All findings (demo)
28 findings across categories.
| Severity | Category | Rule | Location | Evidence | Actions |
|---|---|---|---|---|---|
| high | ai slop | ai.production_should_phrase | src/app/api/analyze/route.ts:12 | `// In production, you would send the code to OpenAI for analysis` Comment admits the actual OpenAI integration does not exist. | |
| high | ai slop | ai.demo_only_phrase | src/app/api/fix/route.ts:8 | `// This is a simplified example — replace with your actual fix logic` Route body is a placeholder. No fix logic exists. | |
| high | ai slop | ai.demo_only_phrase | src/app/api/stripe/webhook/route.ts:15 | `// Mock implementation for demo purposes` Webhook handler explicitly labeled as mock. No real webhook processing occurs. | |
| high | ai slop | ai.demo_only_phrase | src/app/api/notify/route.ts:9 | `// Here you would integrate with SendGrid or similar` Notification route has no real email provider integration. | |
| high | placeholder | ai.not_implemented_throw | src/app/api/analyze/route.ts:18 | `throw new Error('not implemented: analysis engine');` Core analysis endpoint throws instead of performing work. | |
| high | placeholder | placeholder.todo_fixme | src/app/api/auth/route.ts:14 | `// TODO: implement real authentication` Auth route has no authentication logic, only a TODO marker. | |
| high | fake integration | ai.hardcoded_success_response | src/app/api/stripe/webhook/route.ts:20 | `return NextResponse.json({ ok: true });` Stripe webhook acknowledges receipt without verifying or processing the event. | |
| high | security theater | security.bypass_middleware | src/middleware.ts:8 | `// Role check — in production you'd validate the JWT here` Middleware claims to enforce roles but contains no actual check. | |
| high | security theater | security.no_sig_verify | src/app/api/stripe/webhook/route.ts:6 | `// TODO: verify Stripe signature` Webhook handler skips signature verification entirely. | |
| high | dashboard illusion | dashboard.random_metric | src/components/Dashboard.tsx:24 | `const issuesFixed = Math.floor(Math.random() * 500) + 100;` Dashboard metric "issues fixed" is randomly generated. | |
| high | dashboard illusion | dashboard.random_metric | src/components/Dashboard.tsx:25 | `const accuracy = (Math.random() * 15 + 85).toFixed(1);` "Accuracy" percentage is fabricated. | |
| high | test credibility | tests.skipped_critical_tests | tests/analyze.test.ts:4 | `it.skip("should analyze real TypeScript code", () => {` Critical analysis test is skipped. | |
| high | test credibility | tests.skipped_critical_tests | tests/stripe.test.ts:8 | `it.skip("should process subscription created event", () => {` Payment integration test is skipped. | |
| medium | ai slop | ai.demo_only_phrase | src/lib/openai.ts:22 | `// Simulated response — assume this works` OpenAI client returns simulated data instead of calling the API. | |
| medium | ai slop | ai.production_should_phrase | README.md:3 | `In a real application, AutoFix AI would connect to your CI pipeline` README hedge admitting the described feature does not exist. | |
| medium | placeholder | placeholder.todo_fixme | src/lib/rbac.ts:7 | `// FIXME: role checks are not enforced yet` RBAC module exists but role checks are not enforced. | |
| medium | placeholder | placeholder.return_null_stub | src/app/api/export/route.ts:10 | `return null; // stub` Export endpoint returns null instead of generating a file. | |
| medium | fake integration | ai.hardcoded_success_response | src/app/api/analyze/route.ts:20 | `return NextResponse.json({ ok: true, issues: [] });` Analysis endpoint returns empty success without analyzing code. | |
| medium | fake integration | ai.hardcoded_success_response | src/app/api/fix/route.ts:16 | `return NextResponse.json({ ok: true, fix: null });` Fix endpoint claims success but returns no actual fix. | |
| medium | fake integration | ai.hardcoded_success_response | src/app/api/auth/route.ts:22 | `return NextResponse.json({ ok: true, user: { id: "demo" } });` Auth endpoint returns a hardcoded demo user. | |
| medium | skeleton crud | skeleton.crud_no_auth | src/app/api/projects/route.ts:5 | `export async function GET() { return db.select().from(projects); }` CRUD route with no auth, validation, or side effects. | |
| medium | skeleton crud | skeleton.crud_no_auth | src/app/api/reviews/route.ts:5 | `export async function POST(req) { return db.insert(reviews).values(await req.json()); }` Review creation with no validation, auth, or rate limiting. | |
| medium | security theater | security.stub_rate_limit | src/lib/rate-limit.ts:4 | `export function rateLimit() { return true; }` Rate limiter is a no-op that always returns true. | |
| medium | dashboard illusion | dashboard.random_metric | src/components/MetricsChart.tsx:12 | `const data = Array.from({ length: 30 }, () => Math.random() * 100);` Chart data is entirely random, not from any real metrics source. | |
| medium | dashboard illusion | dashboard.random_metric | src/components/Dashboard.tsx:28 | `const scanTime = (Math.random() * 3 + 0.5).toFixed(1);` "Avg scan time" is fabricated. | |
Page 1 of 2