The repository became readable beyond engineering
The hype around Google CodeWiki points to an important shift: a public repository is no longer just a developer artifact. Once AI can read the codebase, generate navigable documentation, draw diagrams, and explain each module, founders, product managers, sales, and support can understand the product much faster.
That is useful. It also changes the risk surface. If anyone can navigate public code more easily, they can also see routes, table names, integrations, authorization assumptions, architecture patterns, and comments that used to hide behind the effort of reading the repo manually.
What to review before pasting a public repo into an AI tool
- Git history, not just the latest commit: keys, tokens, internal URLs, or credentials deleted in HEAD are still readable in every earlier commit and in any fork or clone taken before the deletion.
- Example and fixture files that contain no real secrets, private endpoints, or production bucket names.
- Login, admin, billing, webhook, and upload routes with explicit server-side authorization, not a check that only hides a menu item.
- Tenant separation enforced in each query (the tenant is part of the WHERE clause), not only in the interface.
- Comments, TODOs, and mocks that do not reveal fragile business logic.
- Deploy scripts and CI workflows that run with no more permission than they need.
- Generated documentation reviewed by someone who understands the product.
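The first item on the checklist is the one people skip most often, so here is a small scanner for it. This is an added example, not part of the original post and not a CodeWiki feature: it walks `git log -p --all` output, flags lines that look like credentials, and records whether each hit was added or removed, so a key that a later commit deleted still shows up with its history. The sample log is constructed for the example, the key and connection string are documentation placeholders, and the regex set is deliberately small; a real run would use a tool like gitleaks or trufflehog with a fuller ruleset.

```python
import re
import subprocess

# Constructed sample of `git log -p --all` output (newest commit first). The key was
# added in the older commit and deleted again in HEAD, the exact case the checklist
# warns about. Values are documentation placeholders, not real credentials.
SAMPLE_LOG = """\
commit 2222222222222222222222222222222222222222
Author: dev <dev@example.invalid>

    move credentials to environment

diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,2 +1,2 @@
-AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
-DATABASE_URL = "postgres://app:hunter2@db.internal.example:5432/app"
+AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+DATABASE_URL = os.environ["DATABASE_URL"]

commit 1111111111111111111111111111111111111111
Author: dev <dev@example.invalid>

    first working version

diff --git a/config/settings.py b/config/settings.py
--- /dev/null
+++ b/config/settings.py
@@ -0,0 +1,2 @@
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DATABASE_URL = "postgres://app:hunter2@db.internal.example:5432/app"
"""

# A deliberately small ruleset; extend it or use a dedicated scanner for real repos.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "url_with_password": re.compile(r"[a-z][a-z0-9+.-]*://[^\s:/@]+:[^\s@]+@[^\s/]+"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def scan_git_log(log_text):
    """Return one finding per matching added/removed line: kind, commit, path, added, match."""
    findings = []
    commit = path = None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("diff --git"):
            path = line.split(" b/")[-1]
        elif line[:1] in ("+", "-") and not line.startswith(("+++", "---")):
            for kind, pattern in PATTERNS.items():
                m = pattern.search(line[1:])
                if m:
                    findings.append({"kind": kind, "commit": commit, "path": path,
                                     "added": line.startswith("+"), "match": m.group(0)})
    return findings


def leaked_values(findings):
    """Every value that was ever committed is recoverable, whatever HEAD looks like."""
    return {f["match"] for f in findings if f["added"]}


def history_of(findings, value):
    """(commit, was_added) pairs for one value, newest first, to show add-then-delete."""
    return [(f["commit"], f["added"]) for f in findings if f["match"] == value]


def scan_repo(path):
    """Run the same scan on a real checkout (needs git on PATH; not used by the sample)."""
    out = subprocess.run(["git", "-C", path, "log", "-p", "--all"],
                         capture_output=True, text=True, check=True).stdout
    return scan_git_log(out)


if __name__ == "__main__":
    hits = scan_git_log(SAMPLE_LOG)
    for value in sorted(leaked_values(hits)):
        print(value, "->", history_of(hits, value))
```

The output for the sample shows each value with a `False` (removed) entry in HEAD and a `True` (added) entry in the first commit: deleting the line cleaned the working tree, not the history. The fix for a leaked value is to rotate it, not to rewrite the branch.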
The good use case
CodeWiki and similar tools can reduce onboarding, explain architecture to non-technical stakeholders, and help a founder show the product to a B2B customer without depending on an endless meeting with the senior developer.
The smarter use is turning repo reading into triage: what is public, what is architecture, what touches customer data, what touches billing, and what needs human review before it appears in a sales motion.
Where risk appears
A public repository with an AI-generated app often carries speed patterns. The admin route works, but never checks the caller's role. The payment webhook exists, but the app marks the order paid from the URL the browser returns to instead of from a signature-verified call by the provider. Upload saves to the right bucket, but the download path looks files up by id alone and never checks that the requesting tenant owns them. The README helps people run the app, but also exposes internal paths, test seeds, and admin scope.
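The three route-level patterns above, each beside its hardened form, as an added example that is not code from the original post or from any particular app. The in-memory tables, the tenant and user dictionaries, and the shared webhook secret are constructed for the example; the signing scheme (HMAC-SHA256 over the raw body, hex-encoded in a header) stands in for whatever the real payment provider specifies.

```python
import hashlib
import hmac
import json

# Constructed in-memory tables standing in for the app's database; nothing here is a
# real project's schema or secret.
FILES = {
    "f1": {"owner_tenant": "acme", "key": "uploads/acme/report.pdf"},
    "f2": {"owner_tenant": "globex", "key": "uploads/globex/invoice.pdf"},
}
WEBHOOK_SECRET = b"constructed-shared-secret"  # assumption: one per endpoint, issued by the provider


class Forbidden(Exception):
    pass


def new_orders():
    return {"o1": {"tenant": "acme", "status": "pending"}}


# Pattern 1: the admin route works, but never checks the role.
def admin_users_fast(user):
    return ["alice", "bob"]          # any signed-in user gets the list


def admin_users_safe(user):
    if user.get("role") != "admin":  # explicit server-side check, not a hidden menu item
        raise Forbidden("admin role required")
    return ["alice", "bob"]


# Pattern 2: download looks the file up by id alone, so a user from another tenant
# who knows or guesses the id reads it.
def download_fast(user, file_id):
    return FILES[file_id]["key"]


def download_safe(user, file_id):
    # The tenant is part of the lookup itself, the equivalent of
    # WHERE id = ? AND owner_tenant = ?, rather than a check in the UI.
    row = FILES.get(file_id)
    if row is None or row["owner_tenant"] != user["tenant"]:
        raise Forbidden("no such file for this tenant")  # same answer for missing and foreign
    return row["key"]


# Pattern 3: the billing "return" page marks the order paid from the query string the
# browser came back with, so anyone can append ?status=paid.
def billing_return_fast(orders, order_id, query_params):
    if query_params.get("status") == "paid":
        orders[order_id]["status"] = "paid"
    return orders[order_id]["status"]


def sign_webhook(raw_body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def paid_event(order_id: str) -> bytes:
    return json.dumps({"order_id": order_id, "status": "paid"}).encode()


def billing_webhook_safe(orders, raw_body: bytes, signature_header: str, secret: bytes = WEBHOOK_SECRET):
    # Only the provider's server-to-server call changes order state, and only after its
    # HMAC over the exact raw body verifies; compare_digest avoids a timing side channel.
    expected = sign_webhook(raw_body, secret)
    if not hmac.compare_digest(expected, signature_header):
        raise Forbidden("bad webhook signature")
    event = json.loads(raw_body)
    if event["status"] == "paid":
        orders[event["order_id"]]["status"] = "paid"
    return orders[event["order_id"]]["status"]


def denied(fn, *args):
    """True if the call is refused; makes the fast/safe difference visible."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    viewer = {"tenant": "globex", "role": "user"}
    print("admin list, fast:", admin_users_fast(viewer), "safe denied:", denied(admin_users_safe, viewer))
    print("foreign file, fast:", download_fast(viewer, "f1"), "safe denied:", denied(download_safe, viewer, "f1"))
    print("forged return, fast:", billing_return_fast(new_orders(), "o1", {"status": "paid"}))
    body = paid_event("o1")
    print("forged webhook denied:", denied(billing_webhook_safe, new_orders(), body, "0" * 64))
    print("signed webhook:", billing_webhook_safe(new_orders(), body, sign_webhook(body)))
```

Each `*_fast` function is what an AI-assisted read of the repo would make obvious in seconds: a route that returns data for any session, a lookup keyed only by id, and a state change driven by the client. The safe variants keep the same shape; the difference is one condition in the right place.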
When AI makes that easier to read, the defense needs to be clearer. This is not paranoia. It is public-product hygiene.
How to use this for RET positioning
For founders, vibe coders, and makers, the question is not "can I use CodeWiki?". The better question is: "what would an AI-assisted read of my public repo make obvious about login, billing, data, and permissions?".
If the answer touches customers, revenue, private files, or a B2B sale, review the signal before calling the product ready.
A public repo is now onboarding material, sales context, and a risk map. If AI can explain it quickly, your security needs to survive a quick read too.