Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
239 of your 478 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 8.85s · analysis 43.23s · 121.6 MB · GitHub API rate-limit (preflight)

CopilotKit/CopilotKit

https://github.com/CopilotKit/CopilotKit · scanned 2026-06-06 00:02 UTC (4 days, 1 hour ago) · 10 languages

6546 raw signals (438 security + 6108 graph) 10/13 scanners ran 37th percentile · Typescript · huge (>500K LoC) System graph score 52 (higher by 30)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 4 days, 1 hour ago · v2 · 3044 actionable findings from 2 signal sources. 448 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON
Combined
66.2
/100
Security checks
81
133 findings
System graph
52
100.0% cov · 2911 findings
Critical
6
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 60.0 0.15 9.00
security_score 100.0 0.25 25.00
testing_score 78.0 0.20 15.60
documentation_score 95.0 0.15 14.25
practices_score 78.0 0.15 11.70
code_quality 61.0 0.10 6.10
Overall 1.00 81.6
security_score may be inflated — optional security scanners were skipped on this fast scan
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 6 High 244 Medium 213 Low 455 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 133 System graph 2911 Crowd 0 Layer: Software 62 Quality 2094 Security 89 Cicd 18 Frontend 548 Network 3 Hardware 54 Api 176
Scan summary Quality grade A- (82/100). Dimensions: security 100, maintainability 60. 438 findings (90 security). 1,142,393 lines analyzed.

Showing 916 of 3044 actionable findings. 3492 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

critical Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED035] Js New Function: new Function(...) compiles strings to functions.
Review and fix per the pattern semantics. See CWE-95 / for context.
3 files, 3 locations
examples/integrations/mcp-apps/threejs-server/src/threejs-app.tsx:152
examples/showcases/generative-ui-playground/mcp-server/src/calculator.ts:79
examples/showcases/open-mcp-client/apps/threejs-server/src/threejs-app.tsx:152
critical Security checks software dependencies conf 0.90 ✓ Repobility [MINED125] GHA script injection via github.event.pull_request.head.ref in run-step: Multi-line `run: |` block interpolates ${{ github.event.pull_request.head.ref }} into shell. PR title/body/branch/comment fields are attacker-controllable.
Capture the field into an env var first; reference $ENV_VAR in shell.
.github/workflows/publish-release.yml:698
critical Security checks security auth conf 1.00 [SEC099] JWT decoded without signature verification: JWT token is parsed without verifying its signature. The token body can be tampered with arbitrarily by an attacker.
Use jwt.decode(token, key, algorithms=[...]) without options={'verify_signature': False}. If you genuinely need to peek without verifying (rare — e.g. logging the kid before fetching the key), use jwt.get_unverified_header() instead and clearly comment.
examples/integrations/agentcore/agents/utils/auth.py:64
low Security checks cicd CI/CD security conf 0.35 ✓ Repobility 19 occurrences Workflow references repository secrets in a pull_request workflow
Fork pull_request runs do not receive normal repository secrets on GitHub Actions. Review this as a reliability/intent signal, not as direct fork-secret exfiltration. Raise severity only for pull_request_target or another trusted-context path that runs untrusted PR code with secrets.
7 files, 19 locations
.github/workflows/test_e2e-dojo.yml:298, 299, 311, 312, 313 (5 hits)
.github/workflows/showcase_validate.yml:43, 511, 686, 709 (4 hits)
.github/workflows/publish-release.yml:669, 802, 845 (3 hits)
.github/workflows/test_smoke-starter.yml:43, 77, 185 (3 hits)
.github/workflows/showcase_eval_check.yml:25, 108 (2 hits)
.github/workflows/showcase_lint_prod.yml:54
.github/workflows/social_copy-generator.yml:264
CI/CD securityworkflow secretsGitHub Actions
critical System graph security Secrets conf 1.00 Possible secret in packages/react-core/src/hooks/use-copilot-chat-headless_c.ts
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/react-core/src/hooks/use-copilot-chat-headless_c.ts:30
critical System graph security Secrets conf 1.00 Possible secret in showcase/harness/src/cli/config.ts
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
showcase/harness/src/cli/config.ts:47
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /api/probes/:id.
Add ownership, tenant, relationship, or policy checks before reading or mutating the target object.
showcase/harness/src/http/probes.ts:237
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /api/probes/:id/trigger.
Add ownership, tenant, relationship, or policy checks before reading or mutating the target object.
showcase/harness/src/http/probes.ts:293
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED020] Logging Credential Via Fstring: logger.error(f"failed for {api_key}") — secrets end up in log aggregators / sentry.
Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context.
examples/integrations/agentcore/infra-cdk/lambdas/oauth2-provider/index.py:69
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState — React skips re-render on mutated reference.
Review and fix per the pattern semantics. See CWE-682 / for context.
examples/showcases/generative-ui-playground/mcp-server/src/calculator.ts:131
high Security checks quality Quality conf 1.00 ✓ Repobility 25 occurrences [MINED108] `self.state` used but never assigned in __init__: Method `chat` of class `SharedStateReadWriteFlow` reads `self.state`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.state = <default>` in __init__, or add a class-level default.
3 files, 25 locations
showcase/integrations/crewai-crews/src/agents/subagents.py:342, 351, 355, 370, 405, 420, 429, 451, +3 more (11 hits)
showcase/integrations/crewai-crews/src/agents/shared_state_read_write.py:157, 164, 180, 185, 198, 221, 241, 244, +1 more (9 hits)
showcase/integrations/crewai-crews/src/agents/tool_rendering.py:100, 105, 118, 138, 147 (5 hits)
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST / has no auth: Handler `run_agent_endpoint` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
showcase/integrations/claude-sdk-python/src/agents/agent.py:880
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST / has no auth: Handler `run_agent` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
showcase/integrations/langroid/src/agent_server.py:74
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /a2ui-fixed-schema has no auth: Handler `a2ui_fixed_schema_endpoint` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
showcase/integrations/claude-sdk-python/src/agent_server.py:367
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /a2ui-fixed-schema has no auth: Handler `run_a2ui_fixed_schema` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
showcase/integrations/langroid/src/agent_server.py:158
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /agent-config has no auth: Handler `agent_config_endpoint` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
showcase/integrations/claude-sdk-python/src/agent_server.py:170
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /api/upload-resume has no auth: Handler `upload_resume` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
examples/showcases/deep-agents-job-search/agent/main.py:47
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /byoc-hashbrown has no auth: Handler `byoc_hashbrown_endpoint` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
showcase/integrations/claude-sdk-python/src/agent_server.py:147
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /byoc-hashbrown has no auth: Handler `run_byoc_hashbrown` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
showcase/integrations/langroid/src/agent_server.py:137
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /byoc-json-render has no auth: Handler `byoc_json_render_endpoint` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
showcase/integrations/claude-sdk-python/src/agent_server.py:136
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /byoc-json-render has no auth: Handler `run_byoc_json_render` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
showcase/integrations/langroid/src/agent_server.py:148
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /declarative-gen-ui has no auth: Handler `declarative_gen_ui_endpoint` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
showcase/integrations/claude-sdk-python/src/agent_server.py:347
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /gen-ui-agent has no auth: Handler `run_gen_ui_agent` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
showcase/integrations/langroid/src/agent_server.py:101
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /hitl-in-chat has no auth: Handler `hitl_in_chat_endpoint` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
showcase/integrations/claude-sdk-python/src/agent_server.py:304
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /interrupt-adapted has no auth: Handler `interrupt_adapted_endpoint` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
showcase/integrations/claude-sdk-python/src/agent_server.py:324
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /mcp-apps has no auth: Handler `mcp_apps_endpoint` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
showcase/integrations/claude-sdk-python/src/agent_server.py:257
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /mcp-apps has no auth: Handler `run_mcp_apps` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
showcase/integrations/langroid/src/agent_server.py:174
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /multimodal has no auth: Handler `multimodal_endpoint` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
showcase/integrations/claude-sdk-python/src/agent_server.py:158
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /multimodal has no auth: Handler `run_multimodal` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
