Scan report (demo)

AutoFix AI

This repository claims to be an "AI-powered automated code review and fix platform" with real-time analysis, automated PR fixes, and security scanning. The implementation integrity scan found 47 findings across 6 categories. The codebase consists almost entirely of placeholder routes returning hardcoded success responses, dashboard components powered by Math.random(), and Stripe/OpenAI integrations that never make actual API calls. Only 2 of 11 claimed features have any implementation evidence.

5/5/2026, 2:32:00 PM · 89 files analyzed · 28 findings · 11 claims

Integrity: 22, Likely AI slop
Placeholder: 18
Claim mismatch: 12
Skeleton CRUD: 15
Fake integration: 8
Tests: 45
Security theater: 10
Dashboard illusion: 5

Language breakdown
File count, lines of code, and finding density per language. Density = findings per 100 lines.
Language    Files  Distribution  Lines  Dens.
TypeScript  20     26 findings   111    23.4
JSON        2                    10     0.0
YAML        2                    15     0.0
CSS         1                    6      0.0
HTML        1                    3      0.0
Markdown    1                    11     9.1
Shell       1                    5      0.0
SQL         1                    6      0.0
Env         1                    4      0.0
Prisma      1                    9      0.0
TOML        1                    4      0.0

Weakest feature claims
Claims with the least implementation evidence.
  • Real-time collaboration with WebSocket updates
    README.md:5
    Missing

    No WebSocket server, no Socket.IO, no real-time subscription. The README claims real-time collaboration but the codebase has zero WebSocket-related imports or routes.

  • Email notifications for review completion
    src/components/Settings.tsx:34
    Missing

    No email provider SDK, no SendGrid/Mailgun/SES imports, no email template engine. The settings UI has a toggle for notifications but no backend handler.

  • Multi-tenant workspace isolation
    src/app/page.tsx:22
    Missing

    No workspace or organization model, no tenant isolation in database queries, no multi-tenancy middleware. The UI shows a workspace selector but it is cosmetic only.

  • Export reports to PDF and CSV
    src/app/page.tsx:26
    Missing

    The export endpoint returns null. No PDF generation library, no CSV serialization, no file download logic. The button in the UI is non-functional.

  • Automated PR fixes pushed directly to GitHub
    README.md:3
    Mocked

    The fix endpoint returns a hardcoded success response with null fix. No GitHub API calls, no branch creation, no PR creation. The README claim is entirely aspirational.

  • Webhook notifications for CI/CD integration
    README.md:10
    Mocked

    A notify route exists but only contains a comment "here you would integrate with SendGrid". No webhook dispatch, no HTTP client calls, no event emission.

  • Background scanning with scheduled cron jobs
    src/components/Dashboard.tsx:8
    Mocked

    A schedule route exists but contains only "cron scheduling not wired up" as a comment. No cron system integration, no job queue, no recurring task execution.

  • Role-based access control for team management
    src/app/page.tsx:12
    Mocked

    An rbac.ts file exists with role constants defined, but actual middleware and route guards contain only TODO comments. The role check is a no-op.

  • AI-powered code analysis with GPT-4
    README.md:1
    Mocked

    OpenAI SDK is imported and a client is instantiated, but every call returns simulated data. The analysis route throws "not implemented" or returns { ok: true, issues: [] }. No real code analysis occurs.

  • Live metrics dashboard with real-time analytics
    src/app/page.tsx:18
    Mocked

    A polished dashboard exists with charts and metrics, but every value uses Math.random(). Issues fixed, accuracy, scan time, and users online are all fabricated.

Top risk files
Files with the most findings.
  • src/app/api/analyze/route.ts (7 findings)
  • src/app/api/stripe/webhook/route.ts (5 findings)
  • src/components/Dashboard.tsx (5 findings)
  • src/app/api/auth/route.ts (4 findings)
  • src/lib/openai.ts (3 findings)
  • src/app/api/fix/route.ts (3 findings)
  • src/components/MetricsChart.tsx (3 findings)

Security theater
Claimed protections without enforcement.
  • high  src/middleware.ts:8  security.bypass_middleware
    // Role check — in production you'd validate the JWT here
    Middleware claims to enforce roles but contains no actual check.
  • high  src/app/api/stripe/webhook/route.ts:6  security.no_sig_verify
    // TODO: verify Stripe signature
    Webhook handler skips signature verification entirely.
  • medium  src/lib/rate-limit.ts:4  security.stub_rate_limit
    export function rateLimit() { return true; }
    Rate limiter is a no-op that always returns true.

Dashboard illusion
UI that looks live but uses fabricated values.
  • high  src/components/Dashboard.tsx:24  dashboard.random_metric
    const issuesFixed = Math.floor(Math.random() * 500) + 100;
    Dashboard metric "issues fixed" is randomly generated.
  • high  src/components/Dashboard.tsx:25  dashboard.random_metric
    const accuracy = (Math.random() * 15 + 85).toFixed(1);
    "Accuracy" percentage is fabricated.
  • medium  src/components/MetricsChart.tsx:12  dashboard.random_metric
    const data = Array.from({ length: 30 }, () => Math.random() * 100);
    Chart data is entirely random, not from any real metrics source.
  • medium  src/components/Dashboard.tsx:28  dashboard.random_metric
    const scanTime = (Math.random() * 3 + 0.5).toFixed(1);
    "Avg scan time" is fabricated.
  • low  src/components/Dashboard.tsx:30  dashboard.random_metric
    const usersOnline = Math.floor(Math.random() * 200);
    "Users online" counter is random.

AI slop residue
Agent-style comments in production source.
  • high  src/app/api/analyze/route.ts:12  ai.production_should_phrase
    // In production, you would send the code to OpenAI for analysis
    Comment admits the actual OpenAI integration does not exist.
  • high  src/app/api/fix/route.ts:8  ai.demo_only_phrase
    // This is a simplified example — replace with your actual fix logic
    Route body is a placeholder. No fix logic exists.
  • high  src/app/api/stripe/webhook/route.ts:15  ai.demo_only_phrase
    // Mock implementation for demo purposes
    Webhook handler explicitly labeled as mock. No real webhook processing occurs.
  • medium  src/lib/openai.ts:22  ai.demo_only_phrase
    // Simulated response — assume this works
    OpenAI client returns simulated data instead of calling the API.
  • medium  README.md:3  ai.production_should_phrase
    In a real application, AutoFix AI would connect to your CI pipeline
    README hedge admitting the described feature does not exist.
  • high  src/app/api/notify/route.ts:9  ai.demo_only_phrase
    // Here you would integrate with SendGrid or similar
    Notification route has no real email provider integration.

Finding distribution
ai slop: 6
placeholder: 5
dashboard illusion: 5
fake integration: 4
security theater: 3
test credibility: 3
skeleton crud: 2

AI Summary

AutoFix AI presents itself as a production-ready code review platform with AI-powered fixes, real-time analysis, and automated security scanning. In reality, the repository is almost entirely scaffolding. The dashboard displays randomized metrics, every API route returns hardcoded { ok: true } without performing work, the Stripe integration is a stub that never contacts the payment processor, and the "AI-powered" analysis engine simply returns a static JSON response. Of 11 claimed features, only basic file upload and syntax highlighting appear genuinely implemented. Users signing up would see a convincing interface that does nothing.

This narrative only summarizes stored findings. No evidence is invented.