
openops-cloud/openops

https://github.com/openops-cloud/openops · scanned 2026-05-16 12:50 UTC (1 day, 8 hours ago) · 10 languages

259 findings (9 legacy + 250 scanner) · 2/10 scanners ran · 95th percentile · TypeScript · large (100-500K LoC) · Scanner says 56 (higher by 29)

UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 3 days ago · v1 · 253 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

Scan summary: Repository scanned at 55.8/100 with 100.0% coverage. It contains 7818 nodes across 30 cross-layer flows, written primarily in mixed languages. Engine surfaced 250 findings — concentrated in frontend (82), software (50), api (50). Risk profile is high: 0 critical, 7 high, 34 medium. Recommended next step: open the frontend layer findings first — that's where the highest-impact wins live.

Showing 252 of 253 findings.

high Legacy software ssrf conf 1.00 [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches.
Validate the URL against an allowlist BEFORE fetching:

    ALLOWED = {'images.example.com', 'cdn.example.com'}
    host = urlparse(url).hostname
    if host not in ALLOWED:
        abort(400)

Or use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request h…
packages/server/api/src/app/slack/slack-interaction-module.ts:146 ssrf legacy
high Legacy software ssrf conf 1.00 [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches.
Validate the URL against an allowlist BEFORE fetching:

    ALLOWED = {'images.example.com', 'cdn.example.com'}
    host = urlparse(url).hostname
    if host not in ALLOWED:
        abort(400)

Or use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request h…
packages/ui-components/src/components/json-viewer/json-viewer-hook.ts:97 ssrf legacy
high Legacy software ssrf conf 1.00 [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches.
Validate the URL against an allowlist BEFORE fetching:

    ALLOWED = {'images.example.com', 'cdn.example.com'}
    host = urlparse(url).hostname
    if host not in ALLOWED:
        abort(400)

Or use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request h…
packages/ui-components/src/components/custom/markdown.tsx:50 ssrf legacy
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in packages/server/shared/src/lib/blocks/file-blocks-utils.ts:97
Found a known-risky pattern (eval_used). Review and replace if possible.
packages/server/shared/src/lib/blocks/file-blocks-utils.ts:97 owasp eval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'exec_used' in packages/cli/src/lib/commands/sync-blocks.ts:19
Found a known-risky pattern (exec_used). Review and replace if possible.
packages/cli/src/lib/commands/sync-blocks.ts:19 owasp exec_used
high 9-layer security owasp conf 1.00 Insecure pattern 'exec_used' in packages/cli/src/lib/utils/block-generators.ts:32
Found a known-risky pattern (exec_used). Review and replace if possible.
packages/cli/src/lib/utils/block-generators.ts:32 owasp exec_used
high 9-layer security owasp conf 1.00 Insecure pattern 'exec_used' in packages/server/shared/src/lib/exec-async.ts:11
Found a known-risky pattern (exec_used). Review and replace if possible.
packages/server/shared/src/lib/exec-async.ts:11 owasp exec_used
high 9-layer security owasp conf 1.00 Insecure pattern 'exec_used' in packages/server/shared/src/lib/package-manager.ts:121
Found a known-risky pattern (exec_used). Review and replace if possible.
packages/server/shared/src/lib/package-manager.ts:121 owasp exec_used
high 9-layer security owasp conf 1.00 Insecure pattern 'exec_used' in tools/scripts/utils/package-pre-publish-checks.ts:46
Found a known-risky pattern (exec_used). Review and replace if possible.
tools/scripts/utils/package-pre-publish-checks.ts:46 owasp exec_used
high 9-layer security owasp conf 1.00 Insecure pattern 'exec_used' in tools/scripts/utils/publish-nx-project.ts:27
Found a known-risky pattern (exec_used). Review and replace if possible.
