Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
Upstream (GitHub) caused delay on this scan — not Repobility.
  • Clone from GitHub took 36.72s for a 46.1 MB repo slow.
  • Repobility's analysis ran in 16.99s after the clone landed.

chopratejas/headroom

https://github.com/chopratejas/headroom · scanned 2026-06-02 20:56 UTC (1 week, 3 days ago) · 10 languages

1201 raw signals (321 security + 880 graph) 11/13 scanners ran 87th percentile · Python · large (100-500K LoC) System graph score 46 (higher by 42)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 1 week, 3 days ago · v2 · 494 actionable findings from 2 signal sources. 266 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON
Combined
64.2
/100
Security checks
83
145 findings
System graph
46
100.0% cov · 349 findings
Critical
0
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 60.0 0.15 9.00
security_score 100.0 0.25 25.00
testing_score 100.0 0.20 20.00
documentation_score 100.0 0.15 15.00
practices_score 96.0 0.15 14.40
code_quality 45.0 0.10 4.50
Overall 1.00 87.9
security_score may be inflated — optional security scanners were skipped on this fast scan
Severity distribution — click a segment to filter
Active filters: severity: info × excluding tests × Reset all
Severity: Critical 0 High 124 Medium 38 Low 199 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 145 System graph 349 Crowd 0 Layer: Quality 273 Security 64 Cicd 16 Software 58 Frontend 22 Hardware 10 Api 51
Scan summary Quality grade A- (88/100). Dimensions: security 100, maintainability 60. 321 findings (66 security). 377,131 lines analyzed.

Showing 130 of 494 actionable findings. 760 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

info Security checks security secrets conf 1.00 [SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials.
Remove the embedded password, require the URL from a secret store or environment variable, and rotate the database credential.
benchmarks/dynamic_detector_benchmark.py:97
info Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
Review and fix per the pattern semantics. See CWE-755 / for context.
3 files, 3 locations
headroom/cache/registry.py:174
headroom/cli/__init__.py:30
headroom/cli/install.py:74
info Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere.
Review and fix per the pattern semantics. See CWE-755 / for context.
3 files, 3 locations
crates/headroom-core/benches/auth_mode.rs:22
crates/headroom-core/benches/ccr_store.rs:63
crates/headroom-core/src/auth_mode.rs:246
info Security checks quality Quality conf 1.00 ✓ Repobility [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context.
headroom/utils.py:38
info Security checks quality Quality conf 1.00 ✓ Repobility [MINED009] Floats For Money: Variable named price/amount/cost typed as float instead of Decimal.
Review and fix per the pattern semantics. See CWE-682 / for context.
headroom/utils.py:238
info Security checks security secrets conf 0.85 3 occurrences [SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting.
Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs.
3 files, 3 locations
examples/mcp_demo/show_before_after.py:102
examples/mcp_demo/show_compression.py:82
examples/strands_bundle_demo.py:112
info Security checks software Ssrf conf 1.00 [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches.
Validate the URL against an allowlist BEFORE fetching: ALLOWED = {'images.example.com', 'cdn.example.com'} host = urlparse(url).hostname if host not in ALLOWED: abort(400) Or use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request h…
docs/app/docs/[[...slug]]/page.tsx:22
info Security checks software Ssrf conf 1.00 [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches.
Validate the URL against an allowlist BEFORE fetching: ALLOWED = {'images.example.com', 'cdn.example.com'} host = urlparse(url).hostname if host not in ALLOWED: abort(400) Or use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request h…
crates/headroom-proxy/src/websocket.rs:99
info Security checks quality Quality conf 1.00 [SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a real AST check is preferred for accuracy.
Add `timeout=10` (or appropriate value) to every requests call.
headroom/ccr/batch_store.py:83
info Security checks security Injection conf 1.00 3 occurrences [SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.
Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders).
3 files, 3 locations
headroom/evals/memory/judge.py:220
headroom/graph/watcher.py:243
headroom/transforms/compression_summary.py:234
info Security checks quality Quality conf 1.00 3 occurrences [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes — DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production.
Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint.
3 files, 3 locations
headroom/image/tile_optimizer.py:190
headroom/install/providers.py:53
headroom/install/runtime.py:69
info Security checks software Log injection conf 1.00 3 occurrences [SEC034] Log Injection / Log Forging — unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (SIEM, splunk). Combined with template injection this can escalate to RCE (CVE-2021-44228 log4shell). CWE-117.
