Test 0128 finqc - QC doc checklist view

[sdignum]

Hey @ruudandriessen! I did my first pass at playing with the new design system and Claude Code to create our document QC checklist review experience.

Would love your eyes on it and your guidance on what I need to fix/do differently in the future. This view should eventually be a template I think, but I created it as a standalone app (wasn't thinking straight). I'd like to get this in decent enough shape to be able to share with Oleksandr as I know he's now getting set up with the new design system and will be working on some of the functionality I've included in this PR.

Thanks in advance for your review and guidance!

Key Features

• Split-view layout with validation checklist sidebar and dual document viewers
• AI evaluation status badges (yes/no/inconclusive) with human review toggles
• Identified fields pattern showing source/target document comparisons for validation checks
• Document highlights with tooltips showing field labels on hover
• Interactive zoom functionality:
  -- Click highlights to zoom smoothly to that area with bezier curve animation
  -- Floating zoom controls (zoom in, zoom out, zoom to fit)
  -- Drag/pan support when zoomed in
• Multi-page document support with scrollbar positioned outside document border
• Comment system for validation items with timestamp and author tracking
• Human evaluation toggles with deselection support (Yes/No/N/A)
• Smooth animations using Framer Motion with custom bezier curves

Tech Stack

• Next.js 16.1.1 with App Router and Turbopack
• React 19.2.3 with client components
• Tailwind CSS v4 with design tokens
• Radix UI primitives (tooltip, toggle-group, popover, separator)
• shadcn/ui component patterns
• Framer Motion for animations
• TypeScript for type safety

Changes

New Files

• apps/loan-qc/ - Complete new app structure with 37 files including components, hooks, types, and document assets

Modified Files

• package.json - Added loan-qc workspace
• pnpm-lock.yaml - Updated dependencies
• turbo.json - Added loan-qc build tasks

🤖 Generated with Claude Code

[github-actions]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (PT)
apollo-canvas	❌ Failed: Building: Failure reason: Building: specifiers in the lockfile don't match specifiers in...	N/A, Logs	Jan 28, 2026, 02:09:15 PM
apollo-ui-react	❌ Failed: Building: Failure reason: Building: specifiers in the lockfile don't match specifiers in...	N/A, Logs	Jan 28, 2026, 02:09:14 PM
apollo-vertex	❌ Failed: Building: Failure reason: Building: specifiers in the lockfile don't match specifiers in...	N/A, Logs	Jan 28, 2026, 02:09:15 PM
apollo-wind	❌ Failed: Building: Failure reason: Building: specifiers in the lockfile don't match specifiers in...	N/A, Logs	Jan 28, 2026, 02:09:19 PM

[github-actions]

Dependency Review

The following issues were found:

• ❌ 1 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 2 package(s) with unknown licenses.

See the Details below.

Vulnerabilities

apps/loan-qc/package.json

Name	Version	Vulnerability	Severity
next	16.1.1	Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components	high

Only included vulnerabilities with severity high or higher.

License Issues

pnpm-lock.yaml

Package	Version	License	Issue Type
agentation	1.3.2	Null	Unknown License

apps/loan-qc/package.json

Package	Version	License	Issue Type
lucide-react	^0.468.0	Null	Unknown License

Allowed Licenses:

