FAQ · under the hood

What every check actually does — in plain language.

getAdvantage is an independent layer that checks the app you built with AI. Here's exactly what each part reads, what it can tell you, and what it can't — no jargon, no over-claiming. We tell you what we found; we never claim your app is “secure”.

Looking for the developer reference (endpoints, the MCP server)? That's the API & MCP docs. This page is the human version.

The scan

One link, three independent reads — never blended into one number.

Paste one URL and a single scan returns three separate verdicts. Each looks at a different thing AI and buyers actually see, so we keep them apart — a model, a buyer and a leak are three different questions.

Found by AI — AI findabilityWe read your page the way ChatGPT, Perplexity and Gemini do, and check the on-page signals a model needs to parse, name and cite you — a clear title and description, structured data (JSON-LD), a sensible heading structure, an /llms.txt, enough real text in the HTML, and whether your robots.txt blocks AI crawlers. You get each gap plainly, with the exact paste-ready fix.
Ready to convert — conversion readinessWe read your page cold, the way a first-time visitor does, and tell you what we understood in about five seconds: what your app is, who it's for, and whether the value and the next step land. Where they don't, you get the fix. This is a read of clarity, not a guarantee of sales.
Safe to ship — shipped-safety checksWe run seven checks for the exposures that slip into apps built with AI: secret keys leaked into the browser bundle, exposed Supabase / Firebase config, a publicly served .env or .git, missing security headers, an open CORS policy, traffic not on HTTPS, and published source maps. We tell you exactly what we found on your page. We don't test that your app works, and we don't certify it secure.

Three lenses, three honest verdicts, three sets of paste-ready fixes — we never average them into a single vanity score. See how it works →

Ship-Safe · local CLI · launching soon

One command reads your whole repo — before you deploy.

The scan above reads your live page. Ship-Safe is the other half: a dependency-free command you'll run inside your project, right before you ship. It reads your repo locally — nothing leaves your machine — and ends with one plain verdict: GO or NO-GO. It's built and we run it on our own repo daily; it's in final testing, not published yet — so don't run the unscoped ship-safe name (an unrelated package). The scoped command ships soon: join the waitlist → Here's every check and why it matters.

No secrets in codeScans the files you're about to commit for leaked keys and tokens (OpenAI, Stripe live keys, AWS, GitHub tokens, webhook secrets, private keys, and more). It prints the file and a masked fingerprint — never the full secret. Why it matters: a key pushed to a repo is the single most common, most expensive AI-app mistake. This is a hard NO-GO.
Clean working treevercel --prod ships your working tree, not a commit — so uncommitted edits (or a teammate's half-finished work) can reach production by accident. Why it matters: it stops you shipping something you never meant to. Tracked changes are a NO-GO; untracked-only files are a warning.
Build + typecheckRuns tsc --noEmit (and a full npm run build with --build) and prints the error tail if it fails. Why it matters:a build that's broken locally is broken in production. A failure is a NO-GO.
Schema-version bumpIf your database setup file changed in a way that adds or alters tables but the schema version constant didn't move, it warns you. Why it matters: a missing bump silently skips the change on a real production database — the app passes every test and quietly breaks live. This is a warning, so you decide.
Your API surface (map)Lists every route your app exposes — its URL, the methods it answers, and whether it looks gated by a login or a shared secret. Why it matters:an AI agent can wire up a hundred endpoints in an afternoon; this shows you what's reachable before it's live. It flags a route that changes data with no gate at all.
Agents & integrations (map)Lists the external services and the env keys behind them — ChatGPT, Claude, Perplexity, Gemini, Stripe, email, your MCP server, and more. Why it matters: nothing should ship that you forgot was wired in. It warns if a secret key would end up in the browser bundle.
Schedules & jobs (map)Lists the scheduled jobs (crons) in your project and whether each one is protected. Why it matters: a job firing in production without a gate is a job anyone can trigger. It warns on an ungated cron or a schedule with no matching handler.
Safe deployship-safe deploy runs the checks first, then deploys from a clean copy of the exact commit (so no stray local work rides along), reads your deploy token from an env var by name (never printed), and confirms the deployment landed on the right project— stopping if it didn't. Why it matters: it makes the careful, safe deploy the easy one.

Every check above runs locally, on your machine — and Ship-Safe is in final testing now. Get it the day it ships →

What's coming

The CLI is launching soon. The team system around it comes after.

We're honest about what exists. The gate above is built and dogfooded, in final testing now. The following is further out and not built yet— we'll never present it as live until it is.

Ship-Safe in CIcoming — not built yetGate every push automatically from a GitHub Action, not just by hand.
Deploy historycoming — not built yetA record of what shipped, when, and what the gate said.
Team config & web dashboardcoming — not built yetOne shared policy across everyone's repos, viewable in a browser.
The live monitorcoming — not built yetA check that the shipped app actually works — not just that it built.

The rest of the toolkit

The project brief, the embed, and the loop.

Three more pieces people ask about — answered straight.

What is the “project brief”?

It's the idea that your project's context — what the app is, who it's for, the checks that matter to you — lives as plain files in your own repo, not locked inside one AI tool. Ship-Safe will read your repo where it sits; nothing is hosted on our side. The practical payoff: when you switch the model or tool you build with, that context doesn't evaporate — it's yours, in your code. (Today this is the repo-resident approach itself; the brief generator ships with the Ship-Safe CLI, which is in final testing.)

What does the embed actually do — and what can’t it do?

On a paid plan, one line of script applies the DOM-safe fixes for you: JSON-LD, FAQ blocks, and missing meta tags (description, Open Graph, canonical, title). It only adds a tag when a real one is missing — it never clobbers a better tag you already have. It can't create real files like llms.txt or robots.txt— a browser script can't guarantee a non-JavaScript crawler ever sees an injected tag, so those stay files you place yourself. We say this plainly rather than hide it.

What is the loop, and why does it matter more than a one-time score?

A scan is a photo; your app is a film. The loop is measure → fix → re-measure: we re-scan on your plan's schedule and tell you the moment something regresses — a deploy strips the JSON-LD, a template change drops your meta, or a new exposure ships. A tool that only scores you once can't tell you the fix actually held. Proving the gain, and catching the drift, is the part a one-time scanner structurally can't do.

Do I need to be a developer to use any of this?

No. The scan takes a URL and gives plain-language verdicts and paste-ready fixes. Ship-Safe will be one command you copy into your project (it's launching soon). If a term ever isn't clear, the why-it-matters page explains the whole thing for non-technical readers.

Is it free? What do I pay for?

The scan and the fixes are free — they're yours to read and paste. Ship-Safe (the CLI) will be free when it launches. You only pay when you want the DOM-safe fixes auto-applied from the one-line embed and the daily monitoring that watches for drift. Start free, no card. See pricing →

Which AI engines do you actually check?

We read your page against the on-page signals every engine relies on, and we run live perception against ChatGPT, Perplexity and Gemini (Claude on the Agency plan). Google AI Overviews is a separate surface we don't probe yet, and we say so. We never imply an engine already recommends you — that's an honest, separate “in progress”.

Want to see it on your app?
Free, in under a minute.

Paste one link and get the three reads, plain — and get Ship-Safe the day it ships.