tinyhumansai/openhuman

Component	Sub-score	Weight	Contribution
`structure_score`	85.0	0.15	12.75
`security_score`	100.0	0.25	25.00
`testing_score`	98.0	0.20	19.60
`documentation_score`	81.0	0.15	12.15
`practices_score`	92.0	0.15	13.80
`code_quality`	70.0	0.10	7.00
Overall		1.00	90.3

critical Legacy quality quality conf 1.00 ✓ Repobility [MINED007] Sql String Concat: cursor.execute(f"... {user_input} ...") — SQL injection.

Review and fix per the pattern semantics. See CWE-89 / A03:2021 for context.

src/openhuman/integrations/twilio.rs:198 qualitylegacy

critical Legacy quality quality conf 1.00 ✓ Repobility [MINED013] Password In Url: https://user:password@host — leaks creds via logs, referrer, error messages.

Review and fix per the pattern semantics. See CWE-200 / A07:2021 for context.

src/openhuman/wallet/rpc.rs:195 qualitylegacy

critical Legacy quality quality conf 1.00 ✓ Repobility [MINED013] Password In Url: https://user:password@host — leaks creds via logs, referrer, error messages.

Review and fix per the pattern semantics. See CWE-200 / A07:2021 for context.

src/openhuman/memory/tree/util/redact.rs:96 qualitylegacy

critical Legacy quality quality conf 1.00 ✓ Repobility [MINED013] Password In Url: https://user:password@host — leaks creds via logs, referrer, error messages.

Review and fix per the pattern semantics. See CWE-200 / A07:2021 for context.

src/openhuman/memory/tree/jobs/redact.rs:186 qualitylegacy

critical Legacy security credential_exposure conf 1.00 [SEC010] Cloud Provider Token: Cloud provider or SaaS API token found in source code.

Remove immediately and rotate the token. Use environment variables.

src/openhuman/memory/tree/jobs/redact.rs:164 credential_exposurelegacy

critical Legacy security credential_exposure conf 1.00 [SEC010] Cloud Provider Token: Cloud provider or SaaS API token found in source code.

Remove immediately and rotate the token. Use environment variables.

src/openhuman/agent_experience/types.rs:128 credential_exposurelegacy

critical Legacy security credential_exposure conf 1.00 [SEC019] Raw Authorization Token in Example: A real-looking API token appears in an Authorization-style header or service-key example. Use placeholders in docs and CI snippets; never paste live tokens into source, comments, or README files.

Replace the value with a placeholder, revoke or rotate the exposed token, and store live values only in a masked secret store.

src/openhuman/memory/tree/jobs/redact.rs:137 credential_exposurelegacy

high Legacy security auth conf 0.88 Token handoff appears to use a callback URL or fragment

Use a server-side one-time authorization code tied to a registered callback allowlist. Do not append access tokens to callback URLs or fragments.

app/src/components/oauth/OAuthProviderButton.tsx:251 authlegacy

low Legacy quality quality conf 1.00 ✓ Repobility [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).

Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context.

scripts/mock-api/socket/websocket.mjs:84 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState — React skips re-render on mutated reference.

Review and fix per the pattern semantics. See CWE-682 / for context.

app/src/store/notificationSlice.ts:80 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState — React skips re-render on mutated reference.

Review and fix per the pattern semantics. See CWE-682 / for context.

app/src/store/accountsSlice.ts:49 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. AI assistants frequently leak demo credentials.

Move the secret to an environment variable or secret manager. Rotate the exposed credential immediately — assume it is compromised.

src/openhuman/memory/tree/jobs/redact.rs:164 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. AI assistants frequently leak demo credentials.

Move the secret to an environment variable or secret manager. Rotate the exposed credential immediately — assume it is compromised.

src/openhuman/agent_experience/types.rs:128 qualitylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

Replace with: `uses: actions/cache@<40-char-sha> # v5` and let Dependabot bump it on a scheduled cadence.

.github/workflows/e2e-reusable.yml:108 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

Replace with: `uses: actions/cache@<40-char-sha> # v5` and let Dependabot bump it on a scheduled cadence.

.github/workflows/e2e-reusable.yml:99 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

Replace with: `uses: actions/cache@<40-char-sha> # v5` and let Dependabot bump it on a scheduled cadence.

.github/workflows/e2e-reusable.yml:79 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

Replace with: `uses: actions/cache@<40-char-sha> # v5` and let Dependabot bump it on a scheduled cadence.

.github/workflows/typecheck.yml:26 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

Replace with: `uses: actions/cache@<40-char-sha> # v5` and let Dependabot bump it on a scheduled cadence.

.github/workflows/coverage.yml:123 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

Replace with: `uses: actions/cache@<40-char-sha> # v5` and let Dependabot bump it on a scheduled cadence.

.github/workflows/coverage.yml:33 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

Replace with: `uses: actions/checkout@<40-char-sha> # v5` and let Dependabot bump it on a scheduled cadence.

