Public Source Map Confessional
What it is
Source map artifacts or production source map settings may expose implementation details after deployment.
This usually appears when generated code proves that a feature works but does not leave enough evidence that the launch boundary was checked.
How to fix it
Disable public production source maps or restrict sourcemap upload to private error-reporting systems.
- 1Disable public production source maps for browser assets.
- 2Upload source maps only to private error-reporting systems when needed.
- 3Check deployed assets for exposed map files.
How VibeAudit checks for this
VibeAudit checks this with Q0_EXTERNAL_SHALLOW source-map observations and SAST_LOCAL_STRUCTURAL production source-map configuration evidence when local files are supplied. The free tier may show the surface name only, without private evidence or remediation details. Metadata-only surface maps do not create missing-control findings. Unsupported private repositories, authenticated behavior, destructive workflows, account configuration, and business logic remain unverified unless the scan includes matching local, imported, or authorized runtime evidence.
Related failure modes
Check your public launch surface and keep unsupported scope visible.
Run Quick Scan