Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
148 of your 228 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 18.72s · analysis 21.0s · 22.3 MB · GitHub API rate-limit (preflight)

bbartling/open-fdd

https://github.com/bbartling/open-fdd · scanned 2026-06-05 13:06 UTC (5 days, 7 hours ago) · 10 languages

579 raw signals (213 security + 366 graph) 61st percentile · Python · medium (20-100K LoC) System graph score 47 (higher by 24)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 5 days, 7 hours ago · v2 · 248 actionable findings from 2 signal sources. 148 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON
Combined
55.1
/100
Security checks
63
96 findings
System graph
47
88.9% cov · 152 findings
Critical
6
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 60.0 0.15 9.00
security_score 59.0 0.25 14.75
testing_score 100.0 0.20 20.00
documentation_score 84.0 0.15 12.60
practices_score 76.0 0.15 11.40
code_quality 33.2 0.10 3.32
Overall 1.00 71.1
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 6 High 73 Medium 16 Low 113 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 96 System graph 152 Crowd 0 Layer: Quality 85 Security 45 Software 53 Cicd 6 Network 5 Hardware 4 Api 50
Scan summary Quality grade B (71/100). Dimensions: security 59, maintainability 60. 213 findings (35 security). 45,420 lines analyzed.

Showing 208 of 248 actionable findings. 396 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

critical Security checks security secrets conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
workspace/api/static/app/assets/index-TRH4YIfA.js:3308
high Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences Missing import: `warnings` used but not imported
The file uses `warnings.something(...)` but never imports `warnings`. This raises NameError at runtime the first time the line executes.
3 files, 3 locations
bacnet_toolshed/discover_devices.py:113
bacnet_toolshed/discover_points.py:175
workspace/api/openfdd_bridge/zone_temp_analytics.py:314
critical Security checks software dependencies conf 0.90 ✓ Repobility Trojan Source bidi character (LRO) in source
Line 3962 contains a Unicode bidirectional override character (U+202D LRO). This is the 'Trojan Source' attack (CVE-2021-42574): the character makes the compiler / interpreter see different code than the human reviewer.
workspace/api/static/app/assets/index-TRH4YIfA.js:3962
critical System graph security Secrets conf 1.00 Possible secret in infra/ansible/edge_operational_sync.yml
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
infra/ansible/edge_operational_sync.yml:51
critical System graph security Secrets conf 1.00 Possible secret in infra/ansible/tasks/post_deploy_check.yml
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
infra/ansible/tasks/post_deploy_check.yml:274
critical System graph security Secrets conf 1.00 Possible secret in scripts/push_ahu_setpoints.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
scripts/push_ahu_setpoints.py:39
critical System graph security Secrets conf 1.00 Possible secret in workspace/api/openfdd_bridge/auth.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
workspace/api/openfdd_bridge/auth.py:76
low Security checks quality Quality conf 1.00 ✓ Repobility [MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.
Review and fix per the pattern semantics. See CWE-705 / for context.
bacnet_toolshed/smoke_whois.py:76
high Security checks security Crypto conf 1.00 [SEC113] SSH host-key verification disabled (MITM): Accepting any SSH host key on first connect lets an active MITM impersonate the server. Common in `paramiko.AutoAddPolicy()`.
Python: load `~/.ssh/known_hosts` and use `paramiko.RejectPolicy()`. Go: implement a `ssh.HostKeyCallback` that compares against a known fingerprint. Java JSch: load known_hosts via `jsch.setKnownHosts(...)`.