.github/workflows/e2e-reusable.yml:72 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

Replace with: `uses: actions/checkout@<40-char-sha> # v5` and let Dependabot bump it on a scheduled cadence.

.github/workflows/typecheck.yml:53 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

Replace with: `uses: actions/checkout@<40-char-sha> # v5` and let Dependabot bump it on a scheduled cadence.

.github/workflows/typecheck.yml:22 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

Replace with: `uses: actions/checkout@<40-char-sha> # v5` and let Dependabot bump it on a scheduled cadence.

.github/workflows/coverage.yml:148 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

Replace with: `uses: actions/checkout@<40-char-sha> # v5` and let Dependabot bump it on a scheduled cadence.

.github/workflows/coverage.yml:110 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

Replace with: `uses: actions/checkout@<40-char-sha> # v5` and let Dependabot bump it on a scheduled cadence.

.github/workflows/coverage.yml:79 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

Replace with: `uses: actions/checkout@<40-char-sha> # v5` and let Dependabot bump it on a scheduled cadence.

.github/workflows/coverage.yml:29 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/download-artifact` pinned to mutable ref `@v5`: `uses: actions/download-artifact@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

Replace with: `uses: actions/download-artifact@<40-char-sha> # v5` and let Dependabot bump it on a scheduled cadence.

.github/workflows/coverage.yml:161 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/github-script` pinned to mutable ref `@v8`: `uses: actions/github-script@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

Replace with: `uses: actions/github-script@<40-char-sha> # v8` and let Dependabot bump it on a scheduled cadence.

.github/workflows/contributor-rewards.yml:33 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

Replace with: `uses: actions/setup-python@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.

.github/workflows/coverage.yml:155 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v5`: `uses: actions/upload-artifact@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

Replace with: `uses: actions/upload-artifact@<40-char-sha> # v5` and let Dependabot bump it on a scheduled cadence.

.github/workflows/e2e-reusable.yml:165 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v5`: `uses: actions/upload-artifact@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

Replace with: `uses: actions/upload-artifact@<40-char-sha> # v5` and let Dependabot bump it on a scheduled cadence.

.github/workflows/coverage.yml:191 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v5`: `uses: actions/upload-artifact@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

Replace with: `uses: actions/upload-artifact@<40-char-sha> # v5` and let Dependabot bump it on a scheduled cadence.

.github/workflows/coverage.yml:134 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v5`: `uses: actions/upload-artifact@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

Replace with: `uses: actions/upload-artifact@<40-char-sha> # v5` and let Dependabot bump it on a scheduled cadence.

.github/workflows/coverage.yml:94 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v5`: `uses: actions/upload-artifact@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

Replace with: `uses: actions/upload-artifact@<40-char-sha> # v5` and let Dependabot bump it on a scheduled cadence.

.github/workflows/coverage.yml:56 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `Swatinem/rust-cache` pinned to mutable ref `@v2`: `uses: Swatinem/rust-cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

Replace with: `uses: Swatinem/rust-cache@<40-char-sha> # v2` and let Dependabot bump it on a scheduled cadence.

.github/workflows/e2e-reusable.yml:87 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `Swatinem/rust-cache` pinned to mutable ref `@v2`: `uses: Swatinem/rust-cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

Replace with: `uses: Swatinem/rust-cache@<40-char-sha> # v2` and let Dependabot bump it on a scheduled cadence.

.github/workflows/typecheck.yml:57 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `Swatinem/rust-cache` pinned to mutable ref `@v2`: `uses: Swatinem/rust-cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

Replace with: `uses: Swatinem/rust-cache@<40-char-sha> # v2` and let Dependabot bump it on a scheduled cadence.

.github/workflows/coverage.yml:115 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `Swatinem/rust-cache` pinned to mutable ref `@v2`: `uses: Swatinem/rust-cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

Replace with: `uses: Swatinem/rust-cache@<40-char-sha> # v2` and let Dependabot bump it on a scheduled cadence.

.github/workflows/coverage.yml:84 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `debian:bookworm-slim` not pinned by digest: `FROM debian:bookworm-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.

Replace with: `FROM debian:bookworm-slim@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).

Dockerfile:65 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `rust:1.93-bookworm` not pinned by digest: `FROM rust:1.93-bookworm` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.

Replace with: `FROM rust:1.93-bookworm@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).

Dockerfile:12 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `ubuntu:22.04` not pinned by digest: `FROM ubuntu:22.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.

Replace with: `FROM ubuntu:22.04@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).

.github/Dockerfile:1 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `ubuntu:22.04` not pinned by digest: `FROM ubuntu:22.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.

Replace with: `FROM ubuntu:22.04@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).

e2e/Dockerfile:14 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `ghcr.io/tinyhumansai/openhuman_ci:latest` unpinned: `container/services image: ghcr.io/tinyhumansai/openhuman_ci:latest` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.

Replace with `ghcr.io/tinyhumansai/openhuman_ci:latest@sha256:<digest>`. Re-pin via Dependabot Docker scope.