Strip control characters before logging: safe = user_input.replace('\n','').replace('\r','').replace('\x00','') logger.info('User action: %s', safe) Always use parameterized logging (`%s` + args), never f-strings or string concat — that's also what mitigates log4shell-style attacks. For structu…
3 files, 3 locations
headroom/evals/cost_tracker.py:87
headroom/integrations/agno/hooks.py:120
headroom/proxy/stage_timer.py:180
info Security checks quality Quality conf 0.45 3 occurrences [SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0).
This hit is in a test, sample, or example path. It is useful as polish/teaching-surface feedback, but should not dominate production risk scoring.
3 files, 3 locations
sdk/typescript/examples/basic-compress.ts:22
sdk/typescript/examples/simulation-dry-run.ts:17
sdk/typescript/examples/tool-calling-agent.ts:21
examplesquality
info Security checks quality Quality conf 1.00 [SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass.
Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files.
examples/mcp_demo/mock_mcp_servers.py:179
info Security checks quality Error handling conf 0.55 ✓ Repobility 4 occurrences Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
2 files, 4 locations
examples/strands_mcp_dispatch_test.py:73, 226, 256 (3 hits)
examples/test_intelligent_context_toin_ccr.py:330
Error handlingquality
info Security checks cicd CI/CD security conf 0.90 Dockerfile base image has no explicit tag
Pin the image to a supported version tag or digest, for example python:3.13-slim or image@sha256:...
e2e/wrap/Dockerfile:10 CI/CD securitycontainers
info Security checks cicd CI/CD security conf 0.90 Dockerfile base image has no explicit tag
Pin the image to a supported version tag or digest, for example python:3.13-slim or image@sha256:...
e2e/init/Dockerfile:7 CI/CD securitycontainers
info Security checks quality Quality conf 0.95 [COMP001] High cognitive complexity: Function `_simulate_mode` has cognitive complexity 12 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: for=2, if=5, nested_bonus=5.
Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 — yours is 12.
benchmarks/proxy_mode_benchmark.py:154
info Security checks quality Quality conf 0.95 [COMP001] High cognitive complexity: Function `print_comparison` has cognitive complexity 13 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: else=1, for=5, if=1, nested_bonus=5, ternary=1.
Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 — yours is 13.
benchmarks/dynamic_detector_benchmark.py:257
info Security checks quality Quality conf 0.95 [COMP001] High cognitive complexity: Function `print_results` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: for=1, if=1, nested_bonus=4, ternary=3.
Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 — yours is 9.
benchmarks/dynamic_detector_benchmark.py:221
info Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context.
3 files, 3 locations
headroom/graph/installer.py:72
headroom/lean_ctx/installer.py:100
headroom/providers/codex/install.py:24
info Security checks quality Quality conf 0.45 ✓ Repobility 3 occurrences [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
This hit is in a test, sample, or example path. It is useful as polish/teaching-surface feedback, but should not dominate production risk scoring.
3 files, 3 locations
sdk/typescript/examples/basic-compress.ts:51
sdk/typescript/examples/ccr-retrieve.ts:48
sdk/typescript/examples/hooks-custom-compression.ts:26
examplesquality
info Security checks quality Quality conf 1.00 ✓ Repobility [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
Review and fix per the pattern semantics. See CWE-476 / for context.
sdk/typescript/src/utils/stream.ts:11
info Security checks quality Quality conf 1.00 ✓ Repobility [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
Review and fix per the pattern semantics. See CWE-476 / for context.
sdk/typescript/src/utils/case.ts:17
info Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context.
3 files, 3 locations
benchmarks/proxy_mode_benchmark.py:246
examples/langchain_demo/mock_tools.py:235
examples/langchain_demo/show_compression.py:19
info Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
Review and fix per the pattern semantics. See CWE-1188 / for context.
3 files, 3 locations
headroom/backends/base.py:169
headroom/cache/backends/__init__.py:19
headroom/cache/backends/base.py:50
info Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
Review and fix per the pattern semantics. See CWE-704 / for context.