tools/scripts/utils/publish-nx-project.ts:27 owasp exec_used
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — packages/ui-components/src/components/assistant-ui/mermaid-renderer/mermaid-renderer.tsx:90
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-quality fq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — packages/ui-components/src/ui/chart/chart.tsx:83
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-quality fq.dangerous-html
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/blocks/cloudhealth/src/lib/common/execute-graphql-query.ts:16
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/blocks/imap/src/lib/common/fetch-emails.ts:45
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/engine/src/get-environment-id.ts:7
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/engine/src/get-feature-flag.ts:10
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/engine/src/lib/handler/context/engine-constants.ts:230
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/engine/src/lib/services/files.service.ts:121
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/engine/src/lib/services/storage.service.ts:66
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/openops/src/lib/aws/azure-aws-federation.ts:103
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/server/api/src/app/blocks/block-sync-service.ts:123
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/ui-components/src/stories/markdown.stories.tsx:395
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — tools/scripts/sync-models.ts:276
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrity fragile-runtime robustness
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: .devcontainer/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
security container
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
security container
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
chromaui/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/chromatic.yml:39 supply-chain github-actions pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci.yml:214 supply-chain github-actions pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
aws-actions/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci.yml:217 supply-chain github-actions pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
aws-actions/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci.yml:225 supply-chain github-actions pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci.yml:237 supply-chain github-actions pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci.yml:255 supply-chain github-actions pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
aws-actions/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci.yml:274 supply-chain github-actions pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
aws-actions/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci.yml:281 supply-chain github-actions pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:47 supply-chain github-actions pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
aws-actions/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:49 supply-chain github-actions pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
aws-actions/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:56 supply-chain github-actions pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
aws-actions/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:58 supply-chain github-actions pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
softprops/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:97 supply-chain github-actions pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
aws-actions/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:112 supply-chain github-actions pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/ci.yml supply-chain github-actions least-privilege
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/release.yml supply-chain github-actions least-privilege
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in packages/ui-components/src/components/assistant-ui/mermaid-renderer/mermaid-renderer.tsx:90
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
packages/ui-components/src/components/assistant-ui/mermaid-renderer/mermaid-renderer.tsx:90 owasp dangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in packages/ui-components/src/ui/chart/chart.tsx:83
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
packages/ui-components/src/ui/chart/chart.tsx:83 owasp dangerous_innerhtml
low 9-layer quality maintenance conf 1.00 42 TODO/FIXME markers
High count of TODO/FIXME/HACK markers — track them as issues so they're not forgotten.
maintenance
low 9-layer quality integrity conf 1.00 7 env vars used in code but missing from .env.example
Drift between code and config docs. The first few: `AWS_LAMBDA_FUNCTION_NAME`, `NODE_ENV`, `OPS_BASE_CODE_DIRECTORY`, `OPS_CODE_SANDBOX_TYPE`, `OPS_FINOPS_BENCHMARK_ENABLED`, `TZ`, `VITE_OPS_BACKEND_URL`. Add them (with a placeholder/comment) to .env.example so onboarding doesn't break.
integrity config-drift
low 9-layer hardware coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
coverage deployment
low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: mcr.microsoft.com/vscode/devcontainers/javascript-node:${VARIANT}
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
.devcontainer/Dockerfile:2 supply-chain docker pinned-dependencies
low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: node:20.19-alpine3.20
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
Dockerfile:1 supply-chain docker pinned-dependencies