scripts/edge_restore_bacnet_inventory.sh:28
high Security checks quality Quality conf 1.00 ✓ Repobility 25 occurrences `self.address_string` used but never assigned in __init__
Method `log_message` of class `CommissionAgentHandler` reads `self.address_string`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
4 files, 25 locations
bacnet_toolshed/commission_agent.py:481, 486, 489, 493, 498, 500, 610, 612, +1 more (9 hits)
workspace/api/openfdd_bridge/feather_store.py:159, 192, 195, 225, 242, 274, 284, 287, +1 more (9 hits)
tests/workspace_bridge/conftest.py:55, 58, 61, 64, 67, 70 (6 hits)
workspace/api/openfdd_bridge/playground.py:86
high Security checks software dependencies conf 0.90 ✓ Repobility Binary file `workspace/data/rules_py/__pycache__/acme_zone_temp_flatline_1h.cpython-312.pyc` committed in source repo
`workspace/data/rules_py/__pycache__/acme_zone_temp_flatline_1h.cpython-312.pyc` is a .pyc binary (1,467 bytes) committed to a repo that otherwise has 341 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a bi…
workspace/data/rules_py/__pycache__/acme_zone_temp_flatline_1h.cpython-312.pyc:1
high Security checks software dependencies conf 0.90 ✓ Repobility 2 occurrences Dockerfile FROM `node:22-bookworm-slim` not pinned by digest
`FROM node:22-bookworm-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
lines 6, 13
docker/Dockerfile:6, 13 (2 hits)
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI DELETE /api/bacnet/driver/device/{device_instance} has no auth
Handler `bacnet_delete_device` is registered with router/app.delete(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
workspace/api/openfdd_bridge/routes/bacnet_routes.py:288
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI DELETE /api/bacnet/driver/point/{point_id} has no auth
Handler `bacnet_delete_point` is registered with router/app.delete(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
workspace/api/openfdd_bridge/routes/bacnet_routes.py:283
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI DELETE /api/bacnet/driver/registry has no auth
Handler `bacnet_clear_registry` is registered with router/app.delete(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
workspace/api/openfdd_bridge/routes/bacnet_routes.py:293
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI PATCH /api/bacnet/driver/device has no auth
Handler `bacnet_set_device_poll` is registered with router/app.patch(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
workspace/api/openfdd_bridge/routes/bacnet_routes.py:271
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI PATCH /api/bacnet/driver/device/remap has no auth
Handler `bacnet_remap_device` is registered with router/app.patch(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
workspace/api/openfdd_bridge/routes/bacnet_routes.py:299
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI PATCH /api/bacnet/driver/point has no auth
Handler `bacnet_set_point_poll` is registered with router/app.patch(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
workspace/api/openfdd_bridge/routes/bacnet_routes.py:259
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /api/bacnet/discover has no auth
Handler `bacnet_discover_devices` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
workspace/api/openfdd_bridge/routes/bacnet_routes.py:313
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /api/bacnet/driver/merge-rows has no auth
Handler `bacnet_merge_commission_rows` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
workspace/api/openfdd_bridge/routes/bacnet_routes.py:250
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /api/bacnet/driver/sync-discovery has no auth
Handler `bacnet_sync_discovery` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
workspace/api/openfdd_bridge/routes/bacnet_routes.py:236
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /api/bacnet/import-to-model has no auth
Handler `bacnet_import_to_model` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
workspace/api/openfdd_bridge/routes/bacnet_routes.py:216
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /api/bacnet/point-discovery has no auth
Handler `bacnet_point_discovery` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
workspace/api/openfdd_bridge/routes/bacnet_routes.py:365
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /api/bacnet/poll/once has no auth
Handler `bacnet_trigger_poll` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
workspace/api/openfdd_bridge/routes/bacnet_routes.py:444
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /api/bacnet/priority-array has no auth
Handler `bacnet_read_priority_array` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
workspace/api/openfdd_bridge/routes/bacnet_routes.py:355
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /api/bacnet/read has no auth
Handler `bacnet_read_property` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
workspace/api/openfdd_bridge/routes/bacnet_routes.py:331
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /api/bacnet/read-multiple has no auth
Handler `bacnet_read_multiple_properties` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
workspace/api/openfdd_bridge/routes/bacnet_routes.py:343
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /api/bacnet/supervisory-check has no auth
Handler `bacnet_supervisory_check` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
workspace/api/openfdd_bridge/routes/bacnet_routes.py:373
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /api/bacnet/whois has no auth
Handler `bacnet_whois` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
workspace/api/openfdd_bridge/routes/bacnet_routes.py:323
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /api/bacnet/write has no auth
Handler `bacnet_write_property` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
workspace/api/openfdd_bridge/routes/bacnet_routes.py:381
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /api/modbus/read_registers has no auth
Handler `modbus_read_registers` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
workspace/api/openfdd_bridge/routes/modbus_routes.py:77
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /drafts has no auth
Handler `save_drafts` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