showcase/integrations/langroid/src/agent_server.py:126
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /reasoning has no auth: Handler `reasoning_endpoint` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
showcase/integrations/claude-sdk-python/src/agent_server.py:210
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /shared-state-read-write has no auth: Handler `run_shared_state_read_write` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
showcase/integrations/langroid/src/agent_server.py:89
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /shared-state-read-write has no auth: Handler `shared_state_read_write_endpoint` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
showcase/integrations/claude-sdk-python/src/agent_server.py:185
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /subagents has no auth: Handler `run_subagents` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
showcase/integrations/langroid/src/agent_server.py:114
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /subagents has no auth: Handler `subagents_endpoint` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
showcase/integrations/claude-sdk-python/src/agent_server.py:284
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /tool-rendering-reasoning-chain has no auth: Handler `tool_rendering_reasoning_chain_endpoint` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
showcase/integrations/claude-sdk-python/src/agent_server.py:235
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST / has no auth: Express route POST / declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
showcase/integrations/claude-sdk-typescript/src/agent/index.ts:141
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST / has no auth: Express route POST / declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
showcase/integrations/claude-sdk-typescript/src/agent_server.ts:1089
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /a2ui-fixed-schema has no auth: Express route POST /a2ui-fixed-schema declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/a2ui-fixed-schema', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
showcase/integrations/claude-sdk-typescript/src/agent_server.ts:1192
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /agent-config has no auth: Express route POST /agent-config declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/agent-config', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
showcase/integrations/claude-sdk-typescript/src/agent_server.ts:1116
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /byoc-hashbrown has no auth: Express route POST /byoc-hashbrown declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/byoc-hashbrown', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
showcase/integrations/claude-sdk-typescript/src/agent_server.ts:1097
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /byoc-json-render has no auth: Express route POST /byoc-json-render declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/byoc-json-render', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
showcase/integrations/claude-sdk-typescript/src/agent_server.ts:1093
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /headless-complete has no auth: Express route POST /headless-complete declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/headless-complete', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
showcase/integrations/claude-sdk-typescript/src/agent_server.ts:1207
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /multimodal has no auth: Express route POST /multimodal declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/multimodal', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
showcase/integrations/claude-sdk-typescript/src/agent_server.ts:1103
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /reasoning has no auth: Express route POST /reasoning declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/reasoning', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
showcase/integrations/claude-sdk-typescript/src/agent_server.ts:1136
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /shared-state-read-write has no auth: Express route POST /shared-state-read-write declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/shared-state-read-write', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
showcase/integrations/claude-sdk-typescript/src/agent_server.ts:1149
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /subagents has no auth: Express route POST /subagents declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/subagents', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
showcase/integrations/claude-sdk-typescript/src/agent_server.ts:1173
high Security checks software dependencies conf 0.90 ✓ Repobility 25 occurrences [MINED118] Dockerfile FROM `ghcr.io/copilotkit/aimock:latest` not pinned by digest: `FROM ghcr.io/copilotkit/aimock:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM ghcr.io/copilotkit/aimock:latest@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
11 files, 25 locations
showcase/integrations/langgraph-fastapi/Dockerfile:2, 16, 28 (3 hits)
showcase/integrations/pydantic-ai/Dockerfile:2, 18, 30 (3 hits)
showcase/integrations/strands/Dockerfile:4, 20, 32 (3 hits)
showcase/shell-dashboard/Dockerfile:1, 45, 52 (3 hits)
showcase/eval-webhook/Dockerfile:1, 11 (2 hits)
showcase/harness/Dockerfile:1, 65 (2 hits)
showcase/pocketbase/Dockerfile:7, 34 (2 hits)
showcase/shell-docs/Dockerfile:1, 31 (2 hits)
high Security checks software dependencies conf 0.90 ✓ Repobility 3 occurrences [MINED122] package.json dep `product-knowledge-base` pulled from URL/Git: `dependencies.product-knowledge-base` = `file:` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload.
Publish the dependency to npm (or your private registry) and reference it by `^x.y.z`. If that's not possible, lock by commit SHA: `git+https://...#<full-sha>` AND verify the SHA in CI.
3 files, 3 locations
examples/v1/_legacy/copilot-openai-mongodb-atlas-vector-search/package.json:1
examples/v2/angular/demo/package.json:1
showcase/integrations/built-in-agent/package.json:1
high Security checks software dependencies conf 0.90 ✓ Repobility [MINED130] Lockfile pulls package from off-canonical host `pkg.pr.new`: `package-lock.json` resolved URL for `node_modules/@copilotkit/runtime` is `https://pkg.pr.new/CopilotKit/CopilotKit/@copilotkit/runtime@4482...` — host `pkg.pr.new` is not the canonical registry. Could be a mirror compromise, dependency confusion attack, or a forgotten private registry.
Verify the host is intentional. If your org uses a private registry, add it to your scanner's allowlist (CANONICAL_NPM_HOSTS). Otherwise, regenerate the lockfile against the canonical registry.
showcase/integrations/built-in-agent/package-lock.json:1
high Security checks software dependencies conf 0.90 ✓ Repobility [MINED134] Binary file `examples/v2/react-native/demo/android/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `examples/v2/react-native/demo/android/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (46,175 bytes) committed to a repo that otherwise has 10144 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts.
Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source.
examples/v2/react-native/demo/android/gradle/wrapper/gradle-wrapper.jar:1
high Security checks security secrets conf 1.00 [SEC018] AI-Agent Secret Retrieval Command: A command that prints or embeds credentials was committed. AI coding agents often add these commands while trying to help with setup or deployment, but they can leak live secrets through logs, shell history, CI output, or documentation.
Remove the command, use a secret manager or CI masked secret, and rotate any credential that may have been printed.
examples/integrations/ms-agent-framework-dotnet/agent/Program.cs:58
low Security checks security Injection conf 1.00 [SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.
Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders).
examples/integrations/agentcore/deploy-strands.sh:53
low Security checks security Injection conf 1.00 [SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.
Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders).
examples/integrations/agentcore/deploy-langgraph.sh:54
high Security checks cicd CI/CD security conf 0.90 2 occurrences Database service has no persistent data volume
Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing.
lines 65, 125
examples/integrations/_intelligence/docker-compose.yml:65, 125 (2 hits)
CI/CD securitycontainers
high Security checks cicd CI/CD security conf 0.84 3 occurrences Database service publishes a host port
Use `expose` for service-to-service access, bind to 127.0.0.1 for local-only access, or protect the port with firewall rules.
2 files, 3 locations
examples/integrations/_intelligence/docker-compose.yml:19, 41 (2 hits)
examples/showcases/deep-agents-finance-erp/docker-compose.yml:1
CI/CD securitycontainers
high Security checks cicd CI/CD security conf 0.92 25 occurrences Dockerfile pipes a remote script into a shell
Download the artifact, verify its checksum or signature, pin the version, and then execute it.
12 files, 12 locations
examples/integrations/adk/Dockerfile:19
examples/integrations/agno/Dockerfile:26
examples/integrations/crewai-crews/Dockerfile:19
examples/integrations/langgraph-fastapi/Dockerfile:29
examples/integrations/langgraph-python/Dockerfile:29
examples/integrations/llamaindex/Dockerfile:26
examples/integrations/ms-agent-framework-dotnet/Dockerfile:33
examples/integrations/ms-agent-framework-python/Dockerfile:23
CI/CD securitycontainers
high Security checks security auth conf 0.83 Secret-like setting is echoed into a password input value
Never prefill secret fields with stored values. Show a masked status such as configured/not configured, require explicit rotation to replace the value, and return the raw key only once at creation time.
