thedotmack/claude-mem

Component	Sub-score	Weight	Contribution
`structure_score`	85.0	0.15	12.75
`security_score`	0.0	0.25	0.00
`testing_score`	90.0	0.20	18.00
`documentation_score`	84.7	0.15	12.71
`practices_score`	83.0	0.15	12.45
`code_quality`	52.7	0.10	5.27
Overall		1.00	61.2

critical Security checks quality Quality conf 0.80 ✓ Repobility 3 occurrences Admin endpoint without auth: POST /api/admin/restart

Express route on /admin path (/api/admin/restart) with no auth middleware.

3 files, 3 locations

plugin/scripts/server-beta-service.cjs:62

plugin/scripts/worker-service.cjs:1024

src/services/server/Server.ts:280

critical Security checks quality Quality conf 0.80 ✓ Repobility 3 occurrences Admin endpoint without auth: POST /api/admin/shutdown

Express route on /admin path (/api/admin/shutdown) with no auth middleware.

3 files, 3 locations

plugin/scripts/server-beta-service.cjs:62

plugin/scripts/worker-service.cjs:1024

src/services/server/Server.ts:294

critical Security checks security secrets conf 0.95 3 occurrences Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

Gitleaks detected a committed secret or credential pattern.

3 files, 3 locations

docker/e2e/server-beta-e2e.mjs:152

docs/public/usage/private-tags.mdx:107

plugin/scripts/server-beta-service.cjs:459

high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /v1/events/:id.

A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /v1/events/:id.

src/server/routes/v1/ServerV1Routes.ts:171

high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /v1/events/:id.

A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /v1/events/:id.

src/server/routes/v1/ServerV1PostgresRoutes.ts:317

high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /v1/events/:id/observations.

A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /v1/events/:id/observations.

src/server/routes/v1/ServerV1PostgresRoutes.ts:365

high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /v1/jobs/:id.

A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /v1/jobs/:id.

src/server/routes/v1/ServerV1PostgresRoutes.ts:579

high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /v1/memories/:id.

A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /v1/memories/:id.

src/server/routes/v1/ServerV1Routes.ts:202

high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /v1/projects/:id.

A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /v1/projects/:id.

src/server/routes/v1/ServerV1Routes.ts:105

high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /v1/projects/:projectId/jobs.

A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /v1/projects/:projectId/jobs.

src/server/routes/v1/ServerV1PostgresRoutes.ts:462

high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /v1/teams/:teamId/jobs.

A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /v1/teams/:teamId/jobs.

src/server/routes/v1/ServerV1PostgresRoutes.ts:415

high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /v1/jobs/:id/cancel.

A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /v1/jobs/:id/cancel.

src/server/routes/v1/ServerV1PostgresRoutes.ts:635

high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /v1/jobs/:id/retry.

A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /v1/jobs/:id/retry.

src/server/routes/v1/ServerV1PostgresRoutes.ts:616

low Security checks quality Quality conf 1.00 ✓ Repobility [MINED012] Curl Pipe Bash: curl ... | sh / bash — runs unverified network code.

Review and fix per the pattern semantics. See CWE-494 / A08:2021 for context.

src/npx-cli/install/error-taxonomy.ts:55

high Security checks security secrets conf 1.00 [SEC018] AI-Agent Secret Retrieval Command: A command that prints or embeds credentials was committed. AI coding agents often add these commands while trying to help with setup or deployment, but they can leak live secrets through logs, shell history, CI output, or documentation.

Remove the command, use a secret manager or CI masked secret, and rotate any credential that may have been printed.

docker/claude-mem/run.sh:20

high Security checks software dependencies conf 0.90 ✓ Repobility 4 occurrences Dockerfile FROM `node:20` not pinned by digest

`FROM node:20` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.

4 files, 4 locations

Dockerfile.test-installer:1

docker/claude-mem/Dockerfile:1

evals/swebench/Dockerfile.agent:1

openclaw/Dockerfile.e2e:1

high Security checks cicd CI/CD security conf 0.92 5 occurrences Dockerfile pipes a remote script into a shell

Piping downloaded code directly into a shell bypasses checksum verification and makes builds dependent on mutable remote content.

3 files, 5 locations

docker/claude-mem/Dockerfile:21, 27 (2 hits)

evals/swebench/Dockerfile.agent:18, 23 (2 hits)

Dockerfile.test-installer:20

CI/CD securitycontainers

high Security checks quality Quality conf 0.80 ✓ Repobility Express DELETE /api/corpus/:name has no auth

Express route DELETE /api/corpus/:name declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.

src/services/worker/http/routes/CorpusRoutes.ts:74

high Security checks quality Quality conf 0.80 ✓ Repobility Express PATCH /v1/memories/:id has no auth

Express route PATCH /v1/memories/:id declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.

src/server/routes/v1/ServerV1Routes.ts:214

high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /api/context/semantic has no auth

Express route POST /api/context/semantic declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.

src/services/worker/http/routes/SearchRoutes.ts:120

high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /api/corpus has no auth

Express route POST /api/corpus declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.

src/services/worker/http/routes/CorpusRoutes.ts:71

high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /api/corpus/:name/rebuild has no auth

Express route POST /api/corpus/:name/rebuild declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.

src/services/worker/http/routes/CorpusRoutes.ts:75

high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /api/sessions/observations has no auth

