Security-conscious

Keeping AI-written code from leaking

The AI writes fast, but it hardcodes keys, skips authorization checks, and ships tables with row-level security off.

Security expert · Secret + RLS tripwires · Keys Bank

The scenario

Aisha — a security-minded senior developer, building a fintech-adjacent app that handles sensitive user data.

The goal

Move at AI speed without shipping the well-known classes of AI-generated vulnerabilities — exposed secrets, missing authorization, data left unprotected.

Aisha knows the research: a large share of AI-generated code ships with security flaws, and the model is happy to hardcode a key or skip an auth check if it makes the feature “work.” She can review some of it by hand, but not every diff on every change — and it only takes one miss.

Without afterclick

  • A service-role key lands in the client bundle during a feature build, where anyone can read it.
  • An endpoint ships without an authorization check because the happy path worked in testing.
  • A new table goes out with row-level security off, quietly exposing user records.
  • Catching all of this by hand on every change is simply more than one person can sustain.

With afterclick

  • A security specialist on sensitive diffs. The security advisor reviews the changes that touch auth, money, data, and secrets — hunting for the holes she’d otherwise have to find alone.
  • Secrets blocked at the door. A committed key or a service-role credential in client code is stopped by a tripwire before it reaches the repo.
  • Unprotected data caught. A table shipped with row-level security off is flagged automatically — one of the most common and most damaging AI-code mistakes.
  • Speed without the security debt. Aisha keeps the velocity of building with AI without inheriting its default vulnerabilities.

What afterclick did here

  1. Reviewed the feature diff that touched authentication and data.
  2. Caught a Supabase service-role key about to ship in front-end code.
  3. Blocked it before commit — bypassing row-level security would have exposed every record.
  4. Routed the change to the security advisor for a deeper read.
  5. Confirmed the keys vault held the credential, so nothing needed hardcoding.

What you’d have seen


Service-role key found in client bundle

A Supabase service-role key was about to ship in front-end code, bypassing all row-level security. Blocked.

The obvious objection

Why not just use a SAST scanner or GitHub code scanning?

Scanners and GitHub code scanning are genuinely valuable — and they fire after the code is committed and pushed, flagging issues for triage later, often with the noise of false positives. The damage here is a service-role key shipped in the client bundle or a table going out with RLS off — things you want stopped before they reach the repo, not queued in a security backlog. SAST also reasons about patterns, not intent; it won’t reliably catch that an auth check was dropped because the happy path still worked. afterclick puts a security specialist on the sensitive diffs in the moment, and backs it with deterministic tripwires that block committed secrets and unprotected tables at the door — complementing your scanner, earlier in the timeline, where prevention beats detection.
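The two deterministic tripwires described above (a Supabase service-role key in client code, and a table created without row-level security) are mechanical enough to show as a pre-commit check. The following is an added example, not afterclick's own code and not anything the page shows: a small Python script that classifies Supabase JWTs by their "role" claim and pairs create-table statements with enable-row-level-security statements in a staged migration. The staged file contents, the fake JWTs (real header/payload shape, dummy signature) and the CLIENT_PATHS prefixes are constructed assumptions for the demonstration.

```python
import base64
import json
import re
import sys

# A Supabase API key is a JWT whose payload carries a "role" claim: "anon" for the
# public key that is safe in a browser, "service_role" for the privileged key that
# bypasses row-level security and must never reach a client bundle.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
CREATE_TABLE_RE = re.compile(r"create\s+table\s+(?:if\s+not\s+exists\s+)?([\w.\"]+)", re.I)
ENABLE_RLS_RE = re.compile(
    r"alter\s+table\s+(?:only\s+)?([\w.\"]+)\s+enable\s+row\s+level\s+security", re.I
)
CLIENT_PATHS = ("src/", "public/", "app/")  # assumption: where front-end code lives


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_fake_jwt(role: str) -> str:
    """Constructed test token (not a real key): correct segment layout, dummy signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": "supabase", "role": role}).encode())
    return f"{header}.{payload}.{_b64url(b'not-a-real-signature')}"


def jwt_role(token: str):
    """Read the 'role' claim without verifying the token; we classify it, never trust it."""
    try:
        seg = token.split(".")[1]
        seg += "=" * (-len(seg) % 4)  # restore base64 padding stripped by JWT encoding
        return json.loads(base64.urlsafe_b64decode(seg)).get("role")
    except (ValueError, IndexError, AttributeError):
        return None


def find_service_role_keys(path: str, source: str) -> list:
    """Tripwire 1: any JWT with role == service_role in a client-side file."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for match in JWT_RE.finditer(line):
            if jwt_role(match.group()) == "service_role":
                findings.append(f"{path}:{lineno}: Supabase service_role key in client code")
    return findings


def _norm(name: str) -> str:
    name = name.replace('"', "").lower()
    return name if "." in name else f"public.{name}"


def find_tables_without_rls(path: str, sql: str) -> list:
    """Tripwire 2: every table created in the migration must also enable RLS in it."""
    created = [_norm(n) for n in CREATE_TABLE_RE.findall(sql)]
    protected = {_norm(n) for n in ENABLE_RLS_RE.findall(sql)}
    return [f"{path}: table {t} created without row level security"
            for t in created if t not in protected]


def check_staged(files: dict) -> list:
    """Run both tripwires over {path: contents}; a non-empty result blocks the commit."""
    findings = []
    for path, text in files.items():
        if path.endswith(".sql"):
            findings += find_tables_without_rls(path, text)
        elif path.startswith(CLIENT_PATHS):
            findings += find_service_role_keys(path, text)
    return findings


# Constructed staged files standing in for what a pre-commit hook would read from git.
STAGED = {
    "src/lib/supabase.js": (
        "import { createClient } from '@supabase/supabase-js'\n"
        "const url = 'https://example.supabase.co'\n"
        f"const anonKey = '{make_fake_jwt('anon')}'\n"
        f"const adminKey = '{make_fake_jwt('service_role')}'  // AI-generated: bypasses RLS\n"
        "export const supabase = createClient(url, adminKey)\n"
    ),
    "supabase/migrations/0002_transfers.sql": (
        "create table public.accounts (id uuid primary key, owner uuid, balance numeric);\n"
        "alter table public.accounts enable row level security;\n"
        "create table public.transfers (id uuid primary key, from_account uuid, amount numeric);\n"
    ),
}

if __name__ == "__main__":
    problems = check_staged(STAGED)
    for line in problems:
        print("BLOCKED:", line)
    sys.exit(1 if problems else 0)
```

Wired into a pre-commit hook, a non-zero exit stops the commit at the door, which is the point the page makes about prevention running earlier than a scanner's post-push triage. The anon key on line 3 of the constructed client file is deliberately left alone: it is designed for browser use, and flagging it would be exactly the kind of false positive that trains people to ignore the tripwire.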

For the senior engineer

You know SAST, you know the OWASP list, you know the AI’s failure modes. afterclick isn’t claiming to out-secure you — it’s claiming you can’t manually review every diff at AI throughput, and the classic AI-code vulnerabilities (hardcoded keys, RLS off, dropped authorization) are mechanical enough to catch in the moment, before commit. It’s the tireless junior security reviewer next to the senior one, catching the obvious-but-constant stuff so your attention goes to the subtle threats.

What it replaced for you

  • The manual security review Aisha can’t do on every single diff.
  • The service-role key that would have shipped to the client.
  • The SAST backlog ticket filed after the leak instead of before.
  • The trade-off between AI speed and AI-code security.

The outcome

Aisha ships at AI speed and the classic AI-code vulnerabilities don’t make it into production. The security review she couldn’t do on every diff by hand now happens on every one that matters.

Sound like you?

One paste, AI included, free to start.
