Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
136 of your 243 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.
Upstream (GitHub) caused delay on this scan — not Repobility.
  • GitHub API rate-limited (HTTP 403) — preflight skipped, fell back to direct git clone.
  • Clone from GitHub took 97.71s for a 147.9 MB repo slow.
  • Repobility's analysis ran in 23.54s after the clone landed.

nexu-io/open-design

https://github.com/nexu-io/open-design · scanned 2026-06-05 09:50 UTC (5 days, 16 hours ago) · 10 languages

2828 raw signals (212 security + 2616 graph) 11/13 scanners ran 51st percentile · Typescript · huge (>500K LoC) System graph score 60 (higher by 25)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 5 days, 16 hours ago · v2 · 1232 actionable findings from 2 signal sources. 278 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON
Combined
70.7
/100
Security checks
82
98 findings
System graph
60
100.0% cov · 1134 findings
Critical
0
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 60.0 0.15 9.00
security_score 100.0 0.25 25.00
testing_score 95.0 0.20 19.00
documentation_score 100.0 0.15 15.00
practices_score 81.0 0.15 12.15
code_quality 45.0 0.10 4.50
Overall 1.00 84.7
security_score may be inflated — optional security scanners were skipped on this fast scan
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 0 High 111 Medium 77 Low 383 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 98 System graph 1134 Crowd 0 Layer: Quality 917 Cicd 11 Software 85 Security 17 Frontend 86 Network 2 Api 114
Corpus Intelligence Cross-corpus context (cohort percentile, top patterns, fix plan) is shown only on repositories you own. Sign up and connect your repo to view it.
Scan summary Ranks in the 54th percentile among small-sized repos. Strongest dependencies (90), security (75); weakest testing (0), structure (47). 2 findings (2 critical). Most common pattern: cpp-new-without-delete.

Showing 569 of 1232 actionable findings. 1510 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

high Security checks quality Quality conf 1.00 ✓ Repobility [MINED107] Missing import: `warnings` used but not imported: The file uses `warnings.something(...)` but never imports `warnings`. This raises NameError at runtime the first time the line executes.
Add `import warnings` at the top of the file.
design-templates/last30days/scripts/lib/pipeline.py:545
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED107] Missing import: `warnings` used but not imported: The file uses `warnings.something(...)` but never imports `warnings`. This raises NameError at runtime the first time the line executes.
Add `import warnings` at the top of the file.
skills/hatch-pet/scripts/validate_atlas.py:105
low Security checks cicd CI/CD security conf 0.35 ✓ Repobility 2 occurrences Workflow references repository secrets in a pull_request workflow
Fork pull_request runs do not receive normal repository secrets on GitHub Actions. Review this as a reliability/intent signal, not as direct fork-secret exfiltration. Raise severity only for pull_request_target or another trusted-context path that runs untrusted PR code with secrets.
lines 203, 204
.github/workflows/landing-page-ci.yml:203, 204 (2 hits)
CI/CD securityworkflow secretsGitHub Actions
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState — React skips re-render on mutated reference.
Review and fix per the pattern semantics. See CWE-682 / for context.
apps/landing-page/scripts/blog-indexing/render-status.ts:170
high Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED108] `self.generate_text` used but never assigned in __init__: Method `generate_json` of class `ReasoningClient` reads `self.generate_text`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.generate_text = <default>` in __init__, or add a class-level default.
2 files, 3 locations
design-templates/last30days/scripts/lib/providers.py:47, 88 (2 hits)
design-templates/last30days/scripts/lib/ui.py:250
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express DELETE /api/projects/:id has no auth: Express route DELETE /api/projects/:id declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.delete('/api/projects/:id', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
apps/daemon/src/project-routes.ts:1420
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express DELETE /api/projects/:id/conversations/:cid has no auth: Express route DELETE /api/projects/:id/conversations/:cid declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.delete('/api/projects/:id/conversations/:cid', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
apps/daemon/src/project-routes.ts:1583
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express DELETE /api/projects/:id/conversations/:cid/comments/:commentId has no auth: Express route DELETE /api/projects/:id/conversations/:cid/comments/:commentId declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.delete('/api/projects/:id/conversations/:cid/comments/:commentId', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
apps/daemon/src/project-routes.ts:1677
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express DELETE /api/projects/:id/folders has no auth: Express route DELETE /api/projects/:id/folders declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.delete('/api/projects/:id/folders', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
apps/daemon/src/project-routes.ts:2075
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express DELETE /api/projects/:id/terminals/:tid has no auth: Express route DELETE /api/projects/:id/terminals/:tid declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.delete('/api/projects/:id/terminals/:tid', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
apps/daemon/src/terminal-routes.ts:108
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express DELETE /api/templates/:id has no auth: Express route DELETE /api/templates/:id declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.delete('/api/templates/:id', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
apps/daemon/src/project-routes.ts:1809
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express PATCH /api/projects/:id has no auth: Express route PATCH /api/projects/:id declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.patch('/api/projects/:id', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
apps/daemon/src/project-routes.ts:1313
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express PATCH /api/projects/:id/conversations/:cid has no auth: Express route PATCH /api/projects/:id/conversations/:cid declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.patch('/api/projects/:id/conversations/:cid', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
apps/daemon/src/project-routes.ts:1574
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express PATCH /api/projects/:id/conversations/:cid/comments/:commentId has no auth: Express route PATCH /api/projects/:id/conversations/:cid/comments/:commentId declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.patch('/api/projects/:id/conversations/:cid/comments/:commentId', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
apps/daemon/src/project-routes.ts:1652
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /api/artifacts/lint has no auth: Express route POST /api/artifacts/lint declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/api/artifacts/lint', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
apps/daemon/src/project-routes.ts:1863
