zuna11/climate-craft-plan

19/100
// latest public scan, scanned 2026-05-13 · classified as web app · stack: React 19 · TanStack Start · TanStack Router · TanStack Query · TypeScript · Vite · Tailwind CSS v4 · Radix UI · Supabase · Stripe · PostgreSQL (via Supabase)
// this URL always shows the latest public scan for this repo. permanent permalink to this specific scan: www.codeclanker.com/scan/id/XDcXTTWz

Nine dimensions

DevOps (score 12): No CI workflow in .github/workflows; no Dockerfile; no deployment configuration beyond vite.config.ts.
Security (score 3): .env with live JWT tokens and .env.development with a Stripe pk_test_ key are committed. Both files contain production-equivalent secrets.
Cost & infra (score 25): Supabase and Stripe dependencies make cost unpredictable at scale; no usage monitoring, alerting, or cost caps are visible in the codebase.
QA & testing (score 5): Zero test files in the entire repository. Every route, function, and component is untested.
Performance (score 28): No caching layer beyond React Query defaults; no load tests, profiling evidence, or database query optimization visible in migrations.
Architecture (score 38): Supabase migrations exist, but there is no backup strategy, no disaster-recovery plan, and no documented data retention or migration rollback policy.
Code quality (score 18): tsconfig disables unused-variable checks; the codebase appears to be largely UI scaffolding with minimal custom business logic beyond function wrappers.
Observability (score 8): No error tracking service (Sentry, etc.) is configured; logger.server.ts exists, but there is no evidence of log aggregation or structured telemetry in production.
Maintainability (score 20): The README is a default template; the license is 'unknown'; the codebase has minimal documentation beyond component boilerplate.

Deterministic findings

critical: 2 environment file(s) committed to git (.env, .env.development)

critical: 2 potential secret(s) found in committed files (.env: JWT; .env.development: Stripe key)

Top findings (AI)

critical: Live secrets committed to repository

The file .env contains a Supabase JWT (anon key with a full admin JWT header) and the Supabase project URL. The file .env.development contains a Stripe pk_test_ token. These tokens are also duplicated in VITE_-prefixed variables in the same .env file, which makes them readable in the client-side bundle. Once these keys are in a public repo, they must be treated as compromised regardless of the 'test' prefix.

critical: Stripe webhook endpoint has no signature verification

File src/routes/api/public/payments/webhook.ts handles Stripe webhooks with no visible stripe.webhooks.constructEvent() call. This means any party can POST arbitrary events to this endpoint, enabling fake payment confirmations, credit injection, or replay attacks.

critical: No test suite — zero confidence in payment, auth, and AI function paths

The file tree shows 0 test files, and package.json has no test script. Routes handling checkout (src/routes/checkout.tsx), Stripe webhooks, auth flows (src/lib/auth-context.tsx, src/integrations/supabase/auth-middleware.ts), and AI itinerary generation (src/lib/itinerary-ai.functions.ts) are entirely untested.

high: No CI pipeline — code is merged and deployed with no automated gate

.github/workflows is absent. There is no automated lint, type-check, or build verification. Any push to main can break the production build without detection before deployment.

high: No error tracking in production

File src/lib/error-capture.ts exists, but no Sentry, Bugsnag, or equivalent service is configured in package.json or environment variables. Unhandled exceptions in production will be invisible and unrecoverable.

medium: README is a default framework template with no project-specific content

The project has an 'unknown' license and a default README. No contributor guide, architecture document, or runbook for local setup or production deployment exists.
