Show HN: OSS Tests to Fix AI Gen Code. 110 Test for Major API – Supabase, Auth0
api-doctor is an open-source CLI tool that scans AI-generated code for incorrect API integrations using 110 deterministic AST rules. It covers security, correctness, reliability, and integration issues for providers like Supabase, Auth0, and Firebase. Unlike AI-based tools, it gives the same output every time, making it easy to test AI code.
api-doctor scans AI-generated code for bad API integrations.
Deterministic AST rules. Not a prompt. Same input, same output, every time.
→ Full story and examples at apidoctor.co
Quick Start
Scan your project
npx @api-doctor/cli .
Or install as an agent skill (Claude Code, Cursor, Windsurf)
npx @api-doctor/cli install
📦 Supported Providers
| Provider | Rules |
| --- | --- |
| Resend | 13 rules |
| Supabase | 12 rules |
| Auth0 | 4 rules |
| Firebase | 20 rules |
| Lovable | 4 rules |
| Browserbase | 11 rules |
| OpenAI Computer Use | 7 rules |
| TipTap | 11 rules |
| ElevenLabs | 10 rules |
| Twilio | 9 rules |
| OpenAI Realtime | 9 rules |
Full rule catalogs live in the GitHub repo under src/providers//README.md.
What it catches
Rules cover four categories: security (CWE/OWASP mapped), correctness (wrong endpoints), reliability (production failure modes), and integration (wiring gaps).
| Category | What it means | Examples |
| --- | --- | --- |
| Security | Issues that expose you to compromise. Mapped to CWE and OWASP audits. | Hardcoded API keys, secrets in the client bundle, webhooks read before signature verification |
| Correctness | Wrong endpoint or API for the job. | Marketing email via batch send, missing unsubscribe links, test domain in production |
| Reliability | Production failure modes the provider docs warn about. | Missing idempotency keys, batch limits not enforced, error codes not mapped |
| Integration | Wiring gaps your agent won't add on its own. | No tags, no request ID logging, bare from address instead of "Name " |
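The security row lists "webhooks read before signature verification". As an added example (not code from api-doctor or from any provider SDK), the handlers below show that ordering next to the corrected one. The hex HMAC-SHA256 scheme over the raw body, the secret, the event name and every function name are assumptions for illustration; each provider defines its own header format and signing scheme.

```javascript
// Added example: not api-doctor code. The signature scheme (hex HMAC-SHA256
// over the raw body), the secret and all names are assumptions.
const crypto = require("node:crypto");

const SECRET = "whsec_constructed_example"; // constructed sample value

function sign(rawBody, secret) {
  return crypto.createHmac("sha256", secret).update(rawBody).digest("hex");
}

// Constant-time check over the exact bytes received, before any parsing.
function verify(rawBody, signatureHex, secret) {
  const expected = Buffer.from(sign(rawBody, secret), "hex");
  const given = Buffer.from(String(signatureHex || ""), "hex");
  return given.length === expected.length &&
    crypto.timingSafeEqual(given, expected);
}

// Flawed ordering: the payload is parsed and acted on first, so a forged
// request has already changed state by the time the signature is checked.
function handleUnsafe(rawBody, signatureHex, db) {
  const event = JSON.parse(rawBody);
  db.push(event.type); // side effect before verification
  if (!verify(rawBody, signatureHex, SECRET)) return { status: 401 };
  return { status: 200 };
}

// Corrected ordering: verify the raw body, then parse, then act.
function handleSafe(rawBody, signatureHex, db) {
  if (!verify(rawBody, signatureHex, SECRET)) return { status: 401 };
  let event;
  try {
    event = JSON.parse(rawBody);
  } catch {
    return { status: 400 }; // signed but malformed payload
  }
  db.push(event.type);
  return { status: 200 };
}
```

Both handlers return 401 for a bad signature, so the response alone does not reveal the flaw; only the state left behind in `db` differs.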
Why deterministic matters
You can't test AI code with AI. api-doctor breaks that loop. Same rules, same output, every time. Not a model call. Not a prompt.
Telemetry
api-doctor sends anonymous usage data to PostHog so we can see whether the tool is helping developers catch real bugs.
What we collect:
CLI version, Node.js version, platform
Run context: local, CI, or agent
Which API SDKs were detected (e.g. resend, supabase) — provider names only
Which rules fired — rule names only, no code
Score and finding counts
Score delta between runs on the same project (stored locally in that project's .api-doctor/run-history.json)
A hashed project identifier (project_hash) — SHA-256 of the scanned directory path, not the path itself
Sanitized error messages and stack traces on unexpected crashes (paths redacted)
What we never collect:
Your code or file contents
Raw file paths or project names
Email, name, or any personally identifying information
A random anonymous ID is stored at ~/.api-doctor/install-id. Per-project run history is stored at /.api-doctor/run-history.json. Both stay on your machine — only the event data above is sent to PostHog.
Opt out:
npx @api-doctor/cli . --no-telemetry
npx @api-doctor/cli install --no-telemetry
Or set API_DOCTOR_TELEMETRY=0 or DO_NOT_TRACK=1 in your environment.
Help
New provider? Open an issue
MIT © Qualty