Lavana: A D2C Beauty Storefront Design Study
A concept design study exploring D2C beauty storefront design — brand system, PDP, checkout, and the trade-offs we made.…
Etherlabz · The emergency room for vibe-coded apps
Built with Lovable, Bolt, v0 or Cursor and getting real users? We audit the five things that leak data and lose money: auth, payments, secrets, error handling, monitoring. You get a written report in 48 hours. Fixed prices, no rewrite upsell.
Or send a brief. We reply within a working day.
170+ Lovable apps exposed user data through one missing Supabase default (CVE-2025-48757). Ours is the audit that catches it: ~$350, yours to keep either way. No call needed: send the repo, we confirm within hours.
Key leaking right now? Emergency triage first: tell us here →
01 What we are, plainly
Mradul owns engineering: audits, rescues, micro-SaaS, ecom. Sanya owns design: brand, product, web, mobile. A small team works behind them to ship faster, but a founder always owns your project.
02 Fix, audit & harden
Fixed prices, written reports, and the audit fee is credited if we do the fix. The diagnosis is free when we do the surgery.
€299
~$350 · 48 hours · fixed price · written report
We go through the five failure modes: auth, payments, secrets, error handling, monitoring. You get a severity-ranked report with a fixed quote to fix. Yours to keep either way.
Book the audit → Development · best way in€990
~$1,150 · 1 week · fixed price · audit fee credited
We fix the top launch-blockers from the audit: access control and auth, exposed keys rotated, a payment flow that actually charges. The audit’s €299 comes off this price.
Start with the audit → UI/UX€490
~$570 · 1 week · fixed price · annotated report
Your app works but loses people. A designer walks your real flows: onboarding, checkout, empty states. You get an annotated, prioritized fix list engineering can act on.
Book the UX audit →Bigger job? A full production rescue is a scoped fixed price from €1,900, typically 20–40% of what the original build cost, roughly 10× cheaper than starting over. Ongoing care plans from €250/mo. Everything on the pricing page.
03 What we check
Users can often read each other’s data by changing a parameter. The usual cause: missing row-level security.
A Stripe button that shows “Thanks!” but never actually charges.
API keys and database strings committed to git history forever.
Happy-path code that fails silently the moment real traffic hits.
“Production” is a preview URL; you learn about bugs from customer emails.
$ etherlabz audit ./your-app
auth ........... FAIL rls missing on 4 tables
payments ....... WARN webhook unverified
secrets ........ FAIL key in git history
errors ......... WARN traces exposed
monitoring ..... FAIL none configured
report + fixed quote in 48h →
Next.js, Supabase (yes, RLS), Stripe, Vercel, Firebase, Node: the exact stack Lovable, Bolt and v0 emit. And we run our own production auth + billing every day: ReliPay is our MIT-licensed, self-hostable auth & billing product. Read the code before you trust us.
NDA by default. Read-only repo access to start. Any secret we touch gets rotated before we hand back. You get a written report you keep either way. And we tell you plainly what we did and why.
Selected work
Live · 12 projects
Three of our own MVPs: the clips below are demos straight from the apps. Press play.
Document-AI MVP
Spec + drawing PDFs in, a priced quote out.
Email MVP
A real visual flow builder you self-host.
ERP MVP
Team time-tracking with a real approval loop.
Also in the catalogue: ReliPay · LocalLeads · Lavana · Allegra · BlackVault · Eon Vita · IntentOS · FLOX-AI · NovaMind
04 Beyond the rescue
Fixing vibe-coded apps is the front door. Behind it: the design studio, micro-SaaS and mobile builds, and ecom engineering, each on its own page.
The design studio behind the rescue work: brand identity, product & SaaS interfaces, web, dashboards and mobile, drawn to be built, then built by the same team.
Learn more about Design: brand, UI/UX, product →A narrow product built right: auth, billing, a basic admin view, and a core loop users come back to. Designed and shipped by the same team.
Learn more about Micro-SaaS & mobile builds →Custom WooCommerce, headless storefronts, product configurators, and the connectors nobody wants to write.