workspace/api/openfdd_bridge/routes/rules_routes.py:225
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /ingest/bacnet has no auth
Handler `ingest_bacnet` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
workspace/api/openfdd_bridge/routes/bacnet_routes.py:501
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /internal/bacnet/ingest-samples has no auth
Handler `internal_ingest_poll_samples` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
workspace/api/openfdd_bridge/routes/bacnet_routes.py:491
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /login has no auth
Handler `login` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
workspace/api/openfdd_bridge/routes/auth_routes.py:20
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /tools/get_doc_section has no auth
Handler `get_doc_section` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
workspace/mcp_rag/app.py:95
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /tools/search_docs has no auth
Handler `search_docs` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
workspace/mcp_rag/app.py:88
medium Security checks cicd CI/CD security conf 0.90 ✓ Repobility 6 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `ruby/setup-ruby` pinned to mutable ref `@v1` uses a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
4 files, 6 locations
.github/workflows/docs-pdf.yml:58 (2 hits)
.github/workflows/publish-open-fdd.yml:82 (2 hits)
.github/workflows/ci.yml:140
.github/workflows/docs-pages.yml:30
CI/CD securitySupply chainGitHub Actions
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 22 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `actions/checkout` pinned to mutable ref `@v5` uses a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
4 files, 22 locations
.github/workflows/ci.yml:27, 32, 65, 68, 84, 87, 91, 113, +2 more (12 hits)
.github/workflows/docs-pages.yml:29, 43, 57 (4 hits)
.github/workflows/publish-open-fdd.yml:24, 27 (4 hits)
.github/workflows/docs-pdf.yml:30, 33 (2 hits)
CI/CD securitySupply chainGitHub Actions
high Security checks quality Quality conf 1.00 ✓ Repobility Phantom test coverage: test_rule
Test function `test_rule` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
workspace/api/openfdd_bridge/routes/playground_routes.py:116
high Security checks quality Quality conf 1.00 ✓ Repobility Phantom test coverage: test_rules_on_frame
Test function `test_rules_on_frame` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
scripts/setup_bench_afdd.py:168
high Security checks software dependencies conf 0.90 ✓ Repobility pre-commit hook `https://github.com/psf/black` pinned to mutable rev `26.1.0`
`.pre-commit-config.yaml` references `https://github.com/psf/black` at `rev: 26.1.0`. If `{rev}` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine.
.pre-commit-config.yaml:2
high Security checks security auth conf 0.83 Secret-like setting is echoed into a password input value
Settings screens sometimes render API keys, tokens, or passwords back into HTML/JSX password fields. That still exposes the secret to page source, browser extensions, screenshots, and DOM scraping.
workspace/dashboard/src/pages/LoginPage.tsx:64
high System graph security auth conf 1.00 FastAPI DELETE `bacnet_clear_registry` without auth dependency — workspace/api/openfdd_bridge/routes/bacnet_routes.py:292
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
workspace/api/openfdd_bridge/routes/bacnet_routes.py:292 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI DELETE `bacnet_delete_device` without auth dependency — workspace/api/openfdd_bridge/routes/bacnet_routes.py:287
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
workspace/api/openfdd_bridge/routes/bacnet_routes.py:287 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI DELETE `bacnet_delete_point` without auth dependency — workspace/api/openfdd_bridge/routes/bacnet_routes.py:282
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
workspace/api/openfdd_bridge/routes/bacnet_routes.py:282 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI PATCH `bacnet_remap_device` without auth dependency — workspace/api/openfdd_bridge/routes/bacnet_routes.py:298
`@router.patch` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
workspace/api/openfdd_bridge/routes/bacnet_routes.py:298 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI PATCH `bacnet_set_device_poll` without auth dependency — workspace/api/openfdd_bridge/routes/bacnet_routes.py:270
`@router.patch` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
workspace/api/openfdd_bridge/routes/bacnet_routes.py:270 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI PATCH `bacnet_set_point_poll` without auth dependency — workspace/api/openfdd_bridge/routes/bacnet_routes.py:258
`@router.patch` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
workspace/api/openfdd_bridge/routes/bacnet_routes.py:258 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `agent_chat` without auth dependency — workspace/api/openfdd_bridge/routes/agent_routes.py:136
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
workspace/api/openfdd_bridge/routes/agent_routes.py:136 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `bacnet_discover_devices` without auth dependency — workspace/api/openfdd_bridge/routes/bacnet_routes.py:312
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
workspace/api/openfdd_bridge/routes/bacnet_routes.py:312 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `bacnet_import_to_model` without auth dependency — workspace/api/openfdd_bridge/routes/bacnet_routes.py:215
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
workspace/api/openfdd_bridge/routes/bacnet_routes.py:215 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `bacnet_merge_commission_rows` without auth dependency — workspace/api/openfdd_bridge/routes/bacnet_routes.py:249
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
workspace/api/openfdd_bridge/routes/bacnet_routes.py:249 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `bacnet_point_discovery` without auth dependency — workspace/api/openfdd_bridge/routes/bacnet_routes.py:364
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
