# prodlint

> Production readiness for vibe-coded apps. 52 checks to make sure your AI-generated code is ready to ship.

prodlint is a zero-config static analysis tool for JavaScript and TypeScript projects. It checks for security, reliability, performance, and AI quality issues commonly found in code from tools like Claude Code, Cursor, v0, Bolt, and Copilot — hardcoded secrets, missing auth, hallucinated imports, unvalidated server actions, and more.

52 checks across 4 categories (security 27, reliability 11, performance 6, AI quality 8), under 100ms, MIT licensed, free and open source.

## Quick Start

Run with no install: `npx prodlint`

Other options: `npx prodlint ./path`, `npx prodlint --json`, `npx prodlint --ignore "*.test.ts"`, `npx prodlint --web example.com` (get your site's prodlint score)

MCP server for AI editors: `claude mcp add prodlint npx prodlint-mcp` (Claude Code) or add `{ "mcpServers": { "prodlint": { "command": "npx", "args": ["-y", "prodlint-mcp"] } } }` to `.cursor/mcp.json` (Cursor/Windsurf).

## Site Score

Free site scoring at [prodlint.com/score](https://prodlint.com/score). Enter any URL and get a prodlint score out of 100 across 14 AI agent standards — robots.txt, AI directives, Content-Usage, llms.txt, ai.txt, TDMRep, AI-Disclosure, AgentCard, WebMCP, HTTP Message Signatures (RFC 9421), structured data, OpenGraph, sitemap, and page speed. No signup required. Also available from the CLI: `npx prodlint --web example.com` (or `--json` for JSON output).

## Free Tools

7 free generator tools at [prodlint.com/tools](https://prodlint.com/tools). All run client-side with live preview, copy, and download:

- [robots.txt AI Directives](https://prodlint.com/tools/robots-txt): Per-bot AI crawler access control
- [llms.txt Generator](https://prodlint.com/tools/llms-txt): LLM-optimized site summary
- [ai.txt Generator](https://prodlint.com/tools/ai-txt): AI training permissions (Spawning spec)
- [Content-Usage Directives](https://prodlint.com/tools/content-usage): IETF aipref per-path AI usage rules
- [TDMRep Generator](https://prodlint.com/tools/tdmrep): W3C text & data mining reservations
- [A2A AgentCard Generator](https://prodlint.com/tools/agent-card): Agent discovery and capabilities
- [AI-Disclosure Header Generator](https://prodlint.com/tools/ai-disclosure): AI content transparency headers

## Blog

- [The 10 most common security bugs Cursor writes](https://prodlint.com/blog/10-security-bugs-cursor-writes): Real examples of security and reliability issues in AI-generated code, with bad patterns, fixes, and prodlint output
- [Your site is invisible to AI agents. Here's how to fix it.](https://prodlint.com/blog/ai-discoverability-14-standards): 14 standards that control whether AI agents can find, read, and interact with your site
- [The 5 patterns prodlint catches most in vibe-coded apps](https://prodlint.com/blog/vibe-coded-projects-scan-results): The five most common blind spots in AI-generated code, with examples and fixes

## Docs

- [Homepage](https://prodlint.com): Overview, terminal demo, comparison with ESLint, and quick start
- [All 52 Rules](https://prodlint.com/rules): Complete rule reference with severity levels, code examples, and fixes
- [MCP Server Setup](https://prodlint.com/mcp): Setup instructions for Claude Code, Cursor, and Windsurf
- [Site Score](https://prodlint.com/score): Free AI agent-readiness scoring
- [Free Tools](https://prodlint.com/tools): 7 AI agent policy file generators
- [Full Documentation](https://prodlint.com/llms-full.txt): Complete reference with all rules, scoring, and integration details
- [GitHub](https://github.com/prodlint/prodlint): Source code, issues, and GitHub Action
- [npm](https://www.npmjs.com/package/prodlint): Package page with install instructions