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /api/artifacts/save has no auth: Express route POST /api/artifacts/save declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/api/artifacts/save', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
apps/daemon/src/project-routes.ts:1837
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /api/project-locations/scan has no auth: Express route POST /api/project-locations/scan declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/api/project-locations/scan', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
apps/daemon/src/project-routes.ts:946
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /api/projects has no auth: Express route POST /api/projects declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/api/projects', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
apps/daemon/src/project-routes.ts:1056
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /api/projects/:id/conversations has no auth: Express route POST /api/projects/:id/conversations declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/api/projects/:id/conversations', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
apps/daemon/src/project-routes.ts:1487
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /api/projects/:id/conversations/:cid/comments has no auth: Express route POST /api/projects/:id/conversations/:cid/comments declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/api/projects/:id/conversations/:cid/comments', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
apps/daemon/src/project-routes.ts:1633
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /api/projects/:id/folders has no auth: Express route POST /api/projects/:id/folders declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/api/projects/:id/folders', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
apps/daemon/src/project-routes.ts:2051
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /api/projects/:id/terminals has no auth: Express route POST /api/projects/:id/terminals declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/api/projects/:id/terminals', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
apps/daemon/src/terminal-routes.ts:49
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /api/projects/:id/terminals/:tid/kill has no auth: Express route POST /api/projects/:id/terminals/:tid/kill declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/api/projects/:id/terminals/:tid/kill', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
apps/daemon/src/terminal-routes.ts:107
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /api/projects/:id/terminals/:tid/resize has no auth: Express route POST /api/projects/:id/terminals/:tid/resize declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/api/projects/:id/terminals/:tid/resize', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
apps/daemon/src/terminal-routes.ts:90
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /api/projects/:id/terminals/:tid/stdin has no auth: Express route POST /api/projects/:id/terminals/:tid/stdin declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/api/projects/:id/terminals/:tid/stdin', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
apps/daemon/src/terminal-routes.ts:79
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /api/templates has no auth: Express route POST /api/templates declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/api/templates', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
apps/daemon/src/project-routes.ts:1745
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /api/upload has no auth: Express route POST /api/upload declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/api/upload', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
apps/daemon/src/project-routes.ts:1823
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express PUT /api/project-locations has no auth: Express route PUT /api/project-locations declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.put('/api/project-locations', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
apps/daemon/src/project-routes.ts:915
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express PUT /api/projects/:id/conversations/:cid/messages/:mid has no auth: Express route PUT /api/projects/:id/conversations/:cid/messages/:mid declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.put('/api/projects/:id/conversations/:cid/messages/:mid', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
apps/daemon/src/project-routes.ts:1602
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express PUT /api/projects/:id/tabs has no auth: Express route PUT /api/projects/:id/tabs declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.put('/api/projects/:id/tabs', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
apps/daemon/src/project-routes.ts:1705
high Security checks software dependencies conf 0.90 ✓ Repobility [MINED134] Binary file `tools/pack/resources/win/7zip/7z.dll` committed in source repo: `tools/pack/resources/win/7zip/7z.dll` is a .dll binary (1,908,736 bytes) committed to a repo that otherwise has 1865 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts.
Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source.
tools/pack/resources/win/7zip/7z.dll:1
high Security checks software dependencies conf 0.90 ✓ Repobility [MINED134] Binary file `tools/pack/resources/win/7zip/7z.exe` committed in source repo: `tools/pack/resources/win/7zip/7z.exe` is a .exe binary (575,488 bytes) committed to a repo that otherwise has 1865 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts.
Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source.
tools/pack/resources/win/7zip/7z.exe:1
high Security checks security secrets conf 1.00 [SEC018] AI-Agent Secret Retrieval Command: A command that prints or embeds credentials was committed. AI coding agents often add these commands while trying to help with setup or deployment, but they can leak live secrets through logs, shell history, CI output, or documentation.
Remove the command, use a secret manager or CI masked secret, and rotate any credential that may have been printed.
.github/scripts/agent-pr-explore-local.sh:53
high Security checks security secrets conf 1.00 [SEC018] AI-Agent Secret Retrieval Command: A command that prints or embeds credentials was committed. AI coding agents often add these commands while trying to help with setup or deployment, but they can leak live secrets through logs, shell history, CI output, or documentation.
Remove the command, use a secret manager or CI masked secret, and rotate any credential that may have been printed.
.claude/skills/od-contribute/scripts/check-prereqs.sh:87
high Security checks software Xss conf 1.00 [SEC111] Django mark_safe / |safe filter on user data: Django's `mark_safe()` and `|safe` disable HTML autoescaping. Calling them on non-constant data is XSS.
Use `django.utils.html.format_html("<p>{}</p>", user_input)` — Django will escape the placeholder. Or escape explicitly with `django.utils.html.escape()`. Only use `mark_safe` on string literals.
apps/daemon/src/plugins/snapshot-diff.ts:77
high Security checks security auth conf 0.78 Consent is collected in UI without visible backend audit persistence
Persist consent as a backend record with subject, actor, purpose, scope, legal text version, timestamp, IP address, user agent, and revocation state.
apps/daemon/src/server.ts:5484
high Security checks security auth conf 0.83 Secret-like setting is echoed into a password input value
Never prefill secret fields with stored values. Show a masked status such as configured/not configured, require explicit rotation to replace the value, and return the raw key only once at creation time.
