Companies will want vibe coding too
Lovable, Bolt, v0, Replit, Firebase Studio, and similar tools make it easy to create dashboards, small CRMs, automations, internal portals, operations mini apps, and proofs of concept. That fits teams that want speed without waiting in a long engineering queue.
The problem is that internal mini apps rarely stay small. They start by reading a spreadsheet, then connect to the CRM, then pull customer data, then gain a login, then become a daily tool for sales, support, or finance.
Where the internal marketplace breaks
- Apps created without a clear technical owner.
- API keys pasted into the frontend or shared variables.
- RBAC improvised with a fixed email list.
- Internal data sent to an integration without a clear basis.
- Storage accidentally public.
- Old apps forgotten while still holding access to current data.
- Deploys without logs, alerts, or a removal process.
What needs to become policy
Internal mini apps need a catalog, owner, data scope, authentication, permission review, expiration date, and audit trail. This does not need to kill speed. It needs to stop a prototype from becoming critical software without review.
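One way to enforce that list mechanically, as an added example that is not from the original article or from any of the tools it names: a catalog check that flags entries missing a required field, past their expiration date, or carrying a stale permission review. The field names, the 90-day review interval, and the sample entries are assumptions of this example.

```python
from datetime import date, timedelta

# Fields taken from the policy paragraph; the key names are this example's own.
REQUIRED = ("owner", "data_scope", "authentication",
            "permission_review", "expires", "audit_trail")
REVIEW_MAX_AGE = timedelta(days=90)  # assumed interval, not from the article


def check_app(app, today):
    """Return a list of policy findings for one catalog entry."""
    findings = [f"missing {field}" for field in REQUIRED if not app.get(field)]
    expires = app.get("expires")
    if expires and date.fromisoformat(expires) < today:
        findings.append("expired: remove the app or renew it after review")
    reviewed = app.get("permission_review")
    if reviewed and today - date.fromisoformat(reviewed) > REVIEW_MAX_AGE:
        findings.append("permission review is stale")
    return findings


def check_catalog(catalog, today):
    """Map app name -> findings, listing only apps that fail a check."""
    report = {}
    for app in catalog:
        findings = check_app(app, today)
        if findings:
            report[app["name"]] = findings
    return report


# Constructed sample catalog (not real apps).
SAMPLE_CATALOG = [
    {"name": "sales-dashboard", "owner": "team-sales-eng",
     "data_scope": ["crm:read"], "authentication": "sso",
     "permission_review": "2025-05-20", "expires": "2025-12-31",
     "audit_trail": True},
    {"name": "refund-helper", "owner": "",
     "data_scope": ["customers:read"], "authentication": "sso",
     "permission_review": "2024-11-01", "expires": "2025-03-01",
     "audit_trail": False},
]

if __name__ == "__main__":
    for name, findings in check_catalog(SAMPLE_CATALOG, date(2025, 6, 1)).items():
        print(name, "->", "; ".join(findings))
```

Run on a schedule, a check like this surfaces the forgotten app with live data access before someone stumbles on it.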
Lovable, Bolt, v0, and Replit raise similar questions
The tool name changes, but the risk repeats: who can access it, which data appears, where the secret lives, who can export, which integration calls external APIs, how users are revoked, and how abandoned apps are removed.
If it uses Supabase, review RLS. If it uses Firebase, review rules. If it uses Stripe, review the webhook. If it uses storage, review file ownership. If it uses AI, review prompt injection, logs, and data sent to the model.
Convert interest into review
When someone asks "can we build an internal mini-app marketplace?", the safe answer is: yes, but each app needs to be born with a clear limit. The first review package should look at login, permissions, data, integrations, storage, and deploy before the app becomes a daily tool.
A good internal mini app is born fast, but not ownerless. The rule is simple: internal data, integrations, or customers require review before daily use.