OSL-3.0, BSD-3-Clause-LBNL, AFL-1.1, LGPL-3.0, Artistic-1.0-Perl, APSL-1.1, OSL-2.1, LPPL-1.3c, Entessa, AFL-2.0, Sleepycat, BlueOak-1.0.0, RPL-1.1, ISC, Multics, NGPL, LGPL-2.0-or-later, OFL-1.1-RFN, APSL-1.0, UPL-1.0, CECILL-2.1, CATOSL-1.1, GPL-2.0-or-later, RPSL-1.0, SISSL, Apache-1.1, OLFL-1.3, APL-1.0, BSL-1.0, GPL-3.0+, PHP-3.0, LPL-1.0, GPL-2.0+, EFL-1.0, CPAL-1.0, NCSA, Apache-2.0, RSCPL, LGPL-3.0+, MIT-0, MPL-2.0-no-copyleft-exception, CERN-OHL-S-2.0, OSL-2.0, MulanPSL-2.0, OSET-PL-2.1, IPA, LGPL-2.1-or-later, Fair, AGPL-3.0-only, NPOSL-3.0, CERN-OHL-P-2.0, OFL-1.1-no-RFN, HPND, Artistic-2.0, CERN-OHL-W-2.0, PHP-3.01, LiLiQ-R-1.1, LiLiQ-P-1.1, LiLiQ-Rplus-1.1, EUDatagrid, APSL-1.2, ZPL-2.1, OCLC-2.0, MS-RL, BSD-1-Clause, ICU, Artistic-1.0-cl8, W3C-20150513, LGPL-2.1-only, CUA-OPL-1.0, MIT-Modern-Variant, CAL-1.0, Naumen, Unicode-3.0, Unicode-DFS-2016, 0BSD, EPL-2.0, LGPL-2.0-only, Unlicense, ECL-2.0, SPL-1.0, AFL-3.0, CNRI-Python, OLDAP-2.8, CPL-1.0, Frameworx-1.0, Artistic-1.0, EUPL-1.1, CDDL-1.0, LGPL-2.0+, RPL-1.5, Intel, Zlib, AAL, AGPL-3.0, BSD-2-Clause, wxWindows, NASA-1.3, LGPL-2.1+, SimPL-2.0, GPL-2.0-only, Nokia, GPL-3.0-or-later, AGPL-3.0-or-later, Xnet, Jam, W3C, AFL-1.2, LGPL-3.0-or-later, GPL-3.0, Motosoto, MIT, Watcom-1.0, OGTSL, ZPL-2.0, EPL-1.0, VSL-1.0, BSD-3-Clause, APSL-2.0, CAL-1.0-Combined-Work-Exception, BSD-2-Clause-Patent, IPL-1.0, EUPL-1.2, MPL-2.0, GPL-3.0-with-GCC-exception, EFL-2.0, OFL-1.1, UCL-1.0, NTP, Python-2.0, GPL-3.0-only, LGPL-3.0-only, ECL-1.0, OSL-1.0, LPL-1.02, MPL-1.0, LGPL-2.0, LGPL-2.1, MPL-1.1, AFL-2.1, GPL-2.0, MirOS, QPL-1.0, PostgreSQL, MS-PL