3 files, 3 locations
plugins/openclaw/src/engine.ts:62
plugins/openclaw/src/gateway-config.ts:68
plugins/openclaw/src/plugin/index.ts:26
info Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
Review and fix per the pattern semantics. See CWE-704 / for context.
3 files, 3 locations
plugins/openclaw/src/engine.ts:109
plugins/openclaw/src/gateway-config.ts:62
sdk/typescript/examples/ccr-retrieve.ts:44
examplesquality
info Security checks quality Quality conf 1.00 ✓ Repobility [MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci.
Review and fix per the pattern semantics. See CWE-1357 / A06:2021 for context.
headroom/tokenizers/huggingface.py:164
info Security checks quality Quality conf 1.00 ✓ Repobility [MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci.
Review and fix per the pattern semantics. See CWE-1357 / A06:2021 for context.
headroom/prediction/__init__.py:28
info Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message.
Review and fix per the pattern semantics. See CWE-755 / for context.
3 files, 3 locations
crates/headroom-core/benches/tokenizer.rs:11
crates/headroom-core/src/ccr/backends/in_memory.rs:68
crates/headroom-core/src/ccr/backends/sqlite.rs:128
info Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model.
Review and fix per the pattern semantics.
3 files, 3 locations
benchmarks/dynamic_detector_benchmark.py:20
headroom/backends/base.py:15
headroom/cache/base.py:43
info Security checks quality Quality conf 1.00 ✓ Repobility [MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services.
Review and fix per the pattern semantics.
headroom/proxy/memory_injection.py:63
info Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors.
Review and fix per the pattern semantics. See CWE-755 / for context.
3 files, 3 locations
crates/headroom-core/src/tokenizer/tiktoken_impl.rs:234
crates/headroom-core/src/transforms/pipeline/offloads/diff_offload.rs:275
crates/headroom-core/src/transforms/pipeline/offloads/log_offload.rs:280
info Security checks quality Quality conf 1.00 ✓ Repobility [MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.
Review and fix per the pattern semantics. See CWE-400 / for context.
headroom/ccr/batch_store.py:83
info Security checks quality Quality conf 1.00 ✓ Repobility [MINED073] Redos Greedy Quantifier: Pattern with nested quantifiers like (a+)+ applied to network/user data — denial of service.
Review and fix per the pattern semantics. See CWE-1333,CWE-400 / A06:2021 for context.
headroom/memory/budget.py:199
info Security checks quality Quality conf 1.00 ✓ Repobility [MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI hallucination.
Review and fix per the pattern semantics.
examples/strands_bundle_demo.py:148
info Security checks quality Quality conf 1.00 ✓ Repobility [MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI hallucination.
Review and fix per the pattern semantics.
examples/langchain_demo/mock_tools.py:67
info Security checks quality Quality conf 1.00 ✓ Repobility [MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles.
Review and fix per the pattern semantics. See CWE-772 / for context.
headroom/install/runtime.py:202
info System graph quality Integrity conf 1.00 Commented-code block (10 lines) in tests/test_release_workflows.py:44
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (10 lines) in tests/test_request_outcome.py:428
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (11 lines) in headroom/cache/compression_cache.py:86
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (11 lines) in headroom/proxy/outcome.py:53
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (11 lines) in tests/test_cli/test_mcp.py:133
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (12 lines) in headroom/transforms/compression_units.py:45
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (12 lines) in headroom/transforms/content_router.py:460
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in benchmarks/bench_transforms.py:366
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in docs/app/robots.ts:1
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in e2e/init/run.py:95
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in examples/strands_via_proxy_demo.py:68
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in headroom/backends/litellm.py:26
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in headroom/cache/base.py:102
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in headroom/ccr/mcp_server.py:788
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in headroom/ccr/response_handler.py:679
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in headroom/cli/proxy.py:233
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in headroom/cli/tools.py:59
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in headroom/learn/plugins/claude.py:337
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in headroom/memory/adapters/__init__.py:26
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in headroom/memory/adapters/hnsw.py:28
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in headroom/memory/factory.py:32
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in headroom/memory/traffic_learner.py:870
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in headroom/perf/analyzer.py:217
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in headroom/proxy/cost.py:135
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in headroom/proxy/handlers/gemini.py:223
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in headroom/proxy/handlers/streaming.py:188
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in headroom/proxy/interceptors/astgrep.py:28
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in headroom/proxy/loopback_guard.py:39
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in headroom/proxy/memory_handler.py:133
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in headroom/proxy/request_logger.py:43
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in headroom/proxy/server.py:190
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in headroom/subscription/tracker.py:77
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in headroom/telemetry/toin.py:85
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in headroom/transforms/content_detector.py:50