Express route POST /api/sessions/observations declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.

src/server/compat/SessionsObservationsAdapter.ts:63

high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /api/sessions/summarize has no auth

Express route POST /api/sessions/summarize declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.

src/server/compat/SessionsSummarizeAdapter.ts:49

high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /v1/context has no auth

Express route POST /v1/context declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.

src/server/routes/v1/ServerV1Routes.ts:243

high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /v1/context has no auth

Express route POST /v1/context declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.

src/server/routes/v1/ServerV1PostgresRoutes.ts:874

high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /v1/events has no auth

Express route POST /v1/events declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.

src/server/routes/v1/ServerV1Routes.ts:150

high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /v1/events has no auth

Express route POST /v1/events declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.

src/server/routes/v1/ServerV1PostgresRoutes.ts:152

high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /v1/events/batch has no auth

Express route POST /v1/events/batch declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.

src/server/routes/v1/ServerV1Routes.ts:157

high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /v1/events/batch has no auth

Express route POST /v1/events/batch declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.

src/server/routes/v1/ServerV1PostgresRoutes.ts:226

high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /v1/jobs/:id/cancel has no auth

Express route POST /v1/jobs/:id/cancel declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.

src/server/routes/v1/ServerV1PostgresRoutes.ts:635

high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /v1/jobs/:id/retry has no auth

Express route POST /v1/jobs/:id/retry declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.

src/server/routes/v1/ServerV1PostgresRoutes.ts:616

high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /v1/memories has no auth

Express route POST /v1/memories declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.

src/server/routes/v1/ServerV1Routes.ts:183

high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /v1/memories has no auth

Express route POST /v1/memories declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.

src/server/routes/v1/ServerV1PostgresRoutes.ts:802

high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /v1/projects has no auth

Express route POST /v1/projects declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.

src/server/routes/v1/ServerV1Routes.ts:95

high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /v1/search has no auth

Express route POST /v1/search declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.

src/server/routes/v1/ServerV1Routes.ts:232

high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /v1/search has no auth

Express route POST /v1/search declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.

src/server/routes/v1/ServerV1PostgresRoutes.ts:836

high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /v1/sessions/:id/end has no auth

Express route POST /v1/sessions/:id/end declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.

src/server/routes/v1/ServerV1Routes.ts:124

high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /v1/sessions/:id/end has no auth

Express route POST /v1/sessions/:id/end declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.

src/server/routes/v1/ServerV1PostgresRoutes.ts:749

high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /v1/sessions/start has no auth

Express route POST /v1/sessions/start declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.

src/server/routes/v1/ServerV1Routes.ts:117

high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /v1/sessions/start has no auth

Express route POST /v1/sessions/start declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.

src/server/routes/v1/ServerV1PostgresRoutes.ts:651

low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 21 occurrences GitHub Action is tag-pinned rather than SHA-pinned

Action `actions/checkout` pinned to mutable ref `@v4` uses a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.

7 files, 21 locations

.github/workflows/convert-feature-requests.yml:28, 89, 107 (6 hits)

.github/workflows/ci.yml:14, 15, 59, 60 (4 hits)

.github/workflows/summary.yml:17, 21 (4 hits)

.github/workflows/claude.yml:29 (2 hits)

.github/workflows/npm-publish.yml:12, 13 (2 hits)

.github/workflows/windows.yml:19, 20 (2 hits)

.github/workflows/deploy-install-scripts.yml:15

CI/CD securitySupply chainGitHub Actions

medium Security checks cicd CI/CD security conf 0.90 ✓ Repobility 8 occurrences GitHub Action is tag-pinned rather than SHA-pinned

Action `oven-sh/setup-bun` pinned to mutable ref `@v2` uses a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.

3 files, 8 locations

.github/workflows/ci.yml:21, 66 (4 hits)

.github/workflows/claude.yml:35 (2 hits)

.github/workflows/deploy-install-scripts.yml:23 (2 hits)

CI/CD securitySupply chainGitHub Actions

high System graph api Wiring conf 1.00 Dangling fetch: GET http://${getWorkerHost()}:${port}/api/health (src/services/worker-service.ts:1034)

`src/services/worker-service.ts:1034` calls `GET http://${getWorkerHost()}:${port}/api/health` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/://api/health` If this points at an external API, prefix it w…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${address.port}/api/health (tests/server/server-beta-service.test.ts:49)

`tests/server/server-beta-service.test.ts:49` calls `GET http://127.0.0.1:${address.port}/api/health` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/health` If this points at an external API…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${address.port}/v1/info (tests/server/server-beta-service.test.ts:53)

`tests/server/server-beta-service.test.ts:53` calls `GET http://127.0.0.1:${address.port}/v1/info` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://v1/info` If this points at an external API, pref…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${e}/api/readiness (plugin/scripts/worker-cli.js:12)

`plugin/scripts/worker-cli.js:12` calls `GET http://127.0.0.1:${e}/api/readiness` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/readiness` If this points at an external API, prefix it with …

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}${endpointPath} (src/services/infrastructure/HealthMonitor.ts:13)

`src/services/infrastructure/HealthMonitor.ts:13` calls `GET http://127.0.0.1:${port}${endpointPath}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://` If this points at an external API, prefi…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}${path} (tests/compat/sessions-observations-adapter.test.ts:166)