workspace/api/openfdd_bridge/routes/bacnet_routes.py:364 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `bacnet_read_multiple_properties` without auth dependency — workspace/api/openfdd_bridge/routes/bacnet_routes.py:342
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
workspace/api/openfdd_bridge/routes/bacnet_routes.py:342 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `bacnet_read_priority_array` without auth dependency — workspace/api/openfdd_bridge/routes/bacnet_routes.py:354
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
workspace/api/openfdd_bridge/routes/bacnet_routes.py:354 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `bacnet_read_property` without auth dependency — workspace/api/openfdd_bridge/routes/bacnet_routes.py:330
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
workspace/api/openfdd_bridge/routes/bacnet_routes.py:330 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `bacnet_supervisory_check` without auth dependency — workspace/api/openfdd_bridge/routes/bacnet_routes.py:372
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
workspace/api/openfdd_bridge/routes/bacnet_routes.py:372 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `bacnet_sync_discovery` without auth dependency — workspace/api/openfdd_bridge/routes/bacnet_routes.py:235
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
workspace/api/openfdd_bridge/routes/bacnet_routes.py:235 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `bacnet_trigger_poll` without auth dependency — workspace/api/openfdd_bridge/routes/bacnet_routes.py:443
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
workspace/api/openfdd_bridge/routes/bacnet_routes.py:443 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `bacnet_whois` without auth dependency — workspace/api/openfdd_bridge/routes/bacnet_routes.py:322
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
workspace/api/openfdd_bridge/routes/bacnet_routes.py:322 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `bacnet_write_property` without auth dependency — workspace/api/openfdd_bridge/routes/bacnet_routes.py:380
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
workspace/api/openfdd_bridge/routes/bacnet_routes.py:380 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `get_doc_section` without auth dependency — workspace/mcp_rag/app.py:94
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
workspace/mcp_rag/app.py:94 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `ingest_bacnet` without auth dependency — workspace/api/openfdd_bridge/routes/bacnet_routes.py:500
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
workspace/api/openfdd_bridge/routes/bacnet_routes.py:500 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `internal_ingest_poll_samples` without auth dependency — workspace/api/openfdd_bridge/routes/bacnet_routes.py:490
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
workspace/api/openfdd_bridge/routes/bacnet_routes.py:490 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `lint_code` without auth dependency — workspace/api/openfdd_bridge/routes/playground_routes.py:110
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
workspace/api/openfdd_bridge/routes/playground_routes.py:110 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `modbus_read_registers` without auth dependency — workspace/api/openfdd_bridge/routes/modbus_routes.py:76
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
workspace/api/openfdd_bridge/routes/modbus_routes.py:76 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `run_script` without auth dependency — workspace/api/openfdd_bridge/routes/playground_routes.py:221
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
workspace/api/openfdd_bridge/routes/playground_routes.py:221 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `run_tool` without auth dependency — workspace/api/openfdd_bridge/routes/agent_routes.py:63
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
workspace/api/openfdd_bridge/routes/agent_routes.py:63 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `save_drafts` without auth dependency — workspace/api/openfdd_bridge/routes/rules_routes.py:224
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
workspace/api/openfdd_bridge/routes/rules_routes.py:224 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `search_docs` without auth dependency — workspace/mcp_rag/app.py:87
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
workspace/mcp_rag/app.py:87 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `test_rule` without auth dependency — workspace/api/openfdd_bridge/routes/playground_routes.py:115
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
workspace/api/openfdd_bridge/routes/playground_routes.py:115 securityAuth fastapi unauth mutation
high System graph security security conf 1.00 Insecure pattern 'eval_used' in open_fdd/engine/checks.py:115
Found a known-risky pattern (eval_used). Review and replace if possible.
open_fdd/engine/checks.py:115 Eval used
high System graph security security conf 1.00 Insecure pattern 'exec_used' in open_fdd/playground/rule_lab.py:199
Found a known-risky pattern (exec_used). Review and replace if possible.
open_fdd/playground/rule_lab.py:199 Exec used
high System graph security security conf 1.00 Insecure pattern 'exec_used' in open_fdd/playground/sandbox.py:181
Found a known-risky pattern (exec_used). Review and replace if possible.
open_fdd/playground/sandbox.py:181 Exec used
high System graph security security conf 1.00 Insecure pattern 'exec_used' in workspace/api/openfdd_bridge/playground.py:291
Found a known-risky pattern (exec_used). Review and replace if possible.
workspace/api/openfdd_bridge/playground.py:291 Exec used
low Security checks quality Error handling conf 1.00 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.
workspace/api/openfdd_bridge/playground_exec.py:55
low Security checks quality Quality conf 1.00 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws — wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated.
Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows.
workspace/api/openfdd_bridge/brick_model_context.py:171
low Security checks quality Quality conf 1.00 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws — wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated.
Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows.
workspace/api/openfdd_bridge/auth.py:124
high Security checks quality Quality conf 0.72 Agent control bridge may listen on a network interface without visible auth
Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN.
infra/ansible/group_vars/pi_bcn.yml:63
high Security checks quality Quality conf 0.72 Agent control bridge may listen on a network interface without visible auth
Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN.
docker/bridge-entrypoint.sh:10
low Security checks quality Error handling conf 0.55 ✓ Repobility 25 occurrences Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
12 files, 22 locations
bacnet_toolshed/commission_agent.py:219, 649, 658, 667, 676, 685 (6 hits)
bacnet_toolshed/bacnet_poll_loop.py:87, 115 (2 hits)
bacnet_toolshed/discover.py:96, 103 (2 hits)
bacnet_toolshed/discover_points.py:63, 71 (2 hits)
workspace/api/openfdd_bridge/ollama_client.py:258, 342 (2 hits)
workspace/api/openfdd_bridge/playground.py:190, 315 (2 hits)
bacnet_toolshed/bacnet_ops.py:167
bacnet_toolshed/discover_lib.py:121
Error handlingquality
high Security checks security auth conf 0.82 3 occurrences Browser storage is used for session token material
localStorage and sessionStorage are readable by injected JavaScript. For sensitive sessions, this turns XSS into account compromise.
lines 55, 133, 143
workspace/dashboard/src/lib/api.ts:55, 133, 143 (3 hits)
high Security checks cicd CI/CD security conf 0.82 Docker final stage has no non-root USER
Docker images run as root unless the image or Dockerfile switches to a non-root user.
docker/Dockerfile:83 CI/CD securitycontainers
medium Security checks software dependencies conf 0.90 npm package `@vitejs/plugin-react` is 2 major version(s) behind (4.7.0 -> 6.0.2)
`@vitejs/plugin-react` is pinned/resolved at 4.7.0 but the latest stable release on the npm registry is 6.0.2 (2 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs rais…
workspace/dashboard/package.json
medium Security checks quality Quality conf 0.78 Public web service has no security.txt
security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt.
.well-known/security.txt
medium Security checks software dependencies conf 0.88 pydantic: GHSA-mr82-8j83-vxmv
Pydantic regular expression denial of service
bacnet_toolshed/requirements.txt
high Security checks software dependencies conf 0.70 Remote install command pipes network code directly to a shell
Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified.
scripts/bootstrap_ollama.sh:104
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — workspace/dashboard/src/lib/api.ts:65
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph hardware Security conf 1.00 Dockerfile runs as root: docker/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph quality Integrity conf 1.00 9 occurrences Frontend route `faults` has no Link/navigate to it — workspace/dashboard/src/App.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
9 occurrences
repo-level (9 hits)
Orphan pageWiring
medium System graph cicd CI/CD security conf 1.00 4 occurrences GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
4 files, 4 locations
.github/workflows/docker-publish.yml
.github/workflows/docs-pages.yml
.github/workflows/docs-pdf.yml
.github/workflows/publish-open-fdd.yml
CI/CD securitySupply chainGithub actions
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — packages/openfdd-agent-shell/src/openfdd_agent_shell/codex_launcher.py:48
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — packages/openfdd-agent-shell/src/openfdd_agent_shell/cron/scheduler.py:155
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph security Coverage conf 1.00 No auth library detected
The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.
auth
medium System graph network Security conf 1.00 Privileged port 1000 in use
Port 1000 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
docker/bacnet-commission-entrypoint.sh Ports
medium System graph network Security conf 1.00 Privileged port 15 in use
Port 15 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
infra/ansible/group_vars/pi_bcn.yml Ports
medium System graph network Security conf 1.00 Privileged port 18 in use
Port 18 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
docker/compose.bench.yml Ports
medium System graph network Security conf 1.00 Privileged port 24 in use
Port 24 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
docker/bacnet-poll-entrypoint.sh Ports
medium System graph network Security conf 1.00 Privileged port 64 in use
Port 64 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
infra/ansible/group_vars/pi_bcn.yml Ports
low Security checks cicd CI/CD security conf 0.72 .dockerignore misses sensitive defaults
.dockerignore exists but does not cover common secret or VCS patterns.
.dockerignore CI/CD securitycontainers
high Security checks cicd CI/CD security conf 0.72 3 occurrences Dockerfile keeps pip download cache
Pip's package cache increases image size and can preserve unnecessary artifacts.
lines 34, 40, 86
docker/Dockerfile:34, 40, 86 (3 hits)
CI/CD securitycontainers
low Security checks quality Quality conf 0.60 30 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
12 files, 19 locations
workspace/api/openfdd_bridge/runtime_metrics.py:49, 52 (2 hits)
workspace/data/rules_py/bench_oa-t_flatline_1h.py:1, 17 (2 hits)
workspace/data/rules_py/bench_oa-t_out_of_bounds.py:1, 2 (2 hits)
workspace/data/rules_py/bench_stat_zn-t_flatline_1h.py:1, 17 (2 hits)
workspace/data/rules_py/duct-t_flatline_1h.py:1, 17 (2 hits)
workspace/data/rules_py/flatline_1h.py:3, 8 (2 hits)
workspace/data/rules_py/oob_rolling.py:1, 2 (2 hits)
scripts/merge_poll_discovery_gap.py:8
duplicationquality
low Security checks software dependencies conf 0.90 npm package `@tanstack/react-query` is minor version(s) behind (5.100.14 -> 5.101.0)
`@tanstack/react-query` is pinned/resolved at 5.100.14 but the latest stable release on the npm registry is 5.101.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs …
workspace/dashboard/package.json
low Security checks software dependencies conf 0.90 npm package `plotly.js-dist-min` is minor version(s) behind (3.5.1 -> 3.6.0)
`plotly.js-dist-min` is pinned/resolved at 3.5.1 but the latest stable release on the npm registry is 3.6.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
workspace/dashboard/package.json
low System graph hardware Coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
Deployment
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: node:22-bookworm-slim
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
docker/Dockerfile:6 containersPinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: python:3.12-slim-bookworm
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
docker/Dockerfile:13 containersPinned dependencies
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/openfdd-engine/src/openfdd_engine/checks.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/openfdd-engine/src/openfdd_engine/runner.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: workspace/api/static/app/assets/index-TRH4YIfA.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: workspace/dashboard/src/lib/clipboard.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: workspace/dashboard/src/lib/displayFaults.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: workspace/dashboard/src/lib/formatDuration.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: workspace/dashboard/src/lib/hostHistory.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: workspace/dashboard/src/lib/insightTypes.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: workspace/dashboard/src/lib/llm-prompts.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: workspace/dashboard/src/lib/llmModelBundle.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: workspace/dashboard/src/lib/plot-chart.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: workspace/dashboard/src/lib/ruleBindings.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: workspace/dashboard/src/lib/ruleDisplay.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: workspace/dashboard/src/lib/ttlPopup.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: workspace/dashboard/src/main.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: workspace/dashboard/src/plotly.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: workspace/dashboard/src/vite-env.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: workspace/dashboard/vite.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph security security conf 1.00 Insecure pattern 'document_write' in workspace/dashboard/src/lib/ttlPopup.ts:25
Found a known-risky pattern (document_write). Review and replace if possible.
workspace/dashboard/src/lib/ttlPopup.ts:25 Document write
low System graph quality Integrity conf 1.00 11 occurrences Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: workspace/api/openfdd_bridge/plot_readings.py:read_plot_readings, workspace/api/openfdd_bridge/timeseries_api.py:read_plot_series This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Conso…
11 occurrences
repo-level (11 hits)
duplicatesduplication
low System graph quality Integrity conf 1.00 4 occurrences Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: workspace/api/openfdd_bridge/playground.py:sweep_rule, open_fdd/playground/sandbox.py:sweep_rule, open_fdd/playground/rule_lab.py:sweep_rule This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygi…
4 occurrences
repo-level (4 hits)
duplicatesduplication
low System graph quality Integrity conf 1.00 Near-duplicate function bodies in 4 places
Functions with the same first-5-line body hash: bacnet_toolshed/models.py:validate_object_identifier, bacnet_toolshed/models.py:validate_object_identifier, bacnet_toolshed/models.py:validate_object_identifier, bacnet_toolshed/models.py:validate_object_identifier This is *the* AI-coder failure mode…
duplicatesduplication
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `chunked_v1` in open_fdd/playground/rule_lab.py:1112
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `edge_backup` in scripts/gl36_mechanical_validate.py:10
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `edge_backup` in scripts/lib/site_pack_paths.py:13
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `edge_backup` in workspace/api/openfdd_bridge/site_pack.py:42
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `edge_site_backup` in infra/ansible/scripts/http_probes.py:437
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph software Dead code conf 1.00 Possibly dead Python function: add_direct_bounds_flags
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
examples/AHU/openfdd_notebook_helpers_v2.py:62
low System graph software Dead code conf 1.00 Possibly dead Python function: auth_enabled
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
workspace/api/openfdd_bridge/auth.py:63
low System graph software Dead code conf 1.00 Possibly dead Python function: backup_site
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
workspace/api/openfdd_bridge/site_pack.py:129
low System graph software Dead code conf 1.00 Possibly dead Python function: bacnet_priority_array
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
workspace/api/openfdd_bridge/commission_client.py:150
low System graph software Dead code conf 1.00 Possibly dead Python function: columns_for_equipment
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
workspace/api/openfdd_bridge/timeseries_api.py:50
low System graph software Dead code conf 1.00 Possibly dead Python function: commission_poll_status_quick
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
workspace/api/openfdd_bridge/commission_client.py:177
low System graph software Dead code conf 1.00 Possibly dead Python function: dataframe_from_records
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
workspace/api/openfdd_bridge/playground.py:419
low System graph software Dead code conf 1.00 Possibly dead Python function: export_json
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
workspace/api/openfdd_bridge/model_service.py:44
low System graph software Dead code conf 1.00 Possibly dead Python function: inject_rule_helpers
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
workspace/api/openfdd_bridge/fdd_row_prep.py:183
low System graph software Dead code conf 1.00 Possibly dead Python function: load_dataset
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
examples/AHU/openfdd_notebook_helpers_v2.py:17
low System graph software Dead code conf 1.00 Possibly dead Python function: load_point_map
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/gl36_mechanical_validate.py:50
low System graph software Dead code conf 1.00 Possibly dead Python function: model_ttl_path
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
workspace/api/openfdd_bridge/paths.py:52
low System graph software Dead code conf 1.00 Possibly dead Python function: plot_series_with_fault_shading
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
examples/AHU/openfdd_notebook_helpers_v2.py:101
low System graph software Dead code conf 1.00 Possibly dead Python function: point_keys_for_equipment
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
workspace/api/openfdd_bridge/timeseries_api.py:68
low System graph software Dead code conf 1.00 Possibly dead Python function: require_user
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
workspace/api/openfdd_bridge/deps.py:9
low System graph software Dead code conf 1.00 Possibly dead Python function: resolve_workdir_under_repo
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
workspace/api/openfdd_bridge/paths.py:60
low System graph software Dead code conf 1.00 Possibly dead Python function: rule_binds_target
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
workspace/api/openfdd_bridge/rule_bindings.py:95
low System graph software Dead code conf 1.00 Possibly dead Python function: rules_store_path
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
workspace/api/openfdd_bridge/rule_store.py:56
low System graph software Dead code conf 1.00 Possibly dead Python function: run_openfdd
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
examples/AHU/openfdd_notebook_helpers_v2.py:33
low System graph software Dead code conf 1.00 Possibly dead Python function: site_ref_from_env
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
workspace/api/openfdd_bridge/site_pack.py:239
low System graph software Dead code conf 1.00 Possibly dead Python function: sort_key
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/build_docs_pdf.py:176
low System graph software Dead code conf 1.00 Possibly dead Python function: summarize_bad_sensors
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
examples/AHU/openfdd_notebook_helpers_v2.py:75
low System graph software Dead code conf 1.00 Possibly dead Python function: summarize_flags
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
examples/AHU/openfdd_notebook_helpers_v2.py:52
low System graph api Wiring conf 1.00 Unused endpoint: DELETE /api/bacnet/driver/device/{device_instance}
`workspace/api/openfdd_bridge/routes/bacnet_routes.py` declares `DELETE /api/bacnet/driver/device/{device_instance}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider re…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: DELETE /api/bacnet/driver/point/{point_id}
`workspace/api/openfdd_bridge/routes/bacnet_routes.py` declares `DELETE /api/bacnet/driver/point/{point_id}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing o…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: DELETE /api/bacnet/driver/registry
`workspace/api/openfdd_bridge/routes/bacnet_routes.py` declares `DELETE /api/bacnet/driver/registry` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or docume…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: DELETE /equipment/{equipment_id}
`workspace/api/openfdd_bridge/routes/model_routes.py` declares `DELETE /equipment/{equipment_id}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenti…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: DELETE /points/{point_id}
`workspace/api/openfdd_bridge/routes/model_routes.py` declares `DELETE /points/{point_id}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who …
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /
`workspace/api/openfdd_bridge/main.py` declares `GET /` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/audit/summary
`workspace/api/openfdd_bridge/routes/health.py` declares `GET /api/audit/summary` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes …
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/bacnet/commission/status
`workspace/api/openfdd_bridge/routes/bacnet_routes.py` declares `GET /api/bacnet/commission/status` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documen…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/bacnet/driver/tree
`workspace/api/openfdd_bridge/routes/bacnet_routes.py` declares `GET /api/bacnet/driver/tree` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting w…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/bacnet/inventory
`workspace/api/openfdd_bridge/routes/bacnet_routes.py` declares `GET /api/bacnet/inventory` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/bacnet/server/points
`workspace/api/openfdd_bridge/routes/bacnet_routes.py` declares `GET /api/bacnet/server/points` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /bacnet-sync
`workspace/api/openfdd_bridge/routes/model_routes.py` declares `GET /bacnet-sync` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes …
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /building-insight
`workspace/api/openfdd_bridge/routes/agent_routes.py` declares `GET /building-insight` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who cons…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /config/bacnet
`workspace/api/openfdd_bridge/routes/bacnet_routes.py` declares `GET /config/bacnet` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consum…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /context
