qodfy 0.2.8 → 0.2.10

package/README.md

@@ -18,9 +18,24 @@ Scan a specific folder:
 npx qodfy scan --path apps/web
 ```
 
+Print machine-readable JSON:
+
+```bash
+npx qodfy scan --json
+```
+
+Write JSON or Markdown reports:
+
+```bash
+npx qodfy scan --json --output qodfy-report.json
+npx qodfy scan --report qodfy-report.md
+```
+
+The Markdown report is the **Qodfy Launch Report**: a senior-engineer-style review with a launch status, executive summary, top priorities, what looks good, and per-issue context (what Qodfy found, why it matters, evidence, suggested fix, and an AI fix prompt).
+
 ## What Qodfy Checks Today
 
-Qodfy v0.1 scans locally and looks for common launch-readiness risks:
+Qodfy scans locally and looks for common launch-readiness risks:
 
 - Next.js project detection
 - missing `.env.example`
@@ -67,6 +82,9 @@ Fix critical issues first, then warnings, then cleanup items.
 ```bash
 qodfy scan
 qodfy scan --path <project-path>
+qodfy scan --json
+qodfy scan --json --output qodfy-report.json
+qodfy scan --report qodfy-report.md
 qodfy --help
 qodfy --version
 ```
@@ -79,13 +97,12 @@ Qodfy starts at `100`.
 - Warning: `-8`
 - Info: no major score penalty
 
-The score is intentionally simple in v0.1 and will become more precise as the rule set improves.
+The score is intentionally simple and will become more precise as the rule set improves.
 
 ## Roadmap
 
 Near-term priorities:
 
-- JSON and Markdown output
 - `.env.example` coverage for `process.env.*`
 - exposed secret detection
 - Stripe webhook signature checks

package/dist/index.js

@@ -11,34 +11,59 @@ import {
   scanProject,
   validScanChecks
 } from "@qodfy/core";
-var CLI_VERSION = "0.2.8";
+var CLI_VERSION = "0.2.10";
 var DEFAULT_MAX_ISSUES = 5;
 var program = new Command();
 program.name("qodfy").description("Launch readiness scanner for AI-built apps.").version(CLI_VERSION);
-program.command("scan").description("Scan a project for launch readiness issues.").option("-p, --path <path>", "Project path to scan", process.cwd()).option("--max-issues <number>", "Maximum number of issues to display", String(DEFAULT_MAX_ISSUES)).option("--prompts", "Show safe copy-paste fix prompts for displayed issues").option("--prompt <issue-id>", "Show the safe AI fix prompt for one issue").option("--checks <checks>", "Comma-separated checks to run").option("--all", "Run all checks without prompting").option("--no-interactive", "Skip interactive prompts and run the recommended scan").action(async (options) => {
+program.command("scan").description("Scan a project for launch readiness issues.").option("-p, --path <path>", "Project path to scan", process.cwd()).option("--max-issues <number>", "Maximum number of issues to display", String(DEFAULT_MAX_ISSUES)).option("--prompts", "Show safe copy-paste fix prompts for displayed issues").option("--prompt <issue-id>", "Show the safe AI fix prompt for one issue").option("--checks <checks>", "Comma-separated checks to run").option("--all", "Run all checks without prompting").option("--no-interactive", "Skip interactive prompts and run the recommended scan").option("--json", "Print a machine-readable JSON report").option("--output <file>", "Write the JSON report to a file").option("--report <file>", "Write a human-readable Markdown report to a file").action(async (options) => {
+  const outputOptionsResult = validateScanOutputOptions(options);
+  if (!outputOptionsResult.ok) {
+    printScanError(outputOptionsResult.reason, !isOutputMode(options));
+    process.exitCode = 1;
+    return;
+  }
   const pathResult = await resolveProjectPath(options.path);
   if (!pathResult.ok) {
-    printScanError(pathResult.reason);
+    printScanError(pathResult.reason, !isOutputMode(options));
     process.exitCode = 1;
     return;
   }
   try {
     const scanModeResult = await resolveScanMode(options);
     if (!scanModeResult.ok) {
-      printScanError(scanModeResult.reason);
+      printScanError(scanModeResult.reason, !isOutputMode(options));
       process.exitCode = 1;
       return;
     }
-    if (scanModeResult.notice) {
+    if (scanModeResult.notice && !isOutputMode(options)) {