showcase/shell-dashboard/src/components/pb-auth-prompt.tsx:100
high System graph api Wiring conf 1.00 Dangling fetch: DELETE /api/backups/${encodeURIComponent(name)} (showcase/harness/src/storage/pb-client.ts:655)
`showcase/harness/src/storage/pb-client.ts:655` calls `DELETE /api/backups/${encodeURIComponent(name)}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/backups/<p>` If this points at an external API, prefix …
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: DELETE /api/collections/${encodeURIComponent(collection)}/records/${encodeURIComponent(id)} (showcase/harness/src/storage/pb-client.ts:451)
`showcase/harness/src/storage/pb-client.ts:451` calls `DELETE /api/collections/${encodeURIComponent(collection)}/records/${encodeURIComponent(id)}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/collections…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: DELETE /api/v1/users/${id} (examples/showcases/banking/src/app/team/actions.ts:22)
`examples/showcases/banking/src/app/team/actions.ts:22` calls `DELETE /api/v1/users/${id}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/users/<p>` If this points at an external API, prefix it with `https://` so…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: DELETE /api/v1/users/${id} (examples/showcases/enterprise-brex/src/app/team/actions.ts:22)
`examples/showcases/enterprise-brex/src/app/team/actions.ts:22` calls `DELETE /api/v1/users/${id}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/users/<p>` If this points at an external API, prefix it with `http…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/backups/${encodeURIComponent(name)} (showcase/harness/src/storage/pb-client.ts:645)
`showcase/harness/src/storage/pb-client.ts:645` calls `GET /api/backups/${encodeURIComponent(name)}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/backups/<p>` If this points at an external API, prefix it …
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/probes/internal:s3-backup (showcase/harness/src/http/probes.test.ts:1465)
`showcase/harness/src/http/probes.test.ts:1465` calls `GET /api/probes/internal:s3-backup` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/internal/<p>-backup` If this points at an external API, prefi…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/probes/missing (showcase/harness/src/http/probes.test.ts:406)
`showcase/harness/src/http/probes.test.ts:406` calls `GET /api/probes/missing` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/missing` If this points at an external API, prefix it with `https://` so …
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/probes/smoke (showcase/harness/src/http/probes.test.ts:388)
`showcase/harness/src/http/probes.test.ts:388` calls `GET /api/probes/smoke` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/smoke` If this points at an external API, prefix it with `https://` so the …
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/probes/smoke (showcase/harness/src/http/probes.test.ts:632)
`showcase/harness/src/http/probes.test.ts:632` calls `GET /api/probes/smoke` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/smoke` If this points at an external API, prefix it with `https://` so the …
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/probes/smoke (showcase/harness/src/http/probes.test.ts:917)
`showcase/harness/src/http/probes.test.ts:917` calls `GET /api/probes/smoke` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/smoke` If this points at an external API, prefix it with `https://` so the …
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/servicenow/table/sys_user?email=${email} (examples/showcases/enterprise-brex/src/hooks/use-service-now.tsx:57)
`examples/showcases/enterprise-brex/src/hooks/use-service-now.tsx:57` calls `GET /api/servicenow/table/sys_user?email=${email}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/servicenow/table/sys_user` If this point…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/v1/cards (examples/showcases/banking/src/app/actions.ts:46)
`examples/showcases/banking/src/app/actions.ts:46` calls `GET /api/v1/cards` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/cards` If this points at an external API, prefix it with `https://` so the matcher skips…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/v1/cards (examples/showcases/enterprise-brex/src/app/cards/actions.ts:46)
`examples/showcases/enterprise-brex/src/app/cards/actions.ts:46` calls `GET /api/v1/cards` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/cards` If this points at an external API, prefix it with `https://` so the…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/v1/policies (examples/showcases/banking/src/app/actions.ts:59)
`examples/showcases/banking/src/app/actions.ts:59` calls `GET /api/v1/policies` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/policies` If this points at an external API, prefix it with `https://` so the matcher…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/v1/policies (examples/showcases/enterprise-brex/src/app/cards/actions.ts:59)
`examples/showcases/enterprise-brex/src/app/cards/actions.ts:59` calls `GET /api/v1/policies` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/policies` If this points at an external API, prefix it with `https://` …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/v1/transactions (examples/showcases/banking/src/app/actions.ts:72)
`examples/showcases/banking/src/app/actions.ts:72` calls `GET /api/v1/transactions` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/transactions` If this points at an external API, prefix it with `https://` so the…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/v1/transactions (examples/showcases/enterprise-brex/src/app/cards/actions.ts:72)
`examples/showcases/enterprise-brex/src/app/cards/actions.ts:72` calls `GET /api/v1/transactions` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/transactions` If this points at an external API, prefix it with `ht…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/v1/users (examples/showcases/banking/src/app/team/actions.ts:9)
`examples/showcases/banking/src/app/team/actions.ts:9` calls `GET /api/v1/users` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/users` If this points at an external API, prefix it with `https://` so the matcher s…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/v1/users (examples/showcases/enterprise-brex/src/app/team/actions.ts:9)
`examples/showcases/enterprise-brex/src/app/team/actions.ts:9` calls `GET /api/v1/users` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/users` If this points at an external API, prefix it with `https://` so the m…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /aws-exports.json (examples/integrations/agentcore/frontend/src/lib/auth.ts:38)
`examples/integrations/agentcore/frontend/src/lib/auth.ts:38` calls `GET /aws-exports.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/aws-exports.json` If this points at an external API, prefix it with `https:/…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /aws-exports.json (examples/integrations/agentcore/frontend/src/lib/runtime-config.ts:33)
`examples/integrations/agentcore/frontend/src/lib/runtime-config.ts:33` calls `GET /aws-exports.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/aws-exports.json` If this points at an external API, prefix it wit…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/api/probes (showcase/harness/src/orchestrator.test.ts:1565)
`showcase/harness/src/orchestrator.test.ts:1565` calls `GET http://127.0.0.1:${port}/api/probes` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/probes` If this points at an external API, pre…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/api/probes (showcase/harness/src/orchestrator.test.ts:1793)
`showcase/harness/src/orchestrator.test.ts:1793` calls `GET http://127.0.0.1:${port}/api/probes` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/probes` If this points at an external API, pre…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/api/probes (showcase/harness/src/orchestrator.test.ts:1825)
`showcase/harness/src/orchestrator.test.ts:1825` calls `GET http://127.0.0.1:${port}/api/probes` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/probes` If this points at an external API, pre…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/api/probes (showcase/harness/src/orchestrator.test.ts:1901)
`showcase/harness/src/orchestrator.test.ts:1901` calls `GET http://127.0.0.1:${port}/api/probes` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/probes` If this points at an external API, pre…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/api/probes (showcase/harness/src/orchestrator.test.ts:1914)
`showcase/harness/src/orchestrator.test.ts:1914` calls `GET http://127.0.0.1:${port}/api/probes` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/probes` If this points at an external API, pre…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/api/probes (showcase/harness/src/orchestrator.test.ts:3962)
`showcase/harness/src/orchestrator.test.ts:3962` calls `GET http://127.0.0.1:${port}/api/probes` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/probes` If this points at an external API, pre…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/api/probes (showcase/harness/src/orchestrator.test.ts:4105)
`showcase/harness/src/orchestrator.test.ts:4105` calls `GET http://127.0.0.1:${port}/api/probes` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/probes` If this points at an external API, pre…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/health (showcase/harness/src/orchestrator.test.ts:132)
`showcase/harness/src/orchestrator.test.ts:132` calls `GET http://127.0.0.1:${port}/health` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/health` If this points at an external API, prefix it wi…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/health (showcase/harness/src/orchestrator.test.ts:164)
`showcase/harness/src/orchestrator.test.ts:164` calls `GET http://127.0.0.1:${port}/health` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/health` If this points at an external API, prefix it wi…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/health (showcase/harness/src/orchestrator.test.ts:1670)
`showcase/harness/src/orchestrator.test.ts:1670` calls `GET http://127.0.0.1:${port}/health` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/health` If this points at an external API, prefix it w…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/health (showcase/harness/src/orchestrator.test.ts:3540)
`showcase/harness/src/orchestrator.test.ts:3540` calls `GET http://127.0.0.1:${port}/health` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/health` If this points at an external API, prefix it w…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/health (showcase/harness/src/orchestrator.test.ts:3630)
`showcase/harness/src/orchestrator.test.ts:3630` calls `GET http://127.0.0.1:${port}/health` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/health` If this points at an external API, prefix it w…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/health (showcase/harness/src/orchestrator.test.ts:3692)
`showcase/harness/src/orchestrator.test.ts:3692` calls `GET http://127.0.0.1:${port}/health` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/health` If this points at an external API, prefix it w…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/health (showcase/harness/src/orchestrator.test.ts:407)
`showcase/harness/src/orchestrator.test.ts:407` calls `GET http://127.0.0.1:${port}/health` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/health` If this points at an external API, prefix it wi…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://localhost:${port}/ (scripts/doc-tests/run.ts:77)
`scripts/doc-tests/run.ts:77` calls `GET http://localhost:${port}/` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/localhost:/<p>` If this points at an external API, prefix it with `https://` so the matcher sk…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://localhost:${port}/ (showcase/shell-dashboard/tests/runtime-env-switch.spike.test.ts:81)