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: jest.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: jest.env.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: jest.preset.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: jest.setup.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/shared/jest.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/shared/src/lib/app-connection/app-connection.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/shared/src/lib/app-connection/dto/read-app-connection-request.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/shared/src/lib/app-connection/dto/upsert-app-connection-request.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/shared/src/lib/app-connection/oauth2-authorization-method.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/shared/src/lib/authentication/dto/sign-in-request.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/shared/src/lib/authentication/dto/sign-up-request.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/shared/src/lib/authentication/model/authentication-type.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/shared/src/lib/authentication/model/principal-type.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/shared/src/lib/authentication/model/principal.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/shared/src/lib/flows/actions/frontend-blocks.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/shared/src/lib/flows/dto/count-flows-request.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/shared/src/lib/flows/dto/create-flow-request.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/shared/src/lib/flows/dto/flow-template-request.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/shared/src/lib/flows/dto/list-flows-request.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/shared/src/lib/flows/dto/run-flow-response.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/shared/src/lib/flows/flow-operations.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/shared/src/lib/flows/flow-version.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/shared/src/lib/flows/flow.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/shared/src/lib/flows/folders/content-type.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/shared/src/lib/flows/folders/folder-requests.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/shared/src/lib/flows/folders/folder.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/shared/src/lib/flows/folders/list-folders-response.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/shared/src/lib/flows/form.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/shared/src/lib/flows/sample-data.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/shared/src/lib/flows/step-file/step-file.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/shared/src/lib/flows/step-run/dto/test-step-request.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/shared/src/lib/flows/test-trigger.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/shared/src/lib/flows/trigger-events/trigger-event.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/shared/src/lib/flows/trigger-events/trigger-events-dto.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/shared/src/lib/flows/triggers/trigger.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/shared/src/lib/workflow-stats/workflow-stats.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/shared/test/app-connections/connection-utils.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/shared/test/cloud-providers/cloud-provider-metadata.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/shared/test/common/utils/extract-string-property.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/shared/test/email-validation.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/shared/test/flow/string-input-validator.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/shared/test/password-validation.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/tests-e2e/playwright.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/tests-e2e/tests/auth.setup.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/tests-e2e/tests/aws-get-price.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/tests-e2e/tests/openops-table-get-records.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/ui-kit/jest.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/ui-kit/setup-tests.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/ui-kit/src/lib/api.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/ui-kit/vite.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/chromatic.yml:21 supply-chain github-actions pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/chromatic.yml:27 supply-chain github-actions pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/cd.yml:18 supply-chain github-actions pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci.yml:20 supply-chain github-actions pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/cache/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci.yml:37 supply-chain github-actions pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/cache/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci.yml:52 supply-chain github-actions pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci.yml:58 · supply-chain · github-actions · pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci.yml:80 · supply-chain · github-actions · pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci.yml:85 · supply-chain · github-actions · pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/cache/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci.yml:88 · supply-chain · github-actions · pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/cache/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci.yml:135 · supply-chain · github-actions · pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci.yml:141 · supply-chain · github-actions · pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/cache/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci.yml:168 · supply-chain · github-actions · pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci.yml:174 · supply-chain · github-actions · pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/cache/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci.yml:187 · supply-chain · github-actions · pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/cache/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci.yml:208 · supply-chain · github-actions · pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:136 · supply-chain · github-actions · pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:157 · supply-chain · github-actions · pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:178 · supply-chain · github-actions · pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/sync-internal.yml:14 · supply-chain · github-actions · pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/stale@v10 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/stale.yml:24 · supply-chain · github-actions · pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 package.json defines install-time lifecycle scripts
preinstall/install/postinstall/prepare scripts execute during dependency installation. Review them carefully for network calls, obfuscation, shell execution, or credential access.
package.json · supply-chain · npm · install-scripts
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/blocks/date-helper/src/lib/actions/next-day-of-week.ts:116
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/blocks/schedule/src/lib/triggers/cron-expression.trigger.ts:55
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/blocks/schedule/src/lib/triggers/every-day.trigger.ts:94
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/blocks/schedule/src/lib/triggers/every-hour.trigger.ts:51
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/blocks/schedule/src/lib/triggers/every-month.trigger.ts:104
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/blocks/schedule/src/lib/triggers/every-week.trigger.ts:104
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/blocks/schedule/src/lib/triggers/every-x-minutes.trigger.ts:60
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/blocks/text-helper/src/lib/actions/markdown-to-html.ts:77
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/lib/commands/create-action.ts:38
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/lib/commands/create-block.ts:48
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/lib/commands/create-trigger.ts:92
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/lib/commands/sync-blocks.ts:27
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/lib/utils/block-generators.ts:30
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/lib/utils/block-validators.ts:4
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/engine/src/main.ts:54
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/engine/webpack.config.js:34
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/openops/src/lib/aws/tags/tag-resources.ts:40
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/react-ui/src/app/features/builder/hooks/tests/use-paste.test.ts:41
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/react-ui/src/app/features/connections/components/create-edit-connection-dialog-content.tsx:264
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/server/api/src/main.ts:127
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/server/api/webpack.config.js:45
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/server/shared/src/lib/logger/index.ts:17
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/server/shared/src/lib/logger/send-logs.ts:15
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/server/shared/src/lib/stop-handlers.ts:17
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/shared/test/flow/flow-helper.test.ts:2289
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/ui-components/src/components/flow-canvas/canvas-context.tsx:296
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/ui-components/src/stories/markdown.stories.tsx:403
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/ui-components/src/stories/rename-dialog/rename-dialog.stories.tsx:42
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/ui-components/src/ui/sortable.tsx:73
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — tools/scripts/sync-models.ts:365
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — tools/setup-dev.js:12
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — tools/webpack-utils.js:42
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer api wiring conf 1.00 Unused endpoint: ALL /:id/requests/:executionCorrelationId
`packages/server/api/src/app/flows/flow-run/flow-run-controller.ts` declares `ALL /:id/requests/:executionCorrelationId` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — conside…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: DELETE /
`packages/server/api/src/app/store-entry/store-entry.controller.ts` declares `DELETE /` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who con…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: DELETE /:chatId
`packages/server/api/src/app/ai/chat/ai-mcp-chat.controller.ts` declares `DELETE /:chatId` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who …
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: DELETE /:id
`packages/server/api/src/app/flows/folder/folder.module.ts` declares `DELETE /:id` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /
`packages/server/api/src/app/flow-template/flow-template.controller.ts` declares `GET /` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who co…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /:connectionName
`packages/server/api/src/app/app-connection/app-connection-worker-controller.ts` declares `GET /:connectionName` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removi…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /:flowId
