Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
83 of your 189 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 8.93s · analysis 54.08s · 19.9 MB · GitHub API rate-limit (preflight)

BradGroux/veritas-kanban

https://github.com/BradGroux/veritas-kanban · scanned 2026-06-05 15:09 UTC (5 days, 1 hour ago) · 10 languages

626 raw signals (174 security + 452 graph) 29th percentile · Typescript · large (100-500K LoC)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 5 days, 1 hour ago · v2 · 298 actionable findings from 2 signal sources. 100 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON
Combined
64.4
/100
Security checks
58
78 findings
System graph
71
100.0% cov · 220 findings
Critical
4
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 60.0 0.15 9.00
security_score 43.1 0.25 10.78
testing_score 95.0 0.20 19.00
documentation_score 87.7 0.15 13.15
practices_score 85.0 0.15 12.75
code_quality 47.2 0.10 4.72
Overall 1.00 69.4
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 4 High 38 Medium 49 Low 148 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 78 System graph 220 Crowd 0 Layer: Quality 98 Security 8 Cicd 7 Software 66 Frontend 55 Network 6 Hardware 2 Api 56
Scan summary Quality grade B- (69/100). Dimensions: security 43, maintainability 60. 174 findings (41 security). 207,012 lines analyzed.

Showing 238 of 298 actionable findings. 398 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

critical Security checks security secrets conf 0.95 6 occurrences Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
5 files, 6 locations
server/src/__tests__/routes/auth.test.ts:28, 73 (2 hits)
cli/src/__tests__/snapshot.test.ts:220
docs/API-REFERENCE.md:671
docs/API-WORKFLOWS.md:1343
web/src/__tests__/multi-user-tab.test.tsx:123
critical Security checks security secrets conf 0.95 12 occurrences Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.
Gitleaks detected a committed secret or credential pattern.
7 files, 12 locations
docs/TROUBLESHOOTING.md:179, 207, 210 (3 hits)
docs/features/prd-driven-development.md:95, 775 (2 hits)
docs/security.md:51, 58 (2 hits)
server/.env.example:122, 125 (2 hits)
docs/DEPLOYMENT.md:790
docs/guides/SELF_HOST.md:729
seed-demo-data.sh:45
critical Security checks security secrets conf 0.95 3 occurrences Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data.
Gitleaks detected a committed secret or credential pattern.
3 files, 3 locations
server/src/__tests__/governance-trace-service.test.ts:22
server/src/__tests__/log-redaction.test.ts:31
server/src/__tests__/skill-capability-service.test.ts:63
high Security checks security Injection conf 1.00 [SEC036] HTTP Header Injection / CRLF Injection: Setting an HTTP response header from user input without stripping CRLF lets attackers inject extra headers (Set-Cookie, etc.) or split the response. Real CVEs: CVE-2017-15193 (Mahara), CVE-2019-11358 (Django), CVE-2020-26116 (Python http.client). CWE-93/113.
Strip `\r\n` before setting headers: safe = value.replace('\r','').replace('\n','') response.headers['X-Custom'] = safe Most modern frameworks (Django 3+, Express 4.10+) already do this — but custom header-setting code often doesn't. Prefer framework methods (`response.set_cookie`) over manual …
server/src/middleware/request-id.ts:27
high Security checks security auth conf 0.78 Consent is collected in UI without visible backend audit persistence
A frontend journey appears to ask for consent to share identity/KYC/biometric data, but backend code does not show a consent audit model with scope, purpose, legal text version, timestamp, IP, or user-agent evidence.
