— Repobility public scan

Component	Sub-score	Weight	Contribution
`structure_score`	40.0	0.15	6.00
`security_score`	34.6	0.25	8.65
`testing_score`	100.0	0.20	20.00
`documentation_score`	100.0	0.15	15.00
`practices_score`	82.0	0.15	12.30
`code_quality`	44.7	0.10	4.47
Overall		1.00	66.4

critical Legacy software dependency conf 0.90 ✓ Repobility Workflow uses `secrets.COPILOT_GITHUB_TOKEN` on a `pull_request` trigger

This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.COPILOT_GITHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trust…

.github/workflows/java-codegen-check.yml:196 dependencylegacy

critical Legacy software dependency conf 0.90 ✓ Repobility Workflow uses `secrets.COPILOT_GITHUB_TOKEN` on a `pull_request` trigger

This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.COPILOT_GITHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trust…

.github/workflows/java-codegen-check.yml:112 dependencylegacy

critical Legacy software dependency conf 0.90 ✓ Repobility Workflow uses `secrets.COPILOT_GITHUB_TOKEN` on a `pull_request` trigger

This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.COPILOT_GITHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trust…

.github/workflows/sdk-consistency-review.lock.yml:1267 dependencylegacy

critical Legacy software dependency conf 0.90 ✓ Repobility Workflow uses `secrets.COPILOT_GITHUB_TOKEN` on a `pull_request` trigger

This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.COPILOT_GITHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trust…

.github/workflows/sdk-consistency-review.lock.yml:854 dependencylegacy

critical Legacy software dependency conf 0.90 ✓ Repobility Workflow uses `secrets.COPILOT_GITHUB_TOKEN` on a `pull_request` trigger

This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.COPILOT_GITHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trust…

.github/workflows/sdk-consistency-review.lock.yml:791 dependencylegacy

critical Legacy software dependency conf 0.90 ✓ Repobility Workflow uses `secrets.COPILOT_GITHUB_TOKEN` on a `pull_request` trigger

This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.COPILOT_GITHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trust…

.github/workflows/sdk-consistency-review.lock.yml:146 dependencylegacy

critical Legacy software dependency conf 0.90 ✓ Repobility Workflow uses `secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN` on a `pull_request` trigger

This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in …

.github/workflows/sdk-consistency-review.lock.yml:855 dependencylegacy

critical Legacy software dependency conf 0.90 ✓ Repobility Workflow uses `secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN` on a `pull_request` trigger

This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in …

.github/workflows/sdk-consistency-review.lock.yml:802 dependencylegacy

critical Legacy software dependency conf 0.90 ✓ Repobility Workflow uses `secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN` on a `pull_request` trigger

This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in …

.github/workflows/sdk-consistency-review.lock.yml:675 dependencylegacy

critical Legacy software dependency conf 0.90 ✓ Repobility Workflow uses `secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN` on a `pull_request` trigger

This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in …

.github/workflows/sdk-consistency-review.lock.yml:443 dependencylegacy

critical Legacy software dependency conf 0.90 ✓ Repobility Workflow uses `secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN` on a `pull_request` trigger

This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in …

.github/workflows/sdk-consistency-review.lock.yml:426 dependencylegacy

critical Legacy software dependency conf 0.90 ✓ Repobility Workflow uses `secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN` on a `pull_request` trigger

This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in …

.github/workflows/sdk-consistency-review.lock.yml:424 dependencylegacy

critical Legacy software dependency conf 0.90 ✓ Repobility Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger

This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted…

.github/workflows/sdk-consistency-review.lock.yml:1405 dependencylegacy

critical Legacy software dependency conf 0.90 ✓ Repobility Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger

This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted…

.github/workflows/sdk-consistency-review.lock.yml:1119 dependencylegacy

critical Legacy software dependency conf 0.90 ✓ Repobility Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger

This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted…

.github/workflows/sdk-consistency-review.lock.yml:1082 dependencylegacy

critical Legacy software dependency conf 0.90 ✓ Repobility Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger

This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted…

.github/workflows/sdk-consistency-review.lock.yml:1067 dependencylegacy

critical Legacy software dependency conf 0.90 ✓ Repobility Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger

This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted…

.github/workflows/sdk-consistency-review.lock.yml:1052 dependencylegacy

critical Legacy software dependency conf 0.90 ✓ Repobility Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger

This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted…

.github/workflows/sdk-consistency-review.lock.yml:1035 dependencylegacy

critical Legacy software dependency conf 0.90 ✓ Repobility Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger

This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted…

.github/workflows/sdk-consistency-review.lock.yml:856 dependencylegacy

critical Legacy software dependency conf 0.90 ✓ Repobility Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger

This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted…

.github/workflows/sdk-consistency-review.lock.yml:442 dependencylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.