apps/web/src/components/SettingsDialog.tsx:4824
high System graph api Wiring conf 1.00 Dangling fetch: DELETE /api/v3/connected_accounts/${encodeURIComponent(providerConnectionId)} (apps/daemon/src/connectors/composio.ts:775)
`apps/daemon/src/connectors/composio.ts:775` calls `DELETE /api/v3/connected_accounts/${encodeURIComponent(providerConnectionId)}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/v3/connected_accounts/<p>` I…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: DELETE http://127.0.0.1:${port}/api/routines/${created.routine.id} (apps/daemon/tests/routine-routes.test.ts:584)
`apps/daemon/tests/routine-routes.test.ts:584` calls `DELETE http://127.0.0.1:${port}/api/routines/${created.routine.id}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/routines/<p>` If this…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /_next/static/missing.js (apps/daemon/tests/static-spa-fallback.test.ts:42)
`apps/daemon/tests/static-spa-fallback.test.ts:42` calls `GET /_next/static/missing.js` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/_next/static/missing.js` If this points at an external API, prefix it w…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/connectors/discovery${params} (apps/web/src/providers/registry.ts:860)
`apps/web/src/providers/registry.ts:860` calls `GET /api/connectors/discovery${params}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/connectors/discovery/<p>` If this points at an external API, prefix it with `htt…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/deploy/config${deployProviderQuery(providerId)} (apps/web/src/providers/registry.ts:1276)
`apps/web/src/providers/registry.ts:1276` calls `GET /api/deploy/config${deployProviderQuery(providerId)}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/deploy/config/<p>` If this points at an external API, prefix …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/routines/nope (apps/daemon/tests/static-spa-fallback.test.ts:39)
`apps/daemon/tests/static-spa-fallback.test.ts:39` calls `GET /api/routines/nope` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/routines/nope` If this points at an external API, prefix it with `https://` s…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/runs/${encodeURIComponent(runId)}/events${qs} (apps/web/src/providers/daemon.ts:890)
`apps/web/src/providers/daemon.ts:890` calls `GET /api/runs/${encodeURIComponent(runId)}/events${qs}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/runs/<p>/events/<p>` If this points at an external API, prefix it …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/v3.1/toolkits?limit=1000 (apps/daemon/src/connectors/composio.ts:995)
`apps/daemon/src/connectors/composio.ts:995` calls `GET /api/v3.1/toolkits?limit=1000` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/v3.1/toolkits` If this points at an external API, prefix it with `https:…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/v3.1/tools?${searchParams.toString()} (apps/daemon/src/connectors/composio.ts:1013)
`apps/daemon/src/connectors/composio.ts:1013` calls `GET /api/v3.1/tools?${searchParams.toString()}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/v3.1/tools` If this points at an external API, prefix it w…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET /artifacts/missing (apps/daemon/tests/static-spa-fallback.test.ts:40)
`apps/daemon/tests/static-spa-fallback.test.ts:40` calls `GET /artifacts/missing` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/artifacts/missing` If this points at an external API, prefix it with `https:/…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET /automations (apps/daemon/tests/static-spa-fallback.test.ts:32)
`apps/daemon/tests/static-spa-fallback.test.ts:32` calls `GET /automations` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/automations` If this points at an external API, prefix it with `https://` so the ma…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET /automations (apps/daemon/tests/static-spa-fallback.test.ts:51)
`apps/daemon/tests/static-spa-fallback.test.ts:51` calls `GET /automations` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/automations` If this points at an external API, prefix it with `https://` so the ma…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET /frames/missing (apps/daemon/tests/static-spa-fallback.test.ts:41)
`apps/daemon/tests/static-spa-fallback.test.ts:41` calls `GET /frames/missing` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/frames/missing` If this points at an external API, prefix it with `https://` so …
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET /projects/proj-1/files/index.html (apps/daemon/tests/static-spa-fallback.test.ts:34)
`apps/daemon/tests/static-spa-fallback.test.ts:34` calls `GET /projects/proj-1/files/index.html` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/projects/proj-1/files/index.html` If this points at an externa…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port(server)}/events (apps/daemon/tests/sidecar-server.test.ts:26)
`apps/daemon/tests/sidecar-server.test.ts:26` calls `GET http://127.0.0.1:${port(server)}/events` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/events` If this points at an external API, prefix…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/api/automation-templates (apps/daemon/tests/routine-routes.test.ts:91)
`apps/daemon/tests/routine-routes.test.ts:91` calls `GET http://127.0.0.1:${port}/api/automation-templates` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/automation-templates` If this point…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/api/automation-templates/extract-design-system (apps/daemon/tests/routine-routes.test.ts:102)
`apps/daemon/tests/routine-routes.test.ts:102` calls `GET http://127.0.0.1:${port}/api/automation-templates/extract-design-system` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/automation-t…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/api/automation-templates/missing (apps/daemon/tests/routine-routes.test.ts:113)
`apps/daemon/tests/routine-routes.test.ts:113` calls `GET http://127.0.0.1:${port}/api/automation-templates/missing` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/automation-templates/missi…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/api/health (deploy/tests/install.test.ts:31)
`deploy/tests/install.test.ts:31` calls `GET http://127.0.0.1:${port}/api/health` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/health` If this points at an external API, prefix it with `ht…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/api/mcp/install-info (apps/daemon/tests/mcp-install-info.test.ts:174)
`apps/daemon/tests/mcp-install-info.test.ts:174` calls `GET http://127.0.0.1:${port}/api/mcp/install-info` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/mcp/install-info` If this points at …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/api/mcp/install-info (apps/daemon/tests/mcp-install-info.test.ts:194)
`apps/daemon/tests/mcp-install-info.test.ts:194` calls `GET http://127.0.0.1:${port}/api/mcp/install-info` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/mcp/install-info` If this points at …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/api/mcp/install-info (apps/daemon/tests/mcp-install-info.test.ts:202)
`apps/daemon/tests/mcp-install-info.test.ts:202` calls `GET http://127.0.0.1:${port}/api/mcp/install-info` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/mcp/install-info` If this points at …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/api/mcp/install-info (apps/daemon/tests/mcp-install-info.test.ts:210)
`apps/daemon/tests/mcp-install-info.test.ts:210` calls `GET http://127.0.0.1:${port}/api/mcp/install-info` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/mcp/install-info` If this points at …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/api/mcp/install-info (apps/daemon/tests/mcp-install-info.test.ts:216)
`apps/daemon/tests/mcp-install-info.test.ts:216` calls `GET http://127.0.0.1:${port}/api/mcp/install-info` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/mcp/install-info` If this points at …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/api/mcp/install-info (apps/daemon/tests/mcp-install-info.test.ts:225)
`apps/daemon/tests/mcp-install-info.test.ts:225` calls `GET http://127.0.0.1:${port}/api/mcp/install-info` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/mcp/install-info` If this points at …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/api/mcp/install-info (apps/daemon/tests/mcp-install-info.test.ts:237)
