Architecture

GitHub-native. Five-minute install. No workflow change.

01
Install the GitHub App on your Lovable repo
Quenchloop requests read-only access to code, pull requests, and metadata. Write access is scoped to checks and the isolated branches Quenchloop creates for fix PRs.
02
Lovable commits trigger an analysis automatically
Quenchloop identifies commits authored by the Lovable bot and ignores the rest by default. An isolated Modal sandbox clones the repo, runs static + LLM analysis, and destroys itself within five minutes.
03
You receive a single PR comment with findings
No dashboard to check. The comment includes severity-sorted findings, file:line references, an estimated credit cost, and a one-click link to generate the fix.
04
Quenchloop opens a PR against a new branch
Mechanical fixes are applied via AST transformations. Tests for critical paths are generated. Ambiguous logic fixes are reviewed by you before merge. Quenchloop never pushes to your default branch.

Detection catalog

12 Lovable-specific patterns, out of the box.

Category	Pattern	Severity	Fix cost
lovable	supabase.auth.onAuthStateChange callback awaits Supabase directly	high	~90
lovable	ProtectedRoute checks session without a loading state	medium	~70
lovable	Secret-looking env var uses VITE_ prefix — exposed in client bundle	high	~100
lovable	Supabase table with user_id missing or bypassing RLS	critical	~120
lovable	Third-party API key sent from the browser to a non-Supabase host	critical	~150
lovable	Edge function directory has no matching block in config.toml	high	~60
lovable	Generated Supabase types.ts out of sync with migration SQL	medium	~35
lovable	Postgres SECURITY DEFINER function without SET search_path	high	~12
production	console.log statements left in code	low	~5
types	Excessive use of `any` or `unknown` casts	medium	~25
production	Hardcoded API keys in source	critical	~200
performance	Image rendered without width/height/loading attrs	low	~10