Review and fix per the pattern semantics. See CWE-705 / for context.

python/samples/chat.py:52 qualitylegacy

high Legacy security path_traversal conf 0.80 [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.

Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads.

rust/src/canvas.rs:229 path_traversallegacy

high Legacy security path_traversal conf 0.80 [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.

Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads.

python/copilot/canvas.py:152 path_traversallegacy

high Legacy security path_traversal conf 0.80 [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.

Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads.

go/canvas.go:95 path_traversallegacy

low Legacy quality quality conf 1.00 [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).

Use execFile / spawn with separate args array; never pass shell strings.

python/scripts/build-wheels.mjs:111 qualitylegacy

high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/checkout` pinned to mutable ref `@v6.0.2`

`uses: actions/[email protected]` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

.github/workflows/copilot-setup-steps.yml:28 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/checkout` pinned to mutable ref `@v6`

`uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

.github/workflows/docs-validation.yml:137 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/checkout` pinned to mutable ref `@v6`

`uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

.github/workflows/docs-validation.yml:110 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/checkout` pinned to mutable ref `@v6`

`uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

.github/workflows/docs-validation.yml:86 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/checkout` pinned to mutable ref `@v6`

`uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

.github/workflows/docs-validation.yml:53 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/checkout` pinned to mutable ref `@v6`

`uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

.github/workflows/docs-validation.yml:28 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/setup-dotnet` pinned to mutable ref `@v5`

`uses: actions/setup-dotnet@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

.github/workflows/copilot-setup-steps.yml:61 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/setup-dotnet` pinned to mutable ref `@v5`

`uses: actions/setup-dotnet@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

.github/workflows/docs-validation.yml:115 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/setup-go` pinned to mutable ref `@v6`

`uses: actions/setup-go@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

.github/workflows/copilot-setup-steps.yml:55 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/setup-go` pinned to mutable ref `@v6`

`uses: actions/setup-go@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

.github/workflows/docs-validation.yml:91 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/setup-java` pinned to mutable ref `@v4`

`uses: actions/setup-java@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

.github/workflows/docs-validation.yml:142 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/setup-node` pinned to mutable ref `@v6`

`uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

.github/workflows/copilot-setup-steps.yml:32 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/setup-node` pinned to mutable ref `@v6`

`uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

.github/workflows/docs-validation.yml:138 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/setup-node` pinned to mutable ref `@v6`

`uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

.github/workflows/docs-validation.yml:111 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/setup-node` pinned to mutable ref `@v6`

`uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

.github/workflows/docs-validation.yml:87 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/setup-node` pinned to mutable ref `@v6`

`uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

.github/workflows/docs-validation.yml:54 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/setup-node` pinned to mutable ref `@v6`

`uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

.github/workflows/docs-validation.yml:29 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/setup-python` pinned to mutable ref `@v6`

`uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

.github/workflows/copilot-setup-steps.yml:43 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/setup-python` pinned to mutable ref `@v6`

`uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

.github/workflows/docs-validation.yml:58 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility Action `astral-sh/setup-uv` pinned to mutable ref `@v7`

`uses: astral-sh/setup-uv@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

.github/workflows/copilot-setup-steps.yml:49 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility Action `astral-sh/setup-uv` pinned to mutable ref `@v7`

`uses: astral-sh/setup-uv@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

.github/workflows/docs-validation.yml:64 dependencylegacy

high Legacy quality quality conf 1.00 ✓ Repobility Blocking call `input` inside async function `main`

`input` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress.

python/samples/chat.py:35 qualitylegacy

high Legacy software dependency conf 0.90 ✓ Repobility go.mod replaces `github.com/github/copilot-sdk/go` — points to a LOCAL path

`replace github.com/github/copilot-sdk/go => ../` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines.