`packages/server/api/src/app/flows/flow/form/form.controller.ts` declares `GET /:flowId` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who co…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /:flowVersionId/test-output
`packages/server/api/src/app/flows/flow/flow-version.controller.ts` declares `GET /:flowVersionId/test-output` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /:id
`packages/server/api/src/app/flow-template/flow-template.controller.ts` declares `GET /:id` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /:id/template
`packages/server/api/src/app/flows/flow/flow.controller.ts` declares `GET /:id/template` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who co…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /:id/versions
`packages/server/api/src/app/flows/flow/flow.controller.ts` declares `GET /:id/versions` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who co…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /:provider
`packages/server/api/src/app/ai/providers/ai-providers.controller.ts` declares `GET /:provider` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /active
`packages/server/api/src/app/ai/config/ai-config.controller.ts` declares `GET /active` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who cons…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /all-chats
`packages/server/api/src/app/ai/chat/ai-mcp-chat.controller.ts` declares `GET /all-chats` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who c…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /analytics-embed-id
`packages/server/api/src/app/authentication/authentication.controller.ts` declares `GET /analytics-embed-id` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing o…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /analytics-guest-token
`packages/server/api/src/app/authentication/authentication.controller.ts` declares `GET /analytics-guest-token` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removin…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /count
`packages/server/api/src/app/flows/flow/flow.controller.ts` declares `GET /count` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes …
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /environment-id
`packages/server/api/src/app/flags/flag.module.ts` declares `GET /environment-id` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes …
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /flows
`packages/server/api/src/app/flows/folder/folder.module.ts` declares `GET /flows` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes …
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /list
`packages/server/api/src/app/store-entry/store-entry.controller.ts` declares `GET /list` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who co…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /metadata
`packages/server/api/src/app/app-connection/app-connection.controller.ts` declares `GET /metadata` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or document…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /overview
`packages/server/api/src/app/dashboards/dashboards-module.ts` declares `GET /overview` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who cons…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /poll
`packages/server/api/src/app/flows/trigger-events/trigger-event.module.ts` declares `GET /poll` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /redirect
`packages/server/api/src/app/app.ts` declares `GET /redirect` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /runs/:runId
`packages/server/api/src/app/workers/engine-controller.ts` declares `GET /runs/:runId` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who cons…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /workflows-stats
`packages/server/api/src/app/dashboards/dashboards-module.ts` declares `GET /workflows-stats` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting w…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: PATCH /
`packages/server/api/src/app/app-connection/app-connection.controller.ts` declares `PATCH /` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting wh…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: PATCH /:chatId/name
`packages/server/api/src/app/ai/chat/ai-mcp-chat.controller.ts` declares `PATCH /:chatId/name` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting …
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /
`packages/server/api/src/app/flow-template/flow-template.controller.ts` declares `POST /` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who c…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /:flowVersionId/test-output
`packages/server/api/src/app/flows/flow/flow-version.controller.ts` declares `POST /:flowVersionId/test-output` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removin…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /:flowVersionId/trigger
`packages/server/api/src/app/flows/flow/flow-version.controller.ts` declares `POST /:flowVersionId/trigger` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /:id
`packages/server/api/src/app/flows/folder/folder.module.ts` declares `POST /:id` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes i…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /:id/retry
`packages/server/api/src/app/flows/flow-run/flow-run-controller.ts` declares `POST /:id/retry` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting …
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /:id/run
`packages/server/api/src/app/flows/flow/flow.controller.ts` declares `POST /:id/run` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consum…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /:id/stop
`packages/server/api/src/app/flows/flow-run/flow-run-controller.ts` declares `POST /:id/stop` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting w…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /chat-name