`apps/daemon/tests/mcp-install-info.test.ts:237` calls `GET http://127.0.0.1:${port}/api/mcp/install-info` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/mcp/install-info` If this points at …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/api/mcp/install-info (apps/daemon/tests/mcp-install-info.test.ts:238)
`apps/daemon/tests/mcp-install-info.test.ts:238` calls `GET http://127.0.0.1:${port}/api/mcp/install-info` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/mcp/install-info` If this points at …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/api/mcp/install-info (apps/daemon/tests/mcp-install-info.test.ts:239)
`apps/daemon/tests/mcp-install-info.test.ts:239` calls `GET http://127.0.0.1:${port}/api/mcp/install-info` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/mcp/install-info` If this points at …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/api/mcp/install-info (apps/daemon/tests/mcp-install-info.test.ts:254)
`apps/daemon/tests/mcp-install-info.test.ts:254` calls `GET http://127.0.0.1:${port}/api/mcp/install-info` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/mcp/install-info` If this points at …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/api/mcp/install-info (apps/daemon/tests/mcp-install-info.test.ts:275)
`apps/daemon/tests/mcp-install-info.test.ts:275` calls `GET http://127.0.0.1:${port}/api/mcp/install-info` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/mcp/install-info` If this points at …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/api/mcp/install-info (apps/daemon/tests/mcp-install-info.test.ts:298)
`apps/daemon/tests/mcp-install-info.test.ts:298` calls `GET http://127.0.0.1:${port}/api/mcp/install-info` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/mcp/install-info` If this points at …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/api/routines/${created.routine.id} (apps/daemon/tests/routine-routes.test.ts:447)
`apps/daemon/tests/routine-routes.test.ts:447` calls `GET http://127.0.0.1:${port}/api/routines/${created.routine.id}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/routines/<p>` If this po…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/api/routines/${created.routine.id} (apps/daemon/tests/routine-routes.test.ts:590)
`apps/daemon/tests/routine-routes.test.ts:590` calls `GET http://127.0.0.1:${port}/api/routines/${created.routine.id}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/routines/<p>` If this po…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/api/routines/${created.routine.id}/runs?limit=10 (apps/daemon/tests/routine-routes.test.ts:301)
`apps/daemon/tests/routine-routes.test.ts:301` calls `GET http://127.0.0.1:${port}/api/routines/${created.routine.id}/runs?limit=10` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/routines/<…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/api/routines/missing/runs?limit=10 (apps/daemon/tests/routine-routes.test.ts:601)
`apps/daemon/tests/routine-routes.test.ts:601` calls `GET http://127.0.0.1:${port}/api/routines/missing/runs?limit=10` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/routines/missing/runs` I…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/callback (apps/daemon/tests/xai-oauth-server.test.ts:328)
`apps/daemon/tests/xai-oauth-server.test.ts:328` calls `GET http://127.0.0.1:${port}/callback` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/callback` If this points at an external API, prefix …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://api.github.com${path} (scripts/approve-fork-pr-workflows.ts:279)
`scripts/approve-fork-pr-workflows.ts:279` calls `GET https://api.github.com${path}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.github.com/<p>` If this points at an external API, prefix it with `https…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://api.github.com/repos/${repo} (design-templates/open-design-landing/scripts/compose.ts:739)
`design-templates/open-design-landing/scripts/compose.ts:739` calls `GET https://api.github.com/repos/${repo}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.github.com/repos/<p>` If this points at an ext…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: PATCH http://127.0.0.1:${port}/api/routines/${created.routine.id} (apps/daemon/tests/routine-routes.test.ts:214)
`apps/daemon/tests/routine-routes.test.ts:214` calls `PATCH http://127.0.0.1:${port}/api/routines/${created.routine.id}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/routines/<p>` If this …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: PATCH http://127.0.0.1:${port}/api/routines/${created.routine.id} (apps/daemon/tests/routine-routes.test.ts:252)
`apps/daemon/tests/routine-routes.test.ts:252` calls `PATCH http://127.0.0.1:${port}/api/routines/${created.routine.id}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/routines/<p>` If this …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: PATCH http://127.0.0.1:${port}/api/routines/${created.routine.id} (apps/daemon/tests/routine-routes.test.ts:704)
`apps/daemon/tests/routine-routes.test.ts:704` calls `PATCH http://127.0.0.1:${port}/api/routines/${created.routine.id}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/routines/<p>` If this …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/active (apps/web/src/App.tsx:611)
`apps/web/src/App.tsx:611` calls `POST /api/active` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/active` If this points at an external API, prefix it with `https://` so the matcher skips it.
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/agents/antigravity/oauth-launch (apps/web/src/providers/daemon.ts:677)
`apps/web/src/providers/daemon.ts:677` calls `POST /api/agents/antigravity/oauth-launch` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/agents/antigravity/oauth-launch` If this points at an external API, prefix it w…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/automation-proposals/${id}/${action} (apps/web/src/components/TasksView.tsx:461)
`apps/web/src/components/TasksView.tsx:461` calls `POST /api/automation-proposals/${id}/${action}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/automation-proposals/<p>/<p>` If this points at an external API, pref…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/projects/${encodeURIComponent(projectId)}/plugins/${action} (apps/web/src/state/projects.ts:950)
`apps/web/src/state/projects.ts:950` calls `POST /api/projects/${encodeURIComponent(projectId)}/plugins/${action}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/projects/<p>/plugins/<p>` If this points at an extern…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/api/routines (apps/daemon/tests/routine-routes.test.ts:132)
`apps/daemon/tests/routine-routes.test.ts:132` calls `POST http://127.0.0.1:${port}/api/routines` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/routines` If this points at an external API, …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/api/routines (apps/daemon/tests/routine-routes.test.ts:201)
`apps/daemon/tests/routine-routes.test.ts:201` calls `POST http://127.0.0.1:${port}/api/routines` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/routines` If this points at an external API, …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/api/routines (apps/daemon/tests/routine-routes.test.ts:239)
`apps/daemon/tests/routine-routes.test.ts:239` calls `POST http://127.0.0.1:${port}/api/routines` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/routines` If this points at an external API, …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/api/routines (apps/daemon/tests/routine-routes.test.ts:272)
`apps/daemon/tests/routine-routes.test.ts:272` calls `POST http://127.0.0.1:${port}/api/routines` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/routines` If this points at an external API, …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/api/routines (apps/daemon/tests/routine-routes.test.ts:315)
`apps/daemon/tests/routine-routes.test.ts:315` calls `POST http://127.0.0.1:${port}/api/routines` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/routines` If this points at an external API, …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/api/routines (apps/daemon/tests/routine-routes.test.ts:380)
`apps/daemon/tests/routine-routes.test.ts:380` calls `POST http://127.0.0.1:${port}/api/routines` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/routines` If this points at an external API, …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/api/routines (apps/daemon/tests/routine-routes.test.ts:419)
`apps/daemon/tests/routine-routes.test.ts:419` calls `POST http://127.0.0.1:${port}/api/routines` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/routines` If this points at an external API, …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/api/routines (apps/daemon/tests/routine-routes.test.ts:490)
