On your side when you code. Catching problems before you merge. Always on watch once you ship.

Panache backs your agency across the whole life of a site: hardening your config while you build, diffing every preview against production, checking every live site around the clock, and keeping signed, timestamped proof that it all held.

Free for one site. First findings in 30 seconds. Nothing to install to start.

Client portfolio · 23 sites checked

  • A · atelier-nord.com · 94
  • A · maison-claire.fr · 91
  • B · studio-helio.com · 84
  • C · shop-arpege.com · 72
  • F · legacy-2019.net · 41

Built by an agency, for agencies. Panache runs on our own client portfolio, every day.

Next.js · Vercel · GitLab · GitHub

The real job

Shipping quality is your craft. Keeping it is a system.

You build it right: clean config, hardened headers, a stack you chose with care. But quality is not a state, it is a discipline that starts at the first commit and never really ends. The portfolio grows, dependencies age, rules change, and your team ships faster than ever with AI writing more of the code. Holding the bar across every client site takes more than craft. It takes a system.

Entropy never sleeps.

Dependencies, domains, certificates, headers, cookies. Production degrades silently, on every site at once.

Speed outruns review.

AI-assisted teams ship more code than any human reads. The blind spots ship too.

Your best work is invisible.

Maintenance done well looks like nothing happened. Clients only notice the one time it breaks.

Panache exists so none of this lands on you at 3am. Or in a client call.

The loop · 01

On your side when you code.

  • Security defaults wired into your Next.js config with one line.
  • A Content Security Policy learned from your real traffic, not guessed from a blog post.
  • Your Postgres schema audited for RLS gaps before they become incidents.
  • Ground truth for your coding agent over MCP: real findings, real evidence, straight into Claude Code or Cursor.
next.config.ts
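import type { NextConfig } from "next"
import { withPanache } from "@withpanache/nextjs"

// Your existing Next.js options go here; the wrapper is the one added line.
const nextConfig: NextConfig = {}
export default withPanache(nextConfig)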
CSP learning · from real traffic
script-src 'self' www.datocms-assets.com (observed)
img-src 'self' images.example-cdn.com (observed)
connect-src 'self' api.acme-shop.com (observed)
panache-bot commented on !128 just now
B
Preview vs production
2 new findings on this branch
security-headers: pass
ssl-certificate: pass
bundle-size +42 KB: warn
new dependency CVE: fail
View the full diff on Panache

The exact format Panache posts to GitLab, generated from a preview diff.

The loop · 02

Catching problems before you merge.

Every preview deploy gets scanned and diffed against production. A new vulnerability, a missing header, a heavier bundle: it shows up on the merge request, not in production. Posted where your team already works, on GitLab merge requests and Vercel checks.

Start with one client site

The loop · 03

Always on watch once you ship.

Security, performance, SEO, compliance and uptime, checked around the clock on every site you run. Fixes arrive as merge requests, ready to review. Everything else comes with evidence and a clear path to resolution.

You find out before it becomes a client call.

Strict-Transport-Security missing (high)

Observed on shop-arpege.com. Responses are served without HSTS, leaving first visits open to downgrade.

How to fix: headers: [{ key: "Strict-Transport-Security", ... }]
fix: add Strict-Transport-Security header · !142 · opened by Panache
ready to review

Proof

The work your clients could never see. Now they can.

Every check, every fix, every quiet month of a healthy site builds a record: grades, score history, and signed, timestamped snapshots designed so nobody can quietly rewrite them, not even us. Share a site's public report. Export the evidence. Walk into the renewal meeting with proof instead of promises.

  • A grade per site, A to F, that a non-technical client understands in one glance.
  • A monthly white-label report for every client, ready to send with your maintenance invoice.
  • A public report page per site you can share with a link.
  • Signed PDF snapshots, PAdES + RFC 3161 timestamped, for the records that matter.
Public report · maison-claire.fr
A · 91/100

  • Security: 95
  • Performance: 88
  • Dependencies: 82
  • Configuration: 100

Signed snapshot · PAdES + RFC 3161 · Export PDF

AI-native

Sixty sites scanned. Three things to do.

Panache reads every finding across every client site and writes the brief a senior consultant would: what to fix right now, what will bite in the next 30 days, what you already won this week. Ranked by business impact, not raw severity, with named sites and concrete actions you can forward to a client as is.

Rewritten after every scan, for the whole portfolio at once.

Expert glance · updated after every scan

Right now

Bump nodemailer on 3 sites. One known vulnerability, same fix everywhere.
Add the missing security headers on client-store.com before the campaign launch.

What to anticipate

SSL certificate on atelier-nord.fr expires in 12 days.

Wins this week

7 fixes shipped across 4 sites.
Written for you, not parsed from a dashboard.

MCP

The reviewer that didn't write the code.

Your team ships AI-written code every day, and AI reviews it with the same blind spots that produced it. Panache verifies from the outside, black box: what your site actually exposes, actually loads, actually leaks in production. Then it hands the findings to your coding agent over MCP, so the agent that fixes the problem works from facts, not guesses.

Works with Claude Code, Cursor, and anything that speaks MCP.

Claude Code · read-only
What is failing on shop-arpege.com before I push this fix?

3 findings from the latest scan, with evidence:

CSP missing frame-ancestors on /checkout (high)
2 trackers fire before consent (high)
LCP at 4.1s on /products (medium)
Live findings over MCP

Depth

Deep where it matters.

More than 160 individual checks across security, performance, SEO and compliance. A few you will not find anywhere else:

  • Your Postgres schema parsed and audited for RLS coverage and dangerous grants.
  • A CSP built from your real production traffic, then watched for drift.
  • Trackers firing before consent, observed the way an auditor would observe them.
  • Cookie lifetimes checked against the CNIL 13-month cap.
  • Source maps, env files and 40+ sensitive paths probed on every site.
  • Dependency CVEs traced through your actual lockfile, not a generic advisory feed.
  • Your own custom checks: assert what must load, and what must never load.

Security

Headers, TLS, exposed files, CSP drift, dependency CVEs.

CSP · HSTS · .env · CVE

Performance

Lighthouse runs, Core Web Vitals, bundle weight per deploy.

LCP · CLS · bundle size

SEO

Robots, sitemaps, meta tags, broken links, redirects.

robots · sitemap · 404

Compliance

Consent, trackers, cookies, legal pages, observed as an auditor would.

GDPR · consent · cookies

Built in Europe, for the rules you actually operate under.

Consolidate

Five subscriptions. One system.

The checks are scattered. The responsibility is not.

Uptime here, CVE alerts there, Lighthouse in CI, a link checker somewhere, and a launch checklist in a shared doc that nobody reruns. Panache replaces the pile with one loop and one source of truth across every client site.

How it works

Live in 30 seconds. Deeper when you're ready.

01

Add a domain.

External checks start immediately. No agent, no SDK, no code change.

02

Connect Vercel or GitLab.

Every preview gets diffed against production, results land on the MR.

03

Add the plugin.

One line in next.config: security defaults, dependency manifests, CSP learning.

Each level works on its own. Adopt at your own pace, site by site.

Trust

Built to observe, never to operate.

Panache watches your sites from the outside. It never runs inside your production and never touches more than what you choose to send it. Hosted in the EU, with strict isolation between every customer, enforced at the database level.

EU hosting · Per-tenant isolation · Observer by design · You stay in control

Fair questions

The objections, answered straight.

We're not only on Next.js.

External checks work on any site, any stack, today. The deep loop (plugin, branch diff, autofix) is Next.js-first. Nuxt and Astro are next.

We're on GitHub, not GitLab.

Preview checks already land in your Vercel checks. Native GitHub comments are rolling out during the private beta.

Is this an APM or a status page?

No. Sentry tells you about errors in your code. Panache verifies the site itself: what it exposes, how it performs, what it proves. They work well together.

Is this just Lighthouse with better branding?

No. Lighthouse is one signal, and Panache runs it. Then it ties live checks, preview diffs, dependency context and signed evidence to every client site you run. Lighthouse scores a page; Panache backs a portfolio.

Will it flood us with alerts?

Findings come with severity, evidence, and a fix path. No alert without a reason you can read.

Where does our data live?

In the EU. Panache observes your public sites and what you choose to send it. Nothing more.

Plug in one site. Watch the findings land.

Thirty seconds from domain to first findings. No install, no sales call, no card.

Start free

Detect. Verify. Fix. Prove.