.github/workflows/e2e-reusable.yml:195 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `ghcr.io/tinyhumansai/openhuman_ci:latest` unpinned: `container/services image: ghcr.io/tinyhumansai/openhuman_ci:latest` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.

Replace with `ghcr.io/tinyhumansai/openhuman_ci:latest@sha256:<digest>`. Re-pin via Dependabot Docker scope.

.github/workflows/e2e-reusable.yml:68 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` unpinned: `container/services image: ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.

Replace with `ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0@sha256:<digest>`. Re-pin via Dependabot Docker scope.

.github/workflows/build.yml:21 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` unpinned: `container/services image: ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.

Replace with `ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0@sha256:<digest>`. Re-pin via Dependabot Docker scope.

.github/workflows/pr-quality.yml:36 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` unpinned: `container/services image: ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.

Replace with `ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0@sha256:<digest>`. Re-pin via Dependabot Docker scope.

.github/workflows/pr-quality.yml:20 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` unpinned: `container/services image: ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.

Replace with `ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0@sha256:<digest>`. Re-pin via Dependabot Docker scope.

.github/workflows/weekly-code-review.yml:30 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` unpinned: `container/services image: ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.

Replace with `ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0@sha256:<digest>`. Re-pin via Dependabot Docker scope.

.github/workflows/typecheck.yml:50 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` unpinned: `container/services image: ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.

Replace with `ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0@sha256:<digest>`. Re-pin via Dependabot Docker scope.

.github/workflows/typecheck.yml:19 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` unpinned: `container/services image: ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.

Replace with `ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0@sha256:<digest>`. Re-pin via Dependabot Docker scope.

.github/workflows/coverage.yml:105 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` unpinned: `container/services image: ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.

Replace with `ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0@sha256:<digest>`. Re-pin via Dependabot Docker scope.

.github/workflows/coverage.yml:72 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` unpinned: `container/services image: ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.

Replace with `ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0@sha256:<digest>`. Re-pin via Dependabot Docker scope.

.github/workflows/coverage.yml:26 dependencylegacy

high Legacy security credential_exposure conf 1.00 [SEC018] AI-Agent Secret Retrieval Command: A command that prints or embeds credentials was committed. AI coding agents often add these commands while trying to help with setup or deployment, but they can leak live secrets through logs, shell history, CI output, or documentation.

Remove the command, use a secret manager or CI masked secret, and rotate any credential that may have been printed.

scripts/act-staging.sh:127 credential_exposurelegacy

high Legacy security credential_exposure conf 1.00 [SEC018] AI-Agent Secret Retrieval Command: A command that prints or embeds credentials was committed. AI coding agents often add these commands while trying to help with setup or deployment, but they can leak live secrets through logs, shell history, CI output, or documentation.

Remove the command, use a secret manager or CI masked secret, and rotate any credential that may have been printed.

scripts/act-build-desktop.sh:72 credential_exposurelegacy

low Legacy software xss conf 1.00 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.

For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.

scripts/mock-api/routes/llm/dynamic.mjs:123 xsslegacy

low Legacy software xss conf 1.00 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.

For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.

scripts/act-staging.sh:61 xsslegacy

low Legacy quality quality conf 1.00 [SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).

Use a literal RegExp or whitelist-validate user input before constructing patterns.

scripts/mock-api/server.mjs:128 qualitylegacy

low Legacy quality quality conf 1.00 [SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).

Use a literal RegExp or whitelist-validate user input before constructing patterns.

scripts/cancel-stale-pr-ci.mjs:106 qualitylegacy

low Legacy quality quality conf 1.00 [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).

Use execFile / spawn with separate args array; never pass shell strings.

scripts/agent-batch/lib.mjs:116 qualitylegacy

low Legacy quality quality conf 1.00 [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).

Use execFile / spawn with separate args array; never pass shell strings.

app/src/pages/conversations/utils/workerThreadRef.ts:34 qualitylegacy

low Legacy quality quality conf 1.00 [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).

Use execFile / spawn with separate args array; never pass shell strings.

app/src/pages/conversations/utils/format.ts:111 qualitylegacy

high Legacy security injection conf 1.00 [SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.

Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders).

scripts/build-apt-repo.sh:35 injectionlegacy

high Legacy cicd docker conf 0.95 Docker final stage runs as root

Create an application user after package installation and switch to it with USER appuser or USER 10001.

Dockerfile:108 dockerlegacy

high Legacy cicd docker conf 0.92 Dockerfile pipes a remote script into a shell

Download the artifact, verify its checksum or signature, pin the version, and then execute it.

e2e/Dockerfile:35 dockerlegacy

high Legacy cicd docker conf 0.92 Dockerfile pipes a remote script into a shell

Download the artifact, verify its checksum or signature, pin the version, and then execute it.

e2e/Dockerfile:30 dockerlegacy

high Legacy cicd docker conf 0.92 Dockerfile pipes a remote script into a shell

Download the artifact, verify its checksum or signature, pin the version, and then execute it.