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
npm/next	16.1.1	🟢 5.3	Details Check Score Reason Code-Review 🟢 8 Found 24/30 approved changesets -- score normalized to 8 Maintained 🟢 10 30 commit(s) and 14 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Signed-Releases ⚠️ -1 no releases found Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Packaging 🟢 10 packaging workflow detected Binary-Artifacts ⚠️ 0 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities ⚠️ 0 257 existing vulnerabilities detected Fuzzing 🟢 10 project is fuzzed SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/@biomejs/biome	^2.3.6	Unknown	Unknown
npm/@radix-ui/react-avatar	^1.1.6	🟢 3.9	Details Check Score Reason Maintained 🟢 10 26 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Packaging ⚠️ -1 packaging workflow not detected Code-Review ⚠️ 1 Found 3/29 approved changesets -- score normalized to 1 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Fuzzing ⚠️ 0 project is not fuzzed SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities ⚠️ 0 14 existing vulnerabilities detected
npm/@radix-ui/react-popover	^1.1.15	🟢 3.9	Details Check Score Reason Maintained 🟢 10 26 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Packaging ⚠️ -1 packaging workflow not detected Code-Review ⚠️ 1 Found 3/29 approved changesets -- score normalized to 1 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Fuzzing ⚠️ 0 project is not fuzzed SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities ⚠️ 0 14 existing vulnerabilities detected
npm/@radix-ui/react-separator	^1.1.8	🟢 3.9	Details Check Score Reason Maintained 🟢 10 26 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Packaging ⚠️ -1 packaging workflow not detected Code-Review ⚠️ 1 Found 3/29 approved changesets -- score normalized to 1 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Fuzzing ⚠️ 0 project is not fuzzed SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities ⚠️ 0 14 existing vulnerabilities detected
npm/@radix-ui/react-slot	^1.2.4	🟢 3.9	Details Check Score Reason Maintained 🟢 10 26 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Packaging ⚠️ -1 packaging workflow not detected Code-Review ⚠️ 1 Found 3/29 approved changesets -- score normalized to 1 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Fuzzing ⚠️ 0 project is not fuzzed SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities ⚠️ 0 14 existing vulnerabilities detected
npm/@radix-ui/react-toggle	^1.1.10	🟢 3.9	Details Check Score Reason Maintained 🟢 10 26 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Packaging ⚠️ -1 packaging workflow not detected Code-Review ⚠️ 1 Found 3/29 approved changesets -- score normalized to 1 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Fuzzing ⚠️ 0 project is not fuzzed SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities ⚠️ 0 14 existing vulnerabilities detected
npm/@radix-ui/react-toggle-group	^1.1.11	🟢 3.9	Details Check Score Reason Maintained 🟢 10 26 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Packaging ⚠️ -1 packaging workflow not detected Code-Review ⚠️ 1 Found 3/29 approved changesets -- score normalized to 1 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Fuzzing ⚠️ 0 project is not fuzzed SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities ⚠️ 0 14 existing vulnerabilities detected
npm/@radix-ui/react-tooltip	^1.2.8	🟢 3.9	Details Check Score Reason Maintained 🟢 10 26 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Packaging ⚠️ -1 packaging workflow not detected Code-Review ⚠️ 1 Found 3/29 approved changesets -- score normalized to 1 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Fuzzing ⚠️ 0 project is not fuzzed SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities ⚠️ 0 14 existing vulnerabilities detected
npm/@tailwindcss/postcss	^4.1.17	🟢 5.3	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10 Code-Review ⚠️ 0 Found 1/26 approved changesets -- score normalized to 0 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Fuzzing 🟢 10 project is fuzzed Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities ⚠️ 0 15 existing vulnerabilities detected
npm/@types/node	^24.10.1	🟢 7	Details Check Score Reason Code-Review 🟢 9 Found 26/28 approved changesets -- score normalized to 9 Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 9 license file detected Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 Fuzzing ⚠️ 0 project is not fuzzed
npm/@types/react	^19.2.6	🟢 7	Details Check Score Reason Code-Review 🟢 9 Found 26/28 approved changesets -- score normalized to 9 Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 9 license file detected Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 Fuzzing ⚠️ 0 project is not fuzzed
npm/@types/react-dom	^19.2.2	🟢 7	Details Check Score Reason Code-Review 🟢 9 Found 26/28 approved changesets -- score normalized to 9 Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 9 license file detected Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 Fuzzing ⚠️ 0 project is not fuzzed
npm/class-variance-authority	^0.7.1	Unknown	Unknown
npm/clsx	^2.1.1	🟢 3.6	Details Check Score Reason Code-Review ⚠️ 2 Found 7/30 approved changesets -- score normalized to 2 Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/framer-motion	^11.18.2	Unknown	Unknown
npm/lucide-react	^0.468.0	🟢 3.1	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 12 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow ⚠️ 0 dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy ⚠️ 0 security policy file not detected License 🟢 9 license file detected Binary-Artifacts 🟢 10 no binaries found in the repo Fuzzing ⚠️ 0 project is not fuzzed Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Vulnerabilities ⚠️ 0 49 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/postcss	^8.5.6	🟢 4.2	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Code-Review 🟢 4 Found 13/30 approved changesets -- score normalized to 4 Binary-Artifacts 🟢 10 no binaries found in the repo Maintained ⚠️ 1 1 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 1 Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Signed-Releases ⚠️ -1 no releases found Vulnerabilities 🟢 7 3 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/react	19.2.3	🟢 5.7	Details Check Score Reason Code-Review 🟢 7 Found 22/30 approved changesets -- score normalized to 7 Security-Policy 🟢 10 security policy file detected Maintained 🟢 10 30 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 2 badge detected: InProgress Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Binary-Artifacts 🟢 9 binaries present in source code Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Fuzzing ⚠️ 0 project is not fuzzed SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities ⚠️ 0 244 existing vulnerabilities detected
npm/react-dom	19.2.3	🟢 5.7	Details Check Score Reason Code-Review 🟢 7 Found 22/30 approved changesets -- score normalized to 7 Security-Policy 🟢 10 security policy file detected Maintained 🟢 10 30 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 2 badge detected: InProgress Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Binary-Artifacts 🟢 9 binaries present in source code Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Fuzzing ⚠️ 0 project is not fuzzed SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities ⚠️ 0 244 existing vulnerabilities detected
npm/react-resizable-panels	^3.0.6	Unknown	Unknown
npm/tailwind-merge	^2.6.0	🟢 6.5	Details Check Score Reason Code-Review 🟢 5 Found 3/6 approved changesets -- score normalized to 5 Maintained 🟢 10 24 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found Packaging 🟢 10 packaging workflow detected SAST 🟢 7 SAST tool detected but not run on all commits Vulnerabilities 🟢 7 3 existing vulnerabilities detected
npm/tailwindcss	^4.1.17	🟢 5.3	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10 Code-Review ⚠️ 0 Found 1/26 approved changesets -- score normalized to 0 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Fuzzing 🟢 10 project is fuzzed Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities ⚠️ 0 15 existing vulnerabilities detected
npm/typescript	^5.9.3	🟢 8.5	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 9 issue activity found in the last 90 days -- score normalized to 10 Dependency-Update-Tool 🟢 10 update tool detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 10 security policy file detected License 🟢 10 license file detected Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Vulnerabilities 🟢 8 2 existing vulnerabilities detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 Fuzzing 🟢 10 project is fuzzed Branch-Protection ⚠️ -1 internal error: error during GetBranch(release-5.9): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration SAST 🟢 10 SAST tool is run on all commits CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 35 contributing companies or organizations
npm/agentation	1.3.2	Unknown	Unknown
npm/framer-motion	11.18.2	Unknown	Unknown
npm/motion-dom	11.18.1	Unknown	Unknown
npm/motion-utils	11.18.1	Unknown	Unknown