`tests/compat/sessions-observations-adapter.test.ts:166` calls `GET http://127.0.0.1:${port}${path}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://` If this points at an external API, prefix…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}${path} (tests/server/runtime/jobs-list-and-operator-routes.test.ts:153)

`tests/server/runtime/jobs-list-and-operator-routes.test.ts:153` calls `GET http://127.0.0.1:${port}${path}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://` If this points at an external API…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}${path} (tests/server/runtime/server-session-routes.test.ts:134)

`tests/server/runtime/server-session-routes.test.ts:134` calls `GET http://127.0.0.1:${port}${path}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://` If this points at an external API, prefix…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}${path} (tests/server/runtime/team-project-jobs-routes.test.ts:174)

`tests/server/runtime/team-project-jobs-routes.test.ts:174` calls `GET http://127.0.0.1:${port}${path}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://` If this points at an external API, pre…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/ (tests/server/server-runtime-smoke.test.ts:124)

`tests/server/server-runtime-smoke.test.ts:124` calls `GET http://127.0.0.1:${port}/` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/` If this points at an external API, prefix it with `https://`…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/ (tests/server/server-viewer-routes.test.ts:69)

`tests/server/server-viewer-routes.test.ts:69` calls `GET http://127.0.0.1:${port}/` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/` If this points at an external API, prefix it with `https://` …

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/api/health (src/services/infrastructure/HealthMonitor.ts:26)

`src/services/infrastructure/HealthMonitor.ts:26` calls `GET http://127.0.0.1:${port}/api/health` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/health` If this points at an external API, pr…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/api/health (tests/server/server-security-headers.test.ts:42)

`tests/server/server-security-headers.test.ts:42` calls `GET http://127.0.0.1:${port}/api/health` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/health` If this points at an external API, pr…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/api/health (tests/server/server-security-headers.test.ts:57)

`tests/server/server-security-headers.test.ts:57` calls `GET http://127.0.0.1:${port}/api/health` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/health` If this points at an external API, pr…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/api/health (tests/worker-spawn.test.ts:20)

`tests/worker-spawn.test.ts:20` calls `GET http://127.0.0.1:${port}/api/health` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/health` If this points at an external API, prefix it with `http…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/api/readiness (src/services/integrations/WindsurfHooksInstaller.ts:296)

`src/services/integrations/WindsurfHooksInstaller.ts:296` calls `GET http://127.0.0.1:${port}/api/readiness` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/readiness` If this points at an ex…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/api/stats (scripts/bug-report/collector.ts:122)

`scripts/bug-report/collector.ts:122` calls `GET http://127.0.0.1:${port}/api/stats` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/stats` If this points at an external API, prefix it with `…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/echo (tests/server/middleware/request-id.test.ts:17)

`tests/server/middleware/request-id.test.ts:17` calls `GET http://127.0.0.1:${port}/echo` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://echo` If this points at an external API, prefix it with `…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/echo (tests/server/middleware/request-id.test.ts:36)

`tests/server/middleware/request-id.test.ts:36` calls `GET http://127.0.0.1:${port}/echo` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://echo` If this points at an external API, prefix it with `…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/echo (tests/server/middleware/request-id.test.ts:55)

`tests/server/middleware/request-id.test.ts:55` calls `GET http://127.0.0.1:${port}/echo` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://echo` If this points at an external API, prefix it with `…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/health (scripts/bug-report/collector.ts:111)

`scripts/bug-report/collector.ts:111` calls `GET http://127.0.0.1:${port}/health` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://health` If this points at an external API, prefix it with `https:…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/v1/info (tests/server/server-runtime-smoke.test.ts:88)

`tests/server/server-runtime-smoke.test.ts:88` calls `GET http://127.0.0.1:${port}/v1/info` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://v1/info` If this points at an external API, prefix it w…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/v1/info (tests/server/server-viewer-routes.test.ts:61)

`tests/server/server-viewer-routes.test.ts:61` calls `GET http://127.0.0.1:${port}/v1/info` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://v1/info` If this points at an external API, prefix it w…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/v1/jobs/${encodeURIComponent(jobId!)} (tests/server/runtime/server-mcp-routes.test.ts:225)

`tests/server/runtime/server-mcp-routes.test.ts:225` calls `GET http://127.0.0.1:${port}/v1/jobs/${encodeURIComponent(jobId!)}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://v1/jobs/` If thi…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/v1/projects (tests/server/server-runtime-smoke.test.ts:115)

`tests/server/server-runtime-smoke.test.ts:115` calls `GET http://127.0.0.1:${port}/v1/projects` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://v1/projects` If this points at an external API, pr…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/v1/projects (tests/server/server-runtime-smoke.test.ts:96)

`tests/server/server-runtime-smoke.test.ts:96` calls `GET http://127.0.0.1:${port}/v1/projects` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://v1/projects` If this points at an external API, pre…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/v1/projects (tests/server/v1-routes.test.ts:216)

`tests/server/v1-routes.test.ts:216` calls `GET http://127.0.0.1:${port}/v1/projects` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://v1/projects` If this points at an external API, prefix it wit…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/v1/projects (tests/server/v1-routes.test.ts:259)

