AI Vyuh Code QA
Tags: Product Philosophy · Pricing · Free Tier · Vibe Coding

The scan we refused: when your repo is too big for the free tier

V5 Code QA's free tier caps at 100K LOC. When a portfolio scan hit a repo over the limit, we refused it — and that refusal is the most honest upsell in security tooling.

AI Vyuh Engineering

A few weeks ago we ran V5 Code QA across an 11-repo portfolio. Eleven of those repos scanned. The twelfth — a 187,000-line codebase — got a polite refusal.

The refusal is the part of the product I’m proudest of.


What the refusal looks like

When V5 sees a repo larger than the free-tier ceiling (100,000 lines of code), it doesn’t:

  • Run a degraded scan and call it free
  • Trim the analysis to just the small files
  • Email you a PDF with “upgrade to Pro for full results”
  • Bury the limit behind a paywall you discover after waiting

It posts a single PR comment that says, in roughly these words:

This repository exceeds the free-tier scan ceiling (100K LOC). Free scans are intentionally capped to keep the offer real for smaller projects. If you’d like a full audit of this codebase, our Tier 2 Standard Audit covers it for $200–$500 one-off. Otherwise no action — we won’t auto-bill, we won’t drip you, and we won’t run a half-scan and pretend it was useful.

That’s the entire upsell. There is no lock screen. There is no email follow-up. The PR comment links to one page, the audit page, and that’s it.


Why we wrote it this way

Most “free tier with paid upgrade” products have an unspoken contract: the free tier is bad on purpose so the paid tier feels worth it. You’ve used these. Slow free scans. Watermarked exports. “1 of 10 results — upgrade to see the rest.” The free tier exists as a slot machine, not as a useful product.

V5’s free tier is the opposite contract: the free tier is fully functional within its scope. A 100K-LOC scan is a real scan. Same agents, same rules, same dashboard, same PR comment, same severity breakdown. The only thing it isn’t is bigger than 100K LOC.

The reason for the ceiling isn’t punitive — it’s economic. Scans cost real money to run (LLM inference + AWS Lambda + DynamoDB writes). At 100K LOC the cost is small enough that we can give it away forever and still survive. At 187K LOC the math breaks. So we say so. Out loud. In the PR comment. Before anyone has invested time in the install.

If your codebase is under 100K LOC, the free tier is the product. There is no trick.


The “(legacy)” tag and the “Pre-persistence scan” panel

There are two more places where the product chooses honesty over flattery:

Legacy aggregate counts

The dashboard’s portfolio view shows a finding count per repo. For repos scanned before we started persisting individual findings (early-deployment artefact — we shipped per-finding storage in a later release), the dashboard renders:

N findings (legacy)

…with a tooltip explaining that the count came from the scan registry, not from the per-finding store, so the dashboard’s filter and review tools won’t work on those rows. A re-scan replaces the legacy fallback with proper per-finding detail. We don’t fabricate the missing data and we don’t hide the gap.

“Pre-persistence scan” empty-state

Click into a legacy scan’s detail page and you don’t get an empty list with “0 findings.” You get a panel that says “Pre-persistence scan — full per-finding detail wasn’t captured for this run” with a link out to the original PR comment on GitHub, where the findings actually live as markdown.

Why? Because we already know what an empty list looks like in security tooling: it looks like the tool is broken. Better to tell the user the truth — “we have 250 findings here but they’re stored differently because this scan predated the schema migration, here’s where to find them” — than to render a misleading zero.


Honest pricing as product surface

A pricing page is a product feature, not a wall. The pricing page on V5 is short:

  • Free tier: 1 scan per repo per month, repos under 100K LOC. No card, no trial, no expiry.
  • Tier 2 Standard Audit: $200–$500 one-off. Written report. Repos of any size. Pay once, no subscription.
  • Team subscription ($300/mo) and Pro ($500/mo) are coming. We’re transparent about what’s still missing in those tiers (Slack/email notifications, multi-team support, issue-tracker integration). When those features ship, the price will be defensible. Until then we don’t sell them.

That last line is unusual. Most products will sell you what they’re calling “Team” today, defects and all, and hope you don’t notice. We’d rather tell you which tier is actually ready and let you decide whether the work-in-progress upper tiers fit your timeline.

If you find this annoying — “just tell me what to buy!” — fair. The annoyance is the cost of the honesty. The benefit is that what you do buy actually works the way the page says it does.


Try the free tier first

The shortest version of this post is: install the App, point it at a repo under 100K LOC, see what happens. If your codebase is bigger or you want a written audit, the Tier 2 button is right there. If neither is right for you, no harm done — you didn’t get drip-emailed for it.

The refusal is the proof. Everything else is just numbers.