.github/Dockerfile:52 dockerlegacy

high Legacy cicd docker conf 0.92 Dockerfile pipes a remote script into a shell

Download the artifact, verify its checksum or signature, pin the version, and then execute it.

.github/Dockerfile:46 dockerlegacy

high Legacy security auth conf 0.83 Secret-like setting is echoed into a password input value

Never prefill secret fields with stored values. Show a masked status such as configured/not configured, require explicit rotation to replace the value, and return the raw key only once at creation time.

app/src/components/settings/panels/ComposioPanel.tsx:295 authlegacy

high Legacy security auth conf 0.83 Secret-like setting is echoed into a password input value

Never prefill secret fields with stored values. Show a masked status such as configured/not configured, require explicit rotation to replace the value, and return the raw key only once at creation time.

app/src/components/settings/panels/AIPanel.tsx:2741 authlegacy

high 9-layer hardware supply-chain conf 1.00 Dockerfile pipes a remote installer into a shell

Executing downloaded code during image build gives the remote endpoint build-time code execution. Prefer pinned packages or verify downloaded installers by checksum/signature.

.github/Dockerfile:46 supply-chaindockerremote-installer

high 9-layer hardware supply-chain conf 1.00 Dockerfile pipes a remote installer into a shell

Executing downloaded code during image build gives the remote endpoint build-time code execution. Prefer pinned packages or verify downloaded installers by checksum/signature.

.github/Dockerfile:52 supply-chaindockerremote-installer

high 9-layer hardware supply-chain conf 1.00 Dockerfile pipes a remote installer into a shell

Executing downloaded code during image build gives the remote endpoint build-time code execution. Prefer pinned packages or verify downloaded installers by checksum/signature.

e2e/Dockerfile:35 supply-chaindockerremote-installer

medium Legacy security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.

Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them.

authlegacy

high Legacy security auth conf 0.74 [AUC002] Low visible authorization coverage in route inventory: Only 22.2% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.

Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes.

authlegacy

high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /.

Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.

src/openhuman/mcp_server/http.rs:449 authlegacy

high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /.

Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.

src/openhuman/mcp_server/http.rs:351 authlegacy

high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /.

Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.

src/openhuman/mcp_server/http.rs:73 authlegacy

medium Legacy quality error_handling conf 1.00 [ERR002] Empty Catch Block: Empty catch blocks hide errors.

Log the error or rethrow it. Use console.error() at minimum.

app/src-tauri/src/meet_audio/captions_bridge.js:158 error_handlinglegacy

medium Legacy quality error_handling conf 1.00 [ERR002] Empty Catch Block: Empty catch blocks hide errors.

Log the error or rethrow it. Use console.error() at minimum.

app/src-tauri/src/meet_audio/audio_bridge.js:209 error_handlinglegacy

medium Legacy quality error_handling conf 1.00 [ERR002] Empty Catch Block: Empty catch blocks hide errors.

Log the error or rethrow it. Use console.error() at minimum.

app/src-tauri/src/meet_video/camera_bridge.js:138 error_handlinglegacy

medium Legacy security injection conf 0.50 [SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.

Use subprocess with shell=False and a list of args. Never eval user input.

app/src/pages/conversations/utils/workerThreadRef.ts:34 injectionlegacy

low Legacy security security conf 1.00 [SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility.

Add rel="noopener noreferrer" to every <a target="_blank">: <a href="..." target="_blank" rel="noopener noreferrer">link</a> For dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden — costs nothing.

app/src/utils/openUrl.ts:70 securitylegacy

medium Legacy quality quality conf 1.00 [SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0).

Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser).

app/src/utils/deviceFingerprint.ts:13 qualitylegacy

medium Legacy quality quality conf 1.00 [SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass.

Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files.

src/openhuman/tools/impl/network/mcp.rs:300 qualitylegacy

medium Legacy quality quality conf 1.00 [SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass.

Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files.

src/openhuman/redirect_links/store.rs:301 qualitylegacy

high Legacy security auth conf 0.82 Browser storage is used for session token material

Prefer httpOnly, Secure, SameSite cookies or short-lived in-memory tokens. Avoid persistent browser storage for access, refresh, ID, or partner session tokens.

app/src/utils/configPersistence.ts:256 authlegacy

high Legacy security auth conf 0.82 Browser storage is used for session token material

Prefer httpOnly, Secure, SameSite cookies or short-lived in-memory tokens. Avoid persistent browser storage for access, refresh, ID, or partner session tokens.

app/src/utils/configPersistence.ts:239 authlegacy

high Legacy security auth conf 0.82 Browser storage is used for session token material

Prefer httpOnly, Secure, SameSite cookies or short-lived in-memory tokens. Avoid persistent browser storage for access, refresh, ID, or partner session tokens.

app/src/store/coreModeSlice.ts:67 authlegacy

high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER

Add a non-root USER in the final runtime stage after files and permissions are prepared.

e2e/Dockerfile:14 dockerlegacy

high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER

Add a non-root USER in the final runtime stage after files and permissions are prepared.