Scanned Files

• apps/loan-qc/package.json
• pnpm-lock.yaml

[github-actions]

🤖 AI Code Review (Claude)

⚠️ Automated Review: This is an AI-generated review. Use as guidance, not gospel.

Code Review: Loan QC Document Checklist Application

Summary

This PR introduces a new showcase application (apps/loan-qc) for demonstrating document quality control functionality. It's a Next.js 16 app with React 19 that implements a split-view interface for reviewing loan documents with AI-assisted validation. The application includes interactive document viewers with zoom/pan, validation checklists, and human review capabilities.

Code Quality

✅ Strengths

• Well-structured component hierarchy with clear separation of concerns
• Good use of TypeScript for type safety throughout
• Clean implementation of custom hooks (useValidationState, useDocumentView)
• Consistent naming conventions and file organization
• Good use of Framer Motion for smooth animations with custom bezier curves

⚠️ Issues to Address

1. Hardcoded User Data (ValidationItem.tsx:22)

   author: 'Current User',

   Consider passing user context or making it configurable rather than hardcoding.

2. Missing Error Boundaries
   The app lacks error boundaries. Consider adding them for better error handling, especially around document loading.

3. Image Loading Without Error Handling (DocumentViewer.tsx:159-163)

   <img
     src={document.imageUrl}
     alt={document.name}
     className="w-full h-auto opacity-90"
   />

   Should handle image loading errors and loading states.

