Prompt-to-app is not the same as secure production
Lovable, Bolt, v0, Replit, and Firebase Studio reduce the gap between idea and published app. That is great for market validation. The danger is treating the first deploy as if it were ready for paying customers.
The app can open, look polished, and still expose the wrong data, accept risky uploads, leak keys, charge without confirming payment, or leave admin areas too open.
Review before paid traffic
- Authentication: signup, login, reset, and OAuth.
- Authorization: user, team, admin, support, and paid plan.
- Database: Row Level Security, tenant_id, and owner-scoped queries.
- Storage: private uploads, temporary URLs, and file type limits.
- Checkout: price set server-side, payment webhook, and the correct customer email.
- Mobile: buttons, text, and states that do not break on small screens.
- Deploy: variables, domain, rollback, logs, and alerts.
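The Database item is the one that decides whether one customer's data is separated from another's. Below is an added example of what a passing answer looks like in Postgres Row Level Security; it is not code from the page or from any of the builders named above. It assumes a constructed projects table, an app_user role that the application connects as, and two per-request settings, app.tenant_id and app.user_id, that the backend sets from the authenticated session; the UUIDs are made up for the check at the end.

```sql
-- Added example: tenant- and owner-scoped Row Level Security in Postgres.
-- Table, role, setting names and UUIDs are constructed for illustration.

CREATE TABLE projects (
  id        bigserial PRIMARY KEY,
  tenant_id uuid NOT NULL,
  owner_id  uuid NOT NULL,
  name      text NOT NULL
);

-- Seed rows for two tenants before RLS is enabled (constructed data).
INSERT INTO projects (tenant_id, owner_id, name) VALUES
  ('11111111-1111-1111-1111-111111111111', 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', 'tenant A project'),
  ('22222222-2222-2222-2222-222222222222', 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb', 'tenant B project');

-- The app must connect as a role that does not own the table: table owners
-- bypass RLS unless FORCE is set, superusers and BYPASSRLS roles always do.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON projects TO app_user;
GRANT USAGE, SELECT ON SEQUENCE projects_id_seq TO app_user;

ALTER TABLE projects ENABLE ROW LEVEL SECURITY;
ALTER TABLE projects FORCE ROW LEVEL SECURITY;

-- Weak setting often found in generated prototypes: one policy that lets any
-- logged-in user read and change every row. Left commented out on purpose.
-- CREATE POLICY projects_open ON projects FOR ALL TO app_user USING (true);

-- Corrected: reads are limited to the caller's tenant. current_setting(..., true)
-- returns NULL when the setting is missing, so a request that forgot to set it
-- sees nothing rather than everything.
CREATE POLICY projects_tenant_read ON projects
  FOR SELECT TO app_user
  USING (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Inserts, updates and deletes are limited to rows the caller owns inside that
-- tenant. WITH CHECK also blocks moving a row into another tenant or owner.
-- Policies are permissive (OR-ed), so this FOR ALL policy widens SELECT only to
-- owned rows, which the tenant policy already covers.
CREATE POLICY projects_owner_write ON projects
  FOR ALL TO app_user
  USING (tenant_id = current_setting('app.tenant_id', true)::uuid
         AND owner_id = current_setting('app.user_id', true)::uuid)
  WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid
              AND owner_id = current_setting('app.user_id', true)::uuid);

-- Check: act as the app role with tenant A's settings and count rows that
-- belong to any other tenant. A nonzero count means isolation is broken.
-- Run as a superuser or as a member of app_user so SET ROLE is allowed.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
SET LOCAL app.user_id   = 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa';
SELECT count(*) AS cross_tenant_rows
  FROM projects
 WHERE tenant_id <> '11111111-1111-1111-1111-111111111111';
ROLLBACK;
```

The check at the end is the evidence to ask for: a query run under the application's own role, not the owner or a superuser, that cannot reach another tenant's rows. If the backend is Supabase, auth.uid() replaces the app.user_id setting and the same policy shape applies. Repeat the check for every table that holds customer data, because RLS is enabled per table and a single unprotected table undoes the rest.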
What to ask the AI to inspect
Ask the tool to explain public routes, private routes, database rules, API endpoints, environment variables, integrations, and permissions. If it cannot show where one customer's data is separated from another's, pause before selling.
When it becomes Risk Review
Once there are real users, payments, a B2B proposal, sensitive data, or a critical integration, the review needs human judgment about impact. That is not drama. It is where prototype becomes business.
App builders deliver speed. Selling safely still needs evidence.