Komatik Floe

Floe

2026-05-02 / 2 min read / projects/floe.mdx

The security scanner arm. It looks for the boring dangerous stuff AI code loves to leave behind.

Floe is the security scanner arm.

It exists because AI-generated code can look finished while quietly skipping the parts that keep people out of trouble: auth, ownership checks, secrets, webhook safety, and boring deployment details.

What I Want It To Catch

  • Routes that should not be public.
  • Data a user should not be able to change.
  • Secrets hiding in places they should never be.
  • Stripe and webhook code that trusts too much.
  • LLM prompts that accept user input like it is harmless.

How It Should Feel

Floe should not produce a theatrical security report. It should give a developer a small number of concrete findings with severity, file context, why it matters, and how to fix it.

The scanner shape is layered:

  • Pattern checks for the boring common mistakes.
  • Code-aware inspection for auth, ownership, secrets, webhooks, and payment paths.
  • LLM-assisted review when the finding needs judgment instead of a regex.
  • Re-scan support so a team can prove a fix actually moved the risk down.
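As an added illustration of the first layer only (example code, not Floe's own): three pattern-level rules run over a constructed Flask-style file, each producing a finding in the shape described above, with severity, file context, why it matters and how to fix it. The decorator names and signature markers it looks for are assumptions, and the webhook route is deliberately exempt from the auth rule so it is not flagged twice.

```python
import re
from collections import namedtuple
Finding = namedtuple("Finding", "rule severity path line why fix")
SECRET_RE = re.compile(r'(?i)\b\w*(secret|api_key|token)\w*\s*=\s*["\'][^"\']{8,}["\']')
ROUTE_RE = re.compile(r'@\w+\.route\(\s*["\']([^"\']+)["\'](.*)\)')
AUTH_MARKERS = ("login_required", "require_auth", "requires_auth")  # assumed decorator names
SIGNATURE_MARKERS = ("construct_event", "signature", "hmac")       # assumed verification hints
WRITE_METHODS = ("POST", "PUT", "PATCH", "DELETE")

def scan_file(path, source):
    # Pattern-layer checks only: each hit is one finding with severity, location, why and fix.
    lines = source.splitlines()
    findings = []
    for i, line in enumerate(lines, 1):
        if SECRET_RE.search(line):
            findings.append(Finding("hardcoded-secret", "high", path, i,
                "A credential in source is readable by anyone with repo access.",
                "Load it from the environment or a secrets manager and rotate the exposed value."))
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        url, args = m.group(1), m.group(2)
        j = i  # decorator lines between this route and its def ...
        while j < len(lines) and not lines[j].startswith("def "):
            j += 1
        decorators = "\n".join(lines[i - 1:j])
        k = j + 1  # ... then the indented function body
        while k < len(lines) and (not lines[k].strip() or lines[k][0] in " \t"):
            k += 1
        body = "\n".join(lines[j:k])
        is_webhook = "webhook" in url  # webhooks authenticate by signature, not by session
        if any(v in args for v in WRITE_METHODS) and not is_webhook \
                and not any(a in decorators for a in AUTH_MARKERS):
            findings.append(Finding("unauthenticated-write", "high", path, i,
                f"{url} changes state but nothing checks who is calling it.",
                "Add an auth decorator and verify the caller owns the record being changed."))
        if is_webhook and not any(s in body for s in SIGNATURE_MARKERS):
            findings.append(Finding("unverified-webhook", "high", path, i,
                f"{url} acts on a payload without verifying the provider's signature.",
                "Verify the signature with the provider SDK before handling the event."))
    return findings

# Constructed sample with three of the mistakes listed above (placeholder key, not a real one).
SAMPLE = '''STRIPE_SECRET = "sk_live_EXAMPLEPLACEHOLDER"
@app.route("/admin/users", methods=["POST"])
def update_user():
    db.execute("UPDATE users SET role=? WHERE id=?", (request.json["role"], request.json["id"]))
@app.route("/webhooks/stripe", methods=["POST"])
def stripe_webhook():
    handle(json.loads(request.data))
'''
```

Running `scan_file("app.py", SAMPLE)` yields three findings, one per line that matters, and a route guarded by one of the assumed auth decorators yields none.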

The pricing shape is intentionally practical: a quick scan for obvious risk, a deeper scan for teams who need confidence, and a human audit path when the stakes are high enough.

The Useful Part

The output should not be "security happened." It should be a short list of things that are actually worth fixing, with enough context that a developer can move.