Finding Categories
What each category of FinishKit findings means and why it matters.
FinishKit organizes findings into six categories, each covering a different risk area for your app.
Blockers
Issues that will actively break your app in production. Examples:
- Missing authentication on protected routes
- Broken API routes that return 500s
- Database queries that will fail without certain env vars set
- Hardcoded development URLs (`localhost:3000`) in production code
Fix these before anything else.
Security
Vulnerabilities that put your users or data at risk. Examples:
- API keys or secrets committed to the repo
- Missing Row Level Security on Supabase tables
- SQL injection risks in raw queries
- CORS configured to allow all origins (`*`) in a production API
- Unvalidated user input passed to dangerous functions
Deploy
Configuration problems that will prevent your app from deploying or running correctly. Examples:
- Missing environment variables that the code references
- Incorrect build configuration
- Missing `start` script in `package.json`
- Static files referenced that don't exist in the build output
Stability
Code patterns that will cause unexpected crashes or poor behaviour at runtime. Examples:
- Unhandled promise rejections
- Missing error boundaries in React components
- API calls with no timeout or retry logic
- Race conditions in async code
Tests
Missing or inadequate test coverage for critical paths. Examples:
- No tests for authentication flows
- No tests for payment/billing logic
- Missing test for a form that validates user-submitted data
UI
User-facing issues that will hurt the experience. Examples:
- Pages with no loading state (blank screen while data loads)
- Forms that don't show validation errors
- Components that break on mobile screen sizes
- Missing empty states when lists have no data
Production Readiness Dimensions
In addition to triage categories, FinishKit scores your app across eight production readiness dimensions. These dimensions power your Production Readiness Score.
| Dimension | What it covers |
|---|---|
| Security | Auth, secrets management, injection attacks, access control |
| Error Handling | Exception handling, error recovery, user-facing error messages |
| Logging | Observability, structured logging, health checks, error tracking |
| Environment | Env var management, configuration, secrets separation |
| Database | Schema design, migrations, connection pooling, row-level security |
| Performance | Caching, rate limiting, bundle size, query efficiency |
| Deployment | CI/CD, rollback strategy, dependency pinning, smoke tests |
| Vibe Code | Placeholder copy ("Your Company Name", Lorem ipsum), default branding, stubbed handlers, mock data, dead scaffolding, and other "AI built 80%, left 20% unfinished" artifacts |
Categories vs. dimensions: Categories help you triage findings by urgency (fix blockers first, then security, then everything else). Dimensions measure your overall production readiness across eight areas, giving you a score that tracks your progress over time.