Architecture
GitHub-native. Five-minute install. No workflow change.
- 01
Install the GitHub App on your Lovable repo
Quenchloop requests read-only access to code, pull requests, and metadata. Write access is scoped to checks and the isolated branches Quenchloop creates for fix PRs.
- 02
Lovable commits trigger an analysis automatically
Quenchloop identifies commits authored by the Lovable bot and ignores the rest by default. An isolated Modal sandbox clones the repo, runs static + LLM analysis, and destroys itself within five minutes.
- 03
You receive a single PR comment with findings
No dashboard to check. The comment includes severity-sorted findings, file:line references, an estimated credit cost, and a one-click link to generate the fix.
- 04
Quenchloop opens a PR against a new branch
Mechanical fixes are applied via AST transformations. Tests for critical paths are generated. Ambiguous logic fixes are reviewed by you before merge. Quenchloop never pushes to your default branch.
Detection catalog
12 Lovable-specific patterns, out of the box.
| Category | Pattern | Severity | Fix cost |
|---|---|---|---|
| lovable | supabase.auth.onAuthStateChange callback awaits Supabase directly | high | ~90 |
| lovable | ProtectedRoute checks session without a loading state | medium | ~70 |
| lovable | Secret-looking env var uses VITE_ prefix — exposed in client bundle | high | ~100 |
| lovable | Supabase table with user_id missing or bypassing RLS | critical | ~120 |
| lovable | Third-party API key sent from the browser to a non-Supabase host | critical | ~150 |
| lovable | Edge function directory has no matching block in config.toml | high | ~60 |
| lovable | Generated Supabase types.ts out of sync with migration SQL | medium | ~35 |
| lovable | Postgres SECURITY DEFINER function without SET search_path | high | ~12 |
| production | console.log statements left in code | low | ~5 |
| types | Excessive use of `any` or `unknown` casts | medium | ~25 |
| production | Hardcoded API keys in source | critical | ~200 |
| performance | Image rendered without width/height/loading attrs | low | ~10 |