Scan Summary
Scan Approach
Conducted a three-phase quality scan of the Threadline e-commerce app:
- Codebase inventory — Read all source files (
app/main.js, api/mock-server.js, app/index.html, app/styles.css) and cross-referenced frontend API calls against mock server endpoints
- Browser interaction scan — Used Playwright via CDP to interact with every element on https://devin-ai-kata.vercel.app, capturing console errors and DOM state
- HTTP endpoint scan — Attempted requests to all API endpoints (all returned 404 on Vercel since the Express server is not deployed as a serverless function)
- Static analysis — Reviewed code for unhandled promises, missing error boundaries, accessibility issues
Bugs Found (10 total)
Broken UI Flows (4 bugs)
| # |
Bug |
File |
PR |
| 1 |
Cart button calls undefined viewCart() → ReferenceError |
app/main.js:181 |
PR #7 |
| 2 |
"Tops" category filter returns 0 results (compares against p.name instead of p.category) |
app/main.js:132 |
PR #4 |
| 3 |
Add to Cart does not increment cart count in header |
app/main.js:144 |
PR #5 |
| 4 |
Newsletter form silently fails — no API call, no user feedback |
app/main.js:33-61 |
PR #2 |
API Failures (3 bugs)
| # |
Bug |
File |
PR |
| 5 |
fetchCartCount() calls non-existent /api/cart/count → console error on every page load |
app/main.js:21-28 |
PR #1 |
| 6 |
Missing CORS headers on all mock server routes |
api/mock-server.js:13-20 |
PR #8 |
| 7 |
POST /api/cart with quantity=0 causes divide-by-zero (500 instead of 400) |
api/mock-server.js:53 |
PR #9 |
Accessibility / Silent Errors (3 bugs)
| # |
Bug |
File |
PR |
| 8 |
All product images missing alt attribute (WCAG violation) |
app/main.js:69 |
PR #3 |
| 9 |
Sort button missing type="button", aria-label, aria-pressed |
app/main.js:162-171 |
PR #6 |
| 10 |
Newsletter API uses GET with email in query params (REST violation, PII exposure) |
api/mock-server.js:57-66 |
PR #10 |
What I Checked
What I Was Unable to Verify
- API endpoint behavior at runtime (the Express mock server is not deployed on Vercel — all
/api/* routes return 404). API bugs were identified via static code analysis only.
- Whether the newsletter subscribe endpoint works end-to-end (since it does not exist on the Vercel deployment)
Detection Method Summary
| Method |
Bugs Found |
| Browser interaction (Playwright) |
5 (Cart button error, Tops filter, Cart count, Newsletter form, fetchCartCount console error) |
| Static analysis |
8 (all bugs visible in code, but 5 were also caught via browser) |
| HTTP scan |
0 (all endpoints 404 on Vercel; API bugs confirmed via code review) |
Scan Summary
Scan Approach
Conducted a three-phase quality scan of the Threadline e-commerce app:
app/main.js,api/mock-server.js,app/index.html,app/styles.css) and cross-referenced frontend API calls against mock server endpointsBugs Found (10 total)
Broken UI Flows (4 bugs)
viewCart()→ ReferenceErrorapp/main.js:181p.nameinstead ofp.category)app/main.js:132app/main.js:144app/main.js:33-61API Failures (3 bugs)
fetchCartCount()calls non-existent/api/cart/count→ console error on every page loadapp/main.js:21-28api/mock-server.js:13-20POST /api/cartwithquantity=0causes divide-by-zero (500 instead of 400)api/mock-server.js:53Accessibility / Silent Errors (3 bugs)
altattribute (WCAG violation)app/main.js:69type="button",aria-label,aria-pressedapp/main.js:162-171api/mock-server.js:57-66What I Checked
What I Was Unable to Verify
/api/*routes return 404). API bugs were identified via static code analysis only.Detection Method Summary