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in headroom/transforms/kompress_compressor.py:841
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in headroom/transforms/read_lifecycle.py:316
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in scripts/audit_wheel_glibc_symbols.py:50
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in tests/test_anthropic_pre_upstream_backpressure.py:173
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in tests/test_codex_ws_compression_scheduler.py:219
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in tests/test_compression_decision.py:147
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in tests/test_compression_policy.py:53
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in tests/test_header_isolation.py:452
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in tests/test_memory/test_traffic_learner.py:2189
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in tests/test_memory_auto_tail.py:319
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in tests/test_proxy_anthropic_cache_stability.py:764
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in tests/test_proxy_ccr.py:487
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in tests/test_transforms/test_code_compressor.py:1109
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in tests/test_transforms/test_smart_crusher_ccr_roundtrip.py:85
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (6 lines) in docs/app/layout.tsx:10
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (6 lines) in headroom/ccr/context_tracker.py:220
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (6 lines) in headroom/ccr/tool_injection.py:197
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (6 lines) in headroom/cli/wrap.py:805
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (6 lines) in headroom/compress.py:340
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (6 lines) in headroom/image/compressor.py:41
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (6 lines) in headroom/memory/storage_router.py:222
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (6 lines) in headroom/proxy/auth_mode.py:210
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (6 lines) in headroom/proxy/handlers/openai.py:255
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (6 lines) in headroom/proxy/helpers.py:214
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (6 lines) in headroom/telemetry/collector.py:747
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (6 lines) in headroom/tokenizers/base.py:140
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (6 lines) in headroom/transforms/pipeline.py:74
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (6 lines) in headroom/transforms/smart_crusher.py:61
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (6 lines) in tests/test_ccr_context_tracker.py:774
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (6 lines) in tests/test_compression_policy_toin_gate.py:281
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (6 lines) in tests/test_proxy_openai_cache_stability.py:174
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (6 lines) in tests/test_realignment_live_multi_turn.py:203
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (6 lines) in tests/test_toin_observation_only.py:237
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (6 lines) in tests/test_token_headroom_mode.py:90
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (6 lines) in tests/test_transforms_log_compressor.py:90
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (7 lines) in headroom/pricing/litellm_pricing.py:14
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (7 lines) in headroom/providers/proxy_routes.py:31
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (7 lines) in headroom/proxy/models.py:59
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (7 lines) in headroom/proxy/prometheus_metrics.py:89
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (7 lines) in headroom/subscription/models.py:433
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (7 lines) in headroom/transforms/adaptive_sizer.py:71
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (7 lines) in headroom/transforms/compression_policy.py:26
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (7 lines) in tests/e2e_real_compression.py:23
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (7 lines) in tests/parity/recorder.py:524
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (7 lines) in tests/test_proxy/test_compute_turn_id.py:160
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (7 lines) in tests/test_transforms/test_smart_crusher_bugs.py:34
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (8 lines) in headroom/integrations/strands/bundle.py:142
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (8 lines) in headroom/telemetry/models.py:399
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (8 lines) in tests/test_proxy_hooks_regression.py:40
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (9 lines) in headroom/cache/compression_store.py:239
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (9 lines) in headroom/config.py:202
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (9 lines) in headroom/integrations/mcp/server.py:250
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (9 lines) in headroom/proxy/compression_decision.py:50
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (9 lines) in headroom/proxy/handlers/anthropic.py:449
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (9 lines) in headroom/proxy/memory_decision.py:52
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph frontend Frontend quality conf 1.00 TODO/FIXME marker in shipping code — plugins/openclaw/src/engine.ts:180
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
Fq todo marker
info System graph frontend Frontend quality conf 1.00 TODO/FIXME marker in shipping code — sdk/typescript/examples/streaming-chat.ts:49
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
Fq todo marker
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/04f454c6-373b-476d-b668-bef91275fe42/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/04f454c6-373b-476d-b668-bef91275fe42/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.