go/samples/go.mod:17 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility package.json dep `@github/copilot-sdk` pulled from URL/Git

`dependencies.@github/copilot-sdk` = `file:..` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload.

nodejs/samples/package.json:1 dependencylegacy

high Legacy software dependency conf 0.88 stdlib: GO-2026-4601

Incorrect parsing of IPv6 host literals in net/url

go/samples/go.mod dependencylegacy

high Legacy software dependency conf 0.88 stdlib: GO-2026-4601

Incorrect parsing of IPv6 host literals in net/url

go/go.mod dependencylegacy

high Legacy software dependency conf 0.88 stdlib: GO-2026-4602

FileInfo can escape from a Root in os

go/samples/go.mod dependencylegacy

high Legacy software dependency conf 0.88 stdlib: GO-2026-4602

FileInfo can escape from a Root in os

go/go.mod dependencylegacy

high Legacy software dependency conf 0.88 stdlib: GO-2026-4603

URLs in meta content attribute actions are not escaped in html/template

go/samples/go.mod dependencylegacy

high Legacy software dependency conf 0.88 stdlib: GO-2026-4603

URLs in meta content attribute actions are not escaped in html/template

go/go.mod dependencylegacy

high Legacy software dependency conf 0.88 stdlib: GO-2026-4864

TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix

go/samples/go.mod dependencylegacy

high Legacy software dependency conf 0.88 stdlib: GO-2026-4864

TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix

go/go.mod dependencylegacy

high Legacy software dependency conf 0.88 stdlib: GO-2026-4865

JsBraceDepth Context Tracking Bugs (XSS) in html/template

go/samples/go.mod dependencylegacy

high Legacy software dependency conf 0.88 stdlib: GO-2026-4865

JsBraceDepth Context Tracking Bugs (XSS) in html/template

go/go.mod dependencylegacy

high Legacy software dependency conf 0.88 stdlib: GO-2026-4869

Unbounded allocation for old GNU sparse in archive/tar

go/samples/go.mod dependencylegacy

high Legacy software dependency conf 0.88 stdlib: GO-2026-4869

Unbounded allocation for old GNU sparse in archive/tar

go/go.mod dependencylegacy

high Legacy software dependency conf 0.88 stdlib: GO-2026-4870

Unauthenticated TLS 1.3 KeyUpdate record can cause persistent connection retention and DoS in crypto/tls

go/samples/go.mod dependencylegacy

high Legacy software dependency conf 0.88 stdlib: GO-2026-4870

Unauthenticated TLS 1.3 KeyUpdate record can cause persistent connection retention and DoS in crypto/tls

go/go.mod dependencylegacy

high Legacy software dependency conf 0.88 stdlib: GO-2026-4918

Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net

go/samples/go.mod dependencylegacy

high Legacy software dependency conf 0.88 stdlib: GO-2026-4918

Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net

go/go.mod dependencylegacy

high Legacy software dependency conf 0.88 stdlib: GO-2026-4946

Inefficient policy validation in crypto/x509

go/samples/go.mod dependencylegacy

high Legacy software dependency conf 0.88 stdlib: GO-2026-4946

Inefficient policy validation in crypto/x509

go/go.mod dependencylegacy

high Legacy software dependency conf 0.88 stdlib: GO-2026-4947

Unexpected work during chain building in crypto/x509

go/samples/go.mod dependencylegacy

high Legacy software dependency conf 0.88 stdlib: GO-2026-4947

Unexpected work during chain building in crypto/x509

go/go.mod dependencylegacy

high Legacy software dependency conf 0.88 stdlib: GO-2026-4971

Panic in Dial and LookupPort when handling NUL byte on Windows in net

go/samples/go.mod dependencylegacy

high Legacy software dependency conf 0.88 stdlib: GO-2026-4971

Panic in Dial and LookupPort when handling NUL byte on Windows in net

go/go.mod dependencylegacy

high Legacy software dependency conf 0.88 stdlib: GO-2026-4976

ReverseProxy forwards queries with more than urlmaxqueryparams parameters in net/http/httputil

go/samples/go.mod dependencylegacy

high Legacy software dependency conf 0.88 stdlib: GO-2026-4976

ReverseProxy forwards queries with more than urlmaxqueryparams parameters in net/http/httputil

go/go.mod dependencylegacy

high Legacy software dependency conf 0.88 stdlