Automated AI-powered analysis — Thuban Scanner + Crucible Adversarial Engine
Thuban performed a comprehensive dual-engine analysis of the acme-fintech/payments-api repository. The codebase contains 342 files across 4 languages (TypeScript, JavaScript, SQL, Shell), totalling 28,491 lines of code.
The Thuban Scanner identified 3 critical security vulnerabilities (SQL injection, hardcoded API key, insecure JWT verification), 2 AI hallucination issues (non-existent Stripe API methods), and 4 code quality warnings (ghost functions, clone clusters, high complexity). The Crucible adversarial engine tested the codebase against 486 attack patterns and confirmed that 12 attack vectors are exploitable in the current state.
Overall, the codebase demonstrates solid architectural decisions and competent engineering, but the critical security findings must be remediated before production deployment or investment close. Estimated remediation effort: 2–4 developer days.
| Metric | Value | Assessment |
|---|---|---|
| Total files | 342 | ✓ Reasonable size |
| Lines of code | 28,491 | ✓ Manageable |
| Languages | TypeScript (78%), JS (12%), SQL (8%), Shell (2%) | ✓ Consistent stack |
| Dependencies | 47 direct, 312 transitive | ⚠ 3 outdated |
| Test files | 89 (26% of codebase) | ✓ Good coverage |
| Avg. complexity per file | 4.2 (cyclomatic) | ✓ Low complexity |
| Largest file | src/services/payment-processor.ts (847 lines) | ⚠ Consider splitting |
algorithms: ['none'], which accepts unsigned tokens. Any user can forge authentication tokens.stripe.refunds.createInstant() does not exist in any version of the Stripe Node SDK. The correct method is stripe.refunds.create(). This was likely generated by an AI coding assistant that hallucinated the method name.crypto.generateKeyPairAsync() does not exist. The correct method is crypto.generateKeyPair() (callback) or crypto.generateKeyPairSync(). Another AI hallucination.The Crucible engine subjected the codebase to 486 known attack patterns including SQL injection variants, XSS payloads, command injection, prototype pollution, and path traversal. Results below.
| Attack Category | Tested | Blocked | Exploitable | Status |
|---|---|---|---|---|
| SQL Injection | 87 | 82 | 5 | ✗ Fail |
| Cross-Site Scripting | 64 | 61 | 3 | ✗ Fail |
| Authentication Bypass | 42 | 38 | 4 | ✗ Fail |
| Command Injection | 38 | 38 | 0 | ✓ Pass |
| Path Traversal | 31 | 31 | 0 | ✓ Pass |
| Prototype Pollution | 28 | 28 | 0 | ✓ Pass |
| SSRF | 24 | 24 | 0 | ✓ Pass |
| Deserialization | 22 | 22 | 0 | ✓ Pass |
| Chaos Mutations | 150 | 150 | 0 | ✓ Pass |
Thuban analysed all 47 direct and 312 transitive dependencies for known CVEs, malicious packages, licence risks, and deprecated libraries. Supply chain attacks are the fastest-growing vector in software security.
| Package | Installed | CVE | Severity | Fix Available |
|---|---|---|---|---|
jsonwebtoken |
8.5.1 | CVE-2022-23529 | HIGH | ✓ 9.0.0+ |
express |
4.17.1 | CVE-2024-29041 | MEDIUM | ✓ 4.19.2+ |
semver |
5.7.1 | CVE-2022-25883 | MEDIUM | ✓ 5.7.2+ |
qs |
6.5.2 | CVE-2022-24999 | LOW | ✓ 6.5.3+ |
| Licence | Count | Risk | Commercial Use |
|---|---|---|---|
| MIT | 241 | ✓ None | ✓ Permitted |
| ISC | 48 | ✓ None | ✓ Permitted |
| BSD-2-Clause | 23 | ✓ None | ✓ Permitted |
| Apache-2.0 | 31 | ✓ None | ✓ Permitted |
| BSD-3-Clause | 12 | ✓ None | ✓ Permitted |
| GPL-3.0 | 2 | ⚠ Copyleft | ⚠ Viral clause |
| UNLICENSED | 2 | ⚠ Unknown | ⚠ Verify |
@acme/logger, text-table). If the product is distributed as proprietary software, GPL dependencies require legal review. 2 packages have no licence declaration — contact maintainers or replace.
Complete inventory of all direct dependencies. Full SBOM including transitive dependencies available in CycloneDX and SPDX formats via export.
| Package | Version | Licence | Direct | CVE | Status |
|---|---|---|---|---|---|
@stripe/stripe-node | 14.2.0 | MIT | ✓ | — | ✓ Clean |
express | 4.17.1 | MIT | ✓ | 1 | ⚠ Update |
pg | 8.11.3 | MIT | ✓ | — | ✓ Clean |
jsonwebtoken | 8.5.1 | MIT | ✓ | 1 | ✗ Vuln |
bcryptjs | 2.4.3 | MIT | ✓ | — | ✓ Clean |
helmet | 7.1.0 | MIT | ✓ | — | ✓ Clean |
cors | 2.8.5 | MIT | ✓ | — | ✓ Clean |
winston | 3.11.0 | MIT | ✓ | — | ✓ Clean |
zod | 3.22.4 | MIT | ✓ | — | ✓ Clean |
dotenv | 16.3.1 | BSD-2 | ✓ | — | ✓ Clean |
redis | 4.6.10 | MIT | ✓ | — | ✓ Clean |
bullmq | 4.12.0 | MIT | ✓ | — | ✓ Clean |
pino | 8.16.2 | MIT | ✓ | — | ✓ Clean |
uuid | 9.0.0 | MIT | ✓ | — | ✓ Clean |
axios | 1.6.2 | MIT | ✓ | — | ✓ Clean |
Showing 15 of 47 direct dependencies. Full SBOM available as CycloneDX JSON or SPDX export.
Auto-generated module dependency graph showing the codebase structure, entry points, and data flow paths. Modules with security findings are highlighted.
┌─────────────────────┐
│ API Gateway │
│ src/app.ts (entry) │
└─────────┬───────────┘
│
┌─────────────┴─────────────┐
│ │
┌────────┴─────────┐ ┌────┴────────────┐
│ ⚠ Middleware │ │ Route Handlers │
│ src/middleware/ │ │ src/api/ │
│ auth.ts [SEC007] │ │ users.ts │
│ rate-limit.ts │ │ merchants.ts [CLONE]│
│ cors.ts │ │ admins.ts [CLONE] │
└──────────────────┘ └─────────┬────────┘
│
┌─────────────┴─────────────┐
│ │
┌────────┴─────────┐ ┌────┴────────────┐
│ ⚠ Services │ │ Utilities │
│ payment- │ │ src/utils/ │
│ processor.ts │ │ tokens.ts [HALL] │
│ [SEC001,SEC003] │ │ format.js [GHOST] │
│ refunds.ts [HALL] │ │ crypto.ts │
└──────────────────┘ └─────────────────┘
│
┌────────┴─────────┐
│ ⚠ Database │
│ src/db/ │
│ query.js [SEC003] │
│ migrations/ │
│ seeds/ │
└──────────────────┘
| Module | Files | LOC | Complexity | Findings | Health |
|---|---|---|---|---|---|
| src/api/ | 12 | 2,841 | 3.8 | 1 clone cluster | ⚠ Fair |
| src/services/ | 8 | 4,293 | 6.1 | 2 critical, 1 halluc. | ✗ Poor |
| src/middleware/ | 5 | 612 | 2.4 | 1 critical | ✗ Poor |
| src/utils/ | 9 | 1,102 | 2.8 | 1 halluc., 1 ghost | ⚠ Fair |
| src/db/ | 6 | 1,847 | 3.2 | 1 critical (SQL inj) | ✗ Poor |
| src/config/ | 4 | 189 | 1.0 | 1 critical (API key) | ✗ Poor |
| src/types/ | 11 | 891 | 1.0 | — | ✓ Clean |
| tests/ | 89 | 7,421 | 1.8 | — | ✓ Clean |
Git history analysis showing development patterns, contributor distribution, and project health indicators. These metrics help investors assess team capability and sustainability.
| Contributor | Commits | Lines Added | Lines Deleted | Last Active | Focus Areas |
|---|---|---|---|---|---|
| dev-lead-alex | 412 (49%) | 18,291 | 6,103 | 2 days ago | Services, API, DB |
| backend-sarah | 198 (23%) | 8,412 | 3,201 | 3 days ago | Auth, middleware |
| fullstack-mike | 127 (15%) | 5,891 | 2,487 | 1 week ago | API routes, tests |
| devops-jen | 63 (7%) | 1,203 | 412 | 5 days ago | CI/CD, infra |
| junior-tom | 31 (4%) | 2,104 | 891 | 2 weeks ago | Utils, tests |
| intern-emma | 16 (2%) | 890 | 312 | 3 weeks ago | Documentation |
Automated mapping of scan findings against major compliance frameworks. This is a code-level assessment and does not replace a full compliance audit, but gives investors visibility into the codebase's alignment with industry standards.
| Framework | Requirement | Status | Findings |
|---|---|---|---|
| OWASP Top 10 (2021) | A01 — Broken Access Control | ✗ Fail | SEC007: JWT allows unsigned tokens |
| A02 — Cryptographic Failures | ✗ Fail | SEC001: Hardcoded Stripe secret key | |
| A03 — Injection | ✗ Fail | SEC003: SQL injection (5 instances) | |
| A04–A10 | ✓ Pass | No findings in remaining categories | |
| Overall: 3/10 categories failed — remediation required | |||
| SOC 2 Type II | CC6.1 — Logical Access Controls | ✗ Fail | JWT verification disabled; secrets in source |
| CC6.6 — System Boundaries | ✓ Pass | Proper CORS, rate limiting, input validation | |
| CC7.1 — Vulnerability Management | ⚠ Partial | 4 CVEs in dependencies; no automated scanning in CI | |
| CC8.1 — Change Management | ✓ Pass | PR-based workflow, branch protection, review required | |
| PCI DSS v4.0 | Req 6.2 — Secure Development | ✗ Fail | SQL injection, hardcoded keys violate secure coding standards |
| Req 6.3 — Vulnerability Management | ⚠ Partial | Known CVEs not patched; no SBOM process | |
| Req 8 — Authentication | ✗ Fail | JWT allows algorithm:none — critical auth bypass | |
| ISO 27001:2022 | A.8.25 — Secure Development Life Cycle | ⚠ Partial | Good practices in place, but no automated security scanning in CI |
| A.8.28 — Secure Coding | ✗ Fail | Injection flaws, hardcoded secrets, AI hallucinations in production code | |
Score progression across previous Thuban scans. Trend data shows whether the team is actively improving code quality or allowing technical debt to accumulate.
Anonymous aggregate comparison against all codebases scanned by Thuban in the same category (FinTech, TypeScript, 20k–50k LOC). Data based on 2,400+ scans across 340+ repositories.
| Metric | This Codebase | Category Average | Top 10% | Percentile |
|---|---|---|---|---|
| Trust Score | 68 | 61 | 89+ | 72nd |
| Critical Findings | 3 | 4.2 | 0 | 58th |
| AI Hallucinations | 2 | 3.8 | 0 | 65th |
| Test Coverage Ratio | 26% | 18% | 45%+ | 71st |
| Avg Complexity | 4.2 | 6.8 | <3.0 | 76th |
| Dependency CVEs | 4 | 7.1 | 0 | 62nd |
| Ghost Code % | 2.4% | 5.1% | <1% | 69th |
| Clone Ratio | 3.1% | 6.3% | <2% | 67th |
Estimated financial exposure if critical findings remain unaddressed. Based on industry breach cost data (IBM Cost of a Data Breach Report 2025, Ponemon Institute) adjusted for company stage and data sensitivity.
| Risk Scenario | Finding | Probability | Impact Estimate | Expected Loss |
|---|---|---|---|---|
| Payment data breach via SQL injection | SEC003 | High (70%) | $1.2M – $3.2M | $840K – $2.24M |
| Account takeover via JWT bypass | SEC007 | High (60%) | $500K – $1.5M | $300K – $900K |
| Stripe account compromise | SEC001 | Medium (40%) | $200K – $800K | $80K – $320K |
| Runtime crash from hallucinated APIs | HALL001 | Certain (100%) | $10K – $50K | $10K – $50K |
| GPL licence violation lawsuit | Licence | Low (10%) | $100K – $500K | $10K – $50K |
The hardcoded Stripe secret key (SEC001) must be rotated in the Stripe dashboard and moved to environment variables. This is a blocking issue — the key grants full account access. Estimated effort: 30 minutes.
Remove algorithms: ['none'] from JWT verification (SEC007). This allows any user to forge authentication tokens. Thuban can auto-fix this. Estimated effort: 15 minutes.
5 SQL injection points found (SEC003). All can be auto-fixed by Thuban. The engineering team should also adopt a query builder (e.g., Knex) to prevent recurrence. Estimated effort: 1 day.
2 non-existent API methods will crash at runtime. These indicate AI-generated code that was not reviewed. Recommend integrating Thuban into CI to prevent future hallucinations from reaching production. Estimated effort: 2 hours.
The codebase demonstrates clean separation of concerns, consistent TypeScript usage, 26% test coverage, and low average complexity (4.2). The engineering team is competent — the critical issues are fixable and do not indicate systemic problems.
After implementing the recommended fixes, the Trust Score is projected to rise from 68 to 91 and the Crucible Score from 71 to 94. The codebase has strong fundamentals.
The codebase is architecturally sound with strong engineering fundamentals. 3 critical security issues must be remediated before investment close. All issues are fixable within 2–4 developer days. Thuban can auto-fix 3 of the 9 findings.