
Welcome to Trendslop.

This is the friendly version. Everything is explained as if you've never deployed anything before — because most of our users haven't, and that's the point.

Quick start (2 min)

  1. Sign up with Google or GitHub. You get 100 credits free.
  2. Connect a project from the dashboard. Pick your GitHub repo.
  3. Run an audit. Trendslop scans the repo against 17 production-readiness checks.
  4. Get findings and copy-paste fixes for what fires. Fix, then re-run.

Tip: You don't have to install anything to start. The audit runs through GitHub's app — no setup on your machine. (Continuous background monitoring, "Autopilot," is on the roadmap — see below.)

Connecting a project

From the dashboard, click Connect a new project. You'll be asked for three things:

  • A GitHub repository (we use OAuth — we never see your password)
  • Your AI builder (Lovable, Bolt, Cursor, etc. — for context only)
  • Your Supabase project URL (so we can audit your RLS policies)

That's it. Within about 30 seconds we've scanned your repo and you'll see your first Ship audit results on the dashboard.

How credits work

A credit is what we charge per audit or fix we run on your behalf. Here's the current pricing:

  • Ship audit: 20 credits per run (scans your whole repo against 17 production-readiness checks)
  • Auto-fix (diff): 10 credits per fix — real code diff PR, requires Pro or Team plan
  • Auto-fix (instructions): free — TRENDSLOP_FIX.md PR with step-by-step instructions, included with every audit on all plans
  • Fix all: 30 credits flat — bundle every failing finding into one PR (mix of diffs + instructions)

Plan credits roll over for one billing cycle. Top-up credits expire 12 months after purchase.

Some features are on the roadmap and not yet billed: Autopilot conflict checks, regression test generation, one-click deploy to AWS. Pricing for those will be announced before they launch.

Autopilot: conflict detection — roadmap

Autopilot is the layer we're building next: continuous monitoring that checks every change your AI builder makes against a dependency graph of your app, and flags anything that would break another part before it lands. It isn't live yet — this section describes how it's designed to work. Here's the kind of warning it will surface:

⚠ conflict in 3 files
↳ /pages/dashboard.tsx — column "due_date" removed
↳ /api/orders.ts — referenced by checkout
↳ /tests/orders.spec.ts — out of date

→ trendslop will offer to patch all 3 in the same commit

Integration: Clerk

Trendslop drops Clerk into any vibe-coded app that doesn't already have proper auth. To connect:

  1. Sign up at clerk.com and create an application.
  2. Copy your CLERK_PUBLISHABLE_KEY and CLERK_SECRET_KEY.
  3. In Trendslop dashboard → Settings → Integrations → Clerk, paste them.
  4. Click Verify. We'll do a test sign-in to confirm.

Integration: Stripe

Stripe is the #1 thing vibe coders get wrong. The audit flags an unsigned or missing webhook handler and gives you the fix to paste — wired the way Stripe themselves recommend:

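// The fix the audit hands you, verified.
import Stripe from 'stripe';
const stripe = new Stripe(process.env.STRIPE_SECRET_KEY);

export async function POST(req) {
  const sig = req.headers.get('stripe-signature');
  let event;
  try {
    // Verify against the raw request body; re-serialized JSON will not match the signature.
    event = stripe.webhooks.constructEvent(
      await req.text(), sig, process.env.STRIPE_WEBHOOK_SECRET
    );
  } catch (err) {
    // Missing or invalid signature: reject before any event handling runs.
    return new Response('Bad signature', { status: 400 });
  }
  // ... handle event
  return new Response(null, { status: 200 }); // acknowledge receipt
}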

Integration: Supabase

We connect via your project's REST URL and an anon key. We never ask for your service-role key. Audits read your schema and check that every user-data table has an RLS policy.

Integration: AWS SES

SES is the cheapest email infrastructure on the planet — and the most painful to set up correctly. The audit checks whether DKIM, SPF, DMARC, the inbound MX records, and the bounce/complaint webhook handler are configured, and tells you what's missing. Automatic one-click configuration is on the roadmap; see Deploying to AWS.

Deploying to AWS — roadmap

One-click deploy is a roadmap feature. The design: deploys use your own AWS account, so we never run your app on our infrastructure and never see your customer data. Today, the audit flags deploy-readiness gaps and points you to the fixes; automated one-click deploy lands on Pro plans next.

The Trendslop Certified badge

Once your app passes a full Ship audit with zero open issues, you get a Certified badge — a public URL that customers can click to see your real-time security posture. Embed it in your footer like Stripe's "Powered by" or Vercel's "Deployed by" badges.

REST API

Programmatic access is on the Pro plan and above. Base URL: https://api.trendslop.ai/v1. Auth via bearer token from Dashboard → Settings → API keys.

CLI

$ npm install -g @trendslop/cli
$ trendslop login
$ trendslop project init
$ trendslop audit            # live
$ trendslop ship --to=aws    # roadmap

Security disclosure

Found a bug? Email security@trendslop.ai. Rewards for valid reports are based on severity and impact. Full programme details on the Security page.