`showcase/shell-dashboard/tests/runtime-env-switch.spike.test.ts:81` calls `GET http://localhost:${port}/` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/localhost:/<p>` If this points at an external API, pref…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://localhost:${port}/ (showcase/shell-dashboard/tests/runtime-env-switch.spike.test.ts:88)
`showcase/shell-dashboard/tests/runtime-env-switch.spike.test.ts:88` calls `GET http://localhost:${port}/` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/localhost:/<p>` If this points at an external API, pref…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://localhost:${port}/boom (packages/runtime/src/v2/runtime/__tests__/node-fetch-handler.test.ts:88)
`packages/runtime/src/v2/runtime/__tests__/node-fetch-handler.test.ts:88` calls `GET http://localhost:${port}/boom` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/localhost:/<p>/boom` If this points at an exte…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://localhost:${port}/custom (packages/runtime/src/v2/runtime/__tests__/node-fetch-handler.test.ts:150)
`packages/runtime/src/v2/runtime/__tests__/node-fetch-handler.test.ts:150` calls `GET http://localhost:${port}/custom` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/localhost:/<p>/custom` If this points at an…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://localhost:${port}/sse (packages/runtime/src/v2/runtime/__tests__/node-fetch-handler.test.ts:122)
`packages/runtime/src/v2/runtime/__tests__/node-fetch-handler.test.ts:122` calls `GET http://localhost:${port}/sse` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/localhost:/<p>/sse` If this points at an exter…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://localhost:${port}/test (packages/runtime/src/v2/runtime/__tests__/node-fetch-handler.test.ts:40)
`packages/runtime/src/v2/runtime/__tests__/node-fetch-handler.test.ts:40` calls `GET http://localhost:${port}/test` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/localhost:/<p>/test` If this points at an exte…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://api.test (packages/react-native/src/__tests__/streaming-fetch.test.ts:396)
`packages/react-native/src/__tests__/streaming-fetch.test.ts:396` calls `GET https://api.test` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.test` If this points at an external API, prefix it with `https…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://api.unsplash.com/search/photos?query=${encodeURIComponent( topic, )}&per_page=10&order_by=relevant&content_filter=high (examples/showcases/presentation/src/app/api/copilotkit/route.ts:43)
`examples/showcases/presentation/src/app/api/copilotkit/route.ts:43` calls `GET https://api.unsplash.com/search/photos?query=${encodeURIComponent( topic, )}&per_page=10&order_by=relevant&content_filter=high` but no backend route matches that path. This is a runtime 404 wai…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://api.unsplash.com/search/photos?query=${encodeURIComponent(topic)}&per_page=10&order_by=relevant&content_filter=high (examples/v1/next-openai/src/app/api/copilotkit/[[...slug]]/route.ts:25)
`examples/v1/next-openai/src/app/api/copilotkit/[[...slug]]/route.ts:25` calls `GET https://api.unsplash.com/search/photos?query=${encodeURIComponent(topic)}&per_page=10&order_by=relevant&content_filter=high` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fe…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://fonts.gstatic.com/s/inter/v12/UcCO3FwrK3iLTeHuS_fvQtMwCp50KnMw2boKoduKmMEVuLyfMZg.ttf (docs/app/og/[...slug]/route.tsx:9)
`docs/app/og/[...slug]/route.tsx:9` calls `GET https://fonts.gstatic.com/s/inter/v12/UcCO3FwrK3iLTeHuS_fvQtMwCp50KnMw2boKoduKmMEVuLyfMZg.ttf` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/fonts.gstatic.com/s…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/auth (examples/v2/angular/storybook/stories/CopilotChatAssistantMessage.stories.ts:141)
`examples/v2/angular/storybook/stories/CopilotChatAssistantMessage.stories.ts:141` calls `POST /api/auth` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/auth` If this points at an external API, prefix it with `https…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/auth (examples/v2/angular/storybook/stories/CopilotChatAssistantMessage.stories.ts:704)
`examples/v2/angular/storybook/stories/CopilotChatAssistantMessage.stories.ts:704` calls `POST /api/auth` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/auth` If this points at an external API, prefix it with `https…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/auth (examples/v2/react/storybook/stories/CopilotAssistantMessage.stories.tsx:319)
`examples/v2/react/storybook/stories/CopilotAssistantMessage.stories.tsx:319` calls `POST /api/auth` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/auth` If this points at an external API, prefix it with `https://` …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/auth (examples/v2/vue/storybook/stories/CopilotAssistantMessage.stories.ts:138)
`examples/v2/vue/storybook/stories/CopilotAssistantMessage.stories.ts:138` calls `POST /api/auth` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/auth` If this points at an external API, prefix it with `https://` so …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/backups (showcase/harness/src/storage/pb-client.ts:629)
`showcase/harness/src/storage/pb-client.ts:629` calls `POST /api/backups` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/backups` If this points at an external API, prefix it with `https://` so the matcher …
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/collections/${encodeURIComponent(collection)}/records (showcase/harness/src/storage/pb-client.ts:517)
`showcase/harness/src/storage/pb-client.ts:517` calls `POST /api/collections/${encodeURIComponent(collection)}/records` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/collections/<p>/records` If this points…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/crm/move (examples/showcases/strands-crm/frontend/hooks/use-crm.ts:61)
`examples/showcases/strands-crm/frontend/hooks/use-crm.ts:61` calls `POST /api/crm/move` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/crm/move` If this points at an external API, prefix it with `https://` so the m…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/mcp-introspect (examples/showcases/open-mcp-client/apps/web/app/hooks/useMcpIntrospect.ts:79)
`examples/showcases/open-mcp-client/apps/web/app/hooks/useMcpIntrospect.ts:79` calls `POST /api/mcp-introspect` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/mcp-introspect` If this points at an external API, prefi…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/probes/internal:s3-backup/trigger (showcase/harness/src/http/probes.test.ts:1442)
`showcase/harness/src/http/probes.test.ts:1442` calls `POST /api/probes/internal:s3-backup/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/internal/<p>-backup/trigger` If this points at an ex…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/probes/missing/trigger (showcase/harness/src/http/probes.test.ts:505)
`showcase/harness/src/http/probes.test.ts:505` calls `POST /api/probes/missing/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/missing/trigger` If this points at an external API, prefix it wi…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/probes/other/trigger (showcase/harness/src/http/probes.test.ts:571)
`showcase/harness/src/http/probes.test.ts:571` calls `POST /api/probes/other/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/other/trigger` If this points at an external API, prefix it with `…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/probes/smoke/trigger (showcase/harness/src/http/probes.test.ts:1010)
`showcase/harness/src/http/probes.test.ts:1010` calls `POST /api/probes/smoke/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/smoke/trigger` If this points at an external API, prefix it with …
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/probes/smoke/trigger (showcase/harness/src/http/probes.test.ts:1027)
`showcase/harness/src/http/probes.test.ts:1027` calls `POST /api/probes/smoke/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/smoke/trigger` If this points at an external API, prefix it with …
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/probes/smoke/trigger (showcase/harness/src/http/probes.test.ts:1046)
`showcase/harness/src/http/probes.test.ts:1046` calls `POST /api/probes/smoke/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/smoke/trigger` If this points at an external API, prefix it with …
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/probes/smoke/trigger (showcase/harness/src/http/probes.test.ts:1072)
`showcase/harness/src/http/probes.test.ts:1072` calls `POST /api/probes/smoke/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/smoke/trigger` If this points at an external API, prefix it with …
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/probes/smoke/trigger (showcase/harness/src/http/probes.test.ts:1085)
`showcase/harness/src/http/probes.test.ts:1085` calls `POST /api/probes/smoke/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/smoke/trigger` If this points at an external API, prefix it with …
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/probes/smoke/trigger (showcase/harness/src/http/probes.test.ts:1119)
`showcase/harness/src/http/probes.test.ts:1119` calls `POST /api/probes/smoke/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/smoke/trigger` If this points at an external API, prefix it with …
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/probes/smoke/trigger (showcase/harness/src/http/probes.test.ts:1130)
`showcase/harness/src/http/probes.test.ts:1130` calls `POST /api/probes/smoke/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/smoke/trigger` If this points at an external API, prefix it with …
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/probes/smoke/trigger (showcase/harness/src/http/probes.test.ts:1145)
`showcase/harness/src/http/probes.test.ts:1145` calls `POST /api/probes/smoke/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/smoke/trigger` If this points at an external API, prefix it with …
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/probes/smoke/trigger (showcase/harness/src/http/probes.test.ts:1184)
`showcase/harness/src/http/probes.test.ts:1184` calls `POST /api/probes/smoke/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/smoke/trigger` If this points at an external API, prefix it with …
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/probes/smoke/trigger (showcase/harness/src/http/probes.test.ts:1227)
`showcase/harness/src/http/probes.test.ts:1227` calls `POST /api/probes/smoke/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/smoke/trigger` If this points at an external API, prefix it with …
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/probes/smoke/trigger (showcase/harness/src/http/probes.test.ts:1268)
`showcase/harness/src/http/probes.test.ts:1268` calls `POST /api/probes/smoke/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/smoke/trigger` If this points at an external API, prefix it with …
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/probes/smoke/trigger (showcase/harness/src/http/probes.test.ts:1278)
`showcase/harness/src/http/probes.test.ts:1278` calls `POST /api/probes/smoke/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/smoke/trigger` If this points at an external API, prefix it with …
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/probes/smoke/trigger (showcase/harness/src/http/probes.test.ts:1329)
`showcase/harness/src/http/probes.test.ts:1329` calls `POST /api/probes/smoke/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/smoke/trigger` If this points at an external API, prefix it with …
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/probes/smoke/trigger (showcase/harness/src/http/probes.test.ts:1338)
