How V1be Check decides
These rules are read from the source. Changing them is a UX change, not just a config tweak.
Verdict thresholds
- Any critical finding in security, auth, or payments → Blocked.
- Ship Score ≥
90and no manual checks → Launch Cleared. - Ship Score ≥
75→ Demo Ready (upgrades to Launch Cleared when manual checks are resolved). - Ship Score ≥
50→ Demo Ready. - Below that → Needs Work.
Category weights
- security: 25%
- auth: 20%
- database: 15%
- payments: 15%
- deployment: 10%
- ux: 10%
- business: 5%
- accessibility: 0%
- compliance: 0%
Per-severity deductions
| Severity | security | auth | database | payments | deployment | ux | business | accessibility | compliance |
|---|---|---|---|---|---|---|---|---|---|
| critical | −50 | −50 | −40 | −45 | −30 | −25 | −20 | −45 | −40 |
| major | −20 | −20 | −15 | −20 | −15 | −10 | −10 | −18 | −16 |
| minor | −5 | −5 | −5 | −5 | −5 | −3 | −3 | −5 | −5 |
| info | −0 | −0 | −0 | −0 | −0 | −0 | −0 | −0 | −0 |
Blocking categories
A critical finding in one of these categories triggers a Blocked verdict regardless of overall Ship Score: security, auth, payments.
Confidence
Every finding carries a confidence — high, medium, or low. Secret-shaped strings that are public by design (a Supabase anon key, a Stripe publishable key, a NEXT_PUBLIC_* URL) or that live in test fixtures and examples are demoted to low confidence rather than flagged as leaks. A low-confidence critical never forces a Blocked verdict on its own — it still costs score and shows up, but it won't cry wolf.
Dismissing a false positive
If a finding is wrong for your project, you can suppress it so it stays dismissed across scans — it won't be persisted or affect the verdict:
- Add a
.vibecheckignorefile at the repo root with gitignore-style path globs (e.g.src/generated/,*.test.ts). - Add an inline comment on or above the line:
// vibe-check-disable-line,// vibe-check-disable-next-line, or// vibe-check-disable-filefor the whole file. - Add a rule id to scope it to one rule:
// vibe-check-disable-next-line secrets.regex. Omit the id to suppress every rule at that location.