Learn more about Ecom engineering →05 What we've shipped
Not borrowed logos. Products and code we run ourselves: an auth-and-billing stack, a live SaaS, and open-source plugins. Poke around; it's all here.
Self-hostable auth + billing behind one API: a user's login and their plan in one place. Docker Compose, MIT-licensed, public beta. The exact rails we build into every product.
See ReliPay → Our SaaSGoogle Maps lead extraction with email enrichment and quality scoring. A live, paid product we built end to end.
Read more → Open sourceWordPress as a headless CMS done right: featured-image URLs, normalized SEO, per-post stylesheet manifests. The plumbing every headless team rebuilds; we shipped it once.
View on GitHub → Open sourceWooCommerce ⇄ Intercom: customer sync, event tracking, abandoned-cart recovery, and AI order-lookup REST endpoints. The auth and integration hygiene we bring to every build.
View on GitHub →One is a verified 5.0 review on Clutch; the other two are from past clients, kept verbatim. Most of our current work is under NDA, and these reviews come from our engineering work: the design proof is the portfolio and the open code above.
“Communication was clear, consistent, and highly responsive, making collaboration smooth and efficient. … Their team consistently demonstrated professionalism, adaptability, and a genuine commitment.”
“Working with EtherLabz has been transformative for our technical infrastructure. … What truly sets them apart is their ability to anticipate scaling challenges before they become problems. They've built robust APIs our front-end team loves, and security practices that give us complete confidence in our data handling.”
“Working with Etherlabz has been an incredibly smooth and professional experience from the start. Their communication has been clear, consistent, and thoughtful throughout every phase of the project. …”
Full statement
“… What really stood out to me is how collaborative and invested they are in the success of the project. They don’t just take instructions; they offer ideas, suggest improvements, and make sure everything stays aligned with the original vision.”
Worked with us? Leave a review on Trustpilot.
06 Who you'll work with
Etherlabz is founder-led: Sanya on design, Mradul on build, with a small team behind us to ship faster. We started the studio in 2025: new as a shop, but not new to the work. Mradul's built backends and configurators for over a decade, and Sanya's portfolio speaks for itself. You talk to the founder who owns your project, not an account manager relaying messages.
Mradul Tripathi
Co-founder · Engineering
Builds the products, the backends, and the plumbing. Micro-SaaS, mobile, WordPress, Next.js, NestJS for over a decade.
LinkedInSanya Madre
Co-founder · Design
Owns UX and visual direction: brand, product UI, dashboards, mobile, landing pages. The portfolios on Dribbble and the brand on this site are her work.
LinkedInField notes on design and engineering: brand, product, SaaS, ecom, and the work in between.
A concept design study exploring D2C beauty storefront design — brand system, PDP, checkout, and the trade-offs we made.…
Edge functions are precise tools, not free upgrades. Here’s what they’re actually good at for ecommerce — A/B tests, geo…
If you’re shipping a sub-2,000 SKU store, a Postgres cluster and a headless CMS is over-engineered. Astro plus an edge S…
07 FAQ
The security & launch audit is delivered in 48 hours. If something is actively leaking, like an exposed key or an open database, say so in your brief and we triage the emergency first.
The audit is €299 (about $350). Most apps then need the €990 critical fix sprint. A full production rescue is a scoped fixed price from €1,900, typically 20–40% of the original build cost. The audit fee is always credited when we do the fix.
Usually not. The UI, the design and the real logic carry forward, often 30–50% of what you shipped. We rebuild only the dangerous parts and tell you exactly which is which.
The stack AI builders actually emit: Next.js, Supabase (including row-level security), Stripe, Vercel, Firebase and Node, plus WordPress/WooCommerce for ecom. We run our own production auth and billing (ReliPay, MIT-licensed).
NDA by default, read-only repository access to start, and any secret we touch is rotated before handback. You get a written report you keep whether or not you hire us for the fix.
Start with the 48-hour €299 audit, a keep-it-either-way diagnosis, or book a 30-minute call. Either way we tell you plainly what’s solid and what’s a risk.
Prefer to write rather than call? Send a project brief →