`showcase/harness/src/http/probes.test.ts:1338` calls `POST /api/probes/smoke/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/smoke/trigger` If this points at an external API, prefix it with …
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/probes/smoke/trigger (showcase/harness/src/http/probes.test.ts:1362)
`showcase/harness/src/http/probes.test.ts:1362` calls `POST /api/probes/smoke/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/smoke/trigger` If this points at an external API, prefix it with …
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/probes/smoke/trigger (showcase/harness/src/http/probes.test.ts:1373)
`showcase/harness/src/http/probes.test.ts:1373` calls `POST /api/probes/smoke/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/smoke/trigger` If this points at an external API, prefix it with …
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/probes/smoke/trigger (showcase/harness/src/http/probes.test.ts:431)
`showcase/harness/src/http/probes.test.ts:431` calls `POST /api/probes/smoke/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/smoke/trigger` If this points at an external API, prefix it with `…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/probes/smoke/trigger (showcase/harness/src/http/probes.test.ts:439)
`showcase/harness/src/http/probes.test.ts:439` calls `POST /api/probes/smoke/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/smoke/trigger` If this points at an external API, prefix it with `…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/probes/smoke/trigger (showcase/harness/src/http/probes.test.ts:451)
`showcase/harness/src/http/probes.test.ts:451` calls `POST /api/probes/smoke/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/smoke/trigger` If this points at an external API, prefix it with `…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/probes/smoke/trigger (showcase/harness/src/http/probes.test.ts:474)
`showcase/harness/src/http/probes.test.ts:474` calls `POST /api/probes/smoke/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/smoke/trigger` If this points at an external API, prefix it with `…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/probes/smoke/trigger (showcase/harness/src/http/probes.test.ts:494)
`showcase/harness/src/http/probes.test.ts:494` calls `POST /api/probes/smoke/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/smoke/trigger` If this points at an external API, prefix it with `…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/probes/smoke/trigger (showcase/harness/src/http/probes.test.ts:520)
`showcase/harness/src/http/probes.test.ts:520` calls `POST /api/probes/smoke/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/smoke/trigger` If this points at an external API, prefix it with `…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/probes/smoke/trigger (showcase/harness/src/http/probes.test.ts:527)
`showcase/harness/src/http/probes.test.ts:527` calls `POST /api/probes/smoke/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/smoke/trigger` If this points at an external API, prefix it with `…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/probes/smoke/trigger (showcase/harness/src/http/probes.test.ts:542)
`showcase/harness/src/http/probes.test.ts:542` calls `POST /api/probes/smoke/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/smoke/trigger` If this points at an external API, prefix it with `…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/probes/smoke/trigger (showcase/harness/src/http/probes.test.ts:548)
`showcase/harness/src/http/probes.test.ts:548` calls `POST /api/probes/smoke/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/smoke/trigger` If this points at an external API, prefix it with `…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/probes/smoke/trigger (showcase/harness/src/http/probes.test.ts:566)
`showcase/harness/src/http/probes.test.ts:566` calls `POST /api/probes/smoke/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/smoke/trigger` If this points at an external API, prefix it with `…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/probes/smoke/trigger (showcase/harness/src/http/probes.test.ts:585)
`showcase/harness/src/http/probes.test.ts:585` calls `POST /api/probes/smoke/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/smoke/trigger` If this points at an external API, prefix it with `…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/probes/smoke/trigger (showcase/harness/src/http/probes.test.ts:595)
`showcase/harness/src/http/probes.test.ts:595` calls `POST /api/probes/smoke/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/smoke/trigger` If this points at an external API, prefix it with `…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/probes/smoke/trigger (showcase/harness/src/http/probes.test.ts:665)
`showcase/harness/src/http/probes.test.ts:665` calls `POST /api/probes/smoke/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/smoke/trigger` If this points at an external API, prefix it with `…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/probes/smoke/trigger (showcase/harness/src/http/probes.test.ts:680)
`showcase/harness/src/http/probes.test.ts:680` calls `POST /api/probes/smoke/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/smoke/trigger` If this points at an external API, prefix it with `…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/probes/smoke/trigger (showcase/harness/src/http/probes.test.ts:695)
`showcase/harness/src/http/probes.test.ts:695` calls `POST /api/probes/smoke/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/smoke/trigger` If this points at an external API, prefix it with `…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/probes/smoke/trigger (showcase/harness/src/http/probes.test.ts:733)
`showcase/harness/src/http/probes.test.ts:733` calls `POST /api/probes/smoke/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/smoke/trigger` If this points at an external API, prefix it with `…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/probes/smoke/trigger (showcase/harness/src/http/probes.test.ts:744)
`showcase/harness/src/http/probes.test.ts:744` calls `POST /api/probes/smoke/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/smoke/trigger` If this points at an external API, prefix it with `…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/probes/smoke/trigger (showcase/harness/src/http/probes.test.ts:767)
`showcase/harness/src/http/probes.test.ts:767` calls `POST /api/probes/smoke/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/smoke/trigger` If this points at an external API, prefix it with `…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/probes/smoke/trigger (showcase/harness/src/http/probes.test.ts:777)
`showcase/harness/src/http/probes.test.ts:777` calls `POST /api/probes/smoke/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/smoke/trigger` If this points at an external API, prefix it with `…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/probes/smoke/trigger (showcase/harness/src/http/probes.test.ts:822)
`showcase/harness/src/http/probes.test.ts:822` calls `POST /api/probes/smoke/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/smoke/trigger` If this points at an external API, prefix it with `…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/probes/smoke/trigger (showcase/harness/src/http/probes.test.ts:830)
`showcase/harness/src/http/probes.test.ts:830` calls `POST /api/probes/smoke/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/smoke/trigger` If this points at an external API, prefix it with `…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/probes/smoke/trigger (showcase/harness/src/http/probes.test.ts:852)
`showcase/harness/src/http/probes.test.ts:852` calls `POST /api/probes/smoke/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/smoke/trigger` If this points at an external API, prefix it with `…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/probes/smoke/trigger (showcase/harness/src/http/probes.test.ts:878)
`showcase/harness/src/http/probes.test.ts:878` calls `POST /api/probes/smoke/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/smoke/trigger` If this points at an external API, prefix it with `…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/probes/smoke/trigger (showcase/harness/src/http/probes.test.ts:956)
`showcase/harness/src/http/probes.test.ts:956` calls `POST /api/probes/smoke/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/smoke/trigger` If this points at an external API, prefix it with `…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/probes/smoke/trigger (showcase/harness/src/http/probes.test.ts:975)
`showcase/harness/src/http/probes.test.ts:975` calls `POST /api/probes/smoke/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/smoke/trigger` If this points at an external API, prefix it with `…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/probes/smoke/trigger (showcase/harness/src/http/probes.test.ts:993)
`showcase/harness/src/http/probes.test.ts:993` calls `POST /api/probes/smoke/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/probes/smoke/trigger` If this points at an external API, prefix it with `…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/sheets/import (examples/canvas/llamaindex-composio/src/app/page.tsx:1461)
`examples/canvas/llamaindex-composio/src/app/page.tsx:1461` calls `POST /api/sheets/import` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/sheets/import` If this points at an external API, prefix it with `https://` …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/sheets/import (examples/canvas/llamaindex-composio/src/app/page.tsx:1508)
`examples/canvas/llamaindex-composio/src/app/page.tsx:1508` calls `POST /api/sheets/import` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/sheets/import` If this points at an external API, prefix it with `https://` …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/sheets/import (examples/canvas/llamaindex-composio/src/app/page.tsx:1626)
`examples/canvas/llamaindex-composio/src/app/page.tsx:1626` calls `POST /api/sheets/import` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/sheets/import` If this points at an external API, prefix it with `https://` …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/v1/cards (examples/showcases/banking/src/app/actions.ts:105)
`examples/showcases/banking/src/app/actions.ts:105` calls `POST /api/v1/cards` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/cards` If this points at an external API, prefix it with `https://` so the matcher ski…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/v1/cards (examples/showcases/enterprise-brex/src/app/cards/actions.ts:105)
`examples/showcases/enterprise-brex/src/app/cards/actions.ts:105` calls `POST /api/v1/cards` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/cards` If this points at an external API, prefix it with `https://` so t…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/v1/cards/${cardId}/policy (examples/showcases/banking/src/app/actions.ts:130)
`examples/showcases/banking/src/app/actions.ts:130` calls `POST /api/v1/cards/${cardId}/policy` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/cards/<p>/policy` If this points at an external API, prefix it with `…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/v1/cards/${cardId}/policy (examples/showcases/enterprise-brex/src/app/cards/actions.ts:130)
`examples/showcases/enterprise-brex/src/app/cards/actions.ts:130` calls `POST /api/v1/cards/${cardId}/policy` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/cards/<p>/policy` If this points at an external API, pr…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/v1/users (examples/showcases/banking/src/app/team/actions.ts:39)
`examples/showcases/banking/src/app/team/actions.ts:39` calls `POST /api/v1/users` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/users` If this points at an external API, prefix it with `https://` so the matcher…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/v1/users (examples/showcases/enterprise-brex/src/app/team/actions.ts:39)
