DEV Community

Jakub
Jakub

Posted on

Audit Vibe Coding by Inithouse: 47 automated checks for AI-generated apps (and the 5 issues we always find first)

At Inithouse, we ship a growing portfolio of products built with AI code generation tools. Every quarter, we run a structured audit across our codebases. Q3 just started. Here's what we look for.

The first half of the year is for shipping. You push features, test ideas, launch MVPs. Q3 is when the technical debt from that speed starts compounding. Users who found you in H1 expect things to keep working. Search engines that indexed you in spring will recrawl in summer. If your meta tags are still broken, that's traffic you won't recover.

We built Audit Vibe Coding because we kept finding the same problems across our own projects. The tool runs 47 automated checks across security, SEO, performance, accessibility, and code quality. But even without the tool, the pattern of what breaks is consistent enough to write down.

The 5 things we catch every quarter

1. Hardcoded secrets in client-side code

AI generators get things working fast. They also drop API keys, database URLs, and auth tokens directly into frontend files. We've caught this in three of our own projects. It works perfectly in development and becomes a real problem the moment someone opens DevTools.

What to grep for: .env references in /src, hardcoded supabase or firebase URLs in component files, API keys outside environment variables.

2. Missing or broken meta tags (the SPA trap)

Single-page apps built with React (which most AI builders produce) have a specific indexation problem. The HTML shell ships with generic or empty <title> and <meta> tags. Google crawls the shell, not the rendered page. Result: your blog has 30 posts and Google thinks they're all the same page.

We've tracked this across our portfolio. Pages show up as "crawled, not indexed" in Google Search Console, sometimes with every URL canonicalized to the homepage. Fix: server-side rendering for meta tags, or at minimum a pre-rendering service.

3. Broken accessibility defaults

AI-generated UIs tend to look polished but miss structural accessibility. Common gaps: images without alt attributes, form inputs without labels, missing ARIA landmarks, insufficient color contrast on interactive elements. Screen readers can't navigate the page, and Lighthouse scores drop below 60.

Quick test: run npx lighthouse --only-categories=accessibility on your homepage. Below 80 means low-hanging fruit waiting to be fixed.

4. Performance bottlenecks from unoptimized assets

Vibe-coded projects accumulate assets fast. AI builders inline SVGs that should be components, import entire icon libraries for three icons, and generate images at resolutions that don't match their display size. One of our projects had a 4.2 MB hero image on a page with a 6.8-second LCP.

Check Core Web Vitals in Search Console. LCP above 2.5 seconds means you're losing visitors before they see your product.

5. Dead event tracking

You set up analytics. The AI builder generated track('button_click') calls. But nobody checked whether the events actually fire, whether the property IDs are correct, or whether the tracking script loads before the first interaction. We've found projects with complete GA4 setups that recorded zero events over 28 days. Every conversion metric was a ghost.

Verify in GA4 DebugView: click every CTA on your site and confirm the event shows up in real time.

Why we audit at the start of each quarter

At Inithouse, we run Audit Vibe Coding against every project in the portfolio when Q3 opens. The scored report prioritizes fixes by impact: security issues first, then SEO, then performance, then accessibility, then code quality cosmetics. That ordering matters because a leaked API key is a production incident, while a missing alt tag is a Lighthouse point.

The alternative is waiting for something to break. A broken auth flow on a Friday evening once cost us three days of debugging and a spike of rage clicks in our session recordings. The audit would have flagged the underlying issue in minutes.

The compressed checklist

If you want to do this manually, here's the minimum Q3 pass:

  1. Grep your frontend for hardcoded secrets. Move them to environment variables.
  2. Check Google Search Console for "crawled, not indexed" pages. Fix your meta tags or add pre-rendering.
  3. Run a Lighthouse accessibility audit. Fix anything scoring below 80.
  4. Measure Core Web Vitals. Compress oversized images, lazy-load below-the-fold content.
  5. Open GA4 DebugView and click through your critical paths. Confirm events fire correctly.

That covers a fraction of the 47 checks Audit Vibe Coding runs, but those 5 areas are where we find the most damage, consistently.

Vibe coding changed how fast you can ship. It didn't change the fact that shipped code needs a quality pass. Start Q3 with that pass, not a production incident.

Top comments (0)