leehockin-ai/strategy-sim-coach

Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.

Scan timing: clone 1.71s · analysis 1.11s · 1.2 MB · GitHub API rate-limit (preflight)

https://github.com/leehockin-ai/strategy-sim-coach.git · scanned 2026-05-25 16:10 UTC (1 week, 3 days ago) · 10 languages

140 findings (24 legacy + 116 scanner) 9th percentile · Typescript · small (2-20K LoC) Scanner says 66 (lower by 20)

File as issue Image v2 schema

UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 1 week, 3 days ago · v2 · 82 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

JSON

Score breakdown â 2026-05-18-v5

Component	Sub-score	Weight	Contribution
`structure_score`	100.0	0.15	15.00
`security_score`	66.7	0.25	16.68
`testing_score`	0.0	0.20	0.00
`documentation_score`	0.0	0.15	0.00
`practices_score`	42.0	0.15	6.30
`code_quality`	80.0	0.10	8.00
Overall		1.00	46.0

Severity distribution — click a segment to filter

Active filters: excluding tests × Reset all

Severity: Critical 2 High 2 Medium 13 Low 49 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Legacy 24 9-layer 58 Crowd 0 Layer: Quality 30 Security 6 Software 40 Api 1 Frontend 3 Data 1 Cicd 1

Exclude dismissed / FP Exclude test files

Scan summary Repository scanned at 66.4/100 with 77.8% coverage. It contains 297 nodes across 8 cross-layer flows, written primarily in mixed languages. Engine surfaced 58 findings — concentrated in software (39), quality (10), frontend (3). Risk profile is high: 0 critical, 1 high, 10 medium. Recommended next step: open the software layer findings first — that's where the highest-impact wins live.

Showing 66 of 82 findings. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

critical Legacy security security .env file committed to repository

Remove .env from version control: git rm --cached .env. Add '.env' to .gitignore. Rotate all exposed credentials.

.env securitylegacy

critical Legacy security credential_exposure conf 1.00 [SEC009] .env File Committed: .env file with secrets committed to repository.

Add .env to .gitignore. Rotate all exposed credentials.

.env credential_exposurelegacy

low Legacy software xss conf 1.00 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.

For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.

src/components/ui/chart.tsx:75 xsslegacy

high Legacy security auth conf 0.83 Secret-like setting is echoed into a password input value

Settings screens sometimes render API keys, tokens, or passwords back into HTML/JSX password fields. That still exposes the secret to page source, browser extensions, screenshots, and DOM scraping.

src/routes/login.tsx:118 authlegacy

high 9-layer security secrets conf 1.00 .env file present in repo: .env

A raw .env file is in the working tree. Verify it isn't committed and that secrets are in a vault.

secretsconfig

medium Legacy quality documentation No README file found

Create a README.md with: project name and description, installation instructions, usage examples, configuration options, and contribution guidelines.

documentationlegacy

medium Legacy quality quality conf 0.70 Public web app has no Content Security Policy

A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox.

index.html qualitylegacy

medium Legacy quality quality conf 0.78 Public web service has no security.txt

security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt.

.well-known/security.txt qualitylegacy

medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — src/components/ui/chart.tsx:73

Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html

frontend-qualityfq.dangerous-html

medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/lib/evaluation.functions.ts:296

Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.

integrityfragile-runtimerobustness

medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/lib/playbook.functions.ts:118

Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.

integrityfragile-runtimerobustness

medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/lib/simulator.functions.ts:57

Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.

integrityfragile-runtimerobustness

medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/lib/voice.functions.ts:17

Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.

integrityfragile-runtimerobustness

medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in src/components/ui/chart.tsx:73

Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.

src/components/ui/chart.tsx:73 owaspdangerous_innerhtml

medium 9-layer security coverage conf 1.00 No auth library detected

The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.

coverageauth

medium 9-layer cicd coverage conf 1.00 No CI/CD pipelines detected

No GitHub Actions, GitLab CI, or CircleCI configs found. Without CI you can't gate deploys on tests/lints.

coverage

medium 9-layer data coverage conf 1.00 ORM models found but no DB engine detected

The repo defines tables/models but no DB connection string was found. Likely lives in env vars or a config file the scanner didn't read.

coverage

medium 9-layer quality tests conf 1.00 Very low test-to-source ratio

0 test file(s) for 83 source file(s) (ratio 0.00). Consider adding integration or unit tests for critical paths.

testscoverage

low Legacy quality documentation No LICENSE file

Add a LICENSE file to your repository. Use choosealicense.com to pick the right license (MIT for permissive, Apache 2.0 for patent protection, GPL for copyleft).

documentationlegacy

low Legacy quality quality conf 0.50 Public web app has no humans.txt

humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links.

humans.txt qualitylegacy

low Legacy quality quality conf 0.74 Public web app has no robots.txt

Public websites should publish a robots.txt file so crawlers and AI agents can discover crawl rules and sitemap locations without guessing.

robots.txt qualitylegacy

low Legacy quality quality conf 0.72 Public web app has no sitemap

A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. Without one, important docs and product pages are easy to miss.

sitemap.xml qualitylegacy

low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: eslint.config.js