`tests/server/v1-routes.test.ts:259` calls `GET http://127.0.0.1:${port}/v1/projects` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://v1/projects` If this points at an external API, prefix it wit…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/v1/teams/${teamAId}/jobs (tests/server/runtime/team-project-jobs-routes.test.ts:243)

`tests/server/runtime/team-project-jobs-routes.test.ts:243` calls `GET http://127.0.0.1:${port}/v1/teams/${teamAId}/jobs` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://v1/teams//jobs` If thi…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${testPort}/api/health (tests/integration/hook-execution-e2e.test.ts:139)

`tests/integration/hook-execution-e2e.test.ts:139` calls `GET http://127.0.0.1:${testPort}/api/health` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/health` If this points at an external AP…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${testPort}/api/health (tests/integration/hook-execution-e2e.test.ts:170)

`tests/integration/hook-execution-e2e.test.ts:170` calls `GET http://127.0.0.1:${testPort}/api/health` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/health` If this points at an external AP…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${testPort}/api/health (tests/integration/hook-execution-e2e.test.ts:176)

`tests/integration/hook-execution-e2e.test.ts:176` calls `GET http://127.0.0.1:${testPort}/api/health` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/health` If this points at an external AP…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${testPort}/api/health (tests/integration/hook-execution-e2e.test.ts:74)

`tests/integration/hook-execution-e2e.test.ts:74` calls `GET http://127.0.0.1:${testPort}/api/health` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/health` If this points at an external API…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${testPort}/api/health (tests/integration/worker-api-endpoints.test.ts:101)

`tests/integration/worker-api-endpoints.test.ts:101` calls `GET http://127.0.0.1:${testPort}/api/health` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/health` If this points at an external …

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${testPort}/api/health (tests/integration/worker-api-endpoints.test.ts:229)

`tests/integration/worker-api-endpoints.test.ts:229` calls `GET http://127.0.0.1:${testPort}/api/health` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/health` If this points at an external …

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${testPort}/api/health (tests/integration/worker-api-endpoints.test.ts:274)

`tests/integration/worker-api-endpoints.test.ts:274` calls `GET http://127.0.0.1:${testPort}/api/health` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/health` If this points at an external …

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${testPort}/api/health (tests/integration/worker-api-endpoints.test.ts:280)

`tests/integration/worker-api-endpoints.test.ts:280` calls `GET http://127.0.0.1:${testPort}/api/health` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/health` If this points at an external …

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${testPort}/api/health (tests/integration/worker-api-endpoints.test.ts:300)

`tests/integration/worker-api-endpoints.test.ts:300` calls `GET http://127.0.0.1:${testPort}/api/health` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/health` If this points at an external …

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${testPort}/api/health (tests/integration/worker-api-endpoints.test.ts:75)

`tests/integration/worker-api-endpoints.test.ts:75` calls `GET http://127.0.0.1:${testPort}/api/health` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/health` If this points at an external A…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${testPort}/api/health (tests/server/server.test.ts:256)

`tests/server/server.test.ts:256` calls `GET http://127.0.0.1:${testPort}/api/health` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/health` If this points at an external API, prefix it with…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${testPort}/api/health (tests/server/server.test.ts:270)

`tests/server/server.test.ts:270` calls `GET http://127.0.0.1:${testPort}/api/health` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/health` If this points at an external API, prefix it with…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${testPort}/api/health (tests/server/server.test.ts:293)

`tests/server/server.test.ts:293` calls `GET http://127.0.0.1:${testPort}/api/health` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/health` If this points at an external API, prefix it with…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${testPort}/api/health (tests/server/server.test.ts:299)

`tests/server/server.test.ts:299` calls `GET http://127.0.0.1:${testPort}/api/health` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/health` If this points at an external API, prefix it with…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${testPort}/api/health (tests/server/server.test.ts:310)

`tests/server/server.test.ts:310` calls `GET http://127.0.0.1:${testPort}/api/health` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/health` If this points at an external API, prefix it with…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${testPort}/api/health (tests/server/server.test.ts:337)

`tests/server/server.test.ts:337` calls `GET http://127.0.0.1:${testPort}/api/health` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/health` If this points at an external API, prefix it with…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${testPort}/api/nonexistent (tests/integration/hook-execution-e2e.test.ts:188)

`tests/integration/hook-execution-e2e.test.ts:188` calls `GET http://127.0.0.1:${testPort}/api/nonexistent` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/nonexistent` If this points at an e…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${testPort}/api/nonexistent (tests/server/server.test.ts:411)

`tests/server/server.test.ts:411` calls `GET http://127.0.0.1:${testPort}/api/nonexistent` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/nonexistent` If this points at an external API, pref…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${testPort}/api/readiness (tests/integration/hook-execution-e2e.test.ts:109)

`tests/integration/hook-execution-e2e.test.ts:109` calls `GET http://127.0.0.1:${testPort}/api/readiness` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/readiness` If this points at an exter…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${testPort}/api/readiness (tests/integration/hook-execution-e2e.test.ts:89)

`tests/integration/hook-execution-e2e.test.ts:89` calls `GET http://127.0.0.1:${testPort}/api/readiness` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/readiness` If this points at an extern…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${testPort}/api/readiness (tests/integration/worker-api-endpoints.test.ts:115)