`apps/daemon/tests/routine-routes.test.ts:490` calls `POST http://127.0.0.1:${port}/api/routines` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/routines` If this points at an external API, …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/api/routines (apps/daemon/tests/routine-routes.test.ts:518)
`apps/daemon/tests/routine-routes.test.ts:518` calls `POST http://127.0.0.1:${port}/api/routines` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/routines` If this points at an external API, …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/api/routines (apps/daemon/tests/routine-routes.test.ts:547)
`apps/daemon/tests/routine-routes.test.ts:547` calls `POST http://127.0.0.1:${port}/api/routines` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/routines` If this points at an external API, …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/api/routines (apps/daemon/tests/routine-routes.test.ts:571)
`apps/daemon/tests/routine-routes.test.ts:571` calls `POST http://127.0.0.1:${port}/api/routines` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/routines` If this points at an external API, …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/api/routines (apps/daemon/tests/routine-routes.test.ts:614)
`apps/daemon/tests/routine-routes.test.ts:614` calls `POST http://127.0.0.1:${port}/api/routines` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/routines` If this points at an external API, …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/api/routines (apps/daemon/tests/routine-routes.test.ts:638)
`apps/daemon/tests/routine-routes.test.ts:638` calls `POST http://127.0.0.1:${port}/api/routines` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/routines` If this points at an external API, …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/api/routines (apps/daemon/tests/routine-routes.test.ts:662)
`apps/daemon/tests/routine-routes.test.ts:662` calls `POST http://127.0.0.1:${port}/api/routines` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/routines` If this points at an external API, …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/api/routines (apps/daemon/tests/routine-routes.test.ts:691)
`apps/daemon/tests/routine-routes.test.ts:691` calls `POST http://127.0.0.1:${port}/api/routines` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/routines` If this points at an external API, …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/api/routines/${created.routine.id}/run (apps/daemon/tests/routine-routes.test.ts:285)
`apps/daemon/tests/routine-routes.test.ts:285` calls `POST http://127.0.0.1:${port}/api/routines/${created.routine.id}/run` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/routines/<p>/run` I…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/api/routines/${created.routine.id}/run (apps/daemon/tests/routine-routes.test.ts:503)
`apps/daemon/tests/routine-routes.test.ts:503` calls `POST http://127.0.0.1:${port}/api/routines/${created.routine.id}/run` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/routines/<p>/run` I…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/api/routines/${created.routine.id}/runs/run-running-1/crystallize (apps/daemon/tests/routine-routes.test.ts:403)
`apps/daemon/tests/routine-routes.test.ts:403` calls `POST http://127.0.0.1:${port}/api/routines/${created.routine.id}/runs/run-running-1/crystallize` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/api/routines/${created.routine.id}/runs/run-succeeded-1/crystallize (apps/daemon/tests/routine-routes.test.ts:340)
`apps/daemon/tests/routine-routes.test.ts:340` calls `POST http://127.0.0.1:${port}/api/routines/${created.routine.id}/runs/run-succeeded-1/crystallize` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1…
Dangling fetchFetch
high System graph cicd CI/CD security conf 1.00 GitHub Action tracks a moving branch
lowlighter/metrics@latest can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/metrics.yml:31 CI/CD securitySupply chainGithub actions
high System graph security security conf 1.00 Insecure pattern 'eval_used' in apps/desktop/src/main/index.ts:496
Found a known-risky pattern (eval_used). Review and replace if possible.
apps/desktop/src/main/index.ts:496 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in apps/desktop/src/main/runtime.ts:314
Found a known-risky pattern (eval_used). Review and replace if possible.
apps/desktop/src/main/runtime.ts:314 Eval used
medium Security checks quality Error handling conf 1.00 3 occurrences [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
3 files, 3 locations
apps/daemon/src/critique/artifact-handler.ts:208
apps/daemon/src/critique/artifact-writer.ts:121
apps/daemon/src/document-preview.ts:99
medium Security checks software Open redirect conf 1.00 [SEC046] Client-side open redirect — window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). Complement to server-side SEC030.
Validate the URL is same-origin or on an explicit allowlist before assignment: const u = new URL(serverUrl, location.href); if (u.origin !== location.origin && !ALLOWED.includes(u.host)) return; location.assign(u); Even better: have the server return a path (/checkout/done) instead of a full …
apps/web/src/components/SocialShareGrid.tsx:82
medium Security checks quality Quality conf 1.00 [SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0).
Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser).
design-templates/html-ppt/assets/animations/fx/knowledge-graph.js:20
medium Security checks quality Quality conf 1.00 [SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0).
Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser).
apps/web/src/components/PrivacySection.tsx:19
medium Security checks cicd CI/CD security conf 0.68 Agent auto-approve or skip-permissions mode is easy to enable
Require an explicit isolated profile for auto-approve modes. Keep safe defaults interactive, add visible warnings, and block these modes when the workspace contains secrets or production deploy credentials.
apps/daemon/src/runtimes/defs/trae-cli.ts:19 CI/CD securityagent runtimepermissions
medium Security checks cicd CI/CD security conf 0.68 Agent auto-approve or skip-permissions mode is easy to enable
Require an explicit isolated profile for auto-approve modes. Keep safe defaults interactive, add visible warnings, and block these modes when the workspace contains secrets or production deploy credentials.
apps/daemon/src/runtimes/defs/gemini.ts:23 CI/CD securityagent runtimepermissions
low Security checks quality Error handling conf 0.55 ✓ Repobility 24 occurrences Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
12 files, 24 locations
design-templates/last30days/scripts/lib/pipeline.py:287, 307, 365, 389, 670, 697, 823, 867, +2 more (10 hits)
design-templates/last30days/scripts/lib/env.py:342, 574 (2 hits)
design-templates/last30days/scripts/lib/quality_nudge.py:39, 93 (2 hits)
design-templates/last30days/scripts/lib/reddit_public.py:278, 286 (2 hits)
design-templates/last30days/scripts/last30days.py:784
design-templates/last30days/scripts/lib/bird_x.py:188
design-templates/last30days/scripts/lib/fanout.py:60
design-templates/last30days/scripts/lib/polymarket.py:358
Error handlingquality
high Security checks quality Quality conf 0.74 Codex auth.json is read or copied without visible secret-file hardening
Use the platform credential store where possible. If auth files must be touched, enforce 0600 permissions, avoid backups in the repo/workspace, redact logs, and document rotation if the file is exposed.
.github/scripts/provision-agent-pr-explore-runner.sh:28
medium Security checks quality Quality conf 0.76 Compliance or security claim is near a placeholder link
Link trust claims to current evidence, downgrade unverifiable wording, and replace placeholder footer/legal/security links with real destinations.
design-templates/web-prototype-taste-soft/example.html:529
medium Security checks quality Quality conf 0.76 Compliance or security claim is near a placeholder link
Link trust claims to current evidence, downgrade unverifiable wording, and replace placeholder footer/legal/security links with real destinations.
apps/daemon/src/design-system-showcase.ts:369
high Security checks quality Quality conf 0.80 localStorage write failures are swallowed silently
Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. Log non-quota failures for diagnostics.
apps/daemon/src/prompts/deck-framework.ts:287
medium Security checks quality Quality conf 0.78 Public web service has no security.txt
Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored.
