Catches LLM hallucination — code that references modules, files, routes, schemas, env vars, or assets that do not exist anywhere in the project.
Total Checks: 25
Delivery Formats: 2
Categories: 4
Versions: 3
Hardening (2026-04-16): broadened ORM checks to cover Supabase table/column references via migration SQL parsing. Fixed the env-vars-documented skip condition (the check now fails, instead of skipping, when env vars are used but undocumented). Added 3 new checks: db-rpc-functions-exist (Supabase RPC validation), page-conventions-in-correct-files (misplaced Next.js metadata/dynamic exports), css-references-resolve (CSS @import and url() validation). Check count 22 → 25. Category weights rebalanced.
Tier change (2026-04-13): free → paid as part of v2.0 Slop Detector pricing reset (Stack Scan remains the only free audit).
Initial release (2026-04-07)
Picked by pack overlap with this audit.
Catches code that will surprise-bill on the first viral moment — non-LLM cost vectors that AI tools commonly leave unbounded: file uploads with no size limit, unbounded DB queries, email/SMS without rate limits, webhooks without idempotency, and background jobs without retry caps.
Catches multi-session AI confusion: codebases that accumulate multiple libraries doing the same job because the model picked differently across sessions, resulting in dependency cruft and split-brain data layers.
Catches security controls that are imported, configured, or defined but never actually wired up — the unique AI failure mode of code that looks secure but isn't. Strictly focused on the gap between declaring a security control and applying it.
Catches AI-generated test suites that look impressive but don't actually test anything — assertion-free test files, mock-saturated tests that test the mocks, tautologies, skipped tests in CI, and missing E2E coverage on critical user flows.
Catches AI-specific half-finished code patterns that slip into production: mock API responses in real handlers, hardcoded test credentials in fallbacks, stub returns, debug bypasses, and dev-only routes left active.