`tests/integration/worker-api-endpoints.test.ts:115` calls `GET http://127.0.0.1:${testPort}/api/readiness` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/readiness` If this points at an ext…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${testPort}/api/readiness (tests/integration/worker-api-endpoints.test.ts:136)

`tests/integration/worker-api-endpoints.test.ts:136` calls `GET http://127.0.0.1:${testPort}/api/readiness` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/readiness` If this points at an ext…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${testPort}/api/readiness (tests/integration/worker-api-endpoints.test.ts:251)

`tests/integration/worker-api-endpoints.test.ts:251` calls `GET http://127.0.0.1:${testPort}/api/readiness` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/readiness` If this points at an ext…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${testPort}/api/readiness (tests/integration/worker-api-endpoints.test.ts:256)

`tests/integration/worker-api-endpoints.test.ts:256` calls `GET http://127.0.0.1:${testPort}/api/readiness` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/readiness` If this points at an ext…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${testPort}/api/readiness (tests/server/server.test.ts:353)

`tests/server/server.test.ts:353` calls `GET http://127.0.0.1:${testPort}/api/readiness` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/readiness` If this points at an external API, prefix i…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${testPort}/api/readiness (tests/server/server.test.ts:376)

`tests/server/server.test.ts:376` calls `GET http://127.0.0.1:${testPort}/api/readiness` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/readiness` If this points at an external API, prefix i…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${testPort}/api/search/nonexistent/nested (tests/integration/worker-api-endpoints.test.ts:192)

`tests/integration/worker-api-endpoints.test.ts:192` calls `GET http://127.0.0.1:${testPort}/api/search/nonexistent/nested` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/search/nonexistent/…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${testPort}/api/unknown-endpoint (tests/integration/worker-api-endpoints.test.ts:167)

`tests/integration/worker-api-endpoints.test.ts:167` calls `GET http://127.0.0.1:${testPort}/api/unknown-endpoint` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/unknown-endpoint` If this po…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${testPort}/api/version (tests/integration/hook-execution-e2e.test.ts:121)

`tests/integration/hook-execution-e2e.test.ts:121` calls `GET http://127.0.0.1:${testPort}/api/version` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/version` If this points at an external …

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${testPort}/api/version (tests/integration/worker-api-endpoints.test.ts:150)

`tests/integration/worker-api-endpoints.test.ts:150` calls `GET http://127.0.0.1:${testPort}/api/version` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/version` If this points at an externa…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${testPort}/api/version (tests/server/server.test.ts:393)

`tests/server/server.test.ts:393` calls `GET http://127.0.0.1:${testPort}/api/version` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/version` If this points at an external API, prefix it wi…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${t}/api/health (plugin/scripts/worker-cli.js:5)

`plugin/scripts/worker-cli.js:5` calls `GET http://127.0.0.1:${t}/api/health` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/health` If this points at an external API, prefix it with `https:…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${workerPort}/api/health (src/npx-cli/commands/doctor.ts:87)

`src/npx-cli/commands/doctor.ts:87` calls `GET http://127.0.0.1:${workerPort}/api/health` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/health` If this points at an external API, prefix it …

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${workerPort}/api/health (src/npx-cli/commands/install.ts:1463)

`src/npx-cli/commands/install.ts:1463` calls `GET http://127.0.0.1:${workerPort}/api/health` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/health` If this points at an external API, prefix …

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${workerPort}/api/readiness (src/services/integrations/OpenCodeInstaller.ts:107)

`src/services/integrations/OpenCodeInstaller.ts:107` calls `GET http://127.0.0.1:${workerPort}/api/readiness` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/readiness` If this points at an e…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET https://api.github.com/repos/${e}/${t} (plugin/ui/viewer-bundle.js:11)

`plugin/ui/viewer-bundle.js:11` calls `GET https://api.github.com/repos/${e}/${t}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.github.com/repos//` If this points at an external API, prefix it wit…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET https://api.github.com/repos/${username}/${repo} (src/ui/viewer/hooks/useGitHubStars.ts:23)

`src/ui/viewer/hooks/useGitHubStars.ts:23` calls `GET https://api.github.com/repos/${username}/${repo}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.github.com/repos//` If this points at an extern…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: OPTIONS http://127.0.0.1:${testPort}/api/health (tests/integration/worker-api-endpoints.test.ts:202)

`tests/integration/worker-api-endpoints.test.ts:202` calls `OPTIONS http://127.0.0.1:${testPort}/api/health` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/health` If this points at an exter…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: OPTIONS http://127.0.0.1:${testPort}/api/settings (tests/worker/middleware/cors-restriction.test.ts:113)

`tests/worker/middleware/cors-restriction.test.ts:113` calls `OPTIONS http://127.0.0.1:${testPort}/api/settings` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/settings` If this points at an…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: OPTIONS http://127.0.0.1:${testPort}/api/settings (tests/worker/middleware/cors-restriction.test.ts:127)

`tests/worker/middleware/cors-restriction.test.ts:127` calls `OPTIONS http://127.0.0.1:${testPort}/api/settings` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/settings` If this points at an…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: OPTIONS http://127.0.0.1:${testPort}/api/settings (tests/worker/middleware/cors-restriction.test.ts:142)

`tests/worker/middleware/cors-restriction.test.ts:142` calls `OPTIONS http://127.0.0.1:${testPort}/api/settings` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/settings` If this points at an…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: OPTIONS http://127.0.0.1:${testPort}/api/settings (tests/worker/middleware/cors-restriction.test.ts:157)