.well-known/security.txt
high Security checks software dependencies conf 0.70 3 occurrences Remote install command pipes network code directly to a shell
Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.
3 files, 3 locations
.claude/skills/od-contribute/install.sh:10
README.md:302
apps/daemon/src/runtimes/defs/grok-build.ts:5
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — apps/web/app/layout.tsx:36
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — apps/web/src/components/FileViewer.tsx:10052
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — apps/web/src/components/IframeKeepAlivePool.tsx:323
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — apps/web/src/runtime/markdown.tsx:11
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — apps/web/tests/components/FileViewer.test.tsx:2641
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — .github/scripts/release/r2/summary-beta.ts:10
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — .github/scripts/release/r2/verify-beta-metadata.ts:19
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/daemon/src/artifact-create.ts:92
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/daemon/src/byok-tools.ts:1054
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/daemon/src/chat-routes.ts:1193
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/daemon/src/cli.ts:1793
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/daemon/src/community-pets-sync.ts:115
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/daemon/src/connectionTest.ts:153
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/daemon/src/deploy.ts:393
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/daemon/src/design-system-shadcn-import.ts:837
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/daemon/src/elevenlabs-voices.ts:127
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/daemon/src/live-artifacts/refresh.ts:691
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/daemon/src/mcp.ts:8
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/daemon/src/media-adapters/index.ts:12
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/daemon/src/media.ts:885
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/daemon/src/routes/xai.ts:51
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/daemon/src/server.ts:1486
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/daemon/src/tools-connectors-cli.ts:509
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/desktop/src/main/runtime.ts:336
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/landing-page/app/_lib/github.ts:45
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/landing-page/functions/release-metadata.ts:13
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/landing-page/functions/subscribe.ts:126
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/landing-page/scripts/blog-indexing/post-feishu-digest.ts:159
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/landing-page/scripts/seo-daily-report.ts:575
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/packaged/src/logging.ts:254
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/telemetry-worker/src/index.ts:181
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/web/src/components/GenUIInbox.tsx:112
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/web/src/components/MarketplaceView.tsx:34
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/web/src/components/MemoryModelInline.tsx:170
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/web/src/components/MemorySection.tsx:171
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/web/src/components/pet/pets.ts:327
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/web/src/components/plugins-home/cards/HtmlSurface.tsx:52
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/web/src/components/ProjectView.tsx:3571
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/web/src/components/SettingsDialog.tsx:5035
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/web/src/components/Theater/CritiqueTheaterMount.tsx:94
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/web/src/components/Theater/hooks/useCritiqueReplay.ts:254
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/web/src/hooks/useDesignMdState.ts:94
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/web/src/providers/registry.ts:304
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/web/src/state/apiProtocols.ts:225
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/web/src/state/projects.ts:81
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — design-templates/open-design-landing/scripts/compose.ts:739
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — design-templates/open-design-landing/scripts/imagegen.ts:223
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — e2e/lib/vitest/http.ts:8
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — e2e/lib/vitest/pets.ts:72
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — e2e/specs/linux.spec.ts:28
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — e2e/specs/mac.spec.ts:39
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — e2e/specs/namespace/main.spec.ts:88
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — e2e/specs/win.spec.ts:47
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — e2e/ui/amr-logout-requires-relogin.test.ts:83
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — scripts/approve-fork-pr-workflows.ts:279
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — scripts/bake-community-pets.ts:101
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — scripts/batch-design-system-test.ts:536
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — scripts/sync-community-pets.ts:185
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph cicd CI/CD security conf 1.00 39 occurrences GitHub Action is tag-pinned rather than SHA-pinned
pnpm/action-setup@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
12 files, 35 locations
.github/workflows/docker-image.yml:24, 29, 33, 41, 56 (5 hits)
.github/workflows/landing-page-production.yml:56, 152 (4 hits)
.github/workflows/release-beta.yml:195, 370, 440, 614 (4 hits)
.github/workflows/release-preview.yml:87, 123, 331, 402 (4 hits)
.github/workflows/release-stable.yml:188, 242, 457, 531 (4 hits)
.github/workflows/blog-3day-report.yml:54, 176 (2 hits)
.github/workflows/blog-indexing-monitor.yml:52, 275 (2 hits)
.github/workflows/blog-indexing-on-deploy.yml:70, 265 (2 hits)
CI/CD securitySupply chainGitHub Actions
medium System graph cicd CI/CD security conf 1.00 4 occurrences GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
4 files, 4 locations
.github/workflows/blog-indexing-on-deploy.yml
.github/workflows/docker-image.yml
.github/workflows/notify-release-feishu.yml
.github/workflows/release-stable.yml
CI/CD securitySupply chainGithub actions
medium System graph security security conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/web/app/layout.tsx:36
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/web/app/layout.tsx:36 Dangerous innerhtml
medium System graph security security conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/web/src/components/FileViewer.tsx:10052
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/web/src/components/FileViewer.tsx:10052 Dangerous innerhtml
medium System graph security security conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/web/src/components/IframeKeepAlivePool.tsx:323
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/web/src/components/IframeKeepAlivePool.tsx:323 Dangerous innerhtml
medium System graph security security conf 1.00 Insecure pattern 'weak_hash' in tools/pack/src/win/sign.ts:149
Found a known-risky pattern (weak_hash). Review and replace if possible.
tools/pack/src/win/sign.ts:149 Weak hash
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — skills/hatch-pet/scripts/finalize_pet_run.py:19
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — skills/hatch-pet/scripts/render_animation_videos.py:101
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph network Security conf 1.00 Privileged port 10 in use
Port 10 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
.github/workflows/e2e-coverage-reminder.yml Ports
medium System graph network Security conf 1.00 Privileged port 18 in use
Port 18 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
.github/workflows/e2e-coverage-reminder.yml Ports
low Security checks cicd CI/CD security conf 0.72 .dockerignore misses sensitive defaults
Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases.