.github/Dockerfile:1 dockerlegacy

high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes

Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore.

app/src/utils/tauriCommands/localAi.ts:199 qualitylegacy

high Legacy quality quality conf 0.80 localStorage write failures are swallowed silently

Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. Log non-quota failures for diagnostics.

app/src/pages/onboarding/components/BetaBanner.tsx:22 qualitylegacy

high Legacy quality quality conf 0.80 localStorage write failures are swallowed silently

Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. Log non-quota failures for diagnostics.

app/src/overlay/OverlayApp.tsx:486 qualitylegacy

high Legacy quality quality conf 0.80 localStorage write failures are swallowed silently

Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. Log non-quota failures for diagnostics.

app/src/components/settings/panels/AgentChatPanel.tsx:48 qualitylegacy

medium Legacy quality quality conf 0.68 Ollama audio payload path may mislead users about direct model audio

Gate direct audio sending on a verified runtime capability check. Until supported, show a one-time notice that voice is transcribed in the browser and only text is sent to the model.

app/src/pages/Conversations.tsx:664 qualitylegacy

high Legacy quality quality conf 0.82 Parallel implementation file sits beside a canonical file

Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point.

src/openhuman/memory/tree/canonicalize/email_clean.rs:1 qualitylegacy

high Legacy quality quality conf 0.82 Parallel implementation file sits beside a canonical file

Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point.

remotion/src/Mascot/mascot-yellow-wave-alt.tsx:1 qualitylegacy

high Legacy software dependency conf 0.70 Remote install command pipes network code directly to a shell

Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.

README.zh-CN.md:54 dependencylegacy

high Legacy software dependency conf 0.70 Remote install command pipes network code directly to a shell

Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.

README.ko.md:56 dependencylegacy

high Legacy software dependency conf 0.70 Remote install command pipes network code directly to a shell

Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.

README.ja-JP.md:55 dependencylegacy

high Legacy software dependency conf 0.70 Remote install command pipes network code directly to a shell

Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.

README.de.md:55 dependencylegacy

medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — app/src/components/notifications/NotificationBody.tsx:20

Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html

frontend-qualityfq.dangerous-html

medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — app/src/features/human/Mascot/backend/BackendMascot.tsx:4

Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html

frontend-qualityfq.dangerous-html

medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/src/pages/onboarding/steps/ContextGatheringStep.tsx:34

Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.

integrityfragile-runtimerobustness

medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/src/services/coreRpcClient.ts:424

Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.

integrityfragile-runtimerobustness

medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/src/test/mockApiCore.headersRedaction.test.ts:10

Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.

integrityfragile-runtimerobustness

medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/src/test/mockApiCore.portSelection.test.ts:53

Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.

integrityfragile-runtimerobustness

medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/src/utils/config.ts:41

Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.

integrityfragile-runtimerobustness

medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/test/e2e/helpers/core-rpc-node.ts:70

Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.

integrityfragile-runtimerobustness

medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/test/e2e/mock-server.ts:33

Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.

integrityfragile-runtimerobustness

medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/test/e2e/specs/rewards-progression-persistence.spec.ts:66

Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.

integrityfragile-runtimerobustness

medium 9-layer hardware security conf 1.00 Dockerfile runs as root: .github/Dockerfile

No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.

securitycontainer

medium 9-layer hardware security conf 1.00 Dockerfile runs as root: Dockerfile

No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.

securitycontainer

medium 9-layer hardware security conf 1.00 Dockerfile runs as root: e2e/Dockerfile

No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.

securitycontainer

medium 9-layer quality integrity conf 1.00 Frontend route `/channels` has no Link/navigate to it — app/src/AppRoutes.tsx

The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.

integrityorphan-pagewiring

medium 9-layer quality integrity conf 1.00 Frontend route `/custom` has no Link/navigate to it — app/src/components/__tests__/ProtectedRoute.test.tsx

The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.

integrityorphan-pagewiring

medium 9-layer quality integrity conf 1.00 Frontend route `/dashboard` has no Link/navigate to it — app/src/components/__tests__/PublicRoute.test.tsx

The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.

integrityorphan-pagewiring

medium 9-layer quality integrity conf 1.00 Frontend route `/login` has no Link/navigate to it — app/src/components/__tests__/ProtectedRoute.test.tsx

The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.

integrityorphan-pagewiring

medium 9-layer quality integrity conf 1.00 Frontend route `/onboarding/*` has no Link/navigate to it — app/src/AppRoutes.tsx

The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.

integrityorphan-pagewiring

medium 9-layer quality integrity conf 1.00 Frontend route `/settings/*` has no Link/navigate to it — app/src/AppRoutesIOS.tsx

The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.

integrityorphan-pagewiring

medium 9-layer quality integrity conf 1.00 Frontend route `/settings/team/invites` has no Link/navigate to it — app/src/components/settings/panels/TeamInvitesPanel.test.tsx

The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.

integrityorphan-pagewiring

medium 9-layer quality integrity conf 1.00 Frontend route `/settings/team/manage/:teamId/invites` has no Link/navigate to it — app/src/components/settings/panels/TeamInvitesPanel.test.tsx

