Описание
The local security gate for AI-generated code.
README
PreFlight helps AI-built Next.js, Supabase, Vercel, Cursor, Lovable, Bolt, and Claude-assisted codebases catch launch-blocking repo risk before production.
It combines a local AST security daemon, Micro-Fuzzer, Quantized Code Property Graph, MCP bridge, VS Code/Cursor companion extension, and native Windows fallback alerts to catch unsafe auth, RLS, SQL, SSRF, command execution, dependency, and secret-handling drift before it ships.
Website: https://preflight-vibe.vercel.app
PreFlight Repo Risk Report
The current paid offer is a private, manually verified report for one public repo.
Price: $49 global / ₹2,999 India
Delivery: 48-72 hours
Included: 1 month of PreFlight Pro access
Guarantee: If the report does not contain at least one useful, verified issue, you get a full refund. No scanner noise.
What you get:
- Top 5 verified findings
- Exact file paths and severity
- Why each issue matters
- Suggested fix direction
- A short private report you can send to a founder, CTO, client, or engineering lead
- One month of PreFlight Pro so you can run the local guardrail after the report
Order from the website: https://preflight-vibe.vercel.app
What PreFlight Checks
PreFlight is designed for the failure modes AI coding tools often introduce when they generate database, auth, payment, and backend code:
- Missing Supabase Row-Level Security (RLS)
- Unsafe or theatrical RLS policies such as broad
USING (true)access - Service-role keys leaking into client or route code
- Auth checks drifting out of scope
- Unsafe database mutations and IDOR-style ownership gaps
- Stripe/webhook integrity regressions
- Command injection, SQL injection, SSRF, and path traversal
- Hardcoded secrets and unsafe dependency ranges
Tri-State Risk Score Engine
This is the core PreFlight signal. Every scan resolves into one of three clear outcomes so you know whether to stop, review, or ship.
| Score | Meaning | What It Catches |
|---|---|---|
| 🔴 Hard Block | Stop immediately. This change is unsafe to ship. | Exposed frontend secrets, leaking database service roles, command execution, SQL injection, or missing Supabase Row Level Security (RLS). |
| 🟡 High-Risk Drift | Review carefully. The code may be structurally wrong even if it runs. | Structural state inconsistencies, un-idempotent webhooks, weak validation, or open CORS contexts. |
| 🟢 Pass | Safe to continue. No blocking structural risk was detected. | Standard local edits matching your expected stack rules. |
Local CLI: PreFlight Guardian
Developers can also install the local CLI directly.
Free local usage includes:
- Unlimited local scans
- The Eye background daemon
- Native Windows popup fallback when no extension is connected
- MCP scan tooling
- 10 total patch applications across local deterministic fixes and proxy-backed AI fixes
Install and start The Eye:
npm install -g preflight-pro@latest
preflight start
Run a one-shot scan:
preflight scan .
Run scan with fixes:
preflight scan . --fix
VS Code / Cursor Companion
The VS Code/Cursor extension is the optional visual layer. The core engine, daemon, MCP server, Windows fallback popup, and fix pipeline all live in the global preflight CLI.
- Install the CLI:
npm install -g preflight-pro@latest
preflight start
- Install the companion extension:
- Download VSIX from the PreFlight website
- Or open GitHub Releases and install the latest
preflight-companionVSIX. - In VS Code or Cursor, open the Extensions panel, click the
...menu, chooseInstall from VSIX..., and select the downloaded file.
- Save a file. The extension connects to The Eye daemon and surfaces PreFlight alerts in-editor.
If the extension is not installed or not connected, The Eye still runs. For terminal-only workflows and desktop AI agents, PreFlight falls back to a native Windows hard-block popup.
Pro / Beta Keys
Free users get unlimited scans and 10 total patches across local fixes and proxy-backed AI fixes.
After the 10 free patches are used, unlimited fixes require a Pro/Beta key. Repo Risk Report buyers receive temporary PreFlight Pro access as part of the report package.
Activate a key:
preflight auth PREFLIGHT-BETA-XXXXX
For one terminal session, you can also set it manually:
$env:PREFLIGHT_PRO_KEY="PREFLIGHT-BETA-XXXXX"
export PREFLIGHT_PRO_KEY="PREFLIGHT-BETA-XXXXX"
The Eye and MCP
- The Eye:
preflight startregisters the current project and starts PreFlight's local daemon. - Windows fallback popup: When no extension client is connected, the daemon shows a native Windows hard-block notification. This covers terminal-only users and desktop-agent users.
