Every check flags a real production issue — not a style nit. Built for the patterns commonly found in code from tools like Claude Code, Cursor, v0, Bolt, and Copilot.
Secrets, auth, injection, and access control
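Ahead of the table, an added example that is not the product's own rule engine: a small line-based scanner in plain JavaScript that approximates a handful of the checks listed below (secrets, env-fallback-secret, insecure-random, sql-injection, next-public-sensitive, and the cors-config escalation to critical when a wildcard origin is combined with credentials). The regexes, the key-prefix assumptions (sk_live_/sk_test_ for Stripe secret keys, AKIA for AWS access key IDs, ghp_ for GitHub tokens) and the sample source are the editor's constructions; the real checks are described as middleware-aware and ORM-aware, which a per-line regex is not.

```javascript
// Added example: a toy scanner for a few of the checks in the table below.
// The patterns are assumptions for the demo, not the product's detection logic.
const RULES = [
  {
    id: 'secrets',
    severity: 'critical',
    // Assumed prefixes: Stripe secret keys, AWS access key IDs, GitHub tokens.
    pattern: /\b(?:sk_(?:live|test)_[A-Za-z0-9]{8,}|AKIA[A-Z0-9]{16}|ghp_[A-Za-z0-9]{20,})\b/,
    message: 'hardcoded API key',
  },
  {
    id: 'env-fallback-secret',
    severity: 'critical',
    // process.env.X_SECRET || 'literal'  (also ??). Only secret-looking names.
    pattern: /process\.env\.\w*(?:SECRET|KEY|TOKEN|PASSWORD)\w*\s*(?:\|\||\?\?)\s*['"`][^'"`]+['"`]/,
    message: 'secret env var with hardcoded fallback',
  },
  {
    id: 'insecure-random',
    severity: 'critical',
    pattern: /Math\.random\(\)/,
    // Gate on the line also talking about a security value, to cut false positives.
    context: /token|secret|session|nonce|otp/i,
    message: 'Math.random() used for a security token',
  },
  {
    id: 'sql-injection',
    severity: 'critical',
    // A template literal containing a SQL keyword and a ${...} interpolation.
    pattern: /`[^`]*\b(?:SELECT|INSERT|UPDATE|DELETE)\b[^`]*\$\{[^}]+\}[^`]*`/i,
    message: 'SQL built with template-literal interpolation',
  },
  {
    id: 'next-public-sensitive',
    severity: 'critical',
    pattern: /NEXT_PUBLIC_\w*(?:SECRET|PRIVATE|SERVICE_ROLE|API_KEY)\w*/,
    message: 'NEXT_PUBLIC_ exposes a secret to the browser bundle',
  },
  {
    id: 'cors-config',
    severity: 'warning',
    // Matches both the header-object form and res.setHeader('...', '*').
    pattern: /Access-Control-Allow-Origin['"]?\s*[:,]\s*['"]\*['"]/,
    message: 'wildcard CORS origin',
  },
];

// Scan one file's source; returns findings in line order.
function scan(source) {
  const lines = source.split('\n');
  const findings = [];
  lines.forEach((line, i) => {
    for (const rule of RULES) {
      if (!rule.pattern.test(line)) continue;
      if (rule.context && !rule.context.test(line)) continue;
      findings.push({ rule: rule.id, severity: rule.severity, line: i + 1, message: rule.message });
    }
  });
  // Escalation: a wildcard origin plus credentials in the same file is critical,
  // because any origin can then make authenticated cross-site requests.
  const allowsCredentials =
    /Access-Control-Allow-Credentials['"]?\s*[:,]\s*['"]?true|credentials:\s*true/.test(source);
  if (allowsCredentials) {
    for (const f of findings) {
      if (f.rule === 'cors-config') {
        f.severity = 'critical';
        f.message += ' combined with credentials';
      }
    }
  }
  return findings;
}

// Constructed sample source (not from any real project); keys are fake.
const SAMPLE = `
const stripe = new Stripe('sk_live_EXAMPLEKEY0123456789abcd');
const jwtSecret = process.env.JWT_SECRET || 'dev-secret';
const sessionId = Math.random().toString(36).slice(2);
const rows = await db.query(\`SELECT * FROM users WHERE email = '\${email}'\`);
const key = process.env.NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY;
res.setHeader('Access-Control-Allow-Origin', '*');
res.setHeader('Access-Control-Allow-Credentials', 'true');
const n = Math.random(); // fine: not used for anything sensitive
`.trim();

for (const f of scan(SAMPLE)) {
  console.log(`${f.severity.padEnd(8)} L${f.line} ${f.rule}: ${f.message}`);
}
```

The rule regexes deliberately carry no `g` flag: a global regex keeps `lastIndex` between `.test()` calls and would silently skip matches on alternating lines. The `context` gate on Math.random() is what keeps a harmless `Math.random()` in an animation from being reported as a critical finding.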
| Check | What it flags | Severity |
|---|---|---|
| secrets | Hardcoded API keys (Stripe, AWS, Supabase, OpenAI, GitHub) | critical |
| auth-checks | API routes without authentication (middleware-aware) | critical |
| env-exposure | Server env vars in client components, .env not in .gitignore | critical |
| input-validation | Request body used without validation | critical |
| cors-config | Access-Control-Allow-Origin: *, or cors() with no config | warning; critical when the wildcard is combined with credentials |
| unsafe-html | dangerouslySetInnerHTML, direct innerHTML assignment | critical |
| sql-injection | SQL queries built with template literals or string concat (ORM-aware) | critical |
| open-redirect | User input passed directly to redirect() | warning |
| rate-limiting | API routes with no rate limiter | warning |
| phantom-dependency | Packages in node_modules but missing from package.json | warning |
| insecure-cookie | Session cookies missing httpOnly, secure, or sameSite | critical |
| leaked-env-in-logs | process.env.* leaked inside console.log() calls | warning |
| insecure-random | Math.random() used for tokens, secrets, or session IDs | critical |
| next-server-action-validation | Server actions using formData without Zod/schema validation | critical |
| env-fallback-secret | Secret env vars with hardcoded fallback values | critical |
| verbose-error-response | Error stack traces leaked in API responses | warning |
| missing-webhook-verification | Webhook routes without signature verification | critical |
| server-action-auth | Server actions with mutations but no auth check | critical |
| eval-injection | eval(), new Function(), dynamic code execution | critical |
| next-public-sensitive | NEXT_PUBLIC_ prefix on secret env vars | critical |
| ssrf-risk | User-controlled URLs passed to fetch in server code | critical |
| path-traversal | File system operations with unsanitized user input | critical |
| unsafe-file-upload | File uploads without type or size validation | warning |
| supabase-missing-rls | CREATE TABLE in migrations without enabling RLS | critical |
| deprecated-oauth-flow | OAuth Implicit Grant (response_type=token) | warning |
| jwt-no-expiry | JWT tokens signed without an expiration | warning |
| client-side-auth-only | Password comparisons or auth logic in client components | critical |

Error handling, promises, and data consistency
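Ahead of the table, an added example that is neither Next.js's nor the product's code: it reproduces the failure behind the redirect-in-try-catch check below. The `redirect()` here is a stand-in for next/navigation's, which signals a redirect by throwing; the exact digest string is an assumption made only so the demo runs offline. `save` is a constructed stand-in for the database write.

```javascript
// Added example: stand-in for next/navigation's redirect(). The real one throws
// an error carrying a NEXT_REDIRECT digest; the digest layout below is assumed.
function redirect(url) {
  const err = new Error('NEXT_REDIRECT');
  err.digest = `NEXT_REDIRECT;replace;${url};307;`;
  throw err;
}

// Tells framework control-flow errors apart from real failures.
function isRedirectError(err) {
  return Boolean(err) && typeof err.digest === 'string' && err.digest.startsWith('NEXT_REDIRECT');
}

// Flagged by redirect-in-try-catch: the catch-all swallows the thrown redirect,
// so the action reports a bogus failure and the browser never navigates.
async function createPostSwallowed(save) {
  try {
    await save();
    redirect('/posts');
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Fix 1: keep only the fallible work inside try/catch and redirect after it.
async function createPostRedirectOutside(save) {
  try {
    await save();
  } catch (err) {
    return { ok: false, error: err.message };
  }
  redirect('/posts'); // throws on purpose; the framework turns it into a 307
}

// Fix 2: when the redirect has to stay inside the try, rethrow framework errors.
async function createPostRethrow(save) {
  try {
    await save();
    redirect('/posts');
  } catch (err) {
    if (isRedirectError(err)) throw err;
    return { ok: false, error: err.message };
  }
}

// Observes what each variant does from the caller's point of view.
async function outcome(action, save) {
  try {
    return { result: await action(save) };
  } catch (err) {
    return { redirected: isRedirectError(err), error: err.message };
  }
}

// Constructed stand-ins for a successful and a failing database write.
const saveOk = async () => {};
const saveFails = async () => { throw new Error('db down'); };

(async () => {
  console.log('swallowed:', await outcome(createPostSwallowed, saveOk));
  console.log('outside:  ', await outcome(createPostRedirectOutside, saveOk));
  console.log('rethrow:  ', await outcome(createPostRethrow, saveOk));
  console.log('rethrow, save fails:', await outcome(createPostRethrow, saveFails));
})();
```

The same reasoning applies to any helper that throws for control flow (notFound() in Next.js behaves the same way): a catch that is not selective about what it handles turns a redirect into a returned error object.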
| Check | What it flags | Severity |
|---|---|---|
| hallucinated-imports | Imports of packages not in package.json (AI hallucinations) | critical |
| error-handling | Async operations without try/catch | warning |
| unhandled-promise | Floating promises with no await or .catch | warning |
| shallow-catch | Empty catch blocks that swallow errors silently | warning |
| missing-loading-state | Client components that fetch without a loading state | info |
| missing-error-boundary | Route layouts without a matching error.tsx | warning |
| missing-transaction | Multiple Prisma writes without $transaction | warning |
| redirect-in-try-catch | redirect() inside try/catch (Next.js redirect() works by throwing, so the catch swallows it) | warning |
| missing-revalidation | Server actions with DB mutations but no revalidatePath | info |
| missing-useeffect-cleanup | useEffect with subscriptions/timers but no cleanup | warning |
| hydration-mismatch | window, Date.now() or Math.random() in a server component render path | warning |

Blocking I/O, N+1 queries, and unbounded data
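Ahead of the table, an added example (not the product's code): a fake repository that counts round trips, showing why no-n-plus-one and no-unbounded-query fire and the bounded, batched shape that passes. The data set and the FakeDb API (findPosts, findAuthor, findAuthorsByIds) are constructed for the demo; with Prisma the batched lookup corresponds to a findMany with `where: { id: { in: ids } }` and a `take` on the outer query.

```javascript
// Added example: constructed data and an in-memory "database" that counts queries.
const POSTS = Array.from({ length: 50 }, (_, i) => ({
  id: i + 1,
  authorId: (i % 5) + 1,
  title: `post ${i + 1}`,
}));
const AUTHORS = Array.from({ length: 5 }, (_, i) => ({ id: i + 1, name: `author ${i + 1}` }));

class FakeDb {
  constructor() {
    this.queryCount = 0; // each method call stands for one round trip
  }
  async findPosts({ take } = {}) {
    this.queryCount++;
    return take === undefined ? POSTS : POSTS.slice(0, take);
  }
  async findAuthor(id) {
    this.queryCount++;
    return AUTHORS.find((a) => a.id === id) ?? null;
  }
  async findAuthorsByIds(ids) {
    this.queryCount++;
    const wanted = new Set(ids);
    return AUTHORS.filter((a) => wanted.has(a.id));
  }
}

// Flagged: no limit on the outer query (no-unbounded-query) and one query per
// post inside the loop (no-n-plus-one), so 1 + N round trips for N posts.
async function postsWithAuthorsNPlusOne(db) {
  const posts = await db.findPosts();
  const out = [];
  for (const post of posts) {
    const author = await db.findAuthor(post.authorId);
    out.push({ ...post, author });
  }
  return out;
}

// Fixed: bounded page, then a single batched lookup for the distinct author ids.
// Always 2 round trips regardless of page size.
async function postsWithAuthorsBatched(db, { take = 20 } = {}) {
  const posts = await db.findPosts({ take });
  const ids = [...new Set(posts.map((p) => p.authorId))];
  const authors = await db.findAuthorsByIds(ids);
  const byId = new Map(authors.map((a) => [a.id, a]));
  return posts.map((post) => ({ ...post, author: byId.get(post.authorId) ?? null }));
}

(async () => {
  const slowDb = new FakeDb();
  const slow = await postsWithAuthorsNPlusOne(slowDb);
  console.log(`N+1: ${slow.length} rows, ${slowDb.queryCount} queries`);

  const fastDb = new FakeDb();
  const fast = await postsWithAuthorsBatched(fastDb, { take: 20 });
  console.log(`batched: ${fast.length} rows, ${fastDb.queryCount} queries`);
})();
```

The dedupe through a Set matters: without it the `in` list grows with the page size and repeats ids, which some databases reject above a parameter limit.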
| Check | What it flags | Severity |
|---|---|---|
| no-sync-fs | readFileSync in API routes blocks the event loop | warning |
| no-n-plus-one | Database calls inside loops | warning |
| no-unbounded-query | .findMany() / .select('*') with no limit | warning |
| no-dynamic-import-loop | import() inside loops | warning |
| server-component-fetch-self | Server components fetching their own API routes | info |
| missing-abort-controller | Fetch/axios calls without timeout or AbortController | info |

Hallucinations, placeholders, and code smells
| Check | What it flags | Severity |
|---|---|---|
| ai-smells | any types, console.log spam, TODOs, commented-out code piling up | info |
| placeholder-content | Lorem ipsum, example emails, "your-api-key-here" left in production | warning |
| hallucinated-api | Calls like .flatten(), .contains(), .substr() that AI invents or that do not exist on the target type (or, like substr(), are deprecated) | warning |
| stale-fallback | localhost:3000 hardcoded in production code | warning |
| comprehension-debt | Functions over 80 lines, deep nesting, too many parameters | info |
| codebase-consistency | Mixed naming conventions across the project | info |
| dead-exports | Exported functions that nothing imports | info |
| use-client-overuse | "use client" on files that don't use any client-side APIs | info |