`tests/worker/middleware/cors-restriction.test.ts:157` calls `OPTIONS http://127.0.0.1:${testPort}/api/settings` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/settings` If this points at an…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: OPTIONS http://127.0.0.1:${testPort}/api/settings (tests/worker/middleware/cors-restriction.test.ts:172)

`tests/worker/middleware/cors-restriction.test.ts:172` calls `OPTIONS http://127.0.0.1:${testPort}/api/settings` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/settings` If this points at an…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: OPTIONS http://127.0.0.1:${testPort}/api/settings (tests/worker/middleware/cors-restriction.test.ts:85)

`tests/worker/middleware/cors-restriction.test.ts:85` calls `OPTIONS http://127.0.0.1:${testPort}/api/settings` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/settings` If this points at an …

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: OPTIONS http://127.0.0.1:${testPort}/api/settings (tests/worker/middleware/cors-restriction.test.ts:99)

`tests/worker/middleware/cors-restriction.test.ts:99` calls `OPTIONS http://127.0.0.1:${testPort}/api/settings` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/settings` If this points at an …

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: PATCH http://127.0.0.1:${port}/v1/memories/${memory.id} (tests/server/v1-routes.test.ts:328)

`tests/server/v1-routes.test.ts:328` calls `PATCH http://127.0.0.1:${port}/v1/memories/${memory.id}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://v1/memories/` If this points at an external…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}${path} (tests/server/v1-routes.test.ts:346)

`tests/server/v1-routes.test.ts:346` calls `POST http://127.0.0.1:${port}${path}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://` If this points at an external API, prefix it with `https://`…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/api/sessions/observations (tests/compat/sessions-observations-adapter.test.ts:350)

`tests/compat/sessions-observations-adapter.test.ts:350` calls `POST http://127.0.0.1:${port}/api/sessions/observations` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/sessions/observations`…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/v1/events (tests/server/server-beta-service.test.ts:102)

`tests/server/server-beta-service.test.ts:102` calls `POST http://127.0.0.1:${port}/v1/events` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://v1/events` If this points at an external API, prefix…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/v1/events/batch (tests/server/server-beta-service.test.ts:227)

`tests/server/server-beta-service.test.ts:227` calls `POST http://127.0.0.1:${port}/v1/events/batch` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://v1/events/batch` If this points at an external…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/v1/events/batch (tests/server/v1-routes.test.ts:283)

`tests/server/v1-routes.test.ts:283` calls `POST http://127.0.0.1:${port}/v1/events/batch` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://v1/events/batch` If this points at an external API, pref…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/v1/events?generate=false (tests/server/server-beta-service.test.ts:164)

`tests/server/server-beta-service.test.ts:164` calls `POST http://127.0.0.1:${port}/v1/events?generate=false` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://v1/events` If this points at an exter…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/v1/projects (tests/server/server-runtime-smoke.test.ts:106)

`tests/server/server-runtime-smoke.test.ts:106` calls `POST http://127.0.0.1:${port}/v1/projects` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://v1/projects` If this points at an external API, p…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/v1/projects (tests/server/v1-routes.test.ts:188)

`tests/server/v1-routes.test.ts:188` calls `POST http://127.0.0.1:${port}/v1/projects` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://v1/projects` If this points at an external API, prefix it wi…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/v1/projects (tests/server/v1-routes.test.ts:208)

`tests/server/v1-routes.test.ts:208` calls `POST http://127.0.0.1:${port}/v1/projects` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://v1/projects` If this points at an external API, prefix it wi…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/v1/projects (tests/server/v1-routes.test.ts:232)

`tests/server/v1-routes.test.ts:232` calls `POST http://127.0.0.1:${port}/v1/projects` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://v1/projects` If this points at an external API, prefix it wi…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${testPort}/api/auth/session (tests/server/server.test.ts:83)

`tests/server/server.test.ts:83` calls `POST http://127.0.0.1:${testPort}/api/auth/session` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/auth/session` If this points at an external API, pr…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${testPort}/api/nonexistent (tests/integration/worker-api-endpoints.test.ts:216)

`tests/integration/worker-api-endpoints.test.ts:216` calls `POST http://127.0.0.1:${testPort}/api/nonexistent` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/nonexistent` If this points at a…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${testPort}/api/test-json (tests/integration/hook-execution-e2e.test.ts:200)

`tests/integration/hook-execution-e2e.test.ts:200` calls `POST http://127.0.0.1:${testPort}/api/test-json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/test-json` If this points at an exte…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${testPort}/api/unknown-endpoint (tests/integration/worker-api-endpoints.test.ts:179)

`tests/integration/worker-api-endpoints.test.ts:179` calls `POST http://127.0.0.1:${testPort}/api/unknown-endpoint` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/unknown-endpoint` If this p…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${t}/api/admin/shutdown (plugin/scripts/worker-cli.js:5)

`plugin/scripts/worker-cli.js:5` calls `POST http://127.0.0.1:${t}/api/admin/shutdown` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1://api/admin/shutdown` If this points at an external API, prefi…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: POST https://api.telegram.org/bot${botToken}/sendMessage (openclaw/src/index.ts:424)

`openclaw/src/index.ts:424` calls `POST https://api.telegram.org/bot${botToken}/sendMessage` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.telegram.org/bot//sendmessage` If this points at an external …

Dangling fetchFetch

high System graph hardware Supply chain conf 1.00 Dockerfile pipes a remote installer into a shell

Executing downloaded code during image build gives the remote endpoint build-time code execution. Prefer pinned packages or verify downloaded installers by checksum/signature.

docker/claude-mem/Dockerfile:21 containersRemote installer

medium Security checks security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.