server/src/services/workflow-authoring-service.ts:1800
high Security checks software dependencies conf 0.90 ✓ Repobility 2 occurrences Dockerfile FROM `node:22-alpine` not pinned by digest
`FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
lines 17, 66
Dockerfile:17, 66 (2 hits)
high Security checks quality Quality conf 0.80 ✓ Repobility Express DELETE /:id has no auth
Express route DELETE /:id declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
server/src/routes/scheduled-deliverables.ts:88
high Security checks quality Quality conf 0.80 ✓ Repobility Express DELETE /:id/subtasks/:subtaskId has no auth
Express route DELETE /:id/subtasks/:subtaskId declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
server/src/routes/task-subtasks.ts:105
high Security checks quality Quality conf 0.80 ✓ Repobility Express DELETE /file/*path has no auth
Express route DELETE /file/*path declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
server/src/routes/docs.ts:119
high Security checks quality Quality conf 0.80 ✓ Repobility Express DELETE /repos/:name has no auth
Express route DELETE /repos/:name declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
server/src/routes/config.ts:106
high Security checks quality Quality conf 0.80 ✓ Repobility Express PATCH /:id has no auth
Express route PATCH /:id declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
server/src/routes/scheduled-deliverables.ts:66
high Security checks quality Quality conf 0.80 ✓ Repobility Express PATCH /:id/subtasks/:subtaskId has no auth
Express route PATCH /:id/subtasks/:subtaskId declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
server/src/routes/task-subtasks.ts:64
high Security checks quality Quality conf 0.80 ✓ Repobility Express PATCH /:id/subtasks/:subtaskId/criteria/:index has no auth
Express route PATCH /:id/subtasks/:subtaskId/criteria/:index declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
server/src/routes/task-subtasks.ts:123
high Security checks quality Quality conf 0.80 ✓ Repobility Express PATCH /repos/:name has no auth
Express route PATCH /repos/:name declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
server/src/routes/config.ts:83
high Security checks quality Quality conf 0.80 ✓ Repobility Express POST / has no auth
Express route POST / declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
server/src/routes/scheduled-deliverables.ts:35
high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /:id/runs has no auth
Express route POST /:id/runs declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
server/src/routes/scheduled-deliverables.ts:98
high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /:id/subtasks has no auth
Express route POST /:id/subtasks declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
server/src/routes/task-subtasks.ts:26
high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /change-password has no auth
Express route POST /change-password declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
server/src/routes/auth.ts:692
high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /device-pairing/exchange has no auth
Express route POST /device-pairing/exchange declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
server/src/routes/auth.ts:256
high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /invitations/accept has no auth
Express route POST /invitations/accept declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
server/src/routes/auth.ts:410
high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /login has no auth
Express route POST /login declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
server/src/routes/auth.ts:480
high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /logout has no auth
Express route POST /logout declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
server/src/routes/auth.ts:583
high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /pairing/redeem has no auth
Express route POST /pairing/redeem declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
server/src/routes/auth.ts:279
high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /predict has no auth
Express route POST /predict declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
server/src/routes/cost-prediction.ts:41
high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /recover has no auth
Express route POST /recover declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
server/src/routes/auth.ts:607
high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /repos has no auth
Express route POST /repos declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
server/src/routes/config.ts:60
high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /repos/validate has no auth
Express route POST /repos/validate declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
server/src/routes/config.ts:120
high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /setup has no auth
Express route POST /setup declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
server/src/routes/auth.ts:336
high Security checks quality Quality conf 0.80 ✓ Repobility Express PUT /agents has no auth
Express route PUT /agents declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
server/src/routes/config.ts:164
high Security checks quality Quality conf 0.80 ✓ Repobility Express PUT /default-agent has no auth
Express route PUT /default-agent declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
server/src/routes/config.ts:183
high Security checks quality Quality conf 0.80 ✓ Repobility Express PUT /file/*path has no auth
Express route PUT /file/*path declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
server/src/routes/docs.ts:99
medium Security checks cicd CI/CD security conf 0.90 ✓ Repobility 8 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `pnpm/action-setup` pinned to mutable ref `@v6` uses a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
4 files, 8 locations
.github/workflows/ci.yml:23, 58, 84, 135 (4 hits)
.github/workflows/scheduled-qa.yml:40, 87 (2 hits)
.github/workflows/desktop-artifacts.yml:33
.github/workflows/desktop-release.yml:35
CI/CD securitySupply chainGitHub Actions
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 22 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `actions/checkout` pinned to mutable ref `@v6` uses a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
4 files, 22 locations
.github/workflows/ci.yml:22, 25, 57, 60, 83, 86, 134, 137 (8 hits)
.github/workflows/scheduled-qa.yml:39, 42, 70, 86, 89, 165 (8 hits)
.github/workflows/desktop-artifacts.yml:32, 57, 100, 141 (4 hits)
.github/workflows/desktop-release.yml:34, 37 (2 hits)
CI/CD securitySupply chainGitHub Actions
high Security checks software dependencies conf 0.90 ✓ Repobility package.json dep `remote-helper` pulled from URL/Git
`dependencies.remote-helper` = `git+ssh://example.invalid/remote-helper.git` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload.
server/src/__fixtures__/skill-security/malicious/unpinned-dependency/package.json:1
high Security checks software dependencies conf 0.90 ✓ Repobility pre-commit hook `https://github.com/gitleaks/gitleaks` pinned to mutable rev `v8.21.2`
`.pre-commit-config.yaml` references `https://github.com/gitleaks/gitleaks` at `rev: v8.21.2`. If `{rev}` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine.
