Get your Claude Code project reviewed, architecture, security and infrastructure in view
Claude Code builds a lot, and very fast, but a production-ready project is decided by auth, RLS, secrets, dependencies and infrastructure. I review a project built with Claude Code on exactly those points and keep it under ongoing technical oversight afterwards, instead of stopping at a one-off audit.
- Baseline from 790 €
- Fixed monthly plans
- Repo + CVE + infrastructure
- German point of contact
Direct point of contact
Timo Wevelsiep
Software engineer, cloud architect, founder & managing director
I review code, security and infrastructure and surface what is technically risky before launch, customer use or due diligence.
I have delivered production software, infrastructure and cloud systems for clients worldwide, including Europe, the UAE, Asia, Australia and the Americas: from automated multi-location platforms and cloud migrations to remote access systems for industrial plants.
For questions like:
- Is this release production-ready?
- Which CVEs are really critical?
- Are auth, data access and tenant isolation clean?
Claude Code builds a lot and fast, but production gaps remain
Claude Code generates whole features, migrations and deployments in no time. The speed is impressive, yet the decisions that determine real production are often missing or incomplete. These are the gaps I see most often in Claude Code projects:
- Authentication without a clean roles and permissions model
- Supabase RLS not enabled, too open or inconsistent per table
- Secrets and API keys in the frontend, in configs or in the repository
- Dependencies with known CVEs, often several versions behind
- Tests missing, only placeholders or not covering the critical paths
- Infrastructure without a backup, recovery and rollback plan
- No monitoring and no logging when something breaks in operation
- Open or unthrottled endpoints without rate limiting
Why even strong AI code needs an independent review
Claude Code often writes clean, readable code. That is exactly the trap: code that looks good is rarely questioned. Readability is no proof that tenant isolation holds, that secrets do not leak or that the infrastructure survives an outage.
The model optimises for the prompt in front of it, not for the whole system. It rarely sees the full attack surface, does not know your data flow across multiple tables in detail, and does not check whether a dependency has picked up a new CVE since its training cut-off. Letting the same assistant grade its own code also tends to produce an overly favourable verdict.
An independent review looks at the repository and infrastructure from the outside, with a clear severity per finding and human prioritisation. Not to talk Claude Code down, but to close the gaps that sit between building fast and real production.
What I review in your Claude Code project
I look at the points that decide production readiness and rank every finding by severity. I review:
- Repo and architecture: structure, dependencies, obvious weak spots
- Security and access control: auth, roles, exposed secrets
- CVEs and dependencies: known vulnerabilities in the packages you use
- Database and RLS: tenant isolation, policies, access protection
- Infrastructure, deployment, backups and monitoring
- Production readiness: what is still missing before real users
One review is not enough: ongoing oversight
A one-off audit describes yesterday's state. With Claude Code, features land daily: every new feature adds new dependencies, new CVEs surface every week, and every prompt shifts the architecture a little. An action plan that is four weeks old no longer covers that movement.
This is exactly where Veriploy comes in: you get the project reviewed once (Baseline) and then keep it under ongoing technical oversight with Oversight, Guard or Launch. That keeps the risk dashboard current instead of going stale with every merge.
On an ongoing plan, new dependencies and CVEs are watched, risky changes are flagged early, and before larger releases you get a human judgement instead of an automated score. Async sparring and a direct channel are included depending on the plan.
Baseline or ongoing plan
You start with a one-off review and then decide whether ongoing oversight makes sense. Prices are fixed and transparent.
| Baseline 790 € | Plan from 990 €/mo | |
|---|---|---|
| Scope | Deep initial baseline: repo, architecture, dependencies, config | Recurring reviews based on the baseline |
| Result | Risk dashboard, CVE baseline, secrets check, plan recommendation | Recurring reports with fix prioritisation |
| CVEs and dependencies | Full baseline as a reference point | Ongoing CVE and dependency monitoring |
| Support | One-off, with a recommendation for the right plan | Async sparring and a direct channel by plan |
| Best for | Clean starting point before any plan | Projects that keep growing with Claude Code |
How the Claude Code review works
- 01
Fit check
Free first contact: a short check of whether a review fits the Claude Code project and which question matters most. No obligation and no effort on the project side.