       console.log(pc.dim(scanModeResult.notice));
       console.log("");
     }
-    console.log(pc.cyan("Qodfy is scanning your project...\n"));
+    if (!isOutputMode(options)) {
+      console.log(pc.cyan("Qodfy is scanning your project...\n"));
+    }
     const report = await scanProject({
       projectPath: pathResult.projectPath,
       checks: scanModeResult.checks,
       includeLowConfidence: Boolean(scanModeResult.includeLowConfidence)
     });
+    const outputReport = createOutputReport(report, scanModeResult);
+    if (options.json) {
+      const jsonReport = `${JSON.stringify(outputReport, null, 2)}
+`;
+      if (options.output) {
+        await writeReportFile(options.output, jsonReport);
+        console.log(`Qodfy JSON report saved to ${options.output}`);
+      } else {
+        process.stdout.write(jsonReport);
+      }
+      return;
+    }
+    if (options.report) {
+      await writeReportFile(options.report, renderMarkdownReport(outputReport));
+      console.log(`Qodfy report saved to ${options.report}`);
+      return;
+    }
     if (options.prompt) {
       printPromptFromReport(report, options.prompt);
       return;
@@ -55,7 +80,7 @@ program.command("scan").description("Scan a project for launch readiness issues.
     if (isPromptCancelError(error)) {
       console.log("Scan cancelled.");
     } else {
-      printScanError(getErrorMessage(error));
+      printScanError(getErrorMessage(error), !isOutputMode(options));
     }
     process.exitCode = 1;
   }
@@ -113,6 +138,30 @@ var categoryLabels = {
   project: "Project"
 };
 await program.parseAsync();
+function validateScanOutputOptions(options) {
+  if (options.output && !options.json) {
+    return {
+      ok: false,
+      reason: "Use --output together with --json, for example: qodfy scan --json --output qodfy-report.json."
+    };
+  }
+  if (options.json && options.report) {
+    return {
+      ok: false,
+      reason: "Use either --json or --report for one scan command, not both."
+    };
+  }
+  if ((options.json || options.report) && options.prompt) {
+    return {
+      ok: false,
+      reason: "Use qodfy prompt <issue-id> for fix prompts, or run qodfy scan --json/--report for reports."
+    };
+  }
+  return { ok: true };
+}
+function isOutputMode(options) {
+  return Boolean(options.json || options.output || options.report);
+}
 async function resolveScanMode(options) {
   if (options.checks) {
     const parsedChecks = parseChecks(options.checks);
@@ -141,6 +190,13 @@ async function resolveScanMode(options) {
       includeLowConfidence: true
     };
   }
+  if (isOutputMode(options)) {
+    return {
+      ok: true,
+      checks: [...recommendedScanChecks],
+      label: "Recommended launch scan"
+    };
+  }
   if (options.interactive === false) {
     return {
       ok: true,
@@ -380,6 +436,464 @@ async function resolveProjectPath(projectPath) {
     };
   }
 }
+function createOutputReport(report, scanMode) {
+  return {
+    qodfyVersion: CLI_VERSION,
+    generatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    projectPath: report.projectPath,
+    scanMode: scanMode.label,
+    checks: [...scanMode.checks],
+    score: report.score,
+    stats: { ...report.stats },
+    issues: report.issues
+  };
+}
+async function writeReportFile(outputPath, content) {
+  const resolvedOutputPath = path.resolve(outputPath);
+  await fs.mkdir(path.dirname(resolvedOutputPath), { recursive: true });
+  await fs.writeFile(resolvedOutputPath, content, "utf8");
+}
+function renderMarkdownReport(report) {
+  const projectName = path.basename(report.projectPath) || report.projectPath;
+  const statusLabel = getStatusLabel(report.score);
+  const criticalCount = countIssuesBySeverity(report.issues, "critical");
+  const warningCount = countIssuesBySeverity(report.issues, "warning");
+  const infoCount = countIssuesBySeverity(report.issues, "info");
+  const lines = [
+    "# Qodfy Launch Readiness Report",
+    "",
+    `Generated: ${report.generatedAt}`,
+    `Project: ${projectName}`,
+    `Scan mode: ${report.scanMode}`,
+    `Score: ${report.score}/100`,
+    `Launch status: ${statusLabel}`,