The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.

integrityorphan-pagewiring

medium 9-layer quality integrity conf 1.00 Frontend route `/settings/team/manage/:teamId/members` has no Link/navigate to it — app/src/components/settings/panels/TeamMembersPanel.test.tsx

The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.

integrityorphan-pagewiring

medium 9-layer quality integrity conf 1.00 Frontend route `/settings/team/manage/:teamId` has no Link/navigate to it — app/src/components/settings/panels/TeamManagementPanel.test.tsx

The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.

integrityorphan-pagewiring

medium 9-layer quality integrity conf 1.00 Frontend route `/settings/team/members` has no Link/navigate to it — app/src/components/settings/panels/TeamMembersPanel.test.tsx

The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.

integrityorphan-pagewiring

medium 9-layer quality integrity conf 1.00 Frontend route `/webhooks` has no Link/navigate to it — app/src/AppRoutes.tsx

The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.

integrityorphan-pagewiring

medium 9-layer quality integrity conf 1.00 Frontend route `about` has no Link/navigate to it — app/src/pages/Settings.tsx

The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.

integrityorphan-pagewiring

medium 9-layer quality integrity conf 1.00 Frontend route `account` has no Link/navigate to it — app/src/pages/Settings.tsx

The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.

integrityorphan-pagewiring

medium 9-layer quality integrity conf 1.00 Frontend route `appearance` has no Link/navigate to it — app/src/pages/Settings.tsx

The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.

integrityorphan-pagewiring

medium 9-layer quality integrity conf 1.00 Frontend route `autocomplete-debug` has no Link/navigate to it — app/src/pages/Settings.tsx

The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.

integrityorphan-pagewiring

medium 9-layer quality integrity conf 1.00 Frontend route `autocomplete` has no Link/navigate to it — app/src/pages/Settings.tsx

The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.

integrityorphan-pagewiring

medium 9-layer quality integrity conf 1.00 Frontend route `billing` has no Link/navigate to it — app/src/pages/Settings.tsx

The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.

integrityorphan-pagewiring

medium 9-layer quality integrity conf 1.00 Frontend route `custom/inference` has no Link/navigate to it — app/src/pages/onboarding/Onboarding.tsx

The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.

integrityorphan-pagewiring

medium 9-layer quality integrity conf 1.00 Frontend route `custom/memory` has no Link/navigate to it — app/src/pages/onboarding/Onboarding.tsx

The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.

integrityorphan-pagewiring

medium 9-layer quality integrity conf 1.00 Frontend route `custom/oauth` has no Link/navigate to it — app/src/pages/onboarding/Onboarding.tsx

The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.

integrityorphan-pagewiring

medium 9-layer quality integrity conf 1.00 Frontend route `custom/search` has no Link/navigate to it — app/src/pages/onboarding/Onboarding.tsx

The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.

integrityorphan-pagewiring

medium 9-layer quality integrity conf 1.00 Frontend route `custom/voice` has no Link/navigate to it — app/src/pages/onboarding/Onboarding.tsx

The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.

integrityorphan-pagewiring

medium 9-layer quality integrity conf 1.00 Frontend route `developer-options` has no Link/navigate to it — app/src/pages/Settings.tsx

The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.

integrityorphan-pagewiring

medium 9-layer quality integrity conf 1.00 Frontend route `devices` has no Link/navigate to it — app/src/pages/Settings.tsx

The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.

integrityorphan-pagewiring

medium 9-layer quality integrity conf 1.00 Frontend route `features` has no Link/navigate to it — app/src/pages/Settings.tsx

The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.

integrityorphan-pagewiring

medium 9-layer quality integrity conf 1.00 Frontend route `mascot` has no Link/navigate to it — app/src/pages/Settings.tsx

The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.

integrityorphan-pagewiring

medium 9-layer quality integrity conf 1.00 Frontend route `memory-data` has no Link/navigate to it — app/src/pages/Settings.tsx

The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.

integrityorphan-pagewiring

medium 9-layer quality integrity conf 1.00 Frontend route `memory-debug` has no Link/navigate to it — app/src/pages/Settings.tsx

The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.

integrityorphan-pagewiring

medium 9-layer quality integrity conf 1.00 Frontend route `notification-routing` has no Link/navigate to it — app/src/pages/Settings.tsx

The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.

integrityorphan-pagewiring

medium 9-layer quality integrity conf 1.00 Frontend route `runtime-choice` has no Link/navigate to it — app/src/pages/onboarding/Onboarding.tsx

The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.

integrityorphan-pagewiring

medium 9-layer quality integrity conf 1.00 Frontend route `screen-awareness-debug` has no Link/navigate to it — app/src/pages/Settings.tsx

The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.

integrityorphan-pagewiring

medium 9-layer quality integrity conf 1.00 Frontend route `team/invites` has no Link/navigate to it — app/src/pages/Settings.tsx

The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.