`examples/showcases/enterprise-brex/src/app/team/actions.ts:39` calls `POST /api/v1/users` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/users` If this points at an external API, prefix it with `https://` so the…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/workspace/download (examples/showcases/open-mcp-client/apps/web/app/components/McpServerManager.tsx:179)
`examples/showcases/open-mcp-client/apps/web/app/components/McpServerManager.tsx:179` calls `POST /api/workspace/download` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/workspace/download` If this points at an exte…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/workspace/download (examples/showcases/open-mcp-client/apps/web/app/components/ToolCallRenderer.tsx:18)
`examples/showcases/open-mcp-client/apps/web/app/components/ToolCallRenderer.tsx:18` calls `POST /api/workspace/download` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/workspace/download` If this points at an exter…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/workspace/info (examples/showcases/open-mcp-client/apps/web/app/page.tsx:226)
`examples/showcases/open-mcp-client/apps/web/app/page.tsx:226` calls `POST /api/workspace/info` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/workspace/info` If this points at an external API, prefix it with `https…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /protected/trigger (showcase/harness/src/http/auth.test.ts:107)
`showcase/harness/src/http/auth.test.ts:107` calls `POST /protected/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/protected/trigger` If this points at an external API, prefix it with `https://` so…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /protected/trigger (showcase/harness/src/http/auth.test.ts:116)
`showcase/harness/src/http/auth.test.ts:116` calls `POST /protected/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/protected/trigger` If this points at an external API, prefix it with `https://` so…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /protected/trigger (showcase/harness/src/http/auth.test.ts:127)
`showcase/harness/src/http/auth.test.ts:127` calls `POST /protected/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/protected/trigger` If this points at an external API, prefix it with `https://` so…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /protected/trigger (showcase/harness/src/http/auth.test.ts:136)
`showcase/harness/src/http/auth.test.ts:136` calls `POST /protected/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/protected/trigger` If this points at an external API, prefix it with `https://` so…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /protected/trigger (showcase/harness/src/http/auth.test.ts:147)
`showcase/harness/src/http/auth.test.ts:147` calls `POST /protected/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/protected/trigger` If this points at an external API, prefix it with `https://` so…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /protected/trigger (showcase/harness/src/http/auth.test.ts:158)
`showcase/harness/src/http/auth.test.ts:158` calls `POST /protected/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/protected/trigger` If this points at an external API, prefix it with `https://` so…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /protected/trigger (showcase/harness/src/http/auth.test.ts:169)
`showcase/harness/src/http/auth.test.ts:169` calls `POST /protected/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/protected/trigger` If this points at an external API, prefix it with `https://` so…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /protected/trigger (showcase/harness/src/http/auth.test.ts:186)
`showcase/harness/src/http/auth.test.ts:186` calls `POST /protected/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/protected/trigger` If this points at an external API, prefix it with `https://` so…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /protected/trigger (showcase/harness/src/http/auth.test.ts:201)
`showcase/harness/src/http/auth.test.ts:201` calls `POST /protected/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/protected/trigger` If this points at an external API, prefix it with `https://` so…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /protected/trigger (showcase/harness/src/http/auth.test.ts:88)
`showcase/harness/src/http/auth.test.ts:88` calls `POST /protected/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/protected/trigger` If this points at an external API, prefix it with `https://` so …
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /protected/trigger (showcase/harness/src/http/auth.test.ts:96)
`showcase/harness/src/http/auth.test.ts:96` calls `POST /protected/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/protected/trigger` If this points at an external API, prefix it with `https://` so …
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/api/probes/probe:does-not-exist/trigger (showcase/harness/src/orchestrator.test.ts:1938)
`showcase/harness/src/orchestrator.test.ts:1938` calls `POST http://127.0.0.1:${port}/api/probes/probe:does-not-exist/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/probes/probe/<p>…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/api/probes/probe:e2e_smoke/trigger (showcase/harness/src/orchestrator.test.ts:4058)
`showcase/harness/src/orchestrator.test.ts:4058` calls `POST http://127.0.0.1:${port}/api/probes/probe:e2e_smoke/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/probes/probe/<p>/trig…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/api/probes/probe:nope/trigger (showcase/harness/src/orchestrator.test.ts:4081)
`showcase/harness/src/orchestrator.test.ts:4081` calls `POST http://127.0.0.1:${port}/api/probes/probe:nope/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/probes/probe/<p>/trigger` …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/api/probes/probe:smoke/trigger (showcase/harness/src/orchestrator.test.ts:4012)
`showcase/harness/src/orchestrator.test.ts:4012` calls `POST http://127.0.0.1:${port}/api/probes/probe:smoke/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/probes/probe/<p>/trigger`…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/api/probes/probe:smoke/trigger (showcase/harness/src/orchestrator.test.ts:4039)
`showcase/harness/src/orchestrator.test.ts:4039` calls `POST http://127.0.0.1:${port}/api/probes/probe:smoke/trigger` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/api/probes/probe/<p>/trigger`…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST http://localhost:${port}/ (packages/runtime/src/v2/runtime/__tests__/express-single-sse.test.ts:91)
`packages/runtime/src/v2/runtime/__tests__/express-single-sse.test.ts:91` calls `POST http://localhost:${port}/` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/localhost:/<p>` If this points at an external API…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST http://localhost:${port}/data (packages/runtime/src/v2/runtime/__tests__/node-fetch-handler.test.ts:64)
`packages/runtime/src/v2/runtime/__tests__/node-fetch-handler.test.ts:64` calls `POST http://localhost:${port}/data` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/localhost:/<p>/data` If this points at an ext…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST https://api.cloud.copilotkit.ai/check-for-updates (packages/react-ui/src/components/dev-console/utils.ts:36)
`packages/react-ui/src/components/dev-console/utils.ts:36` calls `POST https://api.cloud.copilotkit.ai/check-for-updates` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.cloud.copilotkit.ai/check-for-updat…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST https://api.tavily.com/search (examples/showcases/spreadsheet/src/app/api/copilotkit/tavily.ts:4)
`examples/showcases/spreadsheet/src/app/api/copilotkit/tavily.ts:4` calls `POST https://api.tavily.com/search` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.tavily.com/search` If this points at an extern…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST https://api.tavily.com/search (examples/v1/next-openai/src/app/api/copilotkit/travel/tavily.ts:5)
`examples/v1/next-openai/src/app/api/copilotkit/travel/tavily.ts:5` calls `POST https://api.tavily.com/search` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.tavily.com/search` If this points at an extern…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: PUT /api/v1/cards/${cardId} (examples/showcases/banking/src/app/actions.ts:28)
`examples/showcases/banking/src/app/actions.ts:28` calls `PUT /api/v1/cards/${cardId}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/cards/<p>` If this points at an external API, prefix it with `https://` so the…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: PUT /api/v1/cards/${cardId} (examples/showcases/enterprise-brex/src/app/cards/actions.ts:28)
`examples/showcases/enterprise-brex/src/app/cards/actions.ts:28` calls `PUT /api/v1/cards/${cardId}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/cards/<p>` If this points at an external API, prefix it with `ht…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: PUT /api/v1/transactions/${id} (examples/showcases/banking/src/app/actions.ts:184)
`examples/showcases/banking/src/app/actions.ts:184` calls `PUT /api/v1/transactions/${id}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/transactions/<p>` If this points at an external API, prefix it with `https…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: PUT /api/v1/transactions/${id} (examples/showcases/enterprise-brex/src/app/cards/actions.ts:184)
`examples/showcases/enterprise-brex/src/app/cards/actions.ts:184` calls `PUT /api/v1/transactions/${id}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/transactions/<p>` If this points at an external API, prefix …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: PUT /api/v1/transactions/${transactionId} (examples/showcases/banking/src/app/actions.ts:159)
`examples/showcases/banking/src/app/actions.ts:159` calls `PUT /api/v1/transactions/${transactionId}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/transactions/<p>` If this points at an external API, prefix it …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: PUT /api/v1/transactions/${transactionId} (examples/showcases/enterprise-brex/src/app/cards/actions.ts:159)
`examples/showcases/enterprise-brex/src/app/cards/actions.ts:159` calls `PUT /api/v1/transactions/${transactionId}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/transactions/<p>` If this points at an external A…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: PUT /api/v1/users/${id} (examples/showcases/banking/src/app/team/actions.ts:58)
`examples/showcases/banking/src/app/team/actions.ts:58` calls `PUT /api/v1/users/${id}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/users/<p>` If this points at an external API, prefix it with `https://` so th…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: PUT /api/v1/users/${id} (examples/showcases/banking/src/app/team/actions.ts:77)
`examples/showcases/banking/src/app/team/actions.ts:77` calls `PUT /api/v1/users/${id}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/users/<p>` If this points at an external API, prefix it with `https://` so th…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: PUT /api/v1/users/${id} (examples/showcases/enterprise-brex/src/app/team/actions.ts:58)
`examples/showcases/enterprise-brex/src/app/team/actions.ts:58` calls `PUT /api/v1/users/${id}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/users/<p>` If this points at an external API, prefix it with `https:/…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: PUT /api/v1/users/${id} (examples/showcases/enterprise-brex/src/app/team/actions.ts:77)
`examples/showcases/enterprise-brex/src/app/team/actions.ts:77` calls `PUT /api/v1/users/${id}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/users/<p>` If this points at an external API, prefix it with `https:/…
Dangling fetchFetch
high System graph security auth conf 1.00 FastAPI POST `a2ui_fixed_schema_endpoint` without auth dependency — showcase/integrations/claude-sdk-python/src/agent_server.py:366