+    "",
+    "## Executive Summary",
+    "",
+    getExecutiveSummary(report),
+    "",
+    "## Score Breakdown",
+    "",
+    `- Critical issues: ${criticalCount}`,
+    `- Warnings: ${warningCount}`,
+    `- Info: ${infoCount}`,
+    `- Files scanned: ${report.stats.totalFiles}`,
+    `- API routes scanned: ${report.stats.apiRoutes}`,
+    `- Scan duration: ${formatDuration(report.stats.durationMs)}`,
+    "",
+    "## Top Priorities",
+    ""
+  ];
+  const priorities = getTopPriorities(report.issues);
+  if (priorities.length === 0) {
+    lines.push("No urgent priorities found. Review warnings below before launch.");
+  } else {
+    for (const [index, priority] of priorities.entries()) {
+      lines.push(`${index + 1}. ${priority}`);
+    }
+  }
+  lines.push("", "## What Looks Good", "");
+  const observations = getWhatLooksGood(report);
+  if (observations.length === 0) {
+    lines.push("No positive observations to highlight from this scan.");
+  } else {
+    for (const observation of observations) {
+      lines.push(`- ${observation}`);
+    }
+  }
+  lines.push("", "## Issues by Priority", "");
+  if (report.issues.length === 0) {
+    lines.push("No issues found.");
+    appendMarkdownFooter(lines);
+    return `${lines.join("\n").trimEnd()}
+`;
+  }
+  const sortedIssues = getSortedDisplayIssues(report.issues);
+  const severityOrder = ["critical", "warning", "info"];
+  for (const severity of severityOrder) {
+    const severityIssues = sortedIssues.filter((issue) => issue.severity === severity);
+    if (severityIssues.length === 0) {
+      continue;
+    }
+    lines.push(`**${getSeverityHeading(severity, severityIssues.length)}**`, "");
+    for (const category of categoryOrder) {
+      const categoryIssues = severityIssues.filter((issue) => issue.category === category);
+      if (categoryIssues.length === 0) {
+        continue;
+      }
+      lines.push(`_${categoryLabels[category]}_`, "");
+      for (const issue of categoryIssues) {
+        appendMarkdownIssue(lines, issue);
+      }
+    }
+  }
+  appendMarkdownFooter(lines);
+  return `${lines.join("\n").trimEnd()}
+`;
+}
+function appendMarkdownFooter(lines) {
+  lines.push("", "## Recommended Next Steps", "");
+  lines.push("- Fix critical issues first.");
+  lines.push("- Review warnings before launch.");
+  lines.push("- Re-run Qodfy after changes.");
+  lines.push("- Use `qodfy prompt <issue-id>` for focused AI repair prompts.");
+  lines.push("", "## Generated by Qodfy", "");
+  lines.push("Qodfy scans locally and does not print secret values in reports.");
+}
+function appendMarkdownIssue(lines, issue) {
+  lines.push(`### ${issue.title}`);
+  lines.push("");
+  lines.push(`- ID: \`${issue.id}\``);
+  lines.push(`- Severity: ${issue.severity}`);
+  lines.push(`- Confidence: ${issue.confidence}`);
+  lines.push(`- Category: ${categoryLabels[issue.category]}`);
+  if (issue.file) {
+    lines.push(`- File: \`${issue.file}\``);
+  }
+  lines.push("");
+  lines.push("#### What Qodfy found");
+  lines.push("");
+  lines.push(issue.message);
+  lines.push("");
+  lines.push("#### Why it matters");
+  lines.push("");
+  lines.push(getWhyItMatters(issue));
+  lines.push("");
+  lines.push("#### Evidence");
+  lines.push("");
+  appendMarkdownEvidence(lines, issue.evidence);
+  lines.push("");
+  lines.push("#### Context");
+  lines.push("");
+  appendMarkdownEvidence(lines, issue.context);
+  lines.push("");
+  lines.push("#### Suggested fix");
+  lines.push("");
+  lines.push(issue.suggestion ?? "No specific suggestion provided for this rule yet.");
+  lines.push("");
+  lines.push("#### AI Fix Prompt");
+  lines.push("");
+  lines.push("```txt");
+  lines.push(issue.fixPrompt ?? "No AI fix prompt available for this rule yet.");
+  lines.push("```");
+  lines.push("");
+  lines.push("#### After fixing, test this");
+  lines.push("");
+  for (const test of getAfterFixTests(issue)) {
+    lines.push(`- ${test}`);
+  }
+  lines.push("");
+}
+function appendMarkdownEvidence(lines, items) {
+  if (!items || items.length === 0) {
+    lines.push("- None");
+    return;
+  }
+  for (const item of items) {