.dockerignore CI/CD securitycontainers
high Security checks cicd CI/CD security conf 0.56 Compose service does not declare a runtime user
Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive.
tools/pack/docker-compose.yml:20 CI/CD securitycontainers
high Security checks cicd CI/CD security conf 0.62 Compose service lacks no-new-privileges hardening
Add `security_opt: ["no-new-privileges:true"]` unless the service has a documented need for privilege escalation.
tools/pack/docker-compose.yml:20 CI/CD securitycontainers
low Security checks quality Quality conf 0.60 22 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
12 files, 14 locations
apps/daemon/src/tools-live-artifacts-cli.ts:33, 146 (2 hits)
apps/web/sidecar/server.ts:290, 553 (2 hits)
.github/scripts/release/r2/publish-platform.ts:11
.github/scripts/release/r2/verify-beta-metadata.ts:1
apps/daemon/src/copilot-stream.ts:8
apps/daemon/src/critique/interrupt-handler.ts:17
apps/daemon/src/design-system-showcase.ts:574
apps/daemon/src/live-artifacts/schema.ts:160
duplicationquality
low Security checks quality Quality conf 0.64 Public docs site has no llms.txt
Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents.
llms.txt
low Security checks quality Quality conf 0.50 Public web app has no humans.txt
Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date.
humans.txt
low Security checks quality Quality conf 0.72 Public web app has no sitemap
Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt.
sitemap.xml
high Security checks quality Quality conf 0.62 Source file name looks like an AI patch artifact
Rename it to the domain concept it implements or merge it into the existing module it was meant to change.
apps/landing-page/app/_lib/home-copy.ts:1
low System graph quality Integrity conf 1.00 169 env vars used in code but missing from .env.example
Drift between code and config docs. The first few: `AIHUBMIX_API_KEY`, `ANTHROPIC_API_KEY`, `ANTHROPIC_BASE_URL`, `APPDATA`, `AUTH_TOKEN`, `AZURE_API_KEY`, `AZURE_OPENAI_API_KEY`, `CI` + 161 more. Add them (with a placeholder/comment) to .env.example so onboarding doesn't break.
config drift
low System graph quality Maintenance conf 1.00 94 TODO/FIXME markers
High count of TODO/FIXME/HACK markers — track them as issues so they're not forgotten.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/daemon/tests/amr-image-staging.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/daemon/tests/artifact-publication-guard.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/daemon/tests/automation-routine-evolution.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/daemon/tests/chat-attachments.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/daemon/tests/craft.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/daemon/tests/critique-composer.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/daemon/tests/critique-rollout.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/daemon/tests/design-token-contract.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/daemon/tests/memory-tree.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/daemon/tests/plugins-bundled-atoms-roster.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/daemon/tests/plugins-discovery-question-form-contract.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/daemon/tests/project-classifiers.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/daemon/tests/redact.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/daemon/tests/route-registration-guard.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/daemon/tests/run-diagnostics.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/daemon/tests/run-tool-bundle.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/daemon/tests/sanitize-name.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/daemon/tests/user-facing-agent-label.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/daemon/tests/version-route.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/daemon/vitest.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/desktop/src/main/splash-video.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/desktop/tests/main/mint-home-working-dir-token.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/desktop/tests/main/preload-host-boundary.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/desktop/tests/main/window-chrome.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/desktop/vitest.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/landing-page/app/content.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/landing-page/app/env.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/landing-page/app/solution-pages-i18n/ar.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/landing-page/app/solution-pages-i18n/de.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/landing-page/app/solution-pages-i18n/en.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/landing-page/app/solution-pages-i18n/es.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/landing-page/app/solution-pages-i18n/fr.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/landing-page/app/solution-pages-i18n/id.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/landing-page/app/solution-pages-i18n/it.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/landing-page/app/solution-pages-i18n/ja.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/landing-page/app/solution-pages-i18n/ko.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/landing-page/app/solution-pages-i18n/nl.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/landing-page/app/solution-pages-i18n/pl.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/landing-page/app/solution-pages-i18n/pt-br.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/landing-page/app/solution-pages-i18n/ru.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/landing-page/app/solution-pages-i18n/tr.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/landing-page/app/solution-pages-i18n/types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/landing-page/app/solution-pages-i18n/uk.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/landing-page/app/solution-pages-i18n/vi.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/landing-page/app/solution-pages-i18n/zh-tw.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/landing-page/app/solution-pages-i18n/zh.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/landing-page/astro.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/landing-page/functions/release-metadata.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: apps/telemetry-worker/vitest.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: design-systems/_schema/tokens.schema.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph cicd CI/CD security conf 1.00 149 occurrences GitHub Action is tag-pinned rather than SHA-pinned
actions/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
12 files, 102 locations
.github/workflows/release-beta.yml:127, 133, 190, 200, 291, 317, 353, 365, +8 more (18 hits)
.github/workflows/release-preview.yml:50, 55, 82, 92, 118, 128, 270, 296, +8 more (16 hits)
.github/workflows/release-stable.yml:128, 134, 182, 193, 236, 247, 394, 420, +8 more (16 hits)
.github/workflows/ci.yml:144, 216, 227, 266, 325, 371, 399, 419, +2 more (10 hits)
.github/workflows/landing-page-production.yml:47, 61, 77, 85 (8 hits)
.github/workflows/landing-page-ci.yml:79, 88, 214 (6 hits)
.github/workflows/ui-extended-main.yml:76, 101, 130, 155, 174, 199 (6 hits)
.github/workflows/visual-pr-comment.yml:40, 52, 58, 247, 261, 373 (6 hits)
CI/CD securitySupply chainGitHub Actions
low System graph frontend Frontend quality conf 1.00 Icon-only button without accessible name — apps/daemon/tests/qa-cta-hierarchy.test.ts:107
A `<button>` whose only child is a single glyph or symbol needs `title=` or `aria-label=` so screen readers (and tooltips on hover) work. Why: P3 in CHECKLIST.md — icon-only buttons skipped a title. Rule id: fq.button.no-label
Fq button no label
low System graph security security conf 1.00 Insecure pattern 'document_write' in apps/web/src/runtime/srcdoc.ts:109
Found a known-risky pattern (document_write). Review and replace if possible.
