About nextcheck

A short writeup on what this is, why it exists, and how it was built.

What it is

A free, public tool that runs 10 production-grade security checks on any public Next.js GitHub repository. It scans for CSP/HSTS headers, .env file hygiene, leaked console.log calls, unescaped HTML injection, Supabase RLS coverage, dangerous SECURITY DEFINER functions, Dependabot, CI, and dependency pinning. It returns a 0–100 score, a verdict, and a downloadable PDF.
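To make two of the Supabase checks concrete, here is an added example (not nextcheck's own source) that scans the text of a SQL migration for tables created without row level security and for SECURITY DEFINER functions that do not pin search_path. It assumes migrations are plain SQL in which every object starts with a CREATE statement; the sample migration is constructed.

```typescript
// Added example, not nextcheck's own code: a minimal version of two of the
// Supabase checks listed above, run over the text of one SQL migration.
// Assumption: plain SQL, one object per CREATE statement.

export type Finding =
  | { check: "rls_disabled"; table: string }
  | { check: "definer_mutable_search_path"; fn: string };

const CREATE_TABLE = /^create\s+table\s+(?:if\s+not\s+exists\s+)?(?:public\.)?"?(\w+)"?/i;
const CREATE_FUNCTION = /^create\s+(?:or\s+replace\s+)?function\s+(?:public\.)?"?(\w+)"?/i;

export function scanMigration(sql: string): Finding[] {
  const findings: Finding[] = [];

  // Collect every table that explicitly enables RLS anywhere in the file.
  const enableRls = /alter\s+table\s+(?:only\s+)?(?:public\.)?"?(\w+)"?\s+enable\s+row\s+level\s+security/gi;
  const rlsEnabled = new Set<string>();
  let m: RegExpExecArray | null;
  while ((m = enableRls.exec(sql)) !== null) rlsEnabled.add(m[1].toLowerCase());

  // One chunk per CREATE statement. Deliberately naive: a CREATE keyword
  // inside a function body would start a new chunk.
  const chunks = sql.split(/(?=\bcreate\s)/i).map((c) => c.trim());

  for (const chunk of chunks) {
    const table = CREATE_TABLE.exec(chunk);
    if (table) {
      const name = table[1].toLowerCase();
      if (!rlsEnabled.has(name)) findings.push({ check: "rls_disabled", table: name });
      continue;
    }
    const fn = CREATE_FUNCTION.exec(chunk);
    // A SECURITY DEFINER function runs with its owner's privileges, so its
    // search_path must be pinned; otherwise the caller's schema resolution
    // decides which objects the privileged body actually touches.
    if (fn && /\bsecurity\s+definer\b/i.test(chunk) && !/\bset\s+search_path\b/i.test(chunk)) {
      findings.push({ check: "definer_mutable_search_path", fn: fn[1].toLowerCase() });
    }
  }
  return findings;
}

// Constructed sample: one table without RLS, one with, one SECURITY DEFINER
// function without a pinned search_path, and one that pins it.
export const SAMPLE_MIGRATION = `
create table public.orders (id uuid primary key, user_id uuid);
create table public.profiles (id uuid primary key);
alter table public.profiles enable row level security;
create or replace function public.total_orders() returns bigint
language sql security definer as $$ select count(*) from public.orders $$;
create or replace function public.safe_total() returns bigint
language sql security definer set search_path = public
as $$ select count(*) from public.orders $$;
`;
```

Running `scanMigration(SAMPLE_MIGRATION)` reports `orders` (no RLS) and `total_orders` (mutable search_path) and nothing for the two hardened objects.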

Why it exists

I spent 14 years inside the Brazilian financial services sector — credit analysis, lending, regulatory compliance. I've seen what happens when reconciliation fails at 3am, when a webhook fires twice, when an audit trail goes missing the day before the regulator shows up. Production security is not theatre — it's the difference between a working business and a phone call from your lawyer.

Most security tools are either heavyweight enterprise platforms or hobby scripts. nextcheck is the middle: ten focused checks I actually run against my own SaaS work, exposed for free so other builders can ship safer.

How it was built

nextcheck was built end-to-end via AI orchestration — I spec, review, and test every line, while Claude Code handles the actual typing. Stack:

  • Next.js 16 (App Router) + TypeScript + Tailwind
  • Octokit (GitHub REST + git tree API)
  • @react-pdf/renderer for PDF reports
  • Geist (font), Lucide (icons), Framer Motion (kept simple)
  • Vercel (edge-aware deploy)

Time from blank repo to live URL: a single evening session. That's the bet I'm making with my career — that one experienced person orchestrating AI correctly produces software indistinguishable from a five-person team. Try the tool. Read the source. Judge for yourself.

Who I am

Paul Costa. Independent software engineer focused on Next.js, Supabase, payments, and AI integration for SaaS founders. Based in Brazil (GMT-3). Available for bug fixes, refactors, Supabase/RLS work, Stripe webhook hardening, and AI feature builds.