EDITH
Coverage · 151 deterministic checks

Every check we run on your AI-built app.

151 deterministic rules across security, performance, reliability, data safety, business logic, and deploy readiness — plus AI-pattern checks that fire on the bugs Cursor, Claude, v0 and Lovable ship most often. Same input, same finding, every time. No LLM tax on your scans.

By dimension

What we cover.

Every check belongs to one of six dimensions. Each dimension has its own weight in the EDITH score, so a critical security finding costs more than a low-severity performance hint.

Security

48

Auth gaps, secrets in client, OWASP-grade scans.

  • Stripe / Razorpay keys in client bundles
  • Server Actions with no auth check
  • JWT in localStorage
  • OAuth callback missing state check
  • SSRF in fetch()
  • Prototype pollution via Object.assign
  • Missing CSRF on state-changing routes
  • Production source maps published

Performance

22

Cost-leaks, N+1, layout shifts, bundle bloat.

  • LLM call with no max_tokens
  • LLM call inside useEffect
  • Embedding endpoint with no cache
  • Await inside DB loop (N+1)
  • <Image> without width / height
  • useState(expensive())
  • SELECT * queries
  • FK column without index

Reliability

30

AI-pattern stale catches, race conditions, async.

  • Silent catch blocks
  • useEffect stale closure
  • Floating promise
  • Next 15 cookies() not awaited
  • Missing AbortController on streaming
  • await res.json() with no .ok check
  • Pointless catch + rethrow
  • Missing loading.tsx / error.tsx

Data Safety

18

RLS, PII leakage, schema invariants, GDPR.

  • Tables without RLS
  • Plain 'password' column
  • PII in response body
  • PII in console logs
  • Multi-table writes without transaction
  • UNIQUE missing on email column
  • created_at without default now()
  • No /api/account/delete endpoint (GDPR Art. 17)

Business Logic

18

Race conditions, idempotency, money flows.

  • Webhook with no dedup / idempotency
  • Currency from client
  • Admin route without role check
  • Tool dispatcher with no allowlist
  • Bcrypt rounds < 10
  • Math.random for tokens
  • Reset token reusable after use
  • Email HTML injection

Deploy Ready

15

What breaks the first production push.

  • process.env.X in client component
  • output: 'export' with route handlers
  • No engines.node pin
  • Missing lockfile
  • Env var typo (Levenshtein-based)
  • Hallucinated import
  • Missing /robots.txt + sitemap
  • No health endpoint

AI-aware

Catches per AI tool.

EDITH fingerprints the AI tool that wrote each file and runs tool-specific rules on top of the universal checks. Below is what each tool gets wrong most often — and what EDITH catches on every commit.

Cursor

Tuned
  • Hallucinated package names
  • Outdated model name strings (gpt-3.5-turbo, claude-3-opus-20240229)
  • process.env in 'use client'
  • Server Action with no auth gate

Claude Code

Tuned
  • Silent catches around JSON.parse
  • Floating promises in async handlers
  • FIXME / TODO comments left in PRs
  • useEffect with object-literal dep

v0

Tuned
  • Missing alt attributes on <img>
  • <div onClick> used as button
  • Heading skips (h1 → h3)
  • Form inputs without labels

Lovable

Tuned
  • Tables created without RLS
  • Stripe webhook without constructEvent
  • JWT stored in localStorage
  • Multi-table writes without $transaction

14-day Pro trial · no card needed

See it on your repo.

Connect GitHub, run a scan on your last commit, and see every check that fires on your actual code in under 60 seconds.