integrityorphan-pagewiring

medium 9-layer quality integrity conf 1.00 Frontend route `team/manage/:teamId/invites` has no Link/navigate to it — app/src/pages/Settings.tsx

The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.

integrityorphan-pagewiring

medium 9-layer quality integrity conf 1.00 Frontend route `team/manage/:teamId/members` has no Link/navigate to it — app/src/pages/Settings.tsx

The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.

integrityorphan-pagewiring

medium 9-layer quality integrity conf 1.00 Frontend route `team/manage/:teamId` has no Link/navigate to it — app/src/pages/Settings.tsx

The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.

integrityorphan-pagewiring

medium 9-layer quality integrity conf 1.00 Frontend route `team/members` has no Link/navigate to it — app/src/pages/Settings.tsx

The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.

integrityorphan-pagewiring

medium 9-layer quality integrity conf 1.00 Frontend route `voice-debug` has no Link/navigate to it — app/src/pages/Settings.tsx

The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.

integrityorphan-pagewiring

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

Swatinem/rust-cache@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/coverage.yml:84 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

taiki-e/install-action@cargo-llvm-cov can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/coverage.yml:90 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

Swatinem/rust-cache@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/coverage.yml:115 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

taiki-e/install-action@cargo-llvm-cov can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/coverage.yml:130 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

Swatinem/rust-cache@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/typecheck.yml:57 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

Swatinem/rust-cache@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/e2e-reusable.yml:87 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

Swatinem/rust-cache@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/e2e-reusable.yml:217 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

pnpm/action-setup@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/e2e-reusable.yml:252 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

dtolnay/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/e2e-reusable.yml:261 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

Swatinem/rust-cache@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/e2e-reusable.yml:275 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

pnpm/action-setup@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/e2e-reusable.yml:355 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

dtolnay/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/e2e-reusable.yml:364 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

pnpm/action-setup@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/release-staging.yml:102 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

docker/setup-buildx-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/release-staging.yml:286 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

docker/build-push-action@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/release-staging.yml:288 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

docker/login-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/docker-ci-image.yml:27 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

docker/build-push-action@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/docker-ci-image.yml:33 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

dtolnay/rust-toolchain@stable can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/ios-compile.yml:45 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

Swatinem/rust-cache@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/ios-compile.yml:51 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

pnpm/action-setup@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/ios-compile.yml:60 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

pnpm/action-setup@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/release-production.yml:122 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

docker/setup-buildx-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/release-production.yml:459 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

docker/login-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/release-production.yml:461 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

docker/build-push-action@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/release-production.yml:483 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

dtolnay/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/release-production.yml:536 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

Swatinem/rust-cache@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/release-production.yml:538 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

docker/setup-buildx-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/release-production.yml:725 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

docker/login-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/release-production.yml:727 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

dtolnay/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/build-windows.yml:30 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

lycheeverse/lychee-action@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/pr-quality.yml:57 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

maxim-lobanov/setup-xcode@v1 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/build-desktop.yml:149 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

pnpm/action-setup@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/build-desktop.yml:153 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

dtolnay/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/build-desktop.yml:161 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

pnpm/action-setup@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/e2e-agent-review.yml:40 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

dtolnay/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/e2e-agent-review.yml:50 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

docker/setup-buildx-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/deploy-smoke.yml:52 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

docker/build-push-action@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/deploy-smoke.yml:55 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

docker/setup-buildx-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/deploy-smoke.yml:151 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

docker/build-push-action@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/deploy-smoke.yml:154 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

dtolnay/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/release-packages.yml:43 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

Swatinem/rust-cache@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/release-packages.yml:45 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

pnpm/action-setup@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/release-packages.yml:172 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

dtolnay/rust-toolchain@stable can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/android-compile.yml:37 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

Swatinem/rust-cache@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/android-compile.yml:43 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

pnpm/action-setup@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/android-compile.yml:51 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

Swatinem/rust-cache@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/build.yml:29 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions

CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.

.github/workflows/release-staging.yml supply-chaingithub-actionsleast-privilege

medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions

CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.

.github/workflows/docker-ci-image.yml supply-chaingithub-actionsleast-privilege

medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions

CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.

.github/workflows/release-production.yml supply-chaingithub-actionsleast-privilege

medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions

CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.

.github/workflows/release-packages.yml supply-chaingithub-actionsleast-privilege

medium 9-layer network security conf 1.00 Privileged port 16 in use

Port 16 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.

app/src-tauri/src/loopback_oauth.rs securityports

medium 9-layer network security conf 1.00 Privileged port 55 in use

Port 55 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.

app/src-tauri/src/lib.rs securityports

low Legacy cicd docker conf 0.72 .dockerignore misses sensitive defaults

Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases.