4. Drag State Not Reset on Click Outside (DocumentViewer.tsx)
   The isDragging state could get stuck if user drags outside the component. Consider adding a global mouse-up listener or using onMouseLeave more defensively.

5. Magic Numbers in Zoom Calculations (DocumentViewer.tsx:98-110)

   const targetWidthPercent = 60;
   const scale = targetWidthPercent / width;

   Consider extracting these as named constants at the top of the file.

Security

✅ No Major Security Issues

• This is a playground/showcase app with static mock data
• No user input is processed in an unsafe manner
• No API calls or external data fetching

💡 Minor Considerations

• If this becomes a real feature, ensure document URLs are validated/sanitized
• Consider adding Content Security Policy headers in production

Type Safety

✅ Good Type Coverage

• Comprehensive type definitions in lib/types.ts
• Proper use of discriminated unions for status types
• Good component prop typing

⚠️ Minor Issues

1. Loose Type in CSS Variable (SplitViewLayout.tsx:31)

   style={{ "--gap": spacing } as React.CSSProperties}

   This cast masks a type issue. Consider using proper CSS custom properties typing.

2. Optional Chaining Could Be Cleaner (page.tsx:29-32)

   item.documentHighlights?.filter((h) => h.documentId === doc1.id) || []

   This pattern works but could use nullish coalescing for clarity.

Testing

⚠️ No Tests Included

As this is in the apps/ folder (playground), missing tests are acceptable per project guidelines. However, if this code is extracted to packages later, tests should be added for:

• Custom hooks (useValidationState, useDocumentView)
• Validation logic
• Document highlight calculations

Performance

✅ Generally Good

• Proper use of useCallback for handler memoization
• Efficient state updates using functional updates

💡 Potential Optimizations

1. Document Highlights Calculation (page.tsx:29-36)

   const doc1Highlights = items.flatMap(
     (item) => item.documentHighlights?.filter((h) => h.documentId === doc1.id) || []
   );

   This recalculates on every render. Consider using useMemo:

   const doc1Highlights = useMemo(
     () => items.flatMap((item) => 
       item.documentHighlights?.filter((h) => h.documentId === doc1.id) || []
     ),
     [items]
   );

2. Framer Motion Animation Instances
   Multiple animated elements could be optimized by reducing animation complexity or using CSS transforms where possible.

Additional Observations

Dependency Management

• Added agentation: ^1.3.2 to root package.json but it's not used anywhere in the codebase. Should this be removed?
• The --concurrency=20 flag added to the dev script seems arbitrary. Is there a reason for this specific number?

UI/UX Considerations

1. Accessibility: Missing ARIA labels on interactive elements like zoom buttons and document highlights
2. Keyboard Navigation: No keyboard shortcuts for zoom controls or document switching
3. Mobile Responsiveness: Layout appears desktop-focused; consider responsive breakpoints

Documentation

• Consider adding a README.md to apps/loan-qc explaining:
  • Purpose and scope of the demo
  • How to run it
  • Key features demonstrated
  • Any limitations or known issues

Recommendation: APPROVE ✅

This is a well-implemented showcase application that demonstrates the design system effectively. The code quality is good, with no blocking security or type safety issues.

Suggested Follow-ups (Non-blocking):

1. Add error handling for image loading
2. Optimize document highlight calculations with useMemo
3. Extract magic numbers to named constants
4. Remove unused agentation dependency if not needed
5. Add basic accessibility improvements (ARIA labels)
6. Consider adding a README for the app

The issues identified are minor and don't prevent merging. This serves its purpose as a playground/showcase application well. Great work on the animations and interaction patterns! 🎉

---

This automated review is temporary for solo development. Will be replaced with human reviews once the team grows.

[github-actions]

✅ AI Review: Changes look good. Auto-approved by Claude AI.

[CalinaCristian]

Current Stack

• main
  • Test 0128 finqc - QC doc checklist view  #136 test-0128-finqc ← THIS PR

Managed with stacked-prs