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
showcase/integrations/claude-sdk-python/src/agent_server.py:366 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `agent_config_endpoint` without auth dependency — showcase/integrations/claude-sdk-python/src/agent_server.py:169
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
showcase/integrations/claude-sdk-python/src/agent_server.py:169 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `byoc_hashbrown_endpoint` without auth dependency — showcase/integrations/claude-sdk-python/src/agent_server.py:146
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
showcase/integrations/claude-sdk-python/src/agent_server.py:146 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `byoc_json_render_endpoint` without auth dependency — showcase/integrations/claude-sdk-python/src/agent_server.py:135
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
showcase/integrations/claude-sdk-python/src/agent_server.py:135 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `declarative_gen_ui_endpoint` without auth dependency — showcase/integrations/claude-sdk-python/src/agent_server.py:346
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
showcase/integrations/claude-sdk-python/src/agent_server.py:346 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `hitl_in_chat_endpoint` without auth dependency — showcase/integrations/claude-sdk-python/src/agent_server.py:303
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
showcase/integrations/claude-sdk-python/src/agent_server.py:303 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `interrupt_adapted_endpoint` without auth dependency — showcase/integrations/claude-sdk-python/src/agent_server.py:323
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
showcase/integrations/claude-sdk-python/src/agent_server.py:323 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `mcp_apps_endpoint` without auth dependency — showcase/integrations/claude-sdk-python/src/agent_server.py:256
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
showcase/integrations/claude-sdk-python/src/agent_server.py:256 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `multimodal_endpoint` without auth dependency — showcase/integrations/claude-sdk-python/src/agent_server.py:157
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
showcase/integrations/claude-sdk-python/src/agent_server.py:157 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `reasoning_endpoint` without auth dependency — showcase/integrations/claude-sdk-python/src/agent_server.py:209
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
showcase/integrations/claude-sdk-python/src/agent_server.py:209 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `run_a2ui_fixed_schema` without auth dependency — showcase/integrations/langroid/src/agent_server.py:157
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
showcase/integrations/langroid/src/agent_server.py:157 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `run_agent_endpoint` without auth dependency — showcase/integrations/claude-sdk-python/src/agents/agent.py:879
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
showcase/integrations/claude-sdk-python/src/agents/agent.py:879 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `run_agent` without auth dependency — showcase/integrations/langroid/src/agent_server.py:73
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
showcase/integrations/langroid/src/agent_server.py:73 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `run_byoc_hashbrown` without auth dependency — showcase/integrations/langroid/src/agent_server.py:136
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
showcase/integrations/langroid/src/agent_server.py:136 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `run_byoc_json_render` without auth dependency — showcase/integrations/langroid/src/agent_server.py:147
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
showcase/integrations/langroid/src/agent_server.py:147 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `run_gen_ui_agent` without auth dependency — showcase/integrations/langroid/src/agent_server.py:100
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
showcase/integrations/langroid/src/agent_server.py:100 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `run_mcp_apps` without auth dependency — showcase/integrations/langroid/src/agent_server.py:173
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
showcase/integrations/langroid/src/agent_server.py:173 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `run_multimodal` without auth dependency — showcase/integrations/langroid/src/agent_server.py:125
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
showcase/integrations/langroid/src/agent_server.py:125 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `run_shared_state_read_write` without auth dependency — showcase/integrations/langroid/src/agent_server.py:88
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
showcase/integrations/langroid/src/agent_server.py:88 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `run_subagents` without auth dependency — showcase/integrations/langroid/src/agent_server.py:113
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
showcase/integrations/langroid/src/agent_server.py:113 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `shared_state_read_write_endpoint` without auth dependency — showcase/integrations/claude-sdk-python/src/agent_server.py:184
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
showcase/integrations/claude-sdk-python/src/agent_server.py:184 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `subagents_endpoint` without auth dependency — showcase/integrations/claude-sdk-python/src/agent_server.py:283
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
showcase/integrations/claude-sdk-python/src/agent_server.py:283 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `tool_rendering_reasoning_chain_endpoint` without auth dependency — showcase/integrations/claude-sdk-python/src/agent_server.py:234
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
showcase/integrations/claude-sdk-python/src/agent_server.py:234 securityAuth fastapi unauth mutation
high System graph security security conf 1.00 Insecure pattern 'eval_used' in showcase/aimock/d6/ag2/recorded.json:96
Found a known-risky pattern (eval_used). Review and replace if possible.
showcase/aimock/d6/ag2/recorded.json:96 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in showcase/aimock/d6/agno/gen-ui-open.json:47
Found a known-risky pattern (eval_used). Review and replace if possible.
showcase/aimock/d6/agno/gen-ui-open.json:47 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in showcase/aimock/d6/agno/recorded.json:97
Found a known-risky pattern (eval_used). Review and replace if possible.
showcase/aimock/d6/agno/recorded.json:97 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in showcase/aimock/d6/built-in-agent/gen-ui-open.json:48
Found a known-risky pattern (eval_used). Review and replace if possible.
showcase/aimock/d6/built-in-agent/gen-ui-open.json:48 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in showcase/aimock/d6/built-in-agent/recorded.json:97
Found a known-risky pattern (eval_used). Review and replace if possible.
showcase/aimock/d6/built-in-agent/recorded.json:97 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in showcase/aimock/d6/claude-sdk-python/recorded.json:97
Found a known-risky pattern (eval_used). Review and replace if possible.
showcase/aimock/d6/claude-sdk-python/recorded.json:97 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in showcase/aimock/d6/claude-sdk-typescript/recorded.json:97
Found a known-risky pattern (eval_used). Review and replace if possible.
showcase/aimock/d6/claude-sdk-typescript/recorded.json:97 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in showcase/aimock/d6/crewai-crews/recorded.json:97
Found a known-risky pattern (eval_used). Review and replace if possible.
showcase/aimock/d6/crewai-crews/recorded.json:97 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in showcase/aimock/d6/google-adk/recorded.json:96
Found a known-risky pattern (eval_used). Review and replace if possible.
showcase/aimock/d6/google-adk/recorded.json:96 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in showcase/aimock/d6/langgraph-fastapi/recorded.json:97
Found a known-risky pattern (eval_used). Review and replace if possible.
showcase/aimock/d6/langgraph-fastapi/recorded.json:97 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in showcase/aimock/d6/langgraph-python/recorded.json:96
Found a known-risky pattern (eval_used). Review and replace if possible.
showcase/aimock/d6/langgraph-python/recorded.json:96 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in showcase/aimock/d6/langgraph-typescript/recorded.json:97
Found a known-risky pattern (eval_used). Review and replace if possible.
showcase/aimock/d6/langgraph-typescript/recorded.json:97 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in showcase/aimock/d6/langroid/gen-ui-open.json:48
Found a known-risky pattern (eval_used). Review and replace if possible.
showcase/aimock/d6/langroid/gen-ui-open.json:48 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in showcase/aimock/d6/langroid/recorded.json:97
Found a known-risky pattern (eval_used). Review and replace if possible.
showcase/aimock/d6/langroid/recorded.json:97 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in showcase/aimock/d6/llamaindex/recorded.json:97
Found a known-risky pattern (eval_used). Review and replace if possible.
showcase/aimock/d6/llamaindex/recorded.json:97 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in showcase/aimock/d6/mastra/recorded.json:97
Found a known-risky pattern (eval_used). Review and replace if possible.
showcase/aimock/d6/mastra/recorded.json:97 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in showcase/aimock/d6/ms-agent-dotnet/recorded.json:97
Found a known-risky pattern (eval_used). Review and replace if possible.
showcase/aimock/d6/ms-agent-dotnet/recorded.json:97 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in showcase/aimock/d6/ms-agent-python/recorded.json:97
Found a known-risky pattern (eval_used). Review and replace if possible.
showcase/aimock/d6/ms-agent-python/recorded.json:97 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in showcase/aimock/d6/pydantic-ai/recorded.json:97
Found a known-risky pattern (eval_used). Review and replace if possible.
showcase/aimock/d6/pydantic-ai/recorded.json:97 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in showcase/aimock/d6/spring-ai/gen-ui-open.json:48
Found a known-risky pattern (eval_used). Review and replace if possible.
showcase/aimock/d6/spring-ai/gen-ui-open.json:48 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in showcase/aimock/d6/spring-ai/recorded.json:97
Found a known-risky pattern (eval_used). Review and replace if possible.
showcase/aimock/d6/spring-ai/recorded.json:97 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in showcase/aimock/d6/strands/recorded.json:97
Found a known-risky pattern (eval_used). Review and replace if possible.
showcase/aimock/d6/strands/recorded.json:97 Eval used
medium Security checks security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them.
high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /api/probes/:id/trigger.
Define whether this endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml.
showcase/harness/src/http/probes.ts:293
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /debug/route.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
showcase/integrations/claude-sdk-typescript/src/app/api/debug/route.ts:3
medium Security checks software dependencies conf 0.90 ✓ Repobility 25 occurrences [MINED124] requirements.txt: `a2a-sdk[http-server]` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
Replace `a2a-sdk[http-server]` with `a2a-sdk[http-server]==<version>` and manage upgrades through PRs / Dependabot.