.dockerignore dockerlegacy

low Legacy quality quality conf 1.00 [SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites — the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p

Python: `f"prefix {var} suffix"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically.

app/src-tauri/src/meet_audio/audio_bridge.js:71 qualitylegacy

high Legacy cicd docker conf 0.56 Compose service does not declare a runtime user

Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive.

docker-compose.yml:17 dockerlegacy

low Legacy cicd docker conf 0.72 Dockerfile installs recommended OS packages

Add `--no-install-recommends` and explicitly list only packages the image needs.

e2e/Dockerfile:35 dockerlegacy

low Legacy cicd docker conf 0.72 Dockerfile installs recommended OS packages

Add `--no-install-recommends` and explicitly list only packages the image needs.

e2e/Dockerfile:19 dockerlegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

app/src/components/settings/panels/TeamMembersPanel.tsx:120 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

app/src/components/settings/panels/TeamMembersPanel.tsx:118 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

app/src/components/settings/panels/TeamInvitesPanel.tsx:115 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

app/src/components/settings/panels/TeamInvitesPanel.tsx:114 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

app/src/components/settings/panels/ScreenIntelligencePanel.tsx:128 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

app/src/components/settings/panels/RecoveryPhrasePanel.tsx:397 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

app/src/components/settings/panels/DevicesPanel.tsx:227 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

app/src/components/settings/panels/AutocompletePanel.tsx:7 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

app/src/components/ios/MobileTabBar.tsx:46 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

app/src/components/intelligence/MemoryWorkspace.tsx:420 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

app/src/components/intelligence/MemorySyncConnections.tsx:33 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

app/src/components/intelligence/IntelligenceSubconsciousTab.tsx:381 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

app/src/components/channels/TelegramConfig.tsx:5 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

app/src-tauri/src/whatsapp_scanner/idb.rs:99 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

app/src-tauri/src/whatsapp_scanner/idb.rs:85 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

app/src-tauri/src/wechat_scanner/dom_snapshot.rs:227 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

app/src-tauri/src/telegram_scanner/mod.rs:418 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

app/src-tauri/src/telegram_scanner/mod.rs:381 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

app/src-tauri/src/telegram_scanner/mod.rs:1 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

app/src-tauri/src/telegram_scanner/idb.rs:147 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

app/src-tauri/src/deep_link_ipc_windows.rs:89 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

app/src-tauri/src/telegram_scanner/idb.rs:14 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

app/src-tauri/src/telegram_scanner/dom_snapshot.rs:37 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

app/src-tauri/src/slack_scanner/mod.rs:505 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

app/src-tauri/src/slack_scanner/mod.rs:468 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

app/src-tauri/src/slack_scanner/idb.rs:144 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

app/src-tauri/src/slack_scanner/dom_snapshot.rs:1 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

app/src-tauri/src/meet_video/inject.rs:39 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

app/src-tauri/src/meet_scanner/mod.rs:55 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

app/src-tauri/src/imessage_scanner/mod.rs:321 qualitylegacy

low 9-layer frontend frontend-quality conf 1.00 "active" state uses light bg in a dark theme — app/src/components/BottomTabBar.tsx:214

A ternary like `active ? 'bg-white' : '...'` (or bg-gray-100/200) on a dark theme produces jarring white pills. Use a dark-emphasized active state instead — border + ring or slightly brighter dark bg. Example: `active ? 'bg-gray-800 border-gray-500 ring-1 ring-blue-500/30' : '…'`. Why: P-E in CHEC…

frontend-qualityfq.active-light-bg

low 9-layer frontend frontend-quality conf 1.00 "active" state uses light bg in a dark theme — app/src/pages/Intelligence.tsx:157

A ternary like `active ? 'bg-white' : '...'` (or bg-gray-100/200) on a dark theme produces jarring white pills. Use a dark-emphasized active state instead — border + ring or slightly brighter dark bg. Example: `active ? 'bg-gray-800 border-gray-500 ring-1 ring-blue-500/30' : '…'`. Why: P-E in CHEC…

frontend-qualityfq.active-light-bg

low 9-layer quality integrity conf 1.00 51 env vars used in code but missing from .env.example

Drift between code and config docs. The first few: `APPIUM_PORT`, `BACKEND_URL`, `CEF_CDP_HOST`, `CEF_CDP_PORT`, `DEBUG_E2E_DEEPLINK`, `DEBUG_TESTS`, `DEV`, `E2E_ARTIFACT_DIR` + 43 more. Add them (with a placeholder/comment) to .env.example so onboarding doesn't break.

integrityconfig-drift

low 9-layer quality maintenance conf 1.00 70 TODO/FIXME markers

High count of TODO/FIXME/HACK markers — track them as issues so they're not forgotten.

maintenance

low 9-layer hardware coverage conf 1.00 Containers defined but no K8s/orchestration manifest found

Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.

coveragedeployment

low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: debian:bookworm-slim

Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.

Dockerfile:65 supply-chaindockerpinned-dependencies

low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: rust:1.93-bookworm

Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.

Dockerfile:12 supply-chaindockerpinned-dependencies

low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: ubuntu:22.04

Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.

.github/Dockerfile:1 supply-chaindockerpinned-dependencies

low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: ubuntu:22.04

Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.

e2e/Dockerfile:14 supply-chaindockerpinned-dependencies

low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: app/eslint.config.js