The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.

high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /api/admin/doctor.

An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /api/admin/doctor.

src/services/server/Server.ts:308

high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /api/chroma/status.

An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /api/chroma/status.

src/services/worker/http/routes/ChromaRoutes.ts:11

high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /api/logs.

An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /api/logs.

src/services/worker/http/routes/LogsRoutes.ts:88

high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /api/search.

An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /api/search.

src/services/worker/http/routes/SearchRoutes.ts:103

high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /api/search/help.

An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /api/search/help.

src/services/worker/http/routes/SearchRoutes.ts:124

high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /api/timeline/by-query.

An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /api/timeline/by-query.

src/services/worker/http/routes/SearchRoutes.ts:123

high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /v1/jobs.

An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /v1/jobs.

src/server/routes/v1/ServerV1PostgresRoutes.ts:523

high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /api/admin/restart.

An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /api/admin/restart.

src/services/server/Server.ts:280

high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /api/admin/shutdown.

An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /api/admin/shutdown.

src/services/server/Server.ts:294

high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /api/logs/clear.

An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /api/logs/clear.

src/services/worker/http/routes/LogsRoutes.ts:89

high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /api/corpus/:name.

A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /api/corpus/:name.

src/services/worker/http/routes/CorpusRoutes.ts:74

high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /api/corpus.

A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /api/corpus.

src/services/worker/http/routes/CorpusRoutes.ts:72

high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /api/corpus/:name.

A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /api/corpus/:name.

src/services/worker/http/routes/CorpusRoutes.ts:73

high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /api/branch/switch.

A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /api/branch/switch.

src/services/worker/http/routes/SettingsRoutes.ts:44

high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /api/corpus.

A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /api/corpus.

src/services/worker/http/routes/CorpusRoutes.ts:71

high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /api/corpus/:name/prime.

A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /api/corpus/:name/prime.

src/services/worker/http/routes/CorpusRoutes.ts:76

high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /api/corpus/:name/query.

A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /api/corpus/:name/query.

src/services/worker/http/routes/CorpusRoutes.ts:77

high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /api/corpus/:name/rebuild.

A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /api/corpus/:name/rebuild.

src/services/worker/http/routes/CorpusRoutes.ts:75

high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /api/corpus/:name/reprime.

A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /api/corpus/:name/reprime.

src/services/worker/http/routes/CorpusRoutes.ts:78

low Security checks quality Quality conf 1.00 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws — wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated.

Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows.

scripts/bug-report/collector.ts:115

high Security checks quality Quality conf 0.72 Agent control bridge may listen on a network interface without visible auth

Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN.

src/services/worker/http/routes/SettingsRoutes.ts:2

low Security checks quality Error handling conf 0.55 ✓ Repobility Broad exception handler needs review

This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.

evals/swebench/run-batch.py:485 Error handlingquality

medium Security checks quality Quality conf 0.73 Codex session log reader may expose prompts or tool-call content

Codex session JSONL files can contain prompts, tool events, paths, and operational metadata, not only token counts. Token dashboards and exporters should avoid retaining or sharing raw session text.

src/services/transcripts/config.ts:10

high Security checks quality Quality conf 0.74 5 occurrences Frontend API reference is not matched by discovered backend routes

A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys.

5 files, 5 locations

openclaw/src/index.ts:717

src/cli/handlers/session-init.ts:97

src/integrations/opencode-plugin/index.ts:170

src/server/auth/auth.ts:14

src/services/worker/http/routes/SessionRoutes.ts:162

medium Security checks quality Quality conf 0.70 Public web app has no Content Security Policy

A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox.

index.html

medium Security checks quality Quality conf 0.78 Public web service has no security.txt

security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt.

.well-known/security.txt

high Security checks software dependencies conf 0.70 3 occurrences Remote install command pipes network code directly to a shell

Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified.

3 files, 3 locations

README.md:164

docs/public/architecture/worker-service.mdx:620

src/services/integrations/WindsurfHooksInstaller.ts:204

medium Security checks quality Quality conf 0.78 Suspicious implementation file appears unreferenced

A file created as a fixed/new/final/copy variant is not referenced by imports or path-like strings in the rest of the repository. This is a strong sign that an agent produced code beside the active application path.

scripts/verify-timestamp-fix.ts:1

medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — plugin/ui/viewer-bundle.js:9

Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html

Fq dangerous html

medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — src/ui/viewer/components/TerminalPreview.tsx:134

Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html

Fq dangerous html

medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — plugin/ui/viewer-bundle.js:11

Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.

runtime safetyRobustness

medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — scripts/discord-release-notify.js:84

Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.

runtime safetyRobustness

medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — scripts/import-memories.ts:39

Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.

runtime safetyRobustness

medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/servers/mcp-server.ts:511

Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.

runtime safetyRobustness

medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/services/integrations/OpenCodeInstaller.ts:107

Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.

runtime safetyRobustness

medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/services/integrations/TelegramNotifier.ts:50

Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.

runtime safetyRobustness

medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/services/integrations/WindsurfHooksInstaller.ts:296

Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.

runtime safetyRobustness

medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/services/worker/GeminiProvider.ts:43

Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.

runtime safetyRobustness

medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/services/worker/OpenRouterProvider.ts:52

Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.

runtime safetyRobustness

medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/shared/worker-utils.ts:55

Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.

runtime safetyRobustness

medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/ui/viewer/utils/api.ts:2

Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.

runtime safetyRobustness

medium System graph hardware Security conf 1.00 Dockerfile runs as root: docker/claude-mem/Dockerfile

No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.

