When the LLM ships a query that loses the tenant_id filter, the policy denies the read. The agent gets back an empty list and a decision the operations team can replay. The eleven customers never see the wrong invoice.
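
To make the rule concrete, here is a minimal sketch of what evaluating `rows[*].tenant_id must_equal actor.tenant_id` amounts to. It is not the supervisor's implementation; the `Decision` type and `evaluate_tenant_isolation` function are assumptions, and rows are modeled as plain dictionaries.

```python
from dataclasses import dataclass
from typing import Iterable, Mapping


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    offending_tenants: frozenset


def evaluate_tenant_isolation(
    rows: Iterable[Mapping[str, str]], actor: Mapping[str, str]
) -> Decision:
    """Deny the read if any row belongs to a tenant other than the actor's."""
    expected = actor["tenant_id"]
    offending = frozenset(
        row["tenant_id"] for row in rows if row["tenant_id"] != expected
    )
    if offending:
        return Decision(False, "cross-tenant read attempted", offending)
    return Decision(True, "all rows belong to the actor's tenant", frozenset())


actor = {"tenant_id": "t_842", "role": "billing-agent"}
leaky_rows = [
    {"tenant_id": "t_111"},
    {"tenant_id": "t_842"},
    {"tenant_id": "t_904"},
]
decision = evaluate_tenant_isolation(leaky_rows, actor)
```

Collecting the offending tenant IDs, rather than stopping at the first mismatch, gives the replay enough detail to show how far the read reached.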

What shadow mode would have shown the team the morning before

With the wrap installed and SUPERVISOR_ENFORCEMENT_MODE=shadow set, nothing is blocked — but every would-block writes a decision to the supervisor's evidence chain. The morning digest the day before the incident:

Subject: 4 actions would have been blocked yesterday — vibefixing

  1. CROSS_TENANT_READ × 4 calls
     outstanding_invoices(tenant_id=t_842) returned rows for
     tenants {t_111, t_842, t_904}. The function lost its tenant
     WHERE clause in commit 1f4c2a.
     Open replay →

Flip to enforce when you trust shadow → vibefixing.me/dashboard

The fix is in source control. The four caught reads in shadow mode are the warning before the eleven uncaught reads in prod.
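
The difference between shadow and enforce can be sketched as a single branch. This is an assumption about the behavior described above, not the supervisor's code: `apply_decision` and the `evidence_log` list are hypothetical, and defaulting to shadow when `SUPERVISOR_ENFORCEMENT_MODE` is unset is a choice made for this example only.

```python
import os
from typing import Optional


def apply_decision(
    rows: list,
    allowed: bool,
    evidence_log: list,
    mode: Optional[str] = None,
) -> list:
    """Return the rows the caller should see, given a policy decision.

    shadow:  record the would-block, but return the rows unchanged.
    enforce: record the block and return an empty list.
    """
    if mode is None:
        # Assumption: fall back to shadow if the variable is not set.
        mode = os.environ.get("SUPERVISOR_ENFORCEMENT_MODE", "shadow")
    if allowed:
        return rows
    evidence_log.append(
        {"mode": mode, "blocked": mode == "enforce", "row_count": len(rows)}
    )
    if mode == "enforce":
        return []
    return rows


log: list = []
shadow_result = apply_decision(["inv_1", "inv_2"], False, log, mode="shadow")
enforce_result = apply_decision(["inv_1", "inv_2"], False, log, mode="enforce")
```

Both modes write the same evidence record, so a digest built from shadow-mode records shows what enforce mode would have blocked.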

What I'm not worried about

Your DB is fine. Your ORM is fine. The wrap doesn't change the query, doesn't add indexes, doesn't need a migration. It reads what the function read, compares it to the actor's scope, and refuses the inconsistent case. It takes under fifteen minutes to install on the billing path, plus the parallel paths the scanner flags for you when you point it at the repo.