## Optional

- [secrets](https://prodlint.com/rules/secrets): Hardcoded API keys (Stripe, AWS, Supabase, OpenAI, GitHub)
- [auth-checks](https://prodlint.com/rules/auth-checks): API routes without authentication
- [env-exposure](https://prodlint.com/rules/env-exposure): Server env vars in client components
- [input-validation](https://prodlint.com/rules/input-validation): Request body used without validation
- [cors-config](https://prodlint.com/rules/cors-config): Access-Control-Allow-Origin: *, wildcard + credentials escalated to critical
- [unsafe-html](https://prodlint.com/rules/unsafe-html): dangerouslySetInnerHTML with user data
- [sql-injection](https://prodlint.com/rules/sql-injection): SQL queries built with string concat (ORM-aware)
- [open-redirect](https://prodlint.com/rules/open-redirect): User input passed to redirect()
- [rate-limiting](https://prodlint.com/rules/rate-limiting): API routes with no rate limiter
- [phantom-dependency](https://prodlint.com/rules/phantom-dependency): Packages missing from package.json
- [insecure-cookie](https://prodlint.com/rules/insecure-cookie): Session cookies missing httpOnly/secure/sameSite
- [leaked-env-in-logs](https://prodlint.com/rules/leaked-env-in-logs): process.env leaked in console.log
- [insecure-random](https://prodlint.com/rules/insecure-random): Math.random() for tokens or secrets
- [next-server-action-validation](https://prodlint.com/rules/next-server-action-validation): Server actions without schema validation
- [env-fallback-secret](https://prodlint.com/rules/env-fallback-secret): Hardcoded fallback values for secrets
- [verbose-error-response](https://prodlint.com/rules/verbose-error-response): Stack traces in API responses
- [missing-webhook-verification](https://prodlint.com/rules/missing-webhook-verification): Webhooks without signature verification
- [server-action-auth](https://prodlint.com/rules/server-action-auth): Server actions without auth checks
- [eval-injection](https://prodlint.com/rules/eval-injection): eval() and new Function()
- [next-public-sensitive](https://prodlint.com/rules/next-public-sensitive): NEXT_PUBLIC_ on secret env vars
- [ssrf-risk](https://prodlint.com/rules/ssrf-risk): User-controlled URLs in server fetch
- [path-traversal](https://prodlint.com/rules/path-traversal): Unsanitized file paths
- [unsafe-file-upload](https://prodlint.com/rules/unsafe-file-upload): File uploads without validation
- [supabase-missing-rls](https://prodlint.com/rules/supabase-missing-rls): Tables without Row Level Security
- [deprecated-oauth-flow](https://prodlint.com/rules/deprecated-oauth-flow): OAuth Implicit Grant
- [jwt-no-expiry](https://prodlint.com/rules/jwt-no-expiry): JWT without expiration
- [client-side-auth-only](https://prodlint.com/rules/client-side-auth-only): Auth logic in client components
- [hallucinated-imports](https://prodlint.com/rules/hallucinated-imports): Imports of packages that don't exist
- [error-handling](https://prodlint.com/rules/error-handling): Async operations without try/catch
- [unhandled-promise](https://prodlint.com/rules/unhandled-promise): Floating promises
- [shallow-catch](https://prodlint.com/rules/shallow-catch): Empty catch blocks
- [missing-loading-state](https://prodlint.com/rules/missing-loading-state): Fetching without loading UI
- [missing-error-boundary](https://prodlint.com/rules/missing-error-boundary): Routes without error.tsx
- [missing-transaction](https://prodlint.com/rules/missing-transaction): Multiple writes without transaction
- [redirect-in-try-catch](https://prodlint.com/rules/redirect-in-try-catch): redirect() caught by try/catch
- [missing-revalidation](https://prodlint.com/rules/missing-revalidation): Mutations without revalidatePath
- [missing-useeffect-cleanup](https://prodlint.com/rules/missing-useeffect-cleanup): useEffect without cleanup
- [hydration-mismatch](https://prodlint.com/rules/hydration-mismatch): Server/client render mismatch
- [no-sync-fs](https://prodlint.com/rules/no-sync-fs): readFileSync blocking event loop
- [no-n-plus-one](https://prodlint.com/rules/no-n-plus-one): Database calls inside loops
- [no-unbounded-query](https://prodlint.com/rules/no-unbounded-query): Queries without LIMIT
- [no-dynamic-import-loop](https://prodlint.com/rules/no-dynamic-import-loop): import() inside loops
- [server-component-fetch-self](https://prodlint.com/rules/server-component-fetch-self): Server components fetching own API
- [missing-abort-controller](https://prodlint.com/rules/missing-abort-controller): Fetch/axios without timeout
- [ai-smells](https://prodlint.com/rules/ai-smells): any types, console.log spam, TODOs
- [placeholder-content](https://prodlint.com/rules/placeholder-content): Lorem ipsum and example values
- [hallucinated-api](https://prodlint.com/rules/hallucinated-api): .flatten(), .contains(), .substr()
- [stale-fallback](https://prodlint.com/rules/stale-fallback): localhost:3000 hardcoded
- [comprehension-debt](https://prodlint.com/rules/comprehension-debt): Functions over 80 lines
- [codebase-consistency](https://prodlint.com/rules/codebase-consistency): Mixed naming conventions
- [dead-exports](https://prodlint.com/rules/dead-exports): Exported functions nothing imports
- [use-client-overuse](https://prodlint.com/rules/use-client-overuse): Unnecessary "use client" directives