FOR VIBE CODERS

The QA tool for vibe coded apps that writes zero test code

You shipped it by prompting, not by writing tests. Prufa's agent drives your live app in a real browser; plain code verifies what works — no test suite to author.

No signup, no card. Public URL, ~60 seconds.

In June 2026 we pointed this same free audit at 49 products that had just launched on Show HN — 78% shipped with at least one critical bug on day one.

What you get in ~60s: six A–F section grades, verified findings with mono evidence above a quieter advisory block — and no 0–100 vanity score.

Why vibe-coded apps break in ways you can't see

You described the app and the model built it. The happy path demoed fine — that's why you shipped. But you never wrote a test, so nothing is watching the parts a demo skips: the signup that silently fails on a real email, the analytics that never fire, the page served with no Content-Security-Policy header, the link that 404s, the layout that overflows on a phone. The code reads fine. The deployed app is where the truth is — see what actually breaks in vibe-coded apps.

How Prufa tests a vibe-coded app — without a test suite

Prufa splits the job the way it should be split. An LLM-backed agent does the part humans are good at — it navigates your live app, clicks, fills, and explores, no script required. A plain-code harness does the part machines are good at — it owns the browser session, records every network request, console message, cookie, and response code, and grades that captured evidence against deterministic specs.

The agent never decides whether something passed; captured traffic is asserted against a spec. That separation is the whole reason the verdict is worth trusting. You don't author tests, and you don't read code to understand the result — every finding is one plain-English line backed by one line of machine evidence.

How does the vibe-coded app QA pass work?

Three steps, no signup. Paste a URL and watch the run stream in live.

  1. Point it at your live app

    Paste your URL — Lovable, Bolt, v0, Replit, or your own domain — or call prufa_run_audit({url}) from the same agent that built it. No signup, no card.

  2. The agent drives a real browser

    It loads your deployed app, navigates the public pages, and captures every network beacon, console error, cookie, and HTTP status — the way a new visitor's browser would.

  3. Evidence keeps the score

    Plain code grades the captured evidence into six sections (works · fast · found · measured · accessible · compliant), each an A–F. Machine-checked facts are VERIFIED; judgment calls are labeled ADVISORY and never counted toward a grade. There is no fake 0–100 score, ever.

Can the agent that built my app also test it?

If you build in Claude Code, Cursor, Cline, or any MCP host, wire Prufa in and let the same agent verify what it just shipped. The free audit tool (prufa_run_audit / prufa_get_report) works anonymously — no key, no card. A PRUFA_API_TOKEN is optional and only unlocks the persistent (paid) tools.

Install once with pip install prufa-mcp, or claude mcp add prufa --command prufa-mcp. The package is open source (Apache-2.0, prufa-dev/prufa-mcp).

agent session
agent ~ $
prufa_run_audit({ "url": "https://your-app.lovable.app" })
→ real-browser run started…
report_url:
prufa.dev/r/a1b2c3
✓ verified: 1 critical · 2 warning
advisory: 1 note (excluded from the grade)
The same agent that built the app calls prufa_run_audit and reads the evidence-gated report back — anonymously.
mcp config (.cursor/mcp.json, .mcp.json, …)
{ "mcpServers": { "prufa": { "command": "prufa-mcp" } } }

What a vibe-coded app report looks like

Verified findings are machine-checked facts — these set your grade. The advisory block is opinion, never phrased as "broken", and never counts against the grade. The two tiers never interleave.

critical No analytics events were sent ✓ verified
tracking.none_detected · / · 0 network beacons captured

Your page loaded but no tracking request ever left it — you're flying blind on day one.

warning Link to /pricing returns 404 ✓ verified
ux.dead_links · href="/pricing" · HTTP 404

A visitor who clicks your pricing link hits a dead end.

info No Content-Security-Policy header ✓ verified
security.missing_csp · GET / · no CSP header

Without a CSP, one injected script can run with full access to the page.

advisory The hero may bury the primary action below the fold

A judgment call, not a verified fact — shown for context, not counted toward any grade.

Is it safe to run on my live app?

The straight answers to what founders ask before they paste a URL.

Is it safe to run on my live app?

Yes. The free audit is read-only: a fresh anonymous browser session fetches your public pages the way a visitor would. It never submits your forms and never touches your users' data. (Chaos-style mutation testing is a separate paid mode, dry-run by default, and payments are never executed.)

Isn't this just a crawler or a Lighthouse score?

No. A crawler reads your HTML; Lighthouse scores one page's performance. Prufa drives the rendered app in a real browser and checks what actually happens on the wire — whether analytics fired, whether a link 404s, whether a security header like CSP is missing. And there's no fake 0–100 number: you get severity counts and an A–F per section, computed from machine-verified findings only.

Does it see my code, or my users' data?

Neither. It's a black-box external check against your public URL. It records network requests, console output, and the rendered DOM — never your source, never your users' inputs. Reports are unlisted behind a share token and carry a noindex tag.

How is it different from testRigor, Autonoma, or a security scanner?

Those either generate test scripts (Autonoma reads your codebase to do it — useful if you want a suite to keep) or scan for exposed secrets (which Prufa can't see). Prufa's edge is no test authoring at all and an evidence-gated verdict. See our honest roundup of AI QA tools for where each one genuinely wins.

Frequently asked questions

The questions vibe coders actually ask before running their first audit.

How do I test a vibe-coded app without writing tests?

Point Prufa's free audit at your live URL — Lovable, Bolt, v0, Replit, or your own domain. An LLM-backed agent loads the app in a real browser and clicks through it; plain-code analyzers then grade the captured network traffic, console errors, security headers, and response codes. You write no test code. For a step-by-step version, see our 6-step process to test a vibe-coded app.

What's the best QA tool for Lovable, Bolt, or v0 apps?

Use a tool that tests the live, deployed app — not the prompt and not the repo. Prufa runs your public URL in a real browser the way a visitor would, with no test authoring and no code access required. The free 60-second audit returns six graded sections (works, fast, found, measured, accessible, compliant) as A–F grades, with no signup and no card.

Do I need to understand the code to QA a vibe-coded app?

No. Prufa is a black-box check: it fetches your public URL like a new visitor, records what the browser does, and verifies the result against deterministic specs. You never read a test suite or a stack trace — each finding is a plain-English title with a one-line evidence trail. That is the point for founders who prompted their app into existence.

Can it catch broken flows, not just security issues?

Yes. The free audit walks your public pages and flags broken links, missing analytics, console errors, missing security headers, and layout breakage. Beyond that, Prufa's flow engine runs signup, login, and checkout as plain-text test cases in a real browser and machine-verifies the outcome. It is not a security scanner — it can't see a key hardcoded in your client bundle (why a black-box check can't see exposed keys).

How is this different from testRigor, Autonoma, or a security scanner?

testRigor and Autonoma generate reusable test scripts — Autonoma even reads your codebase to do it, a real advantage if you want a suite to keep. A security scanner finds exposed secrets Prufa can't see. Prufa's edge is no test authoring at all plus an evidence-gated verdict: the agent navigates, plain code verifies, and opinions are labeled advisory and never counted toward a grade.

Give your vibe-coded app a QA pass it can trust

Paste your URL. Real browser, machine-verified findings, ~60 seconds — no signup, no card.

See pricing →