`workspace/api/openfdd_bridge/routes/agent_routes.py` declares `GET /context` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /device-poll-health
`workspace/api/openfdd_bridge/routes/agent_routes.py` declares `GET /device-poll-health` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who co…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /errors
`workspace/api/openfdd_bridge/routes/audit_routes.py` declares `GET /errors` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /events
`workspace/api/openfdd_bridge/routes/audit_routes.py` declares `GET /events` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /export
`workspace/api/openfdd_bridge/routes/model_routes.py` declares `GET /export` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /graph
`workspace/api/openfdd_bridge/routes/model_routes.py` declares `GET /graph` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /me
`workspace/api/openfdd_bridge/routes/auth_routes.py` declares `GET /me` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /ollama/health
`workspace/api/openfdd_bridge/routes/agent_routes.py` declares `GET /ollama/health` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consume…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /operational-brief
`workspace/api/openfdd_bridge/routes/agent_routes.py` declares `GET /operational-brief` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who con…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /plot
`workspace/api/openfdd_bridge/routes/timeseries_routes.py` declares `GET /plot` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /readings
`workspace/api/openfdd_bridge/routes/timeseries_routes.py` declares `GET /readings` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consume…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /scope
`workspace/api/openfdd_bridge/routes/model_routes.py` declares `GET /scope` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /series
`workspace/api/openfdd_bridge/routes/timeseries_routes.py` declares `GET /series` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes …
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /sites
`workspace/api/openfdd_bridge/routes/timeseries_routes.py` declares `GET /sites` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes i…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /tools
`workspace/api/openfdd_bridge/routes/agent_routes.py` declares `GET /tools` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /tree
`workspace/api/openfdd_bridge/routes/model_routes.py` declares `GET /tree` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /ttl
`workspace/api/openfdd_bridge/routes/model_routes.py` declares `GET /ttl` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /zone-temps
`workspace/api/openfdd_bridge/routes/agent_routes.py` declares `GET /zone-temps` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes i…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /{full_path:path}
`workspace/api/openfdd_bridge/main.py` declares `GET /{full_path:path}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /{site_id}/frame
`workspace/api/openfdd_bridge/routes/sites_routes.py` declares `GET /{site_id}/frame` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consu…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: PATCH /api/bacnet/driver/device
`workspace/api/openfdd_bridge/routes/bacnet_routes.py` declares `PATCH /api/bacnet/driver/device` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenti…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: PATCH /api/bacnet/driver/device/remap
`workspace/api/openfdd_bridge/routes/bacnet_routes.py` declares `PATCH /api/bacnet/driver/device/remap` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or doc…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: PATCH /api/bacnet/driver/point
`workspace/api/openfdd_bridge/routes/bacnet_routes.py` declares `PATCH /api/bacnet/driver/point` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documentin…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /api/bacnet/discover
`workspace/api/openfdd_bridge/routes/bacnet_routes.py` declares `POST /api/bacnet/discover` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /api/bacnet/driver/merge-rows
`workspace/api/openfdd_bridge/routes/bacnet_routes.py` declares `POST /api/bacnet/driver/merge-rows` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or docume…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /api/bacnet/driver/sync-discovery
`workspace/api/openfdd_bridge/routes/bacnet_routes.py` declares `POST /api/bacnet/driver/sync-discovery` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or do…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /api/bacnet/import-to-model
`workspace/api/openfdd_bridge/routes/bacnet_routes.py` declares `POST /api/bacnet/import-to-model` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or document…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /api/modbus/read_registers
`workspace/api/openfdd_bridge/routes/modbus_routes.py` declares `POST /api/modbus/read_registers` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenti…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /bacnet-sync
`workspace/api/openfdd_bridge/routes/model_routes.py` declares `POST /bacnet-sync` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /chat
`workspace/api/openfdd_bridge/routes/agent_routes.py` declares `POST /chat` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /import
`workspace/api/openfdd_bridge/routes/model_routes.py` declares `POST /import` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /login
`workspace/api/openfdd_bridge/routes/auth_routes.py` declares `POST /login` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /sites
`workspace/api/openfdd_bridge/routes/model_routes.py` declares `POST /sites` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /sync-ttl
`workspace/api/openfdd_bridge/routes/model_routes.py` declares `POST /sync-ttl` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /tool
`workspace/api/openfdd_bridge/routes/agent_routes.py` declares `POST /tool` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /ws-ticket
`workspace/api/openfdd_bridge/routes/auth_routes.py` declares `POST /ws-ticket` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/263848d0-b8f2-4c3c-acce-63b1e80054da/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/263848d0-b8f2-4c3c-acce-63b1e80054da/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.