This is a sample graduation report generated from a Lovable export. Your real reports look the same.


GradLayer · Graduation report

lovable-todo

github.com/acme-demo/lovable-todo · TypeScript, CSS · Next.js 15 · 47 files · Generated Apr 17, 2026

Graduation verdict

Conditional

Two critical findings block production merge. Five high-severity issues and an estimated $1,840/month in previously unbudgeted vendor spend need review.

These issues are fixable before shipping. Review the WATCH pillars below.

Pillars: Pass 6 · Watch 3 · Fail 1

10-pillar scorecard


Identity
Pass

Clerk auth wired through middleware

What we check · Looks for an auth provider (Clerk, NextAuth, Auth0, WorkOS, Convex Auth), detects MD5/SHA1 password hashing, and flags hand-rolled session cookies.

Access
Pass

Route handlers gated; no admin routes exposed

What we check · Verifies admin routes have auth checks, looks for role-based gating, and checks whether schema-declared tenant IDs are enforced in query code.

Data
Pass

Schema looks clean; no obvious PII exposure

What we check · Detects the database layer, looks for a migrations directory, flags PII/regulated columns (HIPAA/PCI signals), and warns on sequential integer IDs.

Integrations
Pass

6 vendors detected; all in the registered directory

What we check · Maps external service dependencies and integration health. Reserved for upcoming checks on third-party SLA coverage.

Infrastructure
Pass

Dockerfile, CI, and lockfile all present

What we check · Checks for deployment config (Dockerfile, Terraform, Vercel, Fly, Railway, K8s), a CI workflow, a lockfile, and a .env.example.

Compliance
Pass

LICENSE present; no regulated-data signals

What we check · Reads the LICENSE (AGPL/GPL blocks commercial reuse), detects HIPAA/PCI signals in code, and checks for a consent mechanism when regulated data is present.

1 finding

Findings by severity


Findings (27)


critical · 2 findings

  • Secrets · Secret

    Hardcoded Supabase service-role key in source

    lib/db.ts:47

  • Secrets · Secret

    OpenAI API key in client bundle

    app/chat/page.tsx:12

high · 5 findings

  • Code Foundation · Vulnerability · CVE-2024-39338 · axios@1.6.0

    axios ≤1.6.7 — CVE-2024-39338 (SSRF)

  • Economics · Cost

    Unbounded OpenAI streaming in a public endpoint

    app/api/chat/route.ts:22

  • Code Foundation · Vulnerability · CVE-2025-29927 · next@15.1.0

    next ≤15.1.1 — CVE-2025-29927 (auth bypass via middleware)

  • Economics · Cost

    Stripe SDK present without usage disclosure

    lib/billing.ts:3

  • Operability · Documentation

    No .env.example — undocumented required secrets

medium · 11 findings

  • Operability · Ownership

    No CODEOWNERS file

  • Operability · Documentation

    README has no operational runbook

  • Code Foundation · Vulnerability · eslint-config-next@13.5.6

    eslint-config-next outdated

  • Compliance · Documentation

    No LICENSE file

  • Secrets · Secret

    Sentry DSN exposed in client-side config

    sentry.client.config.ts:4

  • Economics · Cost

    Pinecone SDK configured but no index creation guard

    scripts/bootstrap-vectors.ts:18

  • Code Foundation · Vulnerability · CVE-2024-28863 · tar@6.1.15

    tar ≤6.2.0 path traversal

  • Operability · Ownership

    Commits authored only by one user in last 30 days

  • Economics · Cost

    Large LLM context without caching

    lib/ai.ts:34

  • Operability · Documentation

    No ARCHITECTURE.md

  • Code Foundation · Vulnerability · postcss-selector-parser@6.0.15

    postcss-selector-parser dev dep below patched range

low · 6 findings

  • Operability · Documentation

    Missing CONTRIBUTING.md

  • Operability · Ownership

    No issue templates configured

  • Economics · Cost

    Image optimization not configured

    next.config.js:1

  • Operability · Documentation

    package.json missing 'description'

  • Operability · Documentation

    No Dependabot configuration

  • Code Foundation · Vulnerability

    Dev dependencies: 3 minor CVEs (no runtime impact)

info · 3 findings

  • Operability · Documentation

    README lacks badges

  • Operability · Ownership

    No repo topics set

  • Operability · Documentation

    Tailwind config uses v3 pattern despite v4 dep

Cost model

P50 monthly estimate

Vendor cost estimate

$1,840/mo (P50)

Range $740–$4,508

Priced Apr 2026

  • OpenAI

    openai · per-token

    Low $680 · High $2.4k · P50 $1.2k

  • Supabase

    @supabase/supabase-js · plan + storage

    Low $25 · High $199 · P50 $99

  • Stripe

    stripe · per-transaction

    Low $0 · High $1.2k · P50 $280

  • Pinecone

    @pinecone-database/pinecone · serverless + storage

    Low $35 · High $380 · P50 $160

  • Sentry

    @sentry/nextjs · event quota

    Low $0 · High $89 · P50 $26

  • Resend

    resend · per-email

    Low $0 · High $240 · P50 $75

Estimates assume baseline traffic. Verify current vendor pricing before making budget decisions.

Review state

Not yet approved

Read-only sample

Put your repo on the path to production.

Point GradLayer at a GitHub repo or upload a ZIP. You will have the same Graduation Report, with your findings, in under five minutes.