112 of your 194 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.
Upstream (GitHub) caused delay on this scan — not Repobility.
  • GitHub API rate-limited (HTTP 403) — preflight skipped, fell back to direct git clone.
  • Clone from GitHub took 102.95s for a 115.3 MB repo (slow).
  • Repobility's analysis ran in 29.69s after the clone landed.

zts212653/clowder-ai

https://github.com/zts212653/clowder-ai · scanned 2026-06-05 19:55 UTC (4 days, 14 hours ago) · 10 languages

1462 raw signals (174 security + 1288 graph) · 11/13 scanners ran · 68th percentile · TypeScript · huge (>500K LoC) · System graph score 59 (higher by 28)


Complete repo analysis

Last scanned 4 days, 14 hours ago · v2 · 712 actionable findings from 2 signal sources. 106 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown · 2026-05-18-v5
Component              Sub-score   Weight   Contribution
structure_score             60.0     0.15           9.00
security_score             100.0     0.25          25.00
testing_score               95.0     0.20          19.00
documentation_score        100.0     0.15          15.00
practices_score             84.0     0.15          12.60
code_quality                69.0     0.10           6.90
Overall                              1.00          87.5
security_score may be inflated — optional security scanners were skipped on this fast scan
Active filters: excluding tests
Scan summary: Quality grade A- (88/100). Dimensions: security 100, maintainability 60. 174 findings (47 security). 834,114 lines analyzed.

Showing 368 of 712 actionable findings. 818 raw detector signals were grouped into reader-sized issues.

critical Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk.
Review and fix per the pattern semantics. See CWE-95 for context. Check first whether these are JavaScript eval() calls or the Redis client's eval() method: all three hits are in Redis store modules, and a client `.eval()` there normally sends the Redis EVAL command (a server-side Lua script), which is not JavaScript code injection. It still warrants review if the script body or its keys and arguments are assembled from untrusted input.
3 files, 3 locations
packages/api/src/domains/cats/services/runtime-session/RedisRuntimeSessionStore.ts:105
packages/api/src/domains/cats/services/stores/redis/RedisCommunityIssueStore.ts:96
packages/api/src/domains/cats/services/stores/redis/RedisPendingRequestStore.ts:116
low Security checks quality Quality conf 1.00 ✓ Repobility [MINED012] Curl Pipe Bash: curl ... | sh / bash — runs unverified network code.
Review and fix per the pattern semantics. See CWE-494 / A08:2021 for context.
packages/api/src/utils/cli-resolve.ts:172
high Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState — React skips re-render on mutated reference.
Review and fix per the pattern semantics. The rule cites CWE-682 (Incorrect Calculation), which is a poor fit for this pattern; the real concern is passing a mutated, same-reference array to setState so React skips the re-render. Note that all three hits are under packages/api, server-side code rather than React components, so confirm these are really React state updates before treating this as a high-severity issue.
3 files, 3 locations
packages/api/src/domains/cats/services/agents/providers/catagent/catagent-stream-parser.ts:120
packages/api/src/domains/health/ActivityTracker.ts:172
packages/api/src/infrastructure/websocket/BroadcastRateMonitor.ts:168
high Security checks quality Quality conf 1.00 ✓ Repobility 2 occurrences [MINED108] `self._model_paths` used but never assigned in __init__: Method `_ensure_loaded` of class `PiperAdapter` reads `self._model_paths`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._model_paths = <default>` in __init__, or add a class-level default.
scripts/services/tts-api.py:311, 323 (2 hits)
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /v1/audio/speech has no auth: Handler `synthesize_endpoint` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
scripts/services/tts-api.py:481
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /v1/audio/transcriptions has no auth: Handler `transcribe` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
scripts/services/qwen3-asr-api.py:96
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /v1/audio/transcriptions has no auth: Handler `transcribe` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
scripts/services/whisper-api.py:82
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /v1/embeddings has no auth: Handler `create_embeddings` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
scripts/services/embed-api.py:128
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /v1/text/refine has no auth: Handler `refine` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
scripts/services/llm-postprocess-api.py:141
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express DELETE /api/threads/:id has no auth: Express route DELETE /api/threads/:id declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.delete('/api/threads/:id', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
packages/api/src/routes/threads.ts:538
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express PATCH /api/config has no auth: Express route PATCH /api/config declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.patch('/api/config', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
packages/api/src/routes/config.ts:162
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express PATCH /api/config/co-creator has no auth: Express route PATCH /api/config/co-creator declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.patch('/api/config/co-creator', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
packages/api/src/routes/config.ts:260
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express PATCH /api/config/env has no auth: Express route PATCH /api/config/env declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.patch('/api/config/env', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
packages/api/src/routes/config.ts:294
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express PATCH /api/config/owner has no auth: Express route PATCH /api/config/owner declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.patch('/api/config/owner', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
packages/api/src/routes/config.ts:263
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express PATCH /api/threads/:id has no auth: Express route PATCH /api/threads/:id declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.patch('/api/threads/:id', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
packages/api/src/routes/threads.ts:461
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /api/backlog/import-active-features has no auth: Express route POST /api/backlog/import-active-features declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/api/backlog/import-active-features', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
packages/api/src/routes/backlog.ts:327
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /api/backlog/items has no auth: Express route POST /api/backlog/items declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/api/backlog/items', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
packages/api/src/routes/backlog.ts:301
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /api/callbacks/get-available-guides has no auth: Express route POST /api/callbacks/get-available-guides declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/api/callbacks/get-available-guides', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
packages/api/src/routes/callback-guide-routes.ts:161
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /api/callbacks/guide-control has no auth: Express route POST /api/callbacks/guide-control declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/api/callbacks/guide-control', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
packages/api/src/routes/callback-guide-routes.ts:188
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /api/callbacks/guide-resolve has no auth: Express route POST /api/callbacks/guide-resolve declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/api/callbacks/guide-resolve', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
packages/api/src/routes/callback-guide-routes.ts:164
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /api/callbacks/start-guide has no auth: Express route POST /api/callbacks/start-guide declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/api/callbacks/start-guide', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
packages/api/src/routes/callback-guide-routes.ts:136
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /api/callbacks/update-guide-state has no auth: Express route POST /api/callbacks/update-guide-state declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/api/callbacks/update-guide-state', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
packages/api/src/routes/callback-guide-routes.ts:101
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /api/cats has no auth: Express route POST /api/cats declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/api/cats', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
packages/api/src/routes/cats.ts:479
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /api/memory/publish has no auth: Express route POST /api/memory/publish declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/api/memory/publish', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
packages/api/src/routes/memory-publish.ts:34
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /api/projects/mkdir has no auth: Express route POST /api/projects/mkdir declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/api/projects/mkdir', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
packages/api/src/routes/projects-mkdir.ts:17
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /api/sessions/seal has no auth: Express route POST /api/sessions/seal declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/api/sessions/seal', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
packages/api/src/routes/session-hooks.ts:81
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /api/sessions/sop-bookmark has no auth: Express route POST /api/sessions/sop-bookmark declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/api/sessions/sop-bookmark', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
packages/api/src/routes/session-hooks.ts:267
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /api/task-outcome/a1 has no auth: Express route POST /api/task-outcome/a1 declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/api/task-outcome/a1', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
packages/api/src/routes/task-outcome.ts:89
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /api/task-outcome/cancel has no auth: Express route POST /api/task-outcome/cancel declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/api/task-outcome/cancel', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
packages/api/src/routes/task-outcome.ts:69
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /api/task-outcome/magic-word has no auth: Express route POST /api/task-outcome/magic-word declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/api/task-outcome/magic-word', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
packages/api/src/routes/task-outcome.ts:79
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /api/task-outcome/terminal-state has no auth: Express route POST /api/task-outcome/terminal-state declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/api/task-outcome/terminal-state', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
packages/api/src/routes/task-outcome.ts:99
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /api/threads has no auth: Express route POST /api/threads declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/api/threads', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
packages/api/src/routes/threads.ts:253
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /api/threads/read/mark-all has no auth: Express route POST /api/threads/read/mark-all declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/api/threads/read/mark-all', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
packages/api/src/routes/threads.ts:683
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express PUT /api/config/default-cat has no auth: Express route PUT /api/config/default-cat declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.put('/api/config/default-cat', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
packages/api/src/routes/config.ts:419
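The MINED113 findings above (and the MINED112 FastAPI ones, which are the same class of defect) all come down to one missing link in the handler chain. The following is an added example, not code from the clowder-ai project: a `requireAuth` bearer-token middleware written against minimal stand-ins for Express's request/response types (so it runs without the express package), plus an `auditRoutes` check that does at startup what the scanner does after the fact. The token value, the `auditRoutes` and `dispatch` helpers, and the three-entry route table are all assumptions constructed for the example.

```typescript
import { timingSafeEqual } from "crypto";

// Minimal stand-ins for Express's Request/Response/NextFunction types so the
// example runs without the express package; the shapes match what a real
// middleware sees.
interface Req { method: string; path: string; headers: Record<string, string | undefined>; }
interface Res { statusCode: number; body?: unknown; status(code: number): Res; json(body: unknown): Res; }
type Next = () => void;
type Handler = (req: Req, res: Res, next: Next) => void;

// Constructed token for the example; a real service loads it from its secret store.
const API_TOKEN = "example-token-not-a-real-secret";

// Length check first: timingSafeEqual throws on buffers of unequal length.
function constantTimeEqual(a: string, b: string): boolean {
  const ab = Buffer.from(a, "utf8");
  const bb = Buffer.from(b, "utf8");
  return ab.length === bb.length && timingSafeEqual(ab, bb);
}

// requireAuth: the middleware the MINED113 advice asks for. Anything that is
// not "Authorization: Bearer <token>" gets a 401 and next() is never called.
const requireAuth: Handler = (req, res, next) => {
  const header = req.headers["authorization"] ?? "";
  const [scheme, token] = header.split(" ");
  if (scheme !== "Bearer" || !token || !constantTimeEqual(token, API_TOKEN)) {
    res.status(401).json({ error: "unauthorized" });
    return;
  }
  next();
};

// A route table in the shape app.post(path, ...chain) produces (assumed shape).
interface Route { method: string; path: string; chain: Handler[]; }
const DESTRUCTIVE = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// auditRoutes: the same check the rule performs, run at boot against the live
// route table. A non-empty result should fail startup in CI.
function auditRoutes(routes: Route[], auth: Handler): string[] {
  return routes
    .filter(r => DESTRUCTIVE.has(r.method) && !r.chain.includes(auth))
    .map(r => `${r.method} ${r.path}`);
}

function makeRes(): Res {
  const res: Res = {
    statusCode: 200,
    status(code) { res.statusCode = code; return res; },
    json(body) { res.body = body; return res; },
  };
  return res;
}

// dispatch: run a route's chain against a fake request; returns the HTTP status.
function dispatch(route: Route, req: Req): number {
  const res = makeRes();
  let i = 0;
  const next: Next = () => { const h = route.chain[i++]; if (h) h(req, res, next); };
  next();
  return res.statusCode;
}

function request(method: string, path: string, authorization?: string): Req {
  return { method, path, headers: { authorization } };
}

const handler: Handler = (_req, res) => { res.status(200).json({ ok: true }); };

// Constructed routes mirroring two of the flagged paths plus a read-only one.
const configRoute: Route = { method: "PATCH", path: "/api/config", chain: [requireAuth, handler] };
const deleteThreadRoute: Route = { method: "DELETE", path: "/api/threads/:id", chain: [handler] }; // as flagged
const healthRoute: Route = { method: "GET", path: "/api/health", chain: [handler] };              // read-only
const routes: Route[] = [configRoute, deleteThreadRoute, healthRoute];
```

Mounting the middleware once with `app.use('/api', requireAuth)` ahead of the routers is the less error-prone fix; the audit then guards against a router being mounted before that line or under a different prefix.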
high Security checks software dependencies conf 0.90 ✓ Repobility [MINED122] package.json dep `eslint-plugin-cafe` pulled from URL/Git: `devDependencies.eslint-plugin-cafe` = `file:eslint-plugins` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload.
Publish the dependency to npm (or your private registry) and reference it by `^x.y.z`. If that's not possible, lock by commit SHA: `git+https://...#<full-sha>` AND verify the SHA in CI. Caveat: the specifier here is `file:eslint-plugins`, a path relative to packages/web inside this checkout, not a remote URL or git host, so the remote-compromise scenario above does not apply; the rule fires on any non-registry specifier. A local plugin is reviewed with the rest of the repo, so this is a housekeeping item rather than a supply-chain exposure unless that directory is populated by a build step from somewhere else.
packages/web/package.json:1
high Security checks security path traversal conf 0.80 [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
Resolve the final path (path.resolve(), plus fs.realpath() if symlinks are possible) and verify it is the expected base directory or starts with that directory followed by a path separator; reject absolute input and NUL bytes. (os.path.realpath() and secure_filename() are the Python equivalents; the flagged file is TypeScript.)
packages/mcp-server/src/tools/hub-action-tools.ts:73
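As an added example (not code from hub-action-tools.ts or the project), here is the SEC013 pattern beside its hardened form in TypeScript. `unsafeJoin` is the shape the rule flags; `safeJoin` resolves the user path under the base and refuses anything that lands outside it, including the two cases a naive prefix check misses: absolute input (which `path.resolve` lets override the base) and a sibling directory that shares the base's name as a prefix. The base directory `/srv/hub` is an assumption; POSIX path semantics are used so the results do not depend on the host OS.

```typescript
import * as path from "path";

// POSIX semantics so results are identical on every OS the example runs on.
const p = path.posix;

// The pattern SEC013 flags: base joined with user input, no containment check.
// "../../etc/passwd" walks straight out of base.
function unsafeJoin(base: string, userPath: string): string {
  return p.join(base, userPath);
}

// safeJoin: resolve userPath under base and return the absolute result, or
// null when it would land outside base.
function safeJoin(base: string, userPath: string): string | null {
  if (userPath.includes("\0")) return null;   // NUL would truncate the path in libc
  if (p.isAbsolute(userPath)) return null;    // resolve(base, "/etc/passwd") discards base
  const root = p.resolve(base);
  const target = p.resolve(root, userPath);   // collapses "..", "." and doubled slashes
  if (target === root) return target;
  // The separator matters: "/srv/hub-old/x" starts with "/srv/hub" but is outside it.
  return target.startsWith(root + p.sep) ? target : null;
}
```

If the base or anything under it can contain symlinks, apply `fs.realpath` to both the base and the resolved target before the prefix comparison; the string check alone cannot see a link that points elsewhere.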
high Security checks software Resource exhaustion conf 1.00 [SEC035] Unbounded Resource Allocation — DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. Attackers send `size=10000000` to exhaust memory, or trigger expensive computation. CWE-770/400. Examples: CVE-2023-44487 (HTTP/2 Rapid Reset), countless YAML/XML billion-laughs variants.
Cap user-controlled sizes BEFORE allocation: size = min(int(request.args.get('n', 100)), MAX_SIZE). Set framework-level limits: Flask: app.config['MAX_CONTENT_LENGTH'] = 10 * 1024 * 1024; FastAPI: use middleware to enforce request size; Django: DATA_UPLOAD_MAX_MEMORY_SIZE in settings.py; Express (the stack of the flagged file): express.json({ limit: '1mb' }) …
packages/api/src/domains/cats/services/agents/providers/antigravity/antigravity-cascade-health.ts:140
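The `min(int(x), MAX)` advice above hides a detail that matters in JavaScript: `Number("1e9")`, `Number("0x10")` and `parseInt("12abc")` all produce a number from input that should have been rejected, and `Number("Infinity")` sails through a `Math.min`. This added example (not code from antigravity-cascade-health.ts or the project) shows a bound-then-use parser that accepts only a short run of decimal digits and clamps to a caller-supplied ceiling; the default and maximum values in the tests are assumptions.

```typescript
// parseBoundedSize: turn an untrusted query/body value into an integer in
// [0, max]. Anything that is not a plain decimal of at most 9 digits falls
// back to dflt, so exponent notation, hex, signs, floats, whitespace padding
// and trailing garbage never reach the allocation.
function parseBoundedSize(raw: unknown, dflt: number, max: number): number {
  const fallback = Math.min(dflt, max);
  if (raw === undefined || raw === null) return fallback;
  const s = typeof raw === "number" ? String(raw) : typeof raw === "string" ? raw : "";
  if (!/^\d{1,9}$/.test(s)) return fallback;
  return Math.min(Number(s), max);
}

// allocateBounded: the call site pattern SEC035 wants, with the cap applied
// before the buffer exists rather than after.
function allocateBounded(raw: unknown, maxBytes: number): Buffer {
  const n = parseBoundedSize(raw, 1024, maxBytes);
  return Buffer.alloc(n);
}
```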
high Security checks security auth conf 0.78 Consent is collected in UI without visible backend audit persistence
Persist consent as a backend record with subject, actor, purpose, scope, legal text version, timestamp, IP address, user agent, and revocation state.
packages/api/src/routes/connector-hub.ts:720
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 21 occurrences GitHub Action is tag-pinned rather than SHA-pinned
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lo…
4 files, 21 locations
.github/workflows/build-windows-desktop.yml:41, 59, 95, 103 (7 hits)
.github/workflows/ci.yml:28, 30, 41, 43, 56, 58, 70 (7 hits)
.github/workflows/build-mac-dmg.yml:58, 76, 100 (5 hits)
.github/workflows/windows-smoke.yml:28, 30 (2 hits)
Tags: CI/CD security · Supply chain · GitHub Actions
medium Security checks cicd CI/CD security conf 0.90 ✓ Repobility 10 occurrences GitHub Action is tag-pinned rather than SHA-pinned
[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + …
4 files, 10 locations
.github/workflows/build-mac-dmg.yml:74, 93 (3 hits)
.github/workflows/build-windows-desktop.yml:57, 86 (3 hits)
.github/workflows/ci.yml:29, 42, 57 (3 hits)
.github/workflows/windows-smoke.yml:29
Tags: CI/CD security · Supply chain · GitHub Actions
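Both MINED115 groups above (actions/checkout and pnpm/action-setup, 31 locations across four workflows) have the same fix, and it is easy to get wrong by hand across that many lines. This added example (not part of the project) parses the `uses:` steps out of a workflow, reports any ref that is not a 40-hex-digit commit SHA, and rewrites the mutable ones from a tag-to-SHA map, keeping the tag as a trailing comment so Dependabot or Renovate can still bump the pin. The workflow text and every SHA in it are constructed placeholders, not the repository's real workflows or real commits; resolving a tag to its SHA is done out of band (for example with `git ls-remote`) and passed in as the map.

```typescript
// Constructed workflow snippet standing in for .github/workflows/ci.yml.
// The 40-hex SHA on setup-node is a placeholder, not a real commit.
const WORKFLOW = `
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
        with:
          version: 9
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.3
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.20
`;

const USES_RE = /^(\s*-?\s*uses:\s*)([^\s#]+)(.*)$/;
const SHA40 = /^[0-9a-f]{40}$/;

interface UsesRef { line: number; action: string; ref: string | null; pinned: boolean; }

// parseUses: every `uses:` step with a GitHub ref, and whether that ref is a
// full commit SHA. Local (./) and docker:// actions have no ref to pin.
function parseUses(yaml: string): UsesRef[] {
  const out: UsesRef[] = [];
  yaml.split("\n").forEach((text, idx) => {
    const m = USES_RE.exec(text);
    if (!m) return;
    const spec = m[2] ?? "";
    if (spec.startsWith("./") || spec.startsWith("docker://")) return;
    const at = spec.lastIndexOf("@");
    const action = at === -1 ? spec : spec.slice(0, at);
    const ref = at === -1 ? null : spec.slice(at + 1);
    out.push({ line: idx + 1, action, ref, pinned: ref !== null && SHA40.test(ref) });
  });
  return out;
}

// unpinned: the list MINED115 would print for this workflow.
function unpinned(yaml: string): string[] {
  return parseUses(yaml).filter(u => !u.pinned).map(u => `${u.action}@${u.ref ?? "<none>"}`);
}

// pinWorkflow: rewrite mutable refs to the SHA from `resolved` (keyed
// "owner/repo@tag"), appending the tag as a comment. Refs with no entry are
// left untouched rather than guessed.
function pinWorkflow(yaml: string, resolved: Record<string, string>): string {
  return yaml.split("\n").map(text => {
    const m = USES_RE.exec(text);
    if (!m) return text;
    const prefix = m[1] ?? "", spec = m[2] ?? "", rest = m[3] ?? "";
    const at = spec.lastIndexOf("@");
    if (at === -1) return text;
    const action = spec.slice(0, at), ref = spec.slice(at + 1);
    if (SHA40.test(ref)) return text;
    const sha = resolved[`${action}@${ref}`];
    if (!sha || !SHA40.test(sha)) return text;
    return `${prefix}${action}@${sha} # ${ref}${rest}`;
  }).join("\n");
}

// Constructed tag-to-SHA map; real values come from `git ls-remote` or the
// GitHub API at the time of pinning.
const RESOLVED: Record<string, string> = {
  "actions/checkout@v4": "a".repeat(40),
  "pnpm/action-setup@v4": "b".repeat(40),
};
```

A pinned SHA only helps if something refreshes it: keep the `# vN` comment so the update bot can track the tag, and run `unpinned` over every workflow in CI so a new `@v4` cannot be merged unnoticed.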
high Security checks security auth conf 0.83 3 occurrences Secret-like setting is echoed into a password input value
Never prefill secret fields with stored values. Show a masked status such as configured/not configured, require explicit rotation to replace the value, and return the raw key only once at creation time.
3 files, 3 locations
packages/web/src/components/UnifiedAuthModal.tsx:313
packages/web/src/components/WeComBotSetupPanel.tsx:124
packages/web/src/components/hub-accounts.sections.tsx:81
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/library/${encodeURIComponent(collectionId)}/documents (packages/web/src/components/memory/CollectionCatalog.tsx:53)
`packages/web/src/components/memory/CollectionCatalog.tsx:53` calls `GET /api/library/${encodeURIComponent(collectionId)}/documents` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/library/<p>/documents` If this poin…
Tags: Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/preview/discovered${query} (packages/web/src/components/first-run-quest/useFirstProjectPreviewAutoOpen.ts:98)
`packages/web/src/components/first-run-quest/useFirstProjectPreviewAutoOpen.ts:98` calls `GET /api/preview/discovered${query}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/preview/discovered/<p>` If this points at…
Tags: Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://${host}:${port}/ (packages/api/src/domains/preview/port-discovery.ts:41)
`packages/api/src/domains/preview/port-discovery.ts:41` calls `GET http://${host}:${port}/` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/<p>:/<p>` If this points at an external API, prefix it with `https://`…
Tags: Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}${path} (packages/api/test/anthropic-proxy-timeout.test.js:49)
`packages/api/test/anthropic-proxy-timeout.test.js:49` calls `GET http://127.0.0.1:${port}${path}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/<p>` If this points at an external API, prefix i…
Tags: Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/health (packages/api/test/security-boundary.test.js:161)
`packages/api/test/security-boundary.test.js:161` calls `GET http://127.0.0.1:${port}/health` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/health` If this points at an external API, prefix it …
Tags: Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://localhost:${port} (packages/api/src/domains/cats/services/bootcamp/env-check.ts:64)
`packages/api/src/domains/cats/services/bootcamp/env-check.ts:64` calls `GET http://localhost:${port}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/localhost:/<p>` If this points at an external API, prefix i…
Tags: Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://open.feishu.cn/open-apis/bot/v3/info (packages/api/src/infrastructure/connectors/connector-gateway-bootstrap.ts:444)
`packages/api/src/infrastructure/connectors/connector-gateway-bootstrap.ts:444` calls `GET https://open.feishu.cn/open-apis/bot/v3/info` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/open.feishu.cn/open-apis…
Tags: Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/library/${collectionId}/rebuild (packages/web/src/components/memory/CreateCollectionDialog.tsx:78)
`packages/web/src/components/memory/CreateCollectionDialog.tsx:78` calls `POST /api/library/${collectionId}/rebuild` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/library/<p>/rebuild` If this points at an external …
Tags: Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/library/${encodeURIComponent(id)}/archive (packages/web/src/components/memory/CollectionCatalog.tsx:124)
`packages/web/src/components/memory/CollectionCatalog.tsx:124` calls `POST /api/library/${encodeURIComponent(id)}/archive` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/library/<p>/archive` If this points at an ext…
Tags: Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/library/${encodeURIComponent(id)}/rebuild (packages/web/src/components/memory/CollectionCatalog.tsx:150)
`packages/web/src/components/memory/CollectionCatalog.tsx:150` calls `POST /api/library/${encodeURIComponent(id)}/rebuild` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/library/<p>/rebuild` If this points at an ext…
Tags: Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/library/${encodeURIComponent(id)}/unarchive (packages/web/src/components/memory/CollectionCatalog.tsx:137)
`packages/web/src/components/memory/CollectionCatalog.tsx:137` calls `POST /api/library/${encodeURIComponent(id)}/unarchive` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/library/<p>/unarchive` If this points at an…
Tags: Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/preview/auto-open (packages/web/src/components/first-run-quest/useFirstProjectPreviewAutoOpen.ts:107)
`packages/web/src/components/first-run-quest/useFirstProjectPreviewAutoOpen.ts:107` calls `POST /api/preview/auto-open` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/preview/auto-open` If this points at an external…
Tags: Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${proxy.port}/sponsor/v1/messages (packages/api/test/anthropic-proxy-timeout.test.js:216)
`packages/api/test/anthropic-proxy-timeout.test.js:216` calls `POST http://127.0.0.1:${proxy.port}/sponsor/v1/messages` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/sponsor/v1/messages` If thi…
Tags: Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${proxy.port}/sponsor/v1/messages (packages/api/test/anthropic-proxy-timeout.test.js:245)
`packages/api/test/anthropic-proxy-timeout.test.js:245` calls `POST http://127.0.0.1:${proxy.port}/sponsor/v1/messages` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/sponsor/v1/messages` If thi…
Tags: Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${proxyPort}/hung-upstream/v1/messages (packages/api/test/anthropic-proxy-timeout.test.js:120)
`packages/api/test/anthropic-proxy-timeout.test.js:120` calls `POST http://127.0.0.1:${proxyPort}/hung-upstream/v1/messages` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/hung-upstream/v1/messa…
Tags: Dangling fetch, Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${proxyPort}/slow-upstream/v1/messages (packages/api/test/anthropic-proxy-timeout.test.js:177)
`packages/api/test/anthropic-proxy-timeout.test.js:177` calls `POST http://127.0.0.1:${proxyPort}/slow-upstream/v1/messages` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/slow-upstream/v1/messa…
Tags: Dangling fetch, Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST https://api.anthropic.com/v1/messages (packages/api/src/domains/cats/services/game/LlmAIProvider.ts:90)
`packages/api/src/domains/cats/services/game/LlmAIProvider.ts:90` calls `POST https://api.anthropic.com/v1/messages` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.anthropic.com/v1/messages` If this point…
Tags: Dangling fetch, Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST https://api.moonshot.ai/v1/chat/completions (packages/api/src/domains/cats/services/game/LlmAIProvider.ts:171)
`packages/api/src/domains/cats/services/game/LlmAIProvider.ts:171` calls `POST https://api.moonshot.ai/v1/chat/completions` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.moonshot.ai/v1/chat/completions` …
Tags: Dangling fetch, Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST https://api.openai.com/v1/chat/completions (packages/api/src/domains/cats/services/game/LlmAIProvider.ts:118)
`packages/api/src/domains/cats/services/game/LlmAIProvider.ts:118` calls `POST https://api.openai.com/v1/chat/completions` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.openai.com/v1/chat/completions` If…
Tags: Dangling fetch, Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST https://generativelanguage.googleapis.com/v1beta/models/${this.model}:generateContent?key=${apiKey} (packages/api/src/domains/cats/services/game/LlmAIProvider.ts:145)
`packages/api/src/domains/cats/services/game/LlmAIProvider.ts:145` calls `POST https://generativelanguage.googleapis.com/v1beta/models/${this.model}:generateContent?key=${apiKey}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for …
Tags: Dangling fetch, Fetch
high System graph security auth conf 1.00 FastAPI POST `create_embeddings` without auth dependency — scripts/services/embed-api.py:127
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
scripts/services/embed-api.py:127 · Tags: security, Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `refine` without auth dependency — scripts/services/llm-postprocess-api.py:140
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
scripts/services/llm-postprocess-api.py:140 · Tags: security, Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `synthesize_endpoint` without auth dependency — scripts/services/tts-api.py:480
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
scripts/services/tts-api.py:480 · Tags: security, Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `transcribe` without auth dependency — scripts/services/qwen3-asr-api.py:95
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
scripts/services/qwen3-asr-api.py:95 · Tags: security, Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `transcribe` without auth dependency — scripts/services/whisper-api.py:81
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
scripts/services/whisper-api.py:81 · Tags: security, Auth fastapi unauth mutation
high System graph security security conf 1.00 Insecure pattern 'eval_used' in packages/api/src/domains/cats/services/agents/invocation/RedisAuthInvocationBackend.ts:200
Found a known-risky pattern (eval_used). Review and replace if possible.
packages/api/src/domains/cats/services/agents/invocation/RedisAuthInvocationBackend.ts:200 · Tags: Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in packages/api/src/domains/cats/services/stores/redis/RedisBacklogStore.ts:693
Found a known-risky pattern (eval_used). Review and replace if possible.
packages/api/src/domains/cats/services/stores/redis/RedisBacklogStore.ts:693 · Tags: Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in packages/api/src/domains/cats/services/stores/redis/RedisCommunityIssueStore.ts:96
Found a known-risky pattern (eval_used). Review and replace if possible.
packages/api/src/domains/cats/services/stores/redis/RedisCommunityIssueStore.ts:96 · Tags: Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in packages/api/src/domains/cats/services/stores/redis/RedisPendingRequestStore.ts:116
Found a known-risky pattern (eval_used). Review and replace if possible.
packages/api/src/domains/cats/services/stores/redis/RedisPendingRequestStore.ts:116 · Tags: Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in packages/api/src/domains/cats/services/stores/redis/RedisProposalStore.ts:133
Found a known-risky pattern (eval_used). Review and replace if possible.
packages/api/src/domains/cats/services/stores/redis/RedisProposalStore.ts:133 · Tags: Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in packages/api/src/domains/cats/services/stores/redis/RedisTaskStore.ts:166
Found a known-risky pattern (eval_used). Review and replace if possible.
packages/api/src/domains/cats/services/stores/redis/RedisTaskStore.ts:166 · Tags: Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in packages/api/src/domains/cats/services/stores/redis/RedisThreadStore.ts:347
Found a known-risky pattern (eval_used). Review and replace if possible.
packages/api/src/domains/cats/services/stores/redis/RedisThreadStore.ts:347 · Tags: Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in packages/api/src/domains/cats/services/stores/redis/RedisWorkflowSopStore.ts:133
Found a known-risky pattern (eval_used). Review and replace if possible.
packages/api/src/domains/cats/services/stores/redis/RedisWorkflowSopStore.ts:133 · Tags: Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in packages/api/src/infrastructure/connectors/RedisConnectorThreadBindingStore.ts:106
Found a known-risky pattern (eval_used). Review and replace if possible.
packages/api/src/infrastructure/connectors/RedisConnectorThreadBindingStore.ts:106 · Tags: Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in packages/api/src/infrastructure/email/RedisPrTrackingStore.ts:73
Found a known-risky pattern (eval_used). Review and replace if possible.
packages/api/src/infrastructure/email/RedisPrTrackingStore.ts:73 · Tags: Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in packages/api/src/services/ApiInstanceLease.ts:142
Found a known-risky pattern (eval_used). Review and replace if possible.
packages/api/src/services/ApiInstanceLease.ts:142 · Tags: Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in packages/shared/src/utils/redis.ts:110
Found a known-risky pattern (eval_used). Review and replace if possible.
packages/shared/src/utils/redis.ts:110 · Tags: Eval used
high System graph security security conf 1.00 Insecure pattern 'exec_used' in packages/api/src/domains/terminal/tmux-gateway.ts:79
Found a known-risky pattern (exec_used). Review and replace if possible.
packages/api/src/domains/terminal/tmux-gateway.ts:79 · Tags: Exec used
low Security checks quality Error handling conf 1.00 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.
scripts/services/whisper-api.py:143
medium Security checks quality Error handling conf 1.00 3 occurrences [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
3 files, 3 locations
packages/api/src/domains/cats/services/agents/providers/acp/AcpProcessPool.ts:195
packages/api/src/domains/cats/services/agents/providers/antigravity/executors/McpToolExecutor.ts:207
packages/api/src/domains/cats/services/game/GameNarratorDriver.ts:70
medium Security checks software dependencies conf 0.90 ✓ Repobility [MINED124] requirements.txt: `3. 状态栏在 kickoff 时默认 `[ ]`,完成后在 quality-gate 阶段改为 `[x]`。` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
Replace `3. 状态栏在 kickoff 时默认 `[ ]`,完成后在 quality-gate 阶段改为 `[x]`。` with `3. 状态栏在 kickoff 时默认 `[ ]`,完成后在 quality-gate 阶段改为 `[x]`。==<version>` and manage upgrades through PRs / Dependabot.
cat-cafe-skills/refs/requirements-checklist-template.md:31
medium Security checks software dependencies conf 0.90 ✓ Repobility 8 occurrences [MINED124] requirements.txt: `> 用途:在 kickoff/spec 阶段把需求点结构化,避免 AC 漏项。` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
Replace `> 用途:在 kickoff/spec 阶段把需求点结构化,避免 AC 漏项。` with `> 用途:在 kickoff/spec 阶段把需求点结构化,避免 AC 漏项。==<version>` and manage upgrades through PRs / Dependabot.
lines 3, 15, 16, 17, 18, 19, 29, 30
cat-cafe-skills/refs/requirements-checklist-template.md:3, 15, 16, 17, 18, 19, 29, 30 (8 hits)
medium Security checks software dependencies conf 0.90 ✓ Repobility [MINED124] requirements.txt: ````` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
Replace ````` with ````==<version>` and manage upgrades through PRs / Dependabot.
cat-cafe-skills/refs/requirements-checklist-template.md:25
medium Security checks software dependencies conf 0.90 ✓ Repobility [MINED124] requirements.txt: ````markdown` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
Replace ````markdown` with ````markdown==<version>` and manage upgrades through PRs / Dependabot.
cat-cafe-skills/refs/requirements-checklist-template.md:12
low Security checks security Injection conf 0.50 [SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.
Use subprocess with shell=False and a list of args. Never eval user input.
packages/mcp-server/src/tools/shell-tools.ts:204
medium Security checks quality Quality conf 1.00 [SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0).
Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser).
packages/api/src/routes/callback-bootcamp-routes.ts:236
medium Security checks quality Quality conf 1.00 [SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0).
Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser).
packages/api/src/infrastructure/connectors/adapters/weixin-cdn.ts:220
medium Security checks quality Quality conf 0.73 3 occurrences Codex session log reader may expose prompts or tool-call content
Parse only usage metadata by default. Redact prompts, tool arguments, file paths, and message content before storage, telemetry, export, screenshots, or support bundles.
3 files, 3 locations
desktop/service-manager.js:186
packages/api/src/domains/cats/services/agents/providers/JobEventConsumer.ts:6
packages/api/src/domains/cats/services/agents/providers/codex-session-context-snapshot.ts:2
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — packages/web/src/components/MermaidDiagram.tsx:78
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Tags: Fq dangerous html
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/api/src/domains/cats/services/agents/invocation/IAuthInvocationBackend.ts:45
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/api/src/domains/cats/services/agents/invocation/InvocationRegistry.ts:175
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/api/src/domains/cats/services/agents/providers/antigravity/AntigravityBridge.ts:942
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/api/src/domains/cats/services/game/LlmAIProvider.ts:90
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/api/src/domains/cats/services/session/HandoffDigestGenerator.ts:5
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/api/src/domains/cats/services/session/SessionBootstrap.ts:135
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/api/src/domains/signals/fetchers/api-fetcher.ts:141
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/api/src/domains/signals/fetchers/types.ts:31
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/api/src/domains/signals/fetchers/webpage-fetcher.ts:170
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/api/src/infrastructure/connectors/connector-gateway-bootstrap.ts:467
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/api/src/infrastructure/harness-eval/telemetry-adapter.ts:122
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/api/src/routes/audio-proxy.ts:29
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/api/test/api-fetcher.test.js:59
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/api/test/backlog-doc-import.test.js:343
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/api/test/domains/preview/gateway-injection.test.js:52
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/api/test/rss-fetcher.test.js:49
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/api/test/scheduler/review-feedback-spec.test.js:789
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/api/test/signal-fetch-scheduler.test.js:92
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/api/test/signal-source-processor.test.js:74
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/api/test/webpage-fetcher-content.test.js:43
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/api/test/webpage-fetcher-secondary.test.js:84
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/api/test/webpage-fetcher.test.js:60
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/mcp-server/src/tools/audio-tools.ts:15
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/mcp-server/src/tools/library-lifecycle-tools.ts:146
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/mcp-server/src/tools/signal-study-tools.ts:18
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/mcp-server/src/tools/signals-tools.ts:31
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/mcp-server/test/callback-tools.test.js:5
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/mcp-server/test/refresh-loop.test.js:94
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/web/src/components/__tests__/chat-input-game-send-guard.test.ts:29
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/web/src/components/first-run-quest/useFirstProjectPreviewAutoOpen.ts:98
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/web/src/components/Lightbox.tsx:7
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/web/src/components/memory/CollectionGraph.tsx:174
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/web/src/hooks/__tests__/processThreadSeq.test.ts:177
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/web/src/hooks/useVoiceInput.ts:65
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/web/src/stores/__tests__/chatStore-catchup-ack.test.ts:9
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/web/src/utils/api-client.ts:111
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph frontend Frontend quality conf 1.00 Custom React Flow node registered without explicit width/height — packages/api/test/harness-eval/eval-capability-wakeup-evidence.test.js:65
When you register a custom node type via `nodeTypes`, the RFNode object you build must include `width` and `height` props. Without them, MiniMap renders ZERO mini-nodes for that type and `fitView` underestimates the bounds (cuts off lane labels, etc.). Add `width: …, height: …` to the node object. …
Tags: Fq rfnode no dims
medium System graph frontend Frontend quality conf 1.00 Custom React Flow node registered without explicit width/height — packages/web/src/components/audit/__tests__/AuditEventsTab.test.ts:19
When you register a custom node type via `nodeTypes`, the RFNode object you build must include `width` and `height` props. Without them, MiniMap renders ZERO mini-nodes for that type and `fitView` underestimates the bounds (cuts off lane labels, etc.). Add `width: …, height: …` to the node object. …
Tags: Fq rfnode no dims
medium System graph cicd CI/CD security conf 1.00 3 occurrences GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
3 files, 3 locations
.github/workflows/build-mac-dmg.yml
.github/workflows/build-windows-desktop.yml
.github/workflows/release-desktop.yml
Tags: CI/CD security, Supply chain, Github actions
medium System graph security security conf 1.00 Insecure pattern 'dangerous_innerhtml' in packages/web/src/components/MermaidDiagram.tsx:78
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
packages/web/src/components/MermaidDiagram.tsx:78 · Tags: Dangerous innerhtml
medium System graph network Security conf 1.00 Privileged port 23 in use
Port 23 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
cat-cafe-skills/hyperfocus-brake/state.sh · Tags: Ports
low Security checks quality Quality conf 0.60 26 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
12 files, 18 locations
packages/api/src/domains/cats/services/agents/providers/OpenCodeAgentService.ts:131, 193, 260 (3 hits)
packages/api/src/domains/cats/services/agents/providers/DareAgentService.ts:113, 174 (2 hits)
packages/api/src/domains/cats/services/runtime-session/RuntimeSessionMetadata.ts:256, 258 (2 hits)
packages/api/src/domains/memory/FlatScanner.ts:5, 133 (2 hits)
packages/api/src/domains/memory/GenericRepoScanner.ts:5, 6 (2 hits)
packages/api/src/config/governance/skills-state.ts:67
packages/api/src/domains/cats/services/agents/providers/CodexAgentService.ts:499
packages/api/src/domains/cats/services/agents/providers/KimiAgentService.ts:108
Tags: duplication, quality
low Security checks quality Quality conf 0.68 Multiple AI-agent scaffold marker files are present
Keep one current agent instruction file if it helps contributors, remove stale progress/completion markers, and make sure the README, tests, and CI describe the real supported behavior.
AGENTS.md:1
low System graph quality Integrity conf 1.00 236 env vars used in code but missing from .env.example
Drift between code and config docs. The first few: `ALLOWED_WORKSPACE_DIRS`, `ALL_PROXY`, `ANTHROPIC_API_KEY`, `ANTHROPIC_BASE_URL`, `ANTHROPIC_PROXY_PORT`, `ANTHROPIC_PROXY_UPSTREAMS_PATH`, `ANTIGRAVITY_AUTO_APPROVE`, `ANTIGRAVITY_AUTO_RESUME` + 228 more. Add them (with a placeholder/comment) to .…
Tags: config drift
low System graph quality Maintenance conf 1.00 63 TODO/FIXME markers
High count of TODO/FIXME/HACK markers — track them as issues so they're not forgotten.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: desktop/preload.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/api/test/agent-pane-registry.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/api/test/antigravity-agent-service-diagnostics.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 47 occurrences File has no detected symbols (all under packages/api/test/)
Source file with no class/function declarations — possible config, dead code, or scratch file. All 47 files are test files. Test suites whose cases are callbacks passed to describe()/test()/it() register no named top-level declarations, so a symbol scan reports nothing even though the runner executes them; this is almost certainly a detector limitation rather than dead code. The check worth making is the opposite one: confirm the test runner's include pattern actually collects these files, because several are security regression tests (catagent-security-baseline, socket-room-whitelist, connector-permission-store, redis-authorization-stores, opencode-mcp-isolation) that silently stop protecting anything if they are not picked up.
47 files, 47 locations
packages/api/test/antigravity-event-transformer.test.js
packages/api/test/antigravity-ls-discovery.test.js
packages/api/test/antigravity-runtime-lifecycle.test.js
packages/api/test/antigravity-side-effect-journal.test.js
packages/api/test/antigravity-stream-error-telemetry.test.js
packages/api/test/callback-auth-reasons-contract.test.js
packages/api/test/callback-auth-telemetry-d2a.test.js
packages/api/test/catagent-security-baseline.test.js
packages/api/test/cli-diagnostics.test.js
packages/api/test/community-index-wiring.test.js
packages/api/test/connector-permission-store.test.js
packages/api/test/context-window-sizes.test.js
packages/api/test/degradation-policy.test.js
packages/api/test/delivery-status.test.js
packages/api/test/derive-pr-group.test.js
packages/api/test/event-audit-log.test.js
packages/api/test/external-project-store.redis.test.js
packages/api/test/f148-phase-b-search-threadid.test.js
packages/api/test/f148-phase-g.test.js
packages/api/test/f210-agy-profile-smoke.test.js
packages/api/test/feishu-card-formatter.test.js
packages/api/test/game-command-interceptor.test.js
packages/api/test/image-cli-bridge.test.js
packages/api/test/invocation-state-machine.test.js
packages/api/test/limb-pairing.test.js
packages/api/test/message-delivered-at.test.js
packages/api/test/messages-endpoint.test.js
packages/api/test/opencode-mcp-isolation.test.js
packages/api/test/orphan-chrome-cleaner.test.js
packages/api/test/proposal-flow.test.js
packages/api/test/public-test-import-contract.test.js
packages/api/test/public-test-script.test.js
packages/api/test/redis-authorization-stores.test.js
packages/api/test/reviewer-matcher.test.js
packages/api/test/runtime-session-store-factory.test.js
packages/api/test/session-chain-store-factory.test.js
packages/api/test/shared-state-wiring.test.js
packages/api/test/signal-deduplication.test.js
packages/api/test/socket-room-whitelist.test.js
packages/api/test/study-meta-dedup.test.js
packages/api/test/system-info.test.js
packages/api/test/tcp-probe.test.js
packages/api/test/web-digest-template.test.js
packages/api/test/werewolf-definition.test.js
packages/api/test/worklist-registry-f121.test.js
packages/api/test/workspace-git.test.js
packages/api/test/workspace-project-context.test.js
low System graph frontend Frontend quality conf 1.00 3 occurrences Icon-only button without accessible name
A `<button>` whose only child is a single glyph or symbol needs `title=` or `aria-label=` so screen readers (and tooltips on hover) work. Why: P3 in CHECKLIST.md — icon-only buttons skipped a title. Rule id: fq.button.no-label. Prefer `aria-label`: `title` can serve as an accessible name of last resort, but it is not shown to keyboard or touch users and assistive-technology support for it is inconsistent.
3 files, 3 locations
packages/web/src/components/audit/SessionEventsViewer.tsx:228
packages/web/src/components/first-run-quest/ProfileCard.tsx:179
packages/web/src/components/mission-control/DependencyGraphTab.tsx:205
low System graph quality Integrity conf 1.00 3 findings (one with 2 occurrences) Near-duplicate function bodies in scripts/services/tts-api.py
Functions with the same first-5-line body hash:
warmup: 3 places, all scripts/services/tts-api.py:warmup
model_name: 4 places, all scripts/services/tts-api.py:model_name
name: 6 places (2 occurrences, repo-level 2 hits), listed as scripts/services/tts-api.py:name ×4
This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why …
All three hashes are for same-named functions inside one file, which is the shape of several backend classes implementing one interface (a `name` attribute and a `warmup()` method per engine) rather than copy-paste. A first-5-line hash covers the decorator, signature and docstring, and those are identical by design in that pattern, so check whether the bodies actually diverge before consolidating: if they do not, a shared base class is the fix; if they do, the finding is noise.
low System graph quality Integrity conf 1.00 34 occurrences Old/deprecated-named symbols
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
This rule is a name-pattern match, not a reachability check, so read the hits in three buckets before deleting anything. Test fixtures (`cursorOld`, `nOld`, `preOld`, `patchToOld`, `thread_old`, `t_z16_old`, `cli_old`, `mid_v2`, `oci_group_legacy`, `unrelated_legacy`, `catCafeLegacy`, `disabledLegacy`, `migrateLegacy`) are, by their names, before/after or contrasting values inside assertions, which is exactly where an "old" name is correct; leave them. Compatibility paths in source (`catModePromptLegacy`, `parCatModePromptLegacy`, `migratedProjectLegacy`, `resolveLegacy`, `enabledLegacy`, `phaseWasLegacy`, `resolvedOld`, `receive_v1`) are live code; `receive_v1` alone is referenced by three test files in this list, so it is served, not dead. A legacy branch that is still served is where format-migration bugs hide, so the useful review is to confirm each still has a caller and a sunset note. `trusted_legacy` recurs across f188-library-health.ts, f188-verification-migration.ts and f188-verification-workflow.ts plus four tests, which reads like a trust-state value rather than a symbol to delete; the question for a reviewer there is whether consumers treat `trusted_legacy` the same as fully verified entries, not the name.
34 symbols, 34 locations
`catCafeLegacy` in packages/api/test/f041-integration.test.js:429
`catModePromptLegacy` in packages/api/src/domains/cats/services/agents/routing/route-serial.ts:702
`cli_old` in packages/api/test/connector-hub-route.test.js:199
`copy_offsite_backup` in packages/api/test/launchd-agent-path.test.js:41
`cursorOld` in packages/api/test/route-serial-cursor-monotonic.test.js:43
`disabledLegacy` in packages/api/test/harness-eval/eval-domain-daily.test.js:149
`enabledLegacy` in packages/api/src/infrastructure/harness-eval/domain/eval-domain-daily.ts:131
`mid_v2` in packages/api/test/wecom-agent-adapter.test.js:416
`migratedProjectLegacy` in packages/api/src/config/catalog-accounts.ts:381
`migrateLegacy` in packages/api/test/capability-orchestrator.test.js:2611
`nOld` in packages/api/test/memory/global-index-builder.test.js:253
`nOld` in packages/api/test/memory/index-builder.test.js:1809
`oci_group_legacy` in packages/api/test/dingtalk-adapter.test.js:161
`parCatModePromptLegacy` in packages/api/src/domains/cats/services/agents/routing/route-parallel.ts:407
`patchToOld` in packages/web/src/hooks/__tests__/useAgentMessages-catchup-ref-desync.test.ts:358
`phaseWasLegacy` in packages/api/src/routes/callback-bootcamp-routes.ts:131
`preOld` in packages/api/test/redis-invocation-record-store.test.js:708
`receive_v1` in packages/api/src/infrastructure/connectors/adapters/FeishuAdapter.ts:141
`receive_v1` in packages/api/src/infrastructure/connectors/connector-gateway-bootstrap.ts:546
`receive_v1` in packages/api/test/connector-gateway-bootstrap.test.js:122
`receive_v1` in packages/api/test/f088-gateway-integration.test.js:168
`receive_v1` in packages/api/test/feishu-adapter.test.js:20
`resolvedOld` in packages/api/src/routes/workspace-edit.ts:265
`resolveLegacy` in packages/api/src/domains/memory/KnowledgeResolver.ts:48
`t_z16_old` in packages/api/test/agent-router.test.js:3161
`thread_old` in packages/api/test/memory/raw-passage-semantic.test.js:52
`trusted_legacy` in packages/api/src/domains/memory/f188-library-health.ts:76
`trusted_legacy` in packages/api/src/domains/memory/f188-verification-migration.ts:9
`trusted_legacy` in packages/api/src/domains/memory/f188-verification-workflow.ts:18
`trusted_legacy` in packages/api/test/memory/f163-health-unverified.test.js:29
`trusted_legacy` in packages/api/test/memory/f188-library-health.test.js:218
`trusted_legacy` in packages/api/test/memory/f188-verification-migration.test.js:24
`trusted_legacy` in packages/api/test/memory/f188-verification-workflow.test.js:46
`unrelated_legacy` in packages/api/test/antigravity-image-publisher.test.js:529
low System graph cicd CI/CD security conf 1.00 3 occurrences package.json defines install-time lifecycle scripts
preinstall/install/postinstall/prepare scripts execute during dependency installation. Review them carefully for network calls, obfuscation, shell execution, or credential access. The finding does not say which hook each file defines, and the hooks differ in reach: preinstall, install and postinstall run on every install of the package by any consumer, while prepare runs on a bare `npm install` in the package's own checkout, when the package is installed from a git URL, and before `npm publish`. In a monorepo the usual benign cases are a root `prepare` that installs git hooks and a workspace `postinstall` that builds generated or native code, but each command still has to be read, including any script file it hands off to. In CI, `npm ci --ignore-scripts` followed by an explicit build step removes install-time execution entirely.
3 files, 3 locations
package.json
packages/finance/package.json
packages/shared/package.json
Tags: CI/CD security, Supply chain, Npm
low System graph software Dead code conf 1.00 4 occurrences Possibly dead Python function: handle_sigterm
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler. The name says this is a SIGTERM handler; such functions are registered by reference (signal.signal(signal.SIGTERM, handle_sigterm)) and invoked by the interpreter, so a call-site scan will never see a caller and this is almost certainly a false positive. What to verify instead is that each of the four services actually performs that registration, since a service without a SIGTERM handler is terminated immediately on container stop, mid-request. Four copies of the same handler in four services are also a candidate for one shared module.
4 files, 4 locations
scripts/services/embed-api.py:270
scripts/services/llm-postprocess-api.py:273
scripts/services/tts-api.py:559
scripts/services/whisper-api.py:200
low System graph frontend Frontend quality conf 1.00 30 occurrences Stray `console.log` in TS/JS
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
The rule text assumes browser code, but only one of these 30 hits is under packages/web, and it is a test of an ESLint plugin. Triage by location. The four server-side hits (packages/api/src/agent-hooks/sync-targets.ts, packages/api/src/domains/cats/services/context/SystemPromptBuilder.ts, packages/api/src/infrastructure/connectors/connector-command-helpers.ts, packages/shared/src/utils/redis.ts) are the ones to open: stdout of a long-running API process normally ends up in log aggregation, and a prompt builder or Redis helper is where prompt content or connection parameters would land if the call logs its inputs, so route those through the project's logger at an explicit level. The six CLI entry points (cat-cafe-skills/writing-skills/render-graphs.js, desktop/afterPack.js, packages/api/scripts/f163-eval.ts, packages/api/scripts/f163-tag-constitutional.ts, packages/api/src/scripts/f210-agy-profile-smoke.ts, packages/api/src/scripts/project-init.ts) write to stdout by design. The 20 test-file hits are harmless; packages/api/test/logger-console-patch.test.js, by its name, exercises console patching, so console.log is the subject under test there.
30 files, 30 locations
cat-cafe-skills/writing-skills/render-graphs.js:127
desktop/afterPack.js:24
packages/api/scripts/f163-eval.ts:24
packages/api/scripts/f163-tag-constitutional.ts:18
packages/api/src/agent-hooks/sync-targets.ts:81
packages/api/src/domains/cats/services/context/SystemPromptBuilder.ts:329
packages/api/src/infrastructure/connectors/connector-command-helpers.ts:37
packages/api/src/scripts/f210-agy-profile-smoke.ts:247
packages/api/src/scripts/project-init.ts:72
packages/api/test/acp/acp-bootstrap-cwd.test.js:121
packages/api/test/acp/acp-client-windows-spawn.test.js:94
packages/api/test/cli-spawn-win.test.js:32
packages/api/test/cli-spawn.test.js:171
packages/api/test/connector-invoke-trigger.test.js:547
packages/api/test/domains/preview/gateway-injection.test.js:32
packages/api/test/harness-eval/sop-predicate-evaluator.test.js:591
packages/api/test/infrastructure/lark-e2e-golden-chain.test.js:45
packages/api/test/infrastructure/wecom-e2e-golden-chain.test.js:64
packages/api/test/integration/multi-cat.test.js:44
packages/api/test/logger-console-patch.test.js:43
packages/api/test/memory/eval-runner.test.js:64
packages/api/test/memory/signal-noise-comparison.test.js:63
packages/api/test/preflight-race.test.js:82
packages/api/test/shared-state-preflight.test.js:148
packages/api/test/skill-mount.test.js:13
packages/api/test/system-prompt-builder.test.js:1919
packages/api/test/weixin-adapter.test.js:898
packages/api/test/workspace-security.test.js:17
packages/shared/src/utils/redis.ts:38
packages/web/eslint-plugins/no-hardcoded-colors.test.js:146
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/web/src/components/rich/__tests__/HtmlWidgetBlock.test.tsx:144
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/web/src/components/ThreadSidebar/DirectoryPickerModal.tsx:107
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/web/src/components/ThreadSidebar/ThreadSidebar.tsx:180
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/web/src/hooks/useSocket.ts:236
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph api Wiring conf 1.00 Unused endpoint, 39 occurrences. Each route below is declared in the named file but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
  • DELETE /api/threads/:id (`packages/api/src/routes/threads.ts`)
  • GET /api/backlog/items (`packages/api/src/routes/backlog.ts`)
  • GET /api/backlog/self-claim-policy (`packages/api/src/routes/backlog.ts`)
  • GET /api/capabilities (`packages/api/src/routes/capabilities.ts`)
  • GET /api/cat-templates (`packages/api/src/routes/cats.ts`)
  • GET /api/cats (`packages/api/src/routes/cats.ts`)
  • GET /api/config (`packages/api/src/routes/config.ts`)
  • GET /api/config/default-cat (`packages/api/src/routes/config.ts`)
  • GET /api/config/env-summary (`packages/api/src/routes/config.ts`)
  • GET /api/diagnostics/acp-pool (`packages/api/src/index.ts`)
  • GET /api/health (`packages/api/src/index.ts`)
  • GET /api/plugins (`packages/api/src/routes/plugin-routes.ts`)
  • GET /api/ready (`packages/api/src/index.ts`)
  • GET /api/rules (`packages/api/src/routes/rules.ts`)
  • GET /api/task-outcome/episode/:episodeId (`packages/api/src/routes/task-outcome.ts`)
  • GET /api/task-outcome/episodes/:threadId (`packages/api/src/routes/task-outcome.ts`)
  • GET /api/threads (`packages/api/src/routes/threads.ts`)
  • GET /ready (`packages/api/src/index.ts`)
  • PATCH /api/capabilities (`packages/api/src/routes/capabilities.ts`)
  • PATCH /api/config (`packages/api/src/routes/config.ts`)
  • PATCH /api/config/co-creator (`packages/api/src/routes/config.ts`)
  • PATCH /api/config/env (`packages/api/src/routes/config.ts`)
  • PATCH /api/config/owner (`packages/api/src/routes/config.ts`)
  • POST /api/backlog/import-active-features (`packages/api/src/routes/backlog.ts`)
  • POST /api/backlog/items (`packages/api/src/routes/backlog.ts`)
  • POST /api/callbacks/get-available-guides (`packages/api/src/routes/callback-guide-routes.ts`)
  • POST /api/callbacks/guide-control (`packages/api/src/routes/callback-guide-routes.ts`)
  • POST /api/callbacks/guide-resolve (`packages/api/src/routes/callback-guide-routes.ts`)
  • POST /api/callbacks/start-guide (`packages/api/src/routes/callback-guide-routes.ts`)
  • POST /api/callbacks/update-guide-state (`packages/api/src/routes/callback-guide-routes.ts`)
  • POST /api/cats (`packages/api/src/routes/cats.ts`)
  • POST /api/guide-actions/cancel (`packages/api/src/routes/guide-action-routes.ts`)
  • POST /api/guide-actions/complete (`packages/api/src/routes/guide-action-routes.ts`)
  • POST /api/guide-actions/preview (`packages/api/src/routes/guide-action-routes.ts`)
  • POST /api/guide-actions/start (`packages/api/src/routes/guide-action-routes.ts`)
  • POST /api/memory/publish (`packages/api/src/routes/memory-publish.ts`)
  • POST /api/projects/mkdir (`packages/api/src/routes/projects-mkdir.ts`)
  • POST /api/sessions/seal (`packages/api/src/routes/session-hooks.ts`)
  • POST /api/sessions/sop-bookmark (`packages/api/src/routes/session-hooks.ts`)
Unused endpoint

Showing first 300 of 368. Refine filters or use the findings page for deep search.


This page is publicly accessible at: https://repobility.com/scan/5b66fd59-9503-4ef3-990f-ff5ca22a2c7d/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/5b66fd59-9503-4ef3-990f-ff5ca22a2c7d/