apps/web/src/runtime/srcdoc.ts:109 Document write
low System graph quality Integrity conf 1.00 9 occurrences Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: skills/hatch-pet/scripts/make_contact_sheet.py:checker, skills/hatch-pet/scripts/render_animation_videos.py:checker This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or docu…
9 occurrences
repo-level (9 hits)
duplicatesduplication
low System graph quality Integrity conf 1.00 2 occurrences Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: skills/hatch-pet/scripts/pet_job_status.py:load_manifest, skills/hatch-pet/scripts/generate_pet_images.py:load_manifest, skills/hatch-pet/scripts/derive_running_left_from_running_right.py:load_manifest This is *the* AI-coder failure mode (4× more dup…
2 occurrences
repo-level (2 hits)
duplicatesduplication
low System graph quality Integrity conf 1.00 2 occurrences Near-duplicate function bodies in 4 places
Functions with the same first-5-line body hash: skills/hatch-pet/scripts/queue_pet_repairs.py:job_list, skills/hatch-pet/scripts/generate_pet_images.py:manifest_jobs, skills/hatch-pet/scripts/record_imagegen_result.py:job_list, skills/hatch-pet/scripts/derive_running_left_from_running_right.py:job_…
2 occurrences
repo-level (2 hits)
duplicatesduplication
low System graph quality Integrity conf 1.00 Near-duplicate function bodies in 5 places
Functions with the same first-5-line body hash: design-templates/last30days/scripts/lib/polymarket.py:search_polymarket, design-templates/last30days/scripts/lib/hackernews.py:search_hackernews, design-templates/last30days/scripts/lib/youtube_yt.py:search_youtube, design-templates/last30days/scripts…
duplicatesduplication
low System graph quality Integrity conf 1.00 Near-duplicate function bodies in 6 places
Functions with the same first-5-line body hash: design-templates/last30days/scripts/lib/providers.py:generate_text, design-templates/last30days/scripts/lib/providers.py:generate_json, design-templates/last30days/scripts/lib/providers.py:generate_text, design-templates/last30days/scripts/lib/provide…
duplicatesduplication
low System graph quality Integrity conf 1.00 Near-duplicate function bodies in 9 places
Functions with the same first-5-line body hash: design-templates/last30days/scripts/lib/threads.py:search_threads, design-templates/last30days/scripts/lib/youtube_yt.py:search_youtube_sc, design-templates/last30days/scripts/lib/pinterest.py:search_pinterest, design-templates/last30days/scripts/lib/…
duplicatesduplication
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `artifactKickerLegacy` in apps/web/src/components/SettingsDialog.tsx:5818
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `artifactKickerLegacy` in apps/web/src/i18n/locales/ar.ts:1932
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `artifactKickerLegacy` in apps/web/src/i18n/locales/de.ts:1870
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `artifactKickerLegacy` in apps/web/src/i18n/locales/es-ES.ts:1821
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `artifactKickerLegacy` in apps/web/src/i18n/locales/fa.ts:1975
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `artifactKickerLegacy` in apps/web/src/i18n/locales/fr.ts:2562
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `artifactKickerLegacy` in apps/web/src/i18n/locales/hu.ts:1942
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `artifactKickerLegacy` in apps/web/src/i18n/locales/id.ts:500
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `artifactKickerLegacy` in apps/web/src/i18n/locales/it.ts:1788
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `artifactKickerLegacy` in apps/web/src/i18n/locales/ja.ts:1869
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `artifactKickerLegacy` in apps/web/src/i18n/locales/ko.ts:1982
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `artifactKickerLegacy` in apps/web/src/i18n/locales/pl.ts:1932
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `artifactKickerLegacy` in apps/web/src/i18n/locales/pt-BR.ts:1973
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `artifactKickerLegacy` in apps/web/src/i18n/locales/ru.ts:1973
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `artifactKickerLegacy` in apps/web/src/i18n/locales/th.ts:1721
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `artifactKickerLegacy` in apps/web/src/i18n/locales/tr.ts:1919
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `artifactKickerLegacy` in apps/web/src/i18n/locales/uk.ts:1974
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `artifactKickerLegacy` in apps/web/src/i18n/types.ts:577
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `card__copy` in apps/web/src/components/AssistantMessage.tsx:1822
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `card__copy` in apps/web/src/components/ChatPane.tsx:3346
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `eleven_text_to_sound_v2` in apps/daemon/src/media.ts:2426
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `eleven_text_to_sound_v2` in apps/daemon/tests/media-elevenlabs.test.ts:163
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `extract_copy` in apps/web/src/components/DesignBrowserPanel.tsx:532
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `extract_copy` in apps/web/src/i18n/locales/en.ts:1683
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `extract_copy` in apps/web/src/i18n/locales/zh-CN.ts:1673
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `extract_copy` in apps/web/src/i18n/locales/zh-TW.ts:1266
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `hero__copy` in apps/web/src/components/TasksView.tsx:568
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `html_template_v1` in apps/daemon/src/live-artifacts/render.ts:3
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `html_template_v1` in apps/daemon/src/live-artifacts/schema.ts:28
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `html_template_v1` in apps/daemon/src/live-artifacts/store.ts:601
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `html_template_v1` in apps/daemon/tests/live-artifacts-routes.test.ts:74
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `html_template_v1` in apps/daemon/tests/live-artifacts-schema.test.ts:42
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `html_template_v1` in apps/daemon/tests/live-artifacts-store.test.ts:62
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `html_template_v1` in apps/daemon/tests/tools-live-artifacts-cli.test.ts:55
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `html_template_v1` in apps/web/tests/components/FileViewer.test.tsx:5090
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `html_template_v1` in e2e/lib/fake-agents.ts:320
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `html_template_v1` in packages/contracts/src/api/live-artifacts.ts:38
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `html_template_v1` in packages/contracts/src/examples.ts:195
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `link__copy` in apps/web/src/components/AvatarMenu.tsx:273
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `nLegacy` in apps/daemon/tests/design-systems.test.ts:183
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `nLegacy` in apps/daemon/tests/tools-connectors-cli.test.ts:889
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `Report_v2` in apps/daemon/tests/sanitize-name.test.ts:6
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `share_copy` in apps/landing-page/app/_lib/posthog-analytics.ts:104
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `snippet__copy` in apps/web/src/components/UseEverywhereModal.tsx:347
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `summary__copy` in apps/web/src/components/pet/PetSettings.tsx:537
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `t2a_v2` in apps/daemon/src/byok-tools.ts:503
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code

Showing first 300 of 569. Refine filters or use the findings page for deep search.

For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/4f01aef0-39c8-44fa-a798-a497d4fe9632/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/4f01aef0-39c8-44fa-a798-a497d4fe9632/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.