`packages/server/api/src/app/ai/chat/ai-mcp-chat.controller.ts` declares `POST /chat-name` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who …
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /code
`packages/server/api/src/app/ai/chat/ai-mcp-chat.controller.ts` declares `POST /code` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consu…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /delete-webhook-simulation
`packages/server/api/src/app/workers/worker-controller.ts` declares `POST /delete-webhook-simulation` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or docum…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /execute-variable
`packages/server/api/src/app/block-variable/block-variable-module.ts` declares `POST /execute-variable` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or doc…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /model
`packages/server/api/src/app/ai/chat/ai-mcp-chat.controller.ts` declares `POST /model` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who cons…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /open
`packages/server/api/src/app/ai/chat/ai-mcp-chat.controller.ts` declares `POST /open` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consu…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /resume-run
`packages/server/api/src/app/workers/worker-controller.ts` declares `POST /resume-run` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who cons…
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /save-payloads
`packages/server/api/src/app/workers/worker-controller.ts` declares `POST /save-payloads` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who c…
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /send-webhook-update
`packages/server/api/src/app/workers/worker-controller.ts` declares `POST /send-webhook-update` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting…
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /sign-in
`packages/server/api/src/app/authentication/authentication.controller.ts` declares `POST /sign-in` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or document…
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /sign-out
`packages/server/api/src/app/authentication/authentication.controller.ts` declares `POST /sign-out` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documen…
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /sign-up
`packages/server/api/src/app/authentication/authentication.controller.ts` declares `POST /sign-up` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or document…
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /submit-payload
`packages/server/api/src/app/workers/worker-controller.ts` declares `POST /submit-payload` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who …
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /submit-payloads
`packages/server/api/src/app/workers/worker-controller.ts` declares `POST /submit-payloads` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who…
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: PUT /
`packages/server/api/src/app/user-settings/user-settings.module.ts` declares `PUT /` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consum…
wiring unused-endpoint
low 9-layer quality complexity conf 1.00 Very large file: packages/server/api/test/integration/ce/flows/flow.test.ts (1551 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: packages/shared/test/flow/flow-helper.test.ts (3953 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
info 9-layer frontend frontend-quality conf 1.00 `truncate` class without `title=` for hover reveal — packages/react-ui/src/app/features/builder/data-selector/data-selector-node-content.tsx:100
A truncated value should reveal the full text on hover. Pass the full string via `title={...}` so the user can read it. Why: P2 in CHECKLIST.md — truncate without hover-reveal. Rule id: fq.truncate.no-title
frontend-quality fq.truncate.no-title
info 9-layer frontend frontend-quality conf 1.00 `truncate` class without `title=` for hover reveal — packages/react-ui/src/app/features/builder/flow-canvas/nodes/step-node.tsx:258
A truncated value should reveal the full text on hover. Pass the full string via `title={...}` so the user can read it. Why: P2 in CHECKLIST.md — truncate without hover-reveal. Rule id: fq.truncate.no-title
frontend-quality fq.truncate.no-title
info 9-layer frontend frontend-quality conf 1.00 `truncate` class without `title=` for hover reveal — packages/react-ui/src/app/features/builder/step-settings/block-settings/connection-select.tsx:187
A truncated value should reveal the full text on hover. Pass the full string via `title={...}` so the user can read it. Why: P2 in CHECKLIST.md — truncate without hover-reveal. Rule id: fq.truncate.no-title
frontend-quality fq.truncate.no-title
info 9-layer frontend frontend-quality conf 1.00 `truncate` class without `title=` for hover reveal — packages/react-ui/src/app/features/builder/test-step/catch-webhook-test-info.tsx:48
A truncated value should reveal the full text on hover. Pass the full string via `title={...}` so the user can read it. Why: P2 in CHECKLIST.md — truncate without hover-reveal. Rule id: fq.truncate.no-title
frontend-quality fq.truncate.no-title
info 9-layer frontend frontend-quality conf 1.00 `truncate` class without `title=` for hover reveal — packages/react-ui/src/app/features/flows/components/flow-details-panel.tsx:67
A truncated value should reveal the full text on hover. Pass the full string via `title={...}` so the user can read it. Why: P2 in CHECKLIST.md — truncate without hover-reveal. Rule id: fq.truncate.no-title
frontend-quality fq.truncate.no-title
info 9-layer frontend frontend-quality conf 1.00 `truncate` class without `title=` for hover reveal — packages/ui-components/src/components/ai-chat-container/ai-scope-selector.tsx:55
A truncated value should reveal the full text on hover. Pass the full string via `title={...}` so the user can read it. Why: P2 in CHECKLIST.md — truncate without hover-reveal. Rule id: fq.truncate.no-title
frontend-quality fq.truncate.no-title
info 9-layer frontend frontend-quality conf 1.00 `truncate` class without `title=` for hover reveal — packages/ui-components/src/components/assistant-ui/assistant-top-bar.tsx:124
A truncated value should reveal the full text on hover. Pass the full string via `title={...}` so the user can read it. Why: P2 in CHECKLIST.md — truncate without hover-reveal. Rule id: fq.truncate.no-title
frontend-quality fq.truncate.no-title
info 9-layer frontend frontend-quality conf 1.00 `truncate` class without `title=` for hover reveal — packages/ui-components/src/components/assistant-ui/history/assistant-ui-history-item.tsx:121
A truncated value should reveal the full text on hover. Pass the full string via `title={...}` so the user can read it. Why: P2 in CHECKLIST.md — truncate without hover-reveal. Rule id: fq.truncate.no-title
frontend-quality fq.truncate.no-title
info 9-layer frontend frontend-quality conf 1.00 `truncate` class without `title=` for hover reveal — packages/ui-components/src/components/custom/markdown.tsx:61
A truncated value should reveal the full text on hover. Pass the full string via `title={...}` so the user can read it. Why: P2 in CHECKLIST.md — truncate without hover-reveal. Rule id: fq.truncate.no-title
frontend-quality fq.truncate.no-title
info 9-layer frontend frontend-quality conf 1.00 `truncate` class without `title=` for hover reveal — packages/ui-components/src/components/finops-benchmark-banner/finops-benchmark-banner.tsx:73
A truncated value should reveal the full text on hover. Pass the full string via `title={...}` so the user can read it. Why: P2 in CHECKLIST.md — truncate without hover-reveal. Rule id: fq.truncate.no-title
frontend-quality fq.truncate.no-title
info 9-layer frontend frontend-quality conf 1.00 `truncate` class without `title=` for hover reveal — packages/ui-components/src/components/flow-template/flow-template-filter-sidebar.tsx:56
A truncated value should reveal the full text on hover. Pass the full string via `title={...}` so the user can read it. Why: P2 in CHECKLIST.md — truncate without hover-reveal. Rule id: fq.truncate.no-title
frontend-quality fq.truncate.no-title
info 9-layer frontend frontend-quality conf 1.00 `truncate` class without `title=` for hover reveal — packages/ui-components/src/components/flow-template/template-step-node.tsx:49
A truncated value should reveal the full text on hover. Pass the full string via `title={...}` so the user can read it. Why: P2 in CHECKLIST.md — truncate without hover-reveal. Rule id: fq.truncate.no-title
frontend-quality fq.truncate.no-title
info 9-layer frontend frontend-quality conf 1.00 `truncate` class without `title=` for hover reveal — packages/ui-components/src/ui/tree-view.tsx:141
A truncated value should reveal the full text on hover. Pass the full string via `title={...}` so the user can read it. Why: P2 in CHECKLIST.md — truncate without hover-reveal. Rule id: fq.truncate.no-title
frontend-quality fq.truncate.no-title
info 9-layer frontend frontend-quality conf 1.00 `truncate` class without `title=` for hover reveal — packages/ui-components/src/ui/user-avatar-menu.tsx:54
A truncated value should reveal the full text on hover. Pass the full string via `title={...}` so the user can read it. Why: P2 in CHECKLIST.md — truncate without hover-reveal. Rule id: fq.truncate.no-title
frontend-quality fq.truncate.no-title
info 9-layer frontend frontend-quality conf 1.00 TODO/FIXME marker in shipping code — packages/blocks/aws-compute-optimizer/src/lib/actions/ebs-get-recommendations-action.ts:42
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
frontend-quality fq.todo-marker
info 9-layer frontend frontend-quality conf 1.00 TODO/FIXME marker in shipping code — packages/blocks/aws-compute-optimizer/src/lib/common/compute-optimizer-ebs-client.ts:156
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
frontend-quality fq.todo-marker
info 9-layer frontend frontend-quality conf 1.00 TODO/FIXME marker in shipping code — packages/blocks/framework/src/lib/property/input/common.ts:40
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
frontend-quality fq.todo-marker
info 9-layer frontend frontend-quality conf 1.00 TODO/FIXME marker in shipping code — packages/blocks/framework/src/lib/trigger/trigger.ts:151
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
frontend-quality fq.todo-marker
info 9-layer frontend frontend-quality conf 1.00 TODO/FIXME marker in shipping code — packages/blocks/snowflake/test/run-query.test.ts:190
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
frontend-quality fq.todo-marker
info 9-layer frontend frontend-quality conf 1.00 TODO/FIXME marker in shipping code — packages/engine/src/engine-executor.ts:20
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
frontend-quality fq.todo-marker
info 9-layer frontend frontend-quality conf 1.00 TODO/FIXME marker in shipping code — packages/engine/src/lib/services/files.service.ts:37
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
frontend-quality fq.todo-marker
info 9-layer frontend frontend-quality conf 1.00 TODO/FIXME marker in shipping code — packages/openops/src/lib/openops-tables/applications-service.ts:13
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
frontend-quality fq.todo-marker
info 9-layer frontend frontend-quality conf 1.00 TODO/FIXME marker in shipping code — packages/openops/src/lib/openops-tables/openops-tables-common-properties.ts:158
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
frontend-quality fq.todo-marker
info 9-layer frontend frontend-quality conf 1.00 TODO/FIXME marker in shipping code — packages/react-ui/src/app/features/benchmark/components/read-more-link.tsx:7
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