- MCP bridge:
preflight mcpis available for supported AI editors so agents can call PreFlight tools without leaving the coding flow.
Start the MCP server locally:
preflight mcp
Available MCP tools include:
scan_projectpreflight_fixaudit_dependencies
scan_project remains free and unlimited. preflight_fix shares the global 10-patch free allowance before a PREFLIGHT_PRO_KEY is required.
Engine Upgrades
PreFlight is powered by deeper local analysis primitives:
- Micro-Fuzzer: Generates focused security payloads for risky data-flow paths, such as SQL injection, command injection, auth bypass, SSRF, and path traversal.
- Quantized CPG (Code Property Graph): Builds a compact in-memory graph of syntax, control flow, and data flow so PreFlight can trace untrusted input into dangerous sinks instead of relying on brittle string matching.
- The Eye daemon: Runs locally through the CLI/extension workflow and watches file saves so issues appear while the AI coding session is still active. If the extension is not installed, Windows users still receive native popup alerts for hard-block findings.
2-Phase Fix Pipeline
PreFlight runs fixes in a strict sequence:
- Phase 1: Offline Local AST Sweep PreFlight completes an ultra-fast offline structural pass first and applies any deterministic local fixes it can resolve safely.
- Phase 2: PreFlight Pro Deep Reasoning Handoff Remaining SQL, fuzzer, and complex architectural flaws are handed off through the secure proxy-backed reasoning path when a patch requires deeper context.
The first 10 patch applications are free across both phases. After that, a PREFLIGHT_PRO_KEY is required.
Post-Fix Verification Loop
PreFlight is designed to be used as a closed loop, not a one-shot scanner:
- Generate or modify code with your AI coding assistant.
- Run
preflight scan .to classify the change under the Tri-State Risk Score. - If PreFlight returns
Hard Block, stop and repair the structural issue before moving forward. - If PreFlight returns
High-Risk Drift, runpreflight scan . --fixand inspect every proposed fix before applying it. - Re-run
preflight scan .after each accepted fix to confirm the repository settles intoPass. - Ship only after the final verification pass is green and the structural receipt matches the architecture boundary you intended.
This verification loop is the product: scan, review, patch, re-scan, then deploy with confidence.
Usage Metrics
- Website visits: tracked through Vercel Web Analytics on https://preflight-vibe.vercel.app. View them in the Vercel project dashboard under Analytics.
- npm downloads: run the local report command below. npm reports package downloads, not unique human users.
npm run analytics:npm
Beta Architecture & Safety Notice
PreFlight Pro is currently in active Beta. While the local AST daemon is designed to catch severe structural anomalies, hallucinated syntax, and potential Supabase RLS drift in real time, it does not guarantee 100% error elimination.
AI-assisted code should always be explicitly reviewed by a senior engineer before being pushed to production. Use PreFlight as an advanced automated guardrail, not a replacement for manual code review.
Установить Preflight Pro в Claude Desktop, Claude Code, Cursor
unyly install preflight-proСтавит в Claude Desktop, Claude Code, Cursor и VS Code — сам разбирается с npx, uvx и сборкой из исходников.
Впервые? Поставь CLI: curl -fsSL https://unyly.org/install | sh
Или настроить вручную
Выполни в терминале:
claude mcp add preflight-pro -- npx -y preflight-proFAQ
Preflight Pro MCP бесплатный?
Да, Preflight Pro MCP бесплатный — установка в пару кликов через Unyly без оплаты.
Нужен ли API-ключ для Preflight Pro?
Нет, Preflight Pro работает без API-ключей и переменных окружения.
Preflight Pro — hosted или self-hosted?
Self-hosted: сервер запускается локально на твоей машине командой из раздела установки.
Как установить Preflight Pro в Claude Desktop, Claude Code или Cursor?
Открой Preflight Pro на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.
Похожие MCP
GitHub
PRs, issues, code search, CI status
автор: GitHubFilesystem
Secure file operations with configurable access controls.
Memory
Knowledge graph-based persistent memory system.
Template MCP Server
A CLI tool to create a new Model Context Protocol server project with TypeScript support, dual transport options, and an extensible structure
автор: mcpdotdirectCompare Preflight Pro with
Не уверен что выбрать?
Найди свой стек за 60 секунд
Автор?
Embed-бейдж для README
Похожее
Все в категории development