.pre-commit-config.yaml:7
high System graph api Wiring conf 1.00 Dangling fetch: GET https://example.invalid (server/src/__tests__/routes/workflow-authoring.test.ts:331)
`server/src/__tests__/routes/workflow-authoring.test.ts:331` calls `GET https://example.invalid` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/example.invalid` If this points at an external API, prefix it wi…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://example.invalid (server/src/__tests__/skill-security-service.test.ts:245)
`server/src/__tests__/skill-security-service.test.ts:245` calls `GET https://example.invalid` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/example.invalid` If this points at an external API, prefix it with …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://example.invalid (server/src/__tests__/skill-security-service.test.ts:277)
`server/src/__tests__/skill-security-service.test.ts:277` calls `GET https://example.invalid` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/example.invalid` If this points at an external API, prefix it with …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://example.invalid (server/src/__tests__/skill-security-service.test.ts:311)
`server/src/__tests__/skill-security-service.test.ts:311` calls `GET https://example.invalid` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/example.invalid` If this points at an external API, prefix it with …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://example.invalid/report?token=sk_test_abcdef12345678 (server/src/__tests__/skill-capability-service.test.ts:63)
`server/src/__tests__/skill-capability-service.test.ts:63` calls `GET https://example.invalid/report?token=sk_test_abcdef12345678` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/example.invalid/report` If thi…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST https://example.invalid/collect (server/src/__fixtures__/skill-security/malicious/exfiltration/scripts/collect.js:6)
`server/src/__fixtures__/skill-security/malicious/exfiltration/scripts/collect.js:6` calls `POST https://example.invalid/collect` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/example.invalid/collect` If thi…
Dangling fetchFetch
medium Security checks quality Error handling conf 1.00 3 occurrences [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
3 files, 3 locations
server/src/routes/chat.ts:23
server/src/services/trace-service.ts:57
server/src/services/worktree-service.ts:209
medium Security checks quality Quality conf 1.00 3 occurrences [SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0).
Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser).
3 files, 3 locations
server/src/services/activity-service.ts:194
server/src/services/shared-resources-service.ts:41
server/src/storage/sqlite/activity-repository.ts:39
medium Security checks cicd CI/CD security conf 0.68 Agent auto-approve or skip-permissions mode is easy to enable
Codex/agent auto-approve, YOLO, or skip-permissions modes can be useful in isolated automation, but they remove the human checkpoint before command execution, network access, and file edits.
server/src/services/config-service.ts:35 CI/CD securityagent runtimepermissions
medium Security checks software dependencies conf 0.90 npm package `@eslint/js` is 1 major version(s) behind (9.38.0 -> 10.0.1)
`@eslint/js` is pinned/resolved at 9.38.0 but the latest stable release on the npm registry is 10.0.1 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `commander` is 1 major version(s) behind (^14.0.3 -> 15.0.0)
`commander` is pinned/resolved at ^14.0.3 but the latest stable release on the npm registry is 15.0.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
cli/package.json
medium Security checks software dependencies conf 0.90 npm package `concurrently` is 1 major version(s) behind (^9.1.0 -> 10.0.3)
`concurrently` is pinned/resolved at ^9.1.0 but the latest stable release on the npm registry is 10.0.3 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks quality Quality conf 0.78 Public web service has no security.txt
security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt.
.well-known/security.txt
high Security checks software dependencies conf 0.70 Remote install command pipes network code directly to a shell
Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified.
