Two versions of qmax-code shipped this week. Together they change the answer to a question we kept hearing: “Does it just find the problem, or does it actually fix it?”
The answer is now: it fixes it. In your terminal. In about two minutes.
What Changed: From Reporter to Fixer
Until now, qmax-code was a very good spotter. It would crawl your app, run tests, scan for security issues, identify tech debt, and surface findings with severity and file locations. Then it stopped. What happened next was up to you.
v1.13 removes that hand-off. When the agent finds something — a failing test, a BOLA vulnerability, a high-severity tech debt pattern — it immediately proposes and applies the fix in your terminal. You see the diff, approve or reject, and move on. The whole cycle, from “this is broken” to “this is fixed and retested,” takes under two minutes.
Before v1.13:
- Agent finds security gap in auth route
- Reports file + line + severity
- You read the finding
- You open the file
- You write the fix
- You run tests again
With v1.13:
- Agent finds security gap in auth route
- Agent proposes patch inline
- You approve (<enter>)
- Agent applies fix + retests
The Full Loop with Claude Code or Codex
Here is how the combined workflow looks. You don’t need to give up your existing Claude Code (CC) or Codex subscription, because qmax-code runs alongside both:
    $ claude # or: codex
    CC> Build the new user settings page and push a PR
    CC wrote 4 files, pushed branch feature/user-settings
    CC opened PR #341
    — PR bot runs automatically on every push —
    QM PR #341 reviewed
    QM Security: 1 HIGH — missing auth check on PATCH /settings/:id
    QM Tech Debt: 2 MEDIUM — unguarded input, raw SQL string
    CC> fix the security and tech debt findings with qmax-code
    qmax> Applying fix 1/3: IDOR guard on PATCH /settings/:id
    qmax> + assert row["user_id"] == current_user.id
    approve? [Y/n] Y
    qmax> Applying fix 2/3: parameterised query
    qmax> Applying fix 3/3: input length guard
    3/3 applied — retesting…
    ✓ 14 passed 0 failed — pushing amended commit
CC writes the feature. The PR bot catches what CC missed. qmax-code fixes it on the spot. You approved one diff. Total time from “push PR” to “clean PR”: under two minutes.
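The three fixes named in that session, written out side by side as an added example (not qmax-code output and not QualityMax code). It assumes a Python handler over a hypothetical `settings` table; the function names, sample rows and `MAX_NAME_LEN` are made up for illustration. The ownership check is an explicit `if` rather than an `assert`, because Python removes `assert` statements when run with `-O`.

```python
import sqlite3

MAX_NAME_LEN = 64  # assumed limit, not a value from the page

class Forbidden(Exception):
    """Caller does not own the row; map to 403/404 in a real handler."""

def make_db():
    # Constructed sample data: two users, one settings row each.
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.execute("CREATE TABLE settings (id INTEGER PRIMARY KEY, user_id INTEGER, display_name TEXT)")
    db.executemany("INSERT INTO settings VALUES (?, ?, ?)", [(1, 100, "alice"), (2, 200, "bob")])
    return db

def patch_settings_before(db, current_user_id, settings_id, display_name):
    # Flagged shape: caller identity ignored, SQL built by string formatting, no length limit.
    db.execute(f"UPDATE settings SET display_name = '{display_name}' WHERE id = {settings_id}")

def patch_settings_after(db, current_user_id, settings_id, display_name):
    # Fix 3/3, input length guard: reject before touching the database.
    if not isinstance(display_name, str) or not 0 < len(display_name) <= MAX_NAME_LEN:
        raise ValueError("display_name length out of range")
    # Fix 2/3, parameterised query: values are bound, never spliced into SQL text.
    row = db.execute("SELECT user_id FROM settings WHERE id = ?", (settings_id,)).fetchone()
    # Fix 1/3, IDOR guard: a missing row and a foreign row fail the same way,
    # so the response does not reveal which ids exist.
    if row is None or row["user_id"] != current_user_id:
        raise Forbidden("settings row not owned by caller")
    # Scope the write by owner as well, so check and update cannot drift apart.
    cur = db.execute(
        "UPDATE settings SET display_name = ? WHERE id = ? AND user_id = ?",
        (display_name, settings_id, current_user_id),
    )
    return cur.rowcount

def name_of(db, settings_id):
    # Helper for inspecting the result.
    return db.execute("SELECT display_name FROM settings WHERE id = ?", (settings_id,)).fetchone()[0]
```

When reviewing a proposed diff like the one in the session, check that the guard survives optimised builds and that the write itself is scoped to the owner, not only the preceding read.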
The PR Bot: Cybersecurity + Tech Debt on Every Push
The bot that triggers on every PR is now checking two things in parallel:
- Cybersecurity threats — BOLA/IDOR, injection risks, broken auth, insecure defaults, secrets in diffs. The same SAST engine that we use on our own PRs.
- Tech debt — unguarded inputs, raw queries, anti-patterns, deprecated APIs, test coverage gaps introduced by the diff. Severity-tagged, file-linked, actionable.
Findings land as structured PR comments with severity, file path, and a one-line fix description. When you’re in a qmax-code session and tell it to fix the PR findings, it reads those comments and applies patches in order of severity.
Your commit history on the platform preserves everything: test runs before and after the fix, the original finding, the patch that was applied, and the retest result. You always have a complete record of what was broken, why, and what fixed it.
What gets preserved on the platform
For every project: test runs with pass/fail history, all generated test cases and automation scripts, PR review comments with security and tech debt findings, and session history showing what the agent did and when. When a test starts failing three weeks from now, you can trace exactly what changed and who (or what) changed it.
v1.12: Multi-Model Routing for Local Setups
v1.12 landed alongside 1.13 and is the version that makes local model workflows reliable. If you run Ollama on your own hardware — or on GPU nodes like we do (GCP L4 + AWS T4) — v1.12 lets you configure all your endpoints and let qmax-code route between them automatically:
    qmax> /model list
    gemma3:12b     llm.qualitymax.io   chat · agent  [healthy]
    qwen3:14b      llm.qualitymax.io   agent         [healthy]
    qwen2.5-coder  llm2.qualitymax.io  coder         [healthy]
    qmax> /auto
    # keyword routing on — coder model for edits, agent for planning
    # If all local endpoints fail → falls back to Claude Haiku, then Sonnet
The router uses keyword classification: file edit tasks go to the coder-specialist model, multi-step planning tasks go to the agent model, conversation goes to chat. If any endpoint is down, qmax-code routes around it silently. Final fallback is always Claude, so you never get a hard failure mid-session.
Works with CC and Codex. Free Tier Included.
The two things that surprised people most when we shared early access:
You don’t pay extra for the QA layer if you already have a CC or Codex subscription. qmax-code uses your own LLM API key for its local agent work. The QualityMax platform side — the PR bot, the test runs, the session history, the crawl engine — is on us at the free tier. Five projects, ten AI crawls a month, full qmax-code access, zero additional model spend beyond what you already pay Anthropic or OpenAI.
The free tier is not a trial. There is no credit card, no 14-day window, no feature flag waiting to expire. The free tier is the product. Paid plans add volume (more projects, more crawl runs, more CI execution minutes) and team features. The core loop — crawl → generate → run → fix → review — is free.
The setup is three commands
Install qmax-code: curl -sL https://qualitymax.io/static/install-qmax-code.txt | bash
Log in: qmax-code login
Start a session: qmax-code --project-id <id>
For CC/Codex integration: drop a .mcp.json in your project root with your QualityMax API token. All 50 tools become available to CC or Codex in the same session. The PR bot activates automatically when you connect a GitHub repository.
What This Looks Like in Practice
The pitch is easy to overstate, so let me be specific about what v1.13 does and doesn’t do.
It does fix well-defined, localised problems: a missing auth check, an unguarded input, a broken test selector that moved in the DOM, a deprecated API call. These are the majority of what our PR bot flags. The fix is deterministic, the retest is immediate, and the diff is small enough for a human to review in 30 seconds.
It doesn’t redesign your architecture. If the bot finds that your entire data access layer is built on raw SQL strings, qmax-code will flag it as tech debt and offer to fix the ones in the current diff — not refactor the entire codebase. That decision stays with you.
The goal was never to remove developers from the loop. It was to remove the friction between “something is wrong” and “something is fixed.” Two minutes instead of two context switches and a JIRA ticket.
Try qmax-code 1.13
Free tier. Works with your CC or Codex subscription. One command to install.
curl -sL https://qualitymax.io/static/install-qmax-code.txt | bash