frontend-quality fq.todo-marker
info 9-layer frontend frontend-quality conf 1.00 TODO/FIXME marker in shipping code — packages/react-ui/src/app/features/builder/block-properties/utils.tsx:18
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
frontend-quality fq.todo-marker
info 9-layer frontend frontend-quality conf 1.00 TODO/FIXME marker in shipping code — packages/server/api/src/app/authentication/authorization.ts:10
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
frontend-quality fq.todo-marker
info 9-layer frontend frontend-quality conf 1.00 TODO/FIXME marker in shipping code — packages/server/api/src/app/blocks/block-metadata-service/db-block-metadata-service.ts:89
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
frontend-quality fq.todo-marker
info 9-layer frontend frontend-quality conf 1.00 TODO/FIXME marker in shipping code — packages/server/api/src/app/flow-template/flow-template.module.ts:8
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
frontend-quality fq.todo-marker
info 9-layer frontend frontend-quality conf 1.00 TODO/FIXME marker in shipping code — packages/server/api/src/app/flows/flow/flow.controller.ts:98
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
frontend-quality fq.todo-marker
info 9-layer frontend frontend-quality conf 1.00 TODO/FIXME marker in shipping code — packages/server/api/src/app/openops-tables/rename-database.ts:7
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
frontend-quality fq.todo-marker
info 9-layer frontend frontend-quality conf 1.00 TODO/FIXME marker in shipping code — packages/server/api/src/app/workers/engine-controller.ts:275
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
frontend-quality fq.todo-marker
info 9-layer frontend frontend-quality conf 1.00 TODO/FIXME marker in shipping code — packages/server/api/src/app/workers/machine/machine-controller.ts:24
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
frontend-quality fq.todo-marker
info 9-layer frontend frontend-quality conf 1.00 TODO/FIXME marker in shipping code — packages/server/api/src/app/workers/queue/queue-manager.ts:27
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
frontend-quality fq.todo-marker
info 9-layer frontend frontend-quality conf 1.00 TODO/FIXME marker in shipping code — packages/server/api/src/app/workers/redis/redis-queue.ts:43
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
frontend-quality fq.todo-marker
info 9-layer frontend frontend-quality conf 1.00 TODO/FIXME marker in shipping code — packages/server/api/src/app/workers/worker-controller.ts:265
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
frontend-quality fq.todo-marker
info 9-layer frontend frontend-quality conf 1.00 TODO/FIXME marker in shipping code — packages/server/shared/src/lib/blocks-builder/dependency-analyzer.ts:45
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
frontend-quality fq.todo-marker
info 9-layer frontend frontend-quality conf 1.00 TODO/FIXME marker in shipping code — packages/server/shared/src/lib/cache/redis-lock.ts:34
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
frontend-quality fq.todo-marker
info 9-layer frontend frontend-quality conf 1.00 TODO/FIXME marker in shipping code — packages/server/shared/src/lib/system/system-prop.ts:90
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
frontend-quality fq.todo-marker
info 9-layer frontend frontend-quality conf 1.00 TODO/FIXME marker in shipping code — packages/shared/src/lib/app-connection/oauth2-authorization-method.ts:1
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
frontend-quality fq.todo-marker
info 9-layer frontend frontend-quality conf 1.00 TODO/FIXME marker in shipping code — packages/shared/src/lib/flows/actions/action.ts:310
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
frontend-quality fq.todo-marker
info 9-layer frontend frontend-quality conf 1.00 TODO/FIXME marker in shipping code — packages/ui-components/src/stories/collapsible.stories.tsx:36
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
frontend-quality fq.todo-marker
info 9-layer frontend frontend-quality conf 1.00 TODO/FIXME marker in shipping code — packages/ui-components/src/stories/dialog.stories.tsx:47
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
frontend-quality fq.todo-marker
info 9-layer frontend frontend-quality conf 1.00 TODO/FIXME marker in shipping code — packages/ui-components/src/stories/drawer.stories.tsx:43
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
frontend-quality fq.todo-marker
info 9-layer frontend frontend-quality conf 1.00 TODO/FIXME marker in shipping code — packages/ui-components/src/stories/dropdown-menu.stories.tsx:46
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
frontend-quality fq.todo-marker
info 9-layer frontend frontend-quality conf 1.00 TODO/FIXME marker in shipping code — packages/ui-components/src/stories/popover.stories.tsx:28
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
frontend-quality fq.todo-marker
info 9-layer frontend frontend-quality conf 1.00 TODO/FIXME marker in shipping code — packages/ui-components/src/stories/select.stories.tsx:60
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
frontend-quality fq.todo-marker
info 9-layer frontend frontend-quality conf 1.00 TODO/FIXME marker in shipping code — packages/ui-components/src/stories/toast.stories.tsx:33
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
frontend-quality fq.todo-marker
info 9-layer frontend frontend-quality conf 1.00 TODO/FIXME marker in shipping code — packages/ui-components/src/ui/calendar.tsx:13
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
frontend-quality fq.todo-marker
API access

This page is publicly accessible at: https://repobility.com/scan/48fc393f-1836-47d4-82d1-6e5622dc46fc/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/48fc393f-1836-47d4-82d1-6e5622dc46fc/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.