What QC Pro actually surfaces

These are illustrative examples of the kind of findings QC Pro generates. Each one includes the observation (what the tester saw), the affected routes and files, the failing flow, and the fix instruction delivered to Claude Code.

criticalfunctional_integrity

Signup flow drops users at 404 after email verification

Observation

Created an account with disposable@qcpro.test, received the welcome email, and followed the verify link. Hit a 404 at /dashboard/home. The route was renamed to /dashboard last quarter but the email template still points at the old path.

Affected routes / files

/signup/dashboard/homeemail_template_welcome.html

Failing flow

POST /api/auth/signup → 201
GET /signup?sent=true → 200
Email received (subject: Welcome to Acme)
GET /dashboard/home → 404

Fix delivered to Claude Code

Update the welcome email template to link to /dashboard.

Files: emails/welcome.tsx
Acceptance criteria:
  • -Following the verify link lands on /dashboard with an authenticated session.
  • -No 404s in Sentry from the welcome email link for 7 days post-deploy.
highsecurity_basics

API key exposed in client JS bundle

Observation

Searched all loaded JavaScript chunks for credential-shaped strings and found SUPABASE_SERVICE_ROLE_KEY in chunks/pages_dashboard.js. Any visitor can extract it from DevTools and bypass RLS on your Supabase project.

Affected routes / files

/dashboard/*next.config.jslib/supabase/client.ts

Failing flow

GET / → 200 (loads chunks)
Scanned 8 JS chunks for credential patterns
Found service_role JWT in pages_dashboard.js:line 1438

Fix delivered to Claude Code

Remove the service role key from client-accessible code. Rotate the leaked key in Supabase dashboard immediately.

Files: lib/supabase/client.ts, .env.local, next.config.js
Acceptance criteria:
  • -No client chunk contains a service role JWT (verified via chunk-content grep).
  • -Rotated key confirmed in Supabase dashboard.
  • -Client code only imports the anon/public key.
highaccessibility

Checkout form is keyboard-inaccessible past the first field

Observation

Tabbing through the /checkout form focus-jumps past the expiry and CVV fields to the Submit button. They are reachable with a mouse but users on keyboard-only input (including many assistive-tech users) cannot complete checkout. Axe reports tabindex="-1" on the card input wrapper.

Affected routes / files

/checkoutcomponents/CardForm.tsx

Failing flow

GET /checkout → 200
Tab from card number → expiry SKIPPED
Tab from card number → CVV SKIPPED
Tab reached Submit without visiting 2 required fields

Fix delivered to Claude Code

Remove tabindex="-1" from the card input wrapper and ensure each form field receives focus in visual order.

Files: components/CardForm.tsx
Acceptance criteria:
  • -Keyboard user can tab through card number, expiry, CVV, and Submit in that order.
  • -Axe reports zero critical issues on /checkout.
  • -Safari VoiceOver announces each field label when focused.
mediumperformance

Homepage hero image is 2.1 MB and not responsive

Observation

The hero image is served as a 2.1 MB PNG at every viewport. Mobile devices on 3G wait 3.8 seconds for it to render, pushing LCP past the 2.5s budget. Next.js <Image> is not used.

Affected routes / files

/public/hero.png

Failing flow

GET / → 200
GET /hero.png → 200 (2.1 MB, 3.8s on 3G)
LCP measured: 3,847 ms (target: <2,500 ms)

Fix delivered to Claude Code

Replace the img tag with Next.js <Image>, set priority, and provide srcset-compatible sizes. Convert source to WebP or AVIF.

Files: app/page.tsx, public/hero.webp
Acceptance criteria:
  • -LCP is under 2,500 ms at mobile-375 viewport on simulated 3G.
  • -Hero image is served as WebP or AVIF with responsive sizes.
  • -Total hero payload is under 200 KB at mobile viewport.

Run QC Pro on your own app

First scan is free. Paste a URL and get a report like these in under 5 minutes.

Test your app freeRead the methodology