AI-audit issue pipeline

The approval gate between your AI auditor and your codebase.

Your AI auditor finds bugs and files them here. Every finding waits as pending until a human approves it. Only then does the AI get to fetch it and start fixing — a clean approval gate between machine and codebase.

PHP · no database REST API Self-hosted

Three roles, one gate

The whole system is one rule: nothing gets fixed until a person says so.

1

AI submits

Your auditor POSTs findings (single or a full report batch). They're stored as pending — the AI can't self-approve.

2

Admin approves

A human reviews each issue in the console and clicks approve or reject. This is the gate.

3

AI solves

The solve queue returns only approved issues, severity-first. The AI claims, fixes, and marks them resolved.

What's inside

🗄️

No database

Everything persists as lock-protected JSON files. Deploy anywhere PHP runs — no DB to provision.

🔑

Role-based API

Separate agent and admin keys. Agents submit and solve; only admins approve, reject, or delete.

Approval workflow

Two independent states per issue: approval_status (admin) and work_status (agent).

Severity queue

Approved issues surface critical-first. Atomic claim so two workers never grab the same one.

🔒

Hardened

CSRF-protected GUI, security headers, session hardening, login throttling, secrets kept out of git.

🧭

Admin console

A clean dashboard: filter, search, inspect history, bulk-approve — all server-rendered, zero build step.

A tiny, predictable REST API

Bearer-token auth, JSON in and out. Full reference in docs/API.md.

Submit a report

curl -X POST https://bug.devai.in/api/issues \
  -H "Authorization: Bearer $AGENT_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "site": "example.com",
    "issues": [
      { "title": "/docs returns 404",
        "severity": "critical",
        "category": "bug" }
    ]
  }'

Fetch the approved queue

curl https://bug.devai.in/api/queue \
  -H "Authorization: Bearer $AGENT_KEY"

# ...then report a fix
curl -X POST \
  https://bug.devai.in/api/issues/{id}/resolve \
  -H "Authorization: Bearer $AGENT_KEY" \
  -d '{"note":"Restored the route."}'

Security by default

Secrets out of gitReal keys live in config.local.php / env vars, never the repo.
Security headersCSP, HSTS, nosniff, frame-deny and referrer policy on every response.
Hardened sessionsHttpOnly + SameSite + Secure cookies, strict mode, id regeneration.
Brute-force throttleLogin lockout after repeated failures, per client IP.
CSRF protectionEvery state-changing admin action is token-verified.
Locked-down filesConfig, data and source dirs are denied direct web access.

Ready to gate your AI's fixes?

Sign in to the console, approve a few issues, and watch the queue fill.

Open the admin console →