server/src/__fixtures__/skill-security/malicious/remote-script/SKILL.md:6
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — web/src/lib/sanitize.ts:7
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — cli/src/commands/prompts.ts:441
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — mcp/src/tools/summary.ts:40
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — server/src/__fixtures__/skill-security/malicious/exfiltration/scripts/collect.js:6
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — server/src/__tests__/routes/workflow-authoring.test.ts:331
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — server/src/__tests__/skill-capability-service.test.ts:63
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — server/src/__tests__/skill-security-service.test.ts:245
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — server/src/__tests__/squad-webhook-service.test.ts:22
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — server/src/routes/agent-status.ts:352
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — web/public/sw.js:61
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — web/src/components/dashboard/ExportDialog.tsx:75
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — web/src/components/docs/DocsViewer.tsx:43
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — web/src/components/settings/tabs/DelegationTab.tsx:49
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — web/src/components/task/WorkflowSection.tsx:80
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — web/src/lib/api/agent.ts:21
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — web/src/lib/api/backlog.ts:32
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — web/src/lib/api/chat.ts:11
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — web/src/lib/api/config.ts:15
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — web/src/lib/api/decisions.ts:29
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — web/src/lib/api/diff.ts:8
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — web/src/lib/api/entities.ts:16
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — web/src/lib/api/feedback.ts:26
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — web/src/lib/api/governance-traces.ts:22
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — web/src/lib/api/helpers.ts:103
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — web/src/lib/api/integrations.ts:53
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — web/src/lib/api/maintenance.ts:42
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — web/src/lib/api/managed-list.ts:15
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — web/src/lib/api/prompt-registry.ts:21
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — web/src/lib/api/scoring.ts:12
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — web/src/lib/api/search.ts:93
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — web/src/lib/api/tasks.ts:9
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — web/src/lib/api/time.ts:9
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — web/src/lib/api/traces.ts:10
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — web/src/lib/api/work-products.ts:49
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/desktop-release.yml CI/CD securitySupply chainGithub actions
medium System graph network Security conf 1.00 Privileged port 10 in use
Port 10 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
demo/seed.sh Ports
medium System graph network Security conf 1.00 Privileged port 12 in use
Port 12 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
demo/seed.sh Ports
medium System graph network Security conf 1.00 Privileged port 14 in use
Port 14 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
demo/seed.sh Ports
medium System graph network Security conf 1.00 Privileged port 30 in use
Port 30 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
demo/seed.sh Ports
medium System graph network Security conf 1.00 Privileged port 8 in use
Port 8 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
demo/seed.sh Ports
medium System graph network Security conf 1.00 Privileged port 9 in use
Port 9 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
demo/seed.sh Ports
low Security checks cicd CI/CD security conf 0.72 .dockerignore misses sensitive defaults
.dockerignore exists but does not cover common secret or VCS patterns.
.dockerignore CI/CD securitycontainers
high Security checks cicd CI/CD security conf 0.62 Compose service lacks no-new-privileges hardening
no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities.
docker-compose.yml:15 CI/CD securitycontainers
low Security checks quality Quality conf 0.60 29 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
12 files, 16 locations
server/src/services/device-session-service.ts:41, 82 (2 hits)
server/src/storage/sqlite/prompt-registry-repository.ts:46, 340 (2 hits)
server/src/storage/sqlite/status-history-repository.ts:107, 242 (2 hits)
web/src/components/dashboard/DashboardPage.tsx:37, 115 (2 hits)
cli/src/commands/snapshot.ts:81
mcp/src/tools/tasks.ts:172
mcp/src/utils/api.ts:1
server/src/routes/scoring.ts:70
duplicationquality
low Security checks software dependencies conf 0.90 npm package `@types/react-dom` is minor version(s) behind (^19.0.0 -> 19.2.3)
`@types/react-dom` is pinned/resolved at ^19.0.0 but the latest stable release on the npm registry is 19.2.3 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
web/package.json
low Security checks software dependencies conf 0.90 npm package `@types/ws` is minor version(s) behind (^8.5.13 -> 8.18.1)
`@types/ws` is pinned/resolved at ^8.5.13 but the latest stable release on the npm registry is 8.18.1 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
server/package.json
low Security checks software dependencies conf 0.90 npm package `chalk` is minor version(s) behind (^5.3.0 -> 5.6.2)
`chalk` is pinned/resolved at ^5.3.0 but the latest stable release on the npm registry is 5.6.2 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
cli/package.json
low Security checks quality Quality conf 0.64 Public docs site has no llms.txt
AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions.
llms.txt
low Security checks quality Quality conf 0.50 Public web app has no humans.txt
humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links.
humans.txt
low Security checks quality Quality conf 0.74 Public web app has no robots.txt
Public websites should publish a robots.txt file so crawlers and AI agents can discover crawl rules and sitemap locations without guessing.
robots.txt
low Security checks quality Quality conf 0.72 Public web app has no sitemap
A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. Without one, important docs and product pages are easy to miss.
sitemap.xml
low System graph quality Integrity conf 1.00 78 env vars used in code but missing from .env.example
Drift between code and config docs. The first few: `API_BASE_URL`, `BASE_URL`, `CI`, `CLAWDBOT_GATEWAY`, `CLAWDBOT_GATEWAY_TOKEN`, `CLAWDBOT_GATEWAY_URL`, `CLAWD_ATTACHMENT_DIR`, `CODEX_PATH` + 70 more. Add them (with a placeholder/comment) to .env.example so onboarding doesn't break.