+    const detail = item.detail ? `: ${item.detail}` : "";
+    lines.push(`- ${item.label}${detail}`);
+  }
+}
+function getStatusLabel(score) {
+  if (score >= 90) {
+    return "Ready with minor review";
+  }
+  if (score >= 75) {
+    return "Almost ready";
+  }
+  if (score >= 50) {
+    return "Needs fixes before launch";
+  }
+  return "Not ready to launch";
+}
+function getSeverityHeading(severity, count) {
+  const noun = severity === "critical" ? "Critical" : severity === "warning" ? "Warnings" : "Info";
+  return `${noun} (${count})`;
+}
+function getExecutiveSummary(report) {
+  const issues = report.issues;
+  const criticalCount = countIssuesBySeverity(issues, "critical");
+  const warningCount = countIssuesBySeverity(issues, "warning");
+  const topRiskCategory = getTopRiskCategory(issues);
+  const sentences = [];
+  if (criticalCount > 0) {
+    const issueWord = criticalCount === 1 ? "critical issue" : "critical issues";
+    sentences.push(
+      `Qodfy found ${criticalCount} ${issueWord} that should be fixed before launch.`
+    );
+  } else if (warningCount > 0) {
+    sentences.push(
+      "Qodfy found no critical blockers. Review the warnings below before launch."
+    );
+  } else if (issues.length > 0) {
+    sentences.push(
+      "Qodfy found no critical or warning blockers. Review the info notes below before launch."
+    );
+  } else {
+    sentences.push(
+      "Qodfy did not flag any issues. Do a final manual review and you should be good to launch."
+    );
+  }
+  if (topRiskCategory) {
+    sentences.push(`The main area to review is ${topRiskCategory}.`);
+  }
+  sentences.push(
+    `Score: ${report.score}/100. Launch status: ${getStatusLabel(report.score)}.`
+  );
+  return sentences.join(" ");
+}
+function getTopRiskCategory(issues) {
+  if (issues.length === 0) {
+    return null;
+  }
+  const weights = /* @__PURE__ */ new Map();
+  for (const issue of issues) {
+    const weight = issue.severity === "critical" ? 1e3 : issue.severity === "warning" ? 10 : 1;
+    weights.set(issue.category, (weights.get(issue.category) ?? 0) + weight);
+  }
+  let topCategory = null;
+  let topWeight = 0;
+  let topOrder = Number.MAX_SAFE_INTEGER;
+  for (const [category, weight] of weights) {
+    const order = categoryOrder.indexOf(category);
+    if (weight > topWeight || weight === topWeight && order < topOrder) {
+      topWeight = weight;
+      topCategory = category;
+      topOrder = order;
+    }
+  }
+  if (!topCategory) {
+    return null;
+  }
+  return getCategoryShortName(topCategory);
+}
+function getCategoryShortName(category) {
+  if (category === "security") {
+    return "security";
+  }
+  if (category === "api") {
+    return "API routes";
+  }
+  if (category === "webhook") {
+    return "webhooks";
+  }
+  if (category === "ai") {
+    return "AI routes";
+  }
+  if (category === "environment") {
+    return "environment variables";
+  }
+  if (category === "maintainability") {
+    return "maintainability";
+  }
+  return "project setup";
+}
+function getWhatLooksGood(report) {
+  const observations = [];
+  const issues = report.issues;
+  const checks = new Set(report.checks);
+  const criticalCount = countIssuesBySeverity(issues, "critical");
+  if (criticalCount === 0) {
+    observations.push("No critical issues found.");
+  }
+  observations.push("Local source scan completed successfully.");
+  if (checks.has("api") && report.stats.apiRoutes > 0) {
+    observations.push("API routes were analyzed method by method.");
+  }
+  const hasPublicReadRouteNote = issues.some(
+    (issue) => issue.ruleId === "api-public-read-route"
+  );
+  if (hasPublicReadRouteNote) {
+    observations.push("Public read routes were separated from protected routes.");
+  }
+  if (checks.has("environment")) {
+    const hasEnvIssue = issues.some((issue) => issue.category === "environment");
+    if (!hasEnvIssue) {
+      observations.push("Environment variable documentation looks complete.");
+    }
+  }
+  if (checks.has("webhook")) {
+    const hasWebhookSignatureIssue = issues.some(
+      (issue) => issue.ruleId === "webhook-missing-signature-verification"