- 02
Scope and access
Define which repository, which environments and which areas get reviewed. Read-only access is set up and the focus on tests, CI/CD and operability is agreed.
- 03
Technical analysis
Review of test coverage on critical paths, the CI/CD pipeline and build gates, operability with monitoring, logging and rollback, plus the context gaps that Claude Code leaves between individual prompts. On top of that, auth, RLS, secrets and CVEs in the dependencies.
- 04
Report and recommendations
Findings land in a clear report: risk dashboard, prioritised findings and concrete recommendations with a verdict on what to do now, before launch or later.
- 05
Next step
A Baseline can turn into ongoing oversight when needed: Oversight, Guard or Launch keep tests, CI/CD and dependencies current while the project keeps growing with Claude Code.
Many projects start with a Baseline review. If the product keeps being built with AI afterwards, I can provide ongoing oversight.
What I need for the review
- Read-only access to the repository
- a short description of stack, tool and goal
- details on hosting and deployment
- database and auth context
- notes on sensitive data or user roles
- open questions or specific concerns
What the review delivers
- an understandable risk dashboard
- top risks at a glance
- prioritised findings
- concrete recommendations
- a verdict: fix now, fix before launch, plan for later
- an optional recommendation for Oversight, Guard or Launch
What a finding looks like
The Supabase service-role key sits in the frontend bundle and can be read from the shipped JavaScript file. Recommendation: keep the key server-side, rotate it and use it only through a protected route.
Let Claude Code review itself or review it independently?
| Claude Code reviews itself | Veriploy independent | |
|---|---|---|
| Perspective | Optimised for the current prompt | Outside view on repo and infrastructure |
| CVEs and dependencies | Training state, no live comparison | Ongoing monitoring with alerts |
| Tenant isolation | Rarely sees the full data flow | Targeted review of RLS and policies |
| Before a release | Automated, often favourable verdict | Human prioritisation included in the plan |
| Over time | Only assesses the moment of the prompt | Continuous, with every new change |
Frequently asked questions
Is Claude Code output worse than hand-written code?
Not by default. Claude Code often produces clean, readable code. The risks lie less in the syntax than in architecture and operations decisions: roles, RLS, secrets, dependencies and infrastructure. Those are exactly the points I review, regardless of how the code was created.
Can't I just ask Claude Code for a review myself?
You can, but the same assistant that built the code often grades it too favourably and rarely sees the full attack surface or new CVEs since its training cut-off. An independent Claude Code review looks at the repo and infrastructure from the outside and prioritises the findings with a human.
Do you also do the fixes?
Not within the plan. I review, prioritise and explain what needs to be done. Implementation runs separately through Wevelsiep Advisory or WZ-IT, or your own team. That keeps the review independent from the implementation.
Do you need repo access?
Yes, read-only by default. Read access to the repository is enough for the review. I do not need write access, because I do not commit the fixes myself.
What does it cost?
The entry point is fixed: Baseline 790 € as a one-off review. Ongoing oversight starts at 990 € per month (Oversight), then Guard at 1.950 € and Launch at 3.900 € per month, with larger projects on Scale on request. All prices net plus VAT. Ongoing packages start with a 3-month minimum term, then cancelable monthly, unless agreed otherwise.
How fast do I get results?
I deliver the Baseline within a few business days. On an ongoing plan you get regular reports and a prompt heads-up on critical CVEs.
- Cursor code review, from prototype to a production-ready codebase
- CodeRabbit alternative? When a tool is enough and when a human should look at the repo, CVEs and infrastructure
- Make your AI app production-ready, spot technical risks before real users
- Repo review subscription, a recurring senior look at code, CVEs and architecture
Do you recognize these risks in your own app?
The AI-app risk self-check assesses product status, stack, auth, data access, infrastructure, CVEs and your technical knowledge, and shows whether a review makes sense.
Get your Claude Code project reviewed and keep it monitored afterwards.
Start with the Baseline, then ongoing oversight in the plan that fits.
Check repo fit
Briefly describe the project.
Direct contact with me, no anonymous ticket system. I get back to you with a first assessment and the right entry point.
Timo Wevelsiep
Software engineer, cloud architect, founder & managing director