config drift
low System graph hardware Coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
Deployment
low System graph hardware Supply chain conf 1.00 2 occurrences Docker base image is tag-pinned but not digest-pinned: node:22-alpine
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
lines 17, 66
Dockerfile:17, 66 (2 hits)
containersPinned dependencies
low System graph software Dead code candidate conf 1.00 File has no detected symbols: cli/src/utils/api.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: cli/src/utils/types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: cli/vitest.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: desktop/electron.vite.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: desktop/src/main/app-metadata.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: desktop/src/main/types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: desktop/src/types/preload.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: desktop/vitest.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: eslint.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: mcp/src/utils/api.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: mcp/src/utils/types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: mcp/vitest.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playwright.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: shared/src/types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: shared/src/types/agent-health-classifier.types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: shared/src/types/agent-host.types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: shared/src/types/agent-registry.types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: shared/src/types/broadcast.types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: shared/src/types/changes.types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: shared/src/types/chat.types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: shared/src/types/config.types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: shared/src/types/decision.types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: shared/src/types/delegation.types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: shared/src/types/doc-freshness.types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: shared/src/types/drift.types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: shared/src/types/evaluation.types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: shared/src/types/evidence.types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: shared/src/types/feedback.types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: shared/src/types/governance-trace.types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: shared/src/types/governance.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: shared/src/types/maintenance.types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: shared/src/types/policy.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: shared/src/types/policy.types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: shared/src/types/prompt-registry.types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: shared/src/types/shared-resources.types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: shared/src/types/skill-capability.types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: shared/src/types/skill-security.types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: shared/src/types/system-health.types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: shared/src/types/task.types.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: shared/src/types/task.types.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: shared/src/types/task.types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: shared/src/types/telemetry.types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: shared/src/types/template.types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: shared/src/types/time-breakdown.types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: shared/src/types/transition-hooks.types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: shared/src/types/watcher-policy.types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: shared/src/types/websocket.types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: shared/src/types/work-product.types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: shared/src/utils/constants.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: vitest.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `handoff_v1` in server/src/__tests__/prompt-registry-service.test.ts:56
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `hasLegacy` in server/src/__tests__/middleware/rate-limit.test.ts:113
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `nOld` in cli/src/__tests__/prompts.test.ts:163
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `prompt_triage_v1` in server/src/__tests__/sqlite-portability-service.test.ts:116
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `workspace_memberships_legacy` in server/src/storage/sqlite/migrations.ts:882
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph cicd CI/CD security conf 1.00 package.json defines install-time lifecycle scripts
preinstall/install/postinstall/prepare scripts execute during dependency installation. Review them carefully for network calls, obfuscation, shell execution, or credential access.
package.json CI/CD securitySupply chainNpm
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — cli/src/commands/agent-status.ts:27
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — cli/src/commands/agents.ts:42
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — cli/src/commands/automation.ts:20
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — cli/src/commands/backlog.ts:30
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — cli/src/commands/comments.ts:26
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — cli/src/commands/doctor.ts:828
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — cli/src/commands/github.ts:37
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — cli/src/commands/notifications.ts:40
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — cli/src/commands/projects.ts:26
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — cli/src/commands/prompts.ts:599
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — cli/src/commands/setup.ts:32
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — cli/src/commands/snapshot.ts:674
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — cli/src/commands/sprints.ts:46
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — cli/src/commands/summary.ts:20
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — cli/src/commands/tasks.ts:39
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — cli/src/commands/time.ts:33
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — cli/src/commands/usage.ts:57
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — cli/src/commands/workflow.ts:62
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — server/src/__tests__/batch-reads-benchmark.test.ts:131
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — server/src/__tests__/mime-validation.test.ts:168
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — server/src/config/security.ts:439