+    );
+    if (!hasWebhookSignatureIssue) {
+      observations.push("No webhook routes were flagged for missing signature checks.");
+    }
+  }
+  if (checks.has("ai")) {
+    const hasAiRateIssue = issues.some(
+      (issue) => issue.ruleId === "ai-route-missing-rate-limit"
+    );
+    if (!hasAiRateIssue && report.stats.aiFiles > 0) {
+      observations.push("AI routes were not flagged as missing rate limiting.");
+    }
+  }
+  if (checks.has("security")) {
+    const hasSecretIssue = issues.some(
+      (issue) => issue.ruleId === "security-hardcoded-secret" || issue.ruleId === "security-client-side-secret"
+    );
+    if (!hasSecretIssue) {
+      observations.push("No hardcoded or client-side secrets were detected.");
+    }
+  }
+  observations.push("Qodfy did not print any secret values in this report.");
+  return observations;
+}
+function getWhyItMatters(issue) {
+  const ruleExplanation = getWhyItMattersByRuleId(issue.ruleId);
+  if (ruleExplanation) {
+    return ruleExplanation;
+  }
+  return getWhyItMattersByCategory(issue.category);
+}
+function getWhyItMattersByRuleId(ruleId) {
+  switch (ruleId) {
+    case "admin-route-missing-authorization":
+      return "This route is authenticated, but admin/debug/private routes often need an extra role or permission check. A normal logged-in user should not be able to access admin-only data or tools.";
+    case "public-form-missing-abuse-protection":
+      return "Public forms can be abused by bots or repeated submissions. Validation helps data quality, but rate limiting or spam protection helps prevent abuse.";
+    case "webhook-missing-signature-verification":
+      return "Webhook routes receive external events. Without signature verification, attackers may be able to fake events and trick your app into running real actions.";
+    case "environment-variable-missing-from-example":
+      return "Missing env documentation makes the project harder to deploy or maintain. Future developers (and future you) will not know which variables are required.";
+    case "environment-missing-env-example":
+      return "Without a .env.example, anyone setting up this project has to guess which environment variables are required. That guesswork leads to broken deploys and runtime errors.";
+    case "ai-route-missing-rate-limit":
+      return "AI routes can create real API costs. Rate limiting helps control abuse and unexpected spend, especially if a route is exposed to anonymous users.";
+    case "security-hardcoded-secret":
+      return "Hardcoded secrets can leak through git history, public deploys, or AI tools that read your code. Rotate any real values and load them from environment variables instead.";
+    case "security-client-side-secret":
+      return "Secrets used in client-side code are visible to anyone who opens the browser devtools. Move sensitive values and logic to server-only code.";
+    case "sensitive-api-route-missing-auth":
+      return "API routes that handle sensitive data should verify the caller is authenticated before reading or writing. Without that check, anonymous users may access protected information.";
+    case "api-mutation-route-review-auth":
+      return "Routes that mutate data without an obvious auth check can let anyone create, update, or delete records. Review the auth path before launch.";
+    case "internal-route-missing-protection":
+      return "Internal or operational routes (debug, admin, jobs) are often forgotten before launch. Without protection they can expose admin-only behavior to the public.";
+    case "api-public-read-route":
+      return "This is a public read route. Confirm the data exposed here is safe to share with anonymous visitors and that no sensitive fields are leaking.";
+    case "maintainability-large-file":
+      return "Large files are harder to review, refactor, and test. Splitting them now reduces future cleanup cost and makes AI tools more reliable on this codebase.";
+    case "maintainability-large-file-skipped":
+      return "Some files were too large for Qodfy to read fully. Review them manually before launch in case they hide other issues.";