7 files, 25 locations
examples/showcases/research-canvas/agent/requirements.txt:1, 2, 3, 4, 6, 7, 8, 9, +2 more (10 hits)
scripts/qa/lib/langserve/requirements.txt:1, 2, 3, 4, 5, 6, 7, 8 (8 hits)
showcase/integrations/google-adk/requirements.txt:3, 4, 5 (3 hits)
examples/integrations/a2a-middleware/agents/requirements.txt:19
examples/showcases/research-canvas/final/agent/requirements.txt:1
showcase/integrations/ms-agent-python/requirements.txt:9
showcase/integrations/pydantic-ai/requirements.txt:7
medium Security checks quality Quality conf 1.00 3 occurrences [SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeholder credentials shaped like `API_KEY = "your-api-key-here"` instead of pulling from env. These get committed verbatim — production code with a literal placeholder string is a near-certain bug, and the value also leaks what credential type the system expects to authentication crawlers. CWE-1188. Distinctive AI footprint: the exact phrase shape `your-X-here` is uncommon in hand
Replace with env lookup: `API_KEY = os.environ['SERVICE_API_KEY']`. Move actual key to a secret manager. Add a startup check that the env var is non-empty so missing config fails loudly instead of shipping the placeholder.
3 files, 3 locations
examples/integrations/a2a-middleware/agents/orchestrator.py:80
examples/integrations/a2a-middleware/agents/research_agent.py:158
examples/integrations/adk/agent/main.py:202
low Security checks quality Error handling conf 0.55 ✓ Repobility 23 occurrences Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
12 files, 19 locations
showcase/integrations/agno/src/agent_server.py:230, 337, 350, 437, 622 (5 hits)
showcase/integrations/agno/src/agents/multimodal_agent.py:60, 77 (2 hits)
showcase/integrations/claude-sdk-python/src/agents/multimodal_agent.py:64, 83 (2 hits)
showcase/integrations/ms-agent-python/src/agents/multimodal_agent.py:68, 87 (2 hits)
showcase/integrations/claude-sdk-python/src/agents/a2ui_dynamic.py:235
showcase/integrations/claude-sdk-python/src/agents/a2ui_fixed.py:239
showcase/integrations/claude-sdk-python/src/agents/agent.py:755
showcase/integrations/claude-sdk-python/src/agents/hitl_in_chat_agent.py:299
Error handlingquality
medium Security checks cicd CI/CD security conf 0.56 6 occurrences Compose service contains a literal secret environment value
Rotate the value if real. Move it to Docker Compose secrets, a platform secret manager, or an uncommitted environment file.
3 files, 6 locations
examples/integrations/_intelligence/docker-compose.yml:19, 65, 125, 149 (4 hits)
examples/integrations/agentcore/docker/docker-compose.yml:12
examples/showcases/deep-agents-finance-erp/docker-compose.yml:1
CI/CD securitycontainers
medium Security checks cicd CI/CD security conf 0.88 3 occurrences Database service has no healthcheck
Add a database-native healthcheck such as pg_isready, mysqladmin ping, redis-cli ping, or the vendor's readiness command.
2 files, 3 locations
examples/integrations/_intelligence/docker-compose.yml:65, 125 (2 hits)
examples/showcases/deep-agents-finance-erp/docker-compose.yml:1
CI/CD securitycontainers
high Security checks cicd CI/CD security conf 0.82 43 occurrences Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
12 files, 12 locations
examples/integrations/adk/Dockerfile:16
examples/integrations/adk/docker/Dockerfile.agent:1
examples/integrations/agentcore/docker/Dockerfile.bridge.dev:1
examples/integrations/agentcore/docker/Dockerfile.frontend.dev:4
examples/integrations/agno/Dockerfile:23
examples/integrations/agno/docker/Dockerfile.agent:1
examples/integrations/crewai-crews/Dockerfile:16
examples/integrations/crewai-crews/docker/Dockerfile.agent:1
CI/CD securitycontainers
medium Security checks cicd CI/CD security conf 0.94 Dockerfile base image uses the latest tag
Pin to a maintained version tag or digest and update it deliberately through dependency automation.
showcase/aimock/Dockerfile:1 CI/CD securitycontainers
medium Security checks cicd CI/CD security conf 0.76 40 occurrences Dockerfile copies broad context with incomplete .dockerignore
Tighten .dockerignore or replace COPY . with explicit COPY statements.
12 files, 12 locations
examples/integrations/adk/docker/Dockerfile.app:12
examples/integrations/agentcore/docker/Dockerfile.bridge.dev:5
examples/integrations/agentcore/docker/Dockerfile.frontend.dev:15
examples/integrations/agno/docker/Dockerfile.app:12
examples/integrations/crewai-crews/docker/Dockerfile.app:12
examples/integrations/langgraph-fastapi/docker/Dockerfile.app:24
examples/integrations/langgraph-js/docker/Dockerfile.app:24
examples/integrations/langgraph-python/docker/Dockerfile.app:24
CI/CD securitycontainers
high Security checks quality Quality conf 0.74 15 occurrences Frontend API reference is not matched by discovered backend routes
Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore.
12 files, 15 locations
packages/runtime/src/v2/runtime/intelligence-platform/client.ts:542, 550, 596 (3 hits)
showcase/harness/src/fleet/job-claim.ts:206, 215 (2 hits)
scripts/qa/lib/css/page.tsx:62
scripts/qa/lib/langchain/page.tsx:62
scripts/qa/lib/langchain/route.ts:41
scripts/qa/lib/langserve/next/page.tsx:62
scripts/qa/lib/langserve/next/route.ts:85
scripts/qa/lib/next/page.tsx:62
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — docs/app/layout.tsx:45
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — docs/components/react/custom-code-block.tsx:32
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — examples/canvas/gemini/components/ui/chart.tsx:83
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — examples/canvas/langgraph-python/src/components/ui/chart.tsx:84
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — examples/integrations/agent-spec/src/app/layout.tsx:21
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — examples/showcases/adk-dashboard/src/components/ui/chart.tsx:83
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — examples/showcases/chatkit-studio/apps/playground/src/app/preview/page.tsx:123
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — examples/showcases/chatkit-studio/apps/playground/src/utils/codeGenerator.ts:73
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — examples/showcases/chatkit-studio/apps/world/src/components/MyChat.tsx:106
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — examples/showcases/multi-page/app/root.tsx:83
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — showcase/integrations/ag2/src/app/layout.tsx:18
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — showcase/integrations/agno/src/app/layout.tsx:18
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — showcase/integrations/built-in-agent/src/app/layout.tsx:19
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — showcase/integrations/claude-sdk-python/src/app/layout.tsx:18
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — showcase/integrations/claude-sdk-typescript/src/app/layout.tsx:18
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — showcase/integrations/crewai-crews/src/app/layout.tsx:18
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — showcase/integrations/google-adk/src/app/layout.tsx:18
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — showcase/integrations/langgraph-fastapi/src/app/layout.tsx:18
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — showcase/integrations/langgraph-python/src/app/layout.tsx:20
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — showcase/integrations/langgraph-typescript/src/app/layout.tsx:18
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — showcase/integrations/langroid/src/app/layout.tsx:18
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — showcase/integrations/llamaindex/src/app/layout.tsx:18
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — showcase/integrations/ms-agent-dotnet/src/app/layout.tsx:18
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — showcase/integrations/ms-agent-harness-dotnet/src/app/layout.tsx:18
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — showcase/integrations/ms-agent-python/src/app/layout.tsx:18
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — showcase/integrations/pydantic-ai/src/app/layout.tsx:18
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — showcase/integrations/spring-ai/src/app/layout.tsx:18
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — showcase/integrations/strands/src/app/layout.tsx:18
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — showcase/scripts/create-integration/index.ts:436
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — showcase/shared/starter-template/app/layout.tsx:19
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — showcase/shell-dashboard/src/app/layout.tsx:73
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — showcase/shell-docs/src/app/layout.tsx:122
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — showcase/shell-docs/src/lib/docs-render.tsx:1383
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — showcase/shell-dojo/src/app/layout.tsx:60
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — showcase/shell-dojo/src/components/code-block.tsx:129
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — showcase/shell/src/app/layout.tsx:105
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — examples/canvas/llamaindex-composio/src/app/api/sheets/create/route.ts:17
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — examples/canvas/llamaindex-composio/src/app/api/sheets/import/route.ts:17
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — examples/canvas/llamaindex-composio/src/app/api/sheets/list/route.ts:17
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — examples/canvas/llamaindex-composio/src/app/api/sheets/sync/route.ts:24
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — examples/canvas/llamaindex-composio/src/app/page.tsx:1406
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — examples/integrations/a2a-a2ui/app/components/threads-drawer/threads-drawer.tsx:84
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — examples/integrations/a2a-middleware/components/threads-drawer/threads-drawer.tsx:84
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — examples/integrations/adk/src/components/threads-drawer/threads-drawer.tsx:84
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness

Showing first 300 of 916. Refine filters or use the findings page for deep search.

For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/5c865d8d-bd31-4274-81bf-8558cfd5f077/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/5c865d8d-bd31-4274-81bf-8558cfd5f077/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.