Container

medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions

CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.

.github/workflows/claude.yml CI/CD securitySupply chainGithub actions

medium System graph security security conf 1.00 Insecure pattern 'dangerous_innerhtml' in plugin/ui/viewer-bundle.js:9

Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.

plugin/ui/viewer-bundle.js:9 Dangerous innerhtml

medium System graph security security conf 1.00 Insecure pattern 'dangerous_innerhtml' in src/ui/viewer/components/TerminalPreview.tsx:134

Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.

src/ui/viewer/components/TerminalPreview.tsx:134 Dangerous innerhtml

low Security checks cicd CI/CD security conf 0.72 .dockerignore misses sensitive defaults

.dockerignore exists but does not cover common secret or VCS patterns.

.dockerignore CI/CD securitycontainers

high Security checks cicd CI/CD security conf 0.62 2 occurrences Compose service lacks no-new-privileges hardening

no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities.

lines 90, 140

docker-compose.yml:90, 140 (2 hits)

CI/CD securitycontainers

low Security checks cicd CI/CD security conf 0.58 Database password is wired through an environment variable placeholder

Environment placeholders are not committed secrets, but database official images often support *_FILE variables so Compose secrets can provide narrower filesystem-based access.

docker-compose.yml:54 CI/CD securitycontainers

low Security checks quality Quality conf 0.60 23 occurrences Duplicated implementation block across source files

Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.

12 files, 15 locations

scripts/validate-timestamp-logic.ts:1, 4 (2 hits)

src/services/sqlite/transactions.ts:43, 80 (2 hits)

src/services/worker/OpenRouterProvider.ts:19, 20 (2 hits)

scripts/clear-pending-queue.ts:14

scripts/fix-corrupted-timestamps.ts:23

scripts/investigate-timestamps.ts:4

scripts/translate-readme/index.ts:54

src/cli/claude-md-commands.ts:19

duplicationquality

low Security checks software dependencies conf 0.90 npm package `@anthropic-ai/claude-agent-sdk` is minor version(s) behind (^0.2.138 -> 0.3.165)

`@anthropic-ai/claude-agent-sdk` is pinned/resolved at ^0.2.138 but the latest stable release on the npm registry is 0.3.165 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-up…

package.json

low Security checks software dependencies conf 0.90 npm package `@clack/prompts` is minor version(s) behind (^1.3.0 -> 1.5.1)

`@clack/prompts` is pinned/resolved at ^1.3.0 but the latest stable release on the npm registry is 1.5.1 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.

package.json

low Security checks software dependencies conf 0.90 npm package `ioredis` is minor version(s) behind (^5.10.1 -> 5.11.1)

`ioredis` is pinned/resolved at ^5.10.1 but the latest stable release on the npm registry is 5.11.1 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.

package.json

low Security checks software dependencies conf 0.90 npm package `pg` is minor version(s) behind (^8.20.0 -> 8.21.0)

`pg` is pinned/resolved at ^8.20.0 but the latest stable release on the npm registry is 8.21.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.

package.json

low Security checks software dependencies conf 0.90 npm package `tsx` is minor version(s) behind (^4.21.0 -> 4.22.4)

`tsx` is pinned/resolved at ^4.21.0 but the latest stable release on the npm registry is 4.22.4 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.

package.json

low Security checks software dependencies conf 0.90 npm package `yaml` is minor version(s) behind (^2.8.4 -> 2.9.0)

`yaml` is pinned/resolved at ^2.8.4 but the latest stable release on the npm registry is 2.9.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.

package.json

low Security checks quality Quality conf 0.64 Public docs site has no llms.txt

AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions.

llms.txt

low Security checks quality Quality conf 0.50 Public web app has no humans.txt

humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links.

humans.txt

low Security checks quality Quality conf 0.74 Public web app has no robots.txt

Public websites should publish a robots.txt file so crawlers and AI agents can discover crawl rules and sitemap locations without guessing.

robots.txt

low Security checks quality Quality conf 0.72 Public web app has no sitemap

A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. Without one, important docs and product pages are easy to miss.

sitemap.xml

high Security checks quality Quality conf 0.62 Source file name looks like an AI patch artifact

Files named as final, fixed, copy, new, or backup are often temporary patch artifacts. They may be legitimate, but they deserve review before becoming production surface area.

scripts/verify-timestamp-fix.ts:1

low System graph hardware Coverage conf 1.00 Containers defined but no K8s/orchestration manifest found

Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.

Deployment

low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: node:20

Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.

docker/claude-mem/Dockerfile:1 containersPinned dependencies

low System graph software Dead code candidate conf 1.00 File has no detected symbols: install/public/installer.js