+    case "maintainability-file-unreadable":
+      return "Files Qodfy could not read may indicate encoding, permission, or generated-output issues that hide real problems from this scan.";
+    case "project-missing-package-json":
+      return "Without a package.json, Qodfy cannot fully reason about your project. Confirm Qodfy is pointed at the correct project root.";
+    case "project-invalid-package-json":
+      return "An invalid package.json blocks tooling, installs, and deploys. Fix the JSON before running other launch checks.";
+    case "project-next-not-detected":
+      return "Qodfy is currently optimized for Next.js apps. If this is a Next.js project, double-check dependencies and folder structure before launch.";
+    case "project-missing-readme":
+      return "A short README helps anyone (including future you) understand what this project does and how to run it.";
+    case "project-source-files-unreadable":
+      return "Some source files could not be read. Review them manually so the scan does not silently skip risky areas of the code.";
+    default:
+      return null;
+  }
+}
+function getWhyItMattersByCategory(category) {
+  switch (category) {
+    case "security":
+      return "Security risks can leak data, expose secrets, or grant unwanted access to your app. These should be the first issues you review before launch.";
+    case "api":
+      return "API routes shape what your app exposes to the internet. Confirm that authentication, input validation, and abuse protection match what each route does.";
+    case "webhook":
+      return "Webhooks receive events from external systems. Verifying signatures prevents fake or replayed events from being trusted by your app.";
+    case "ai":
+      return "AI routes have unique cost and abuse risks. Rate limits and usage caps protect your spend and keep the service usable for real users.";
+    case "environment":
+      return "Environment variables control how your app connects to external services. Missing or undocumented variables cause deploy failures and runtime errors.";
+    case "maintainability":
+      return "Maintainability signals do not block launch but slow future work. Cleaning them up early reduces friction later.";
+    case "project":
+      return "Project setup signals affect tooling, deploys, and onboarding. Fixing them early prevents surprises later in the launch.";
+  }
+}
+function getAfterFixTests(issue) {
+  const ruleTests = getAfterFixTestsByRuleId(issue.ruleId);
+  if (ruleTests) {
+    return ruleTests;
+  }
+  return getDefaultAfterFixTests();
+}
+function getAfterFixTestsByRuleId(ruleId) {
+  switch (ruleId) {
+    case "admin-route-missing-authorization":
+      return [
+        "Test as an unauthenticated user.",
+        "Test as a normal logged-in user.",
+        "Test as an admin/staff user.",
+        "Confirm non-admin users receive 403."
+      ];
+    case "public-form-missing-abuse-protection":
+      return [
+        "Submit a valid form and confirm it still works.",
+        "Submit invalid input and confirm validation returns 400.",
+        "Send repeated requests and confirm rate limiting or spam protection behavior.",
+        "Confirm no sensitive provider/API error details are exposed."
+      ];
+    case "webhook-missing-signature-verification":
+      return [
+        "Test a valid signed webhook.",
+        "Test an invalid signature.",
+        "Confirm invalid requests are rejected before processing.",
+        "Confirm the event is not processed twice."
+      ];
+    case "environment-missing-env-example":
+    case "environment-variable-missing-from-example":
+      return [
+        "Add the variable name to .env.example without a real value.",
+        "Run the app locally with required env values.",
+        "Confirm deployment docs or hosting env vars are updated."
+      ];
+    case "ai-route-missing-rate-limit":
+      return [
+        "Send a normal AI request.",
+        "Send repeated requests and confirm rate limiting.",
+        "Confirm rejected requests do not call the AI provider.",
+        "Check logs/cost controls after testing."
