Every number on this page is computed live, in your browser, by running the real rules engine against a corpus of known-broken sample projects. Nothing here is mocked.
Every fixture project is open-source under src/engine/fixtures.ts. Add your own and the scoreboard updates immediately.
Pick a broken sample project. The engine runs the actual rule code against it — you see the expected hits next to what really fired.
Classic vibe-coder mistake — service-role key imported in a 'use client' file.
45 rules across env vars, frameworks, hosting, integrations, and security.
A variable is read by your code but not present in the provider's production environment.
Next.js only exposes NEXT_PUBLIC_-prefixed env vars to the browser.
Vite only inlines env vars prefixed with VITE_ into the client bundle.
Detects server-only secret names (KEY, SECRET, TOKEN, PASSWORD) used in browser-bound files.
Names like VITE_*, NEXT_PUBLIC_*, PUBLIC_*, NUXT_PUBLIC_*, EXPO_PUBLIC_*, REACT_APP_*, GATSBY_* are inlined into the browser bundle. A secret-flavored name (TOKEN, SECRET_KEY, SERVICE_ROLE, API_KEY, DATABASE_URL, AUTH_TOKEN, provider PATs…) under one of those prefixes leaks the secret to every visitor.
Code references env vars that aren't documented in .env.example.
.env / .env.local files contain real secrets and must never be committed.
Env vars are case-sensitive; small typos silently return undefined.
A local DB URL shipped to production will crash on connect.
next/headers, next/server, fs, child_process etc. cannot be imported from client components.
Remix files ending in .server.ts must not be imported from .tsx route components that render in the browser.
When export const runtime = 'edge', Node-only APIs (fs, path, os, net, tls, child_process, crypto.createHmac/createHash/randomBytes, Buffer) are unavailable.
SvelteKit treats $env/static/private as server-only.
Anything in runtimeConfig.public is shipped to the browser.
Potential XSS vector — needs sanitization.
Remix routes render in the browser; process.env is only populated server-side. Values must be exposed via the loader.
Without engines.node, your host may upgrade Node mid-deploy and break the build.
Railway, Render, Fly all require the app to listen on $PORT.
Builds run a different command than the one you test locally.
Netlify merges both sources; when they conflict, the winner is decided silently and in an order you may not expect.
Some providers route traffic based on EXPOSE.
Workers run in V8 — Node built-ins require the nodejs_compat flag.
fly.toml [http_service] internal_port must match the port the container/app actually listens on.
FROM node:latest or FROM node (no tag) breaks reproducible builds when Docker Hub bumps the floating tag.
Live and test Stripe envs never validate each other's signatures.
stripe.webhooks.constructEvent requires the raw request body.
Local webhook URLs can't receive production Stripe events.
Service role bypasses Row Level Security — never expose to the browser.
createClient(url, anon) needs both arguments; a missing URL or anon key fails at runtime.
Resend rejects sends from unverified domains.
new OpenAI({ apiKey }) in client code leaks your AI key.
Wildcard CORS with credentialed cookies is a CSRF vector.
Auth0 Allowed Callback / Logout / Web Origin URLs must use the public production URL, not localhost.
Parses common 'cannot find module' errors out of the deploy log.
Parses 'environment variable X is not defined' patterns out of the log.
Detects npm ci failures caused by package-lock.json missing or out of date.
Detects production URLs (webhooks, redirects, site URL) that pasted text describes as still set to http://localhost.
dangerouslyAllowBrowser: true ships your AI API key to every visitor.
Even on server-only routes, the service-role key bypasses RLS and deserves a hardening check.
Next.js needs NEXT_PUBLIC_SUPABASE_ANON_KEY (with prefix) to expose the anon key to the browser.
Catches 'X is not configured for Production' / 'X is missing' style warnings in pasted text.
Detects JWT_SECRET / SESSION_SECRET / etc. set to placeholder values like 'changeme', or `process.env.X || 'changeme'` fallbacks in source.
Detects provider tokens (GitHub ghp_, Stripe sk_live_/sk_test_, OpenAI sk-, Netlify nfp_, Slack xox*, AWS AKIA*) committed inline in source files.
Mirrors railway.port-bind for log-only / mixed-prose inputs where the user pastes the offending snippet instead of uploading server.js.
.env.example is committed; values that match real credential shapes (ghp_, sk_live_, whsec_, nfp_, sk-…) almost certainly leaked.
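A simplified version of two of the env-var rules listed above (server-only secret names read in a browser-bound file, and secret-flavored names under a public prefix such as NEXT_PUBLIC_), run over a constructed fixture that mirrors the "service-role key in a 'use client' file" sample. This is added example code, not the page's engine; the rule ids, marker lists and the 'use client' heuristic are assumptions.

```typescript
const PUBLIC_PREFIXES = ["NEXT_PUBLIC_", "VITE_", "PUBLIC_", "NUXT_PUBLIC_", "EXPO_PUBLIC_", "REACT_APP_", "GATSBY_"];
// Markers that make a public-prefixed name look like a secret (an anon key, URL or site name does not match).
const PUBLIC_SECRET_MARKERS = ["TOKEN", "SECRET_KEY", "SERVICE_ROLE", "API_KEY", "DATABASE_URL", "AUTH_TOKEN"];
// Markers for server-only secret names that must not be read inside a browser-bound file.
const SERVER_SECRET_MARKERS = ["KEY", "SECRET", "TOKEN", "PASSWORD"];

interface Finding { rule: string; name: string; line: number; }

const hasMarker = (name: string, markers: string[]): boolean =>
  markers.some((m) => name.includes(m));

function scanSource(source: string): Finding[] {
  const findings: Finding[] = [];
  // Assumption: a file is browser-bound when it opens with the React 'use client' directive.
  const browserBound = /^\s*['"]use client['"]/.test(source);
  const envRef = /(?:process\.env|import\.meta\.env)\.([A-Z0-9_]+)/g;
  source.split("\n").forEach((text, i) => {
    let m: RegExpExecArray | null;
    while ((m = envRef.exec(text)) !== null) {
      const name = m[1];
      const prefix = PUBLIC_PREFIXES.find((p) => name.startsWith(p));
      if (prefix !== undefined) {
        // Public-prefixed values are inlined into the bundle for every visitor, wherever they are read.
        if (hasMarker(name.slice(prefix.length), PUBLIC_SECRET_MARKERS)) {
          findings.push({ rule: "public-prefix-secret", name, line: i + 1 });
        }
      } else if (browserBound && hasMarker(name, SERVER_SECRET_MARKERS)) {
        findings.push({ rule: "secret-in-client-file", name, line: i + 1 });
      }
    }
  });
  return findings;
}

// Constructed fixture (hypothetical app/admin/page.tsx) with one hit per rule and one safe reference.
const SAMPLE = [
  "'use client';",
  "import { createClient } from '@supabase/supabase-js';",
  "const supabase = createClient(process.env.NEXT_PUBLIC_SUPABASE_URL!, process.env.SUPABASE_SERVICE_ROLE_KEY!);",
  "const stripeKey = process.env.NEXT_PUBLIC_STRIPE_SECRET_KEY;",
  "const anon = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY; // fine: the anon key is meant for the browser",
].join("\n");

const SAMPLE_FINDINGS = scanSource(SAMPLE);
console.log(SAMPLE_FINDINGS);
```

The same SUPABASE_SERVICE_ROLE_KEY reference in a file without 'use client' produces no client-file finding, which is why the page's separate server-side hardening check exists.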
The rules engine finds the issue with hard evidence. An independent model — different vendor, different prompt — then reviews the verdict and either confirms or flags disagreement. You see both side by side.
SUPABASE_SERVICE_ROLE_KEY referenced in a client component (app/admin/page.tsx:3). Confidence 99%.
Confirmed. The service role key bypasses RLS; shipping it to the browser would expose your entire database to any visitor.