[This is placeholder content — replace with a real redacted example once you've completed a few engagements. Even better: link a downloadable PDF.]

Rescue Report — Project “Acme Demo”

Delivered 2026-04-15 · Maturity: 2 / 5 · Recommendation: Clean up before demo

Executive summary

Acme Demo is a Next.js app generated primarily with [AI tool]. The core flow works locally. The code carries several findings that should be addressed before any external use, but none of them are catastrophic. Two are urgent; the rest can be sequenced.

What the app appears to do

Allows users to upload a CSV, run it through an OpenAI prompt, and download a transformed result. Single-page UI, no auth, no persistence between sessions.

What works

  • The happy-path CSV upload and transform flow runs correctly.
  • Build and dev server start without errors.
  • UI is functional, if unstyled.

What does not work

  • CSV files larger than ~5MB time out: the whole file is sent in one blocking OpenAI call made inside the request handler, so large inputs exceed the request timeout.
  • Uploading an empty file throws an unhandled exception instead of returning a validation error.
  • The "download" button on Safari produces an empty file because the response sets no Content-Type header.

Critical risks

  • Hardcoded OpenAI API key in app/api/transform/route.ts. Anyone with access to the repository, including its git history, or to the build artifacts can extract it. Move it to an environment variable before any deploy, and rotate the existing key, since it is already committed to version control.
  • No rate limiting, and no authentication, on the transform endpoint. Every request makes an OpenAI call billed to your account, so a single bot could run up a large bill in minutes.

Security concerns

  • No CSRF token on the upload form. Low impact today because the app has no sessions or cookies to ride on, but it becomes a real issue the moment auth is added.
  • Uploaded files are written to /tmp and never deleted, so every user's data stays on the server and the disk fills over time.
  • No file size or MIME-type validation on upload; the server accepts and processes whatever it is sent.

Deployment blockers

  • Hardcoded API key (above).
  • No .env.example file. Anyone redeploying has no reference for which env vars are needed.
  • NEXT_PUBLIC_ prefix used on a server-only secret in lib/config.ts. Next.js inlines every NEXT_PUBLIC_ variable into the browser bundle at build time, so the value would ship to every visitor.

Code quality and generated-code issues

  • ~40% of the code is unused boilerplate from the AI tool's default template.
  • Three near-duplicate API routes that all do the same thing.
  • A "TODO: fix this" comment on the only error-handling block.

Recommended next step

Clean up before demo. The two critical risks (hardcoded key, no rate limiting) need to be fixed before any URL is shared. After that, the app is fine for a controlled demo. It is not ready for public traffic without the items in Security concerns and Deployment blockers.

Estimated effort to address all findings: 4–6 hours of focused engineering work.