+      ];
+    case "sensitive-api-route-missing-auth":
+    case "api-mutation-route-review-auth":
+      return [
+        "Test unauthenticated access.",
+        "Test authenticated access.",
+        "Confirm unauthorized users receive 401 or 403.",
+        "Confirm existing response formats still work."
+      ];
+    case "internal-route-missing-protection":
+      return [
+        "Test without the secret/auth guard.",
+        "Test with a valid secret/auth guard.",
+        "Confirm invalid requests are rejected before internal work runs."
+      ];
+    case "security-hardcoded-secret":
+    case "security-client-side-secret":
+      return [
+        "Rotate any real secret values that were exposed.",
+        "Confirm the secret is loaded from environment variables, not source code.",
+        "Re-run Qodfy and confirm the issue no longer appears.",
+        "Check git history and remove any committed real values if needed."
+      ];
+    case "api-public-read-route":
+      return [
+        "Confirm the data exposed here is safe to share with anonymous users.",
+        "Test the route as an anonymous visitor.",
+        "Confirm no sensitive fields leak in the response."
+      ];
+    default:
+      return null;
+  }
+}
+function getDefaultAfterFixTests() {
+  return [
+    "Re-run Qodfy after the fix.",
+    "Test the affected route or file manually.",
+    "Confirm existing behavior still works.",
+    "Check logs for unexpected errors."
+  ];
+}
 function printReport(report, maxIssues, showPrompts, scanModeLabel, showDetails, showAllIssues) {
   console.log(pc.bold("Qodfy Report"));
   console.log("");
@@ -539,14 +1053,23 @@ Run qodfy scan --all to see the current issue IDs.`
   }
   printFixPrompt(issue);
 }
+function getSeverityText(severity) {
+  if (severity === "critical") {
+    return "CRITICAL";
+  }
+  if (severity === "warning") {
+    return "WARNING";
+  }
+  return "INFO";
+}
 function getSeverityLabel(severity) {
   if (severity === "critical") {
-    return pc.red("CRITICAL");
+    return pc.red(getSeverityText(severity));
   }
   if (severity === "warning") {
-    return pc.yellow("WARNING");
+    return pc.yellow(getSeverityText(severity));
   }
-  return pc.blue("INFO");
+  return pc.blue(getSeverityText(severity));
 }
 function countIssuesBySeverity(issues, severity) {
   return issues.filter((issue) => issue.severity === severity).length;
@@ -607,6 +1130,10 @@ function getTopPriorities(issues) {
       ruleIds: ["internal-route-missing-protection"],
       message: "Protect internal or operational API routes before launch."
     },
+    {
+      ruleIds: ["admin-route-missing-authorization"],
+      message: "Confirm admin/private routes have role or permission checks."
+    },
     {
       ruleIds: ["public-form-missing-abuse-protection"],
       message: "Add abuse protection to public form routes."
@@ -659,13 +1186,13 @@ function shellQuote(value) {
   }
   return `'${value.replaceAll("'", "'\\''")}'`;
 }
-function printScanError(reason) {
-  console.error(pc.red("Qodfy could not scan this project."));
+function printScanError(reason, useColor = true) {
+  console.error(useColor ? pc.red("Qodfy could not scan this project.") : "Qodfy could not scan this project.");
   console.error("");
-  console.error(pc.bold("Reason:"));
+  console.error(useColor ? pc.bold("Reason:") : "Reason:");
   console.error(reason);
   console.error("");
-  console.error(pc.bold("Try:"));
+  console.error(useColor ? pc.bold("Try:") : "Try:");
   console.error("qodfy scan --path ./my-next-app");
 }
 function printPromptError(reason) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "qodfy",
-  "version": "0.2.8",
+  "version": "0.2.10",
   "description": "Open-source launch readiness scanner for AI-built apps.",
   "keywords": [
     "qodfy",
@@ -52,7 +52,7 @@
     "@inquirer/prompts": "^8.4.3",
     "commander": "^14.0.3",
     "picocolors": "^1.1.1",
-    "@qodfy/core": "^0.2.8"
+    "@qodfy/core": "^0.2.9"
   },
   "devDependencies": {
     "@types/node": "^25.7.0",