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — server/src/middleware/auth.ts:241
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — server/src/scripts/reset-password.ts:24
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — web/src/components/workflows/WorkflowRunView.tsx:217
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph api Wiring conf 1.00 Unused endpoint: DELETE /:id
`server/src/routes/scheduled-deliverables.ts` declares `DELETE /:id` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: DELETE /repos/:name
`server/src/routes/config.ts` declares `DELETE /repos/:name` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /
`server/src/index.ts` declares `GET /` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /:id
`server/src/routes/scheduled-deliverables.ts` declares `GET /:id` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /:id/runs
`server/src/routes/scheduled-deliverables.ts` declares `GET /:id/runs` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /accuracy
`server/src/routes/cost-prediction.ts` declares `GET /accuracy` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /accuracy/stats
`server/src/routes/cost-prediction.ts` declares `GET /accuracy/stats` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /agents
`server/src/routes/config.ts` declares `GET /agents` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api-docs/swagger.json
`server/src/index.ts` declares `GET /api-docs/swagger.json` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/auth/diagnostics
`server/src/index.ts` declares `GET /api/auth/diagnostics` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/v1/auth/diagnostics
`server/src/index.ts` declares `GET /api/v1/auth/diagnostics` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /context
`server/src/routes/auth.ts` declares `GET /context` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /deep
`server/src/routes/health.ts` declares `GET /deep` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /items
`server/src/middleware/validate.ts` declares `GET /items` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /items/:id
`server/src/middleware/validate.ts` declares `GET /items/:id` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /live
`server/src/routes/health.ts` declares `GET /live` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /ready
`server/src/routes/health.ts` declares `GET /ready` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /repos
`server/src/routes/config.ts` declares `GET /repos` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /repos/:name/branches
`server/src/routes/config.ts` declares `GET /repos/:name/branches` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /rotation-status
`server/src/routes/auth.ts` declares `GET /rotation-status` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: PATCH /:id
`server/src/routes/scheduled-deliverables.ts` declares `PATCH /:id` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: PATCH /:id/subtasks/:subtaskId
`server/src/routes/task-subtasks.ts` declares `PATCH /:id/subtasks/:subtaskId` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: PATCH /repos/:name
`server/src/routes/config.ts` declares `PATCH /repos/:name` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /
`server/src/routes/scheduled-deliverables.ts` declares `POST /` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /:id/runs
`server/src/routes/scheduled-deliverables.ts` declares `POST /:id/runs` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /:id/subtasks
`server/src/routes/task-subtasks.ts` declares `POST /:id/subtasks` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /change-password
`server/src/routes/auth.ts` declares `POST /change-password` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /device-pairing/exchange
`server/src/routes/auth.ts` declares `POST /device-pairing/exchange` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /invitations/accept
`server/src/routes/auth.ts` declares `POST /invitations/accept` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /items
`server/src/middleware/validate.ts` declares `POST /items` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /login
`server/src/routes/auth.ts` declares `POST /login` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /logout
`server/src/routes/auth.ts` declares `POST /logout` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /pairing/redeem
`server/src/routes/auth.ts` declares `POST /pairing/redeem` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /predict
`server/src/routes/cost-prediction.ts` declares `POST /predict` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /recover
`server/src/routes/auth.ts` declares `POST /recover` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /repos
`server/src/routes/config.ts` declares `POST /repos` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /repos/validate
`server/src/routes/config.ts` declares `POST /repos/validate` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /rotate-secret
`server/src/routes/auth.ts` declares `POST /rotate-secret` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /setup
`server/src/routes/auth.ts` declares `POST /setup` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: PUT /agents
`server/src/routes/config.ts` declares `PUT /agents` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: PUT /default-agent
`server/src/routes/config.ts` declares `PUT /default-agent` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: PUT /items/:id
`server/src/middleware/validate.ts` declares `PUT /items/:id` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: USE /api
`server/src/index.ts` declares `USE /api` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: USE /api-docs
`server/src/index.ts` declares `USE /api-docs` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: USE /api/auth
`server/src/index.ts` declares `USE /api/auth` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: USE /api/health
`server/src/index.ts` declares `USE /api/health` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: USE /api/v1
`server/src/index.ts` declares `USE /api/v1` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: USE /api/v1/auth
`server/src/index.ts` declares `USE /api/v1/auth` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: USE /api/webhook
`server/src/index.ts` declares `USE /api/webhook` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: USE /assets
`server/src/index.ts` declares `USE /assets` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph quality Complexity conf 1.00 Very large file: server/src/services/clawdbot-agent-service.ts (1644 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: server/src/services/sqlite-portability-service.ts (2251 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: server/src/services/task-service.ts (1965 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: server/src/services/workflow-authoring-service.ts (1914 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: web/src/components/settings/tabs/MultiUserTab.tsx (1295 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/52ffb460-31b3-4e4c-8fbc-f948099ce16c/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/52ffb460-31b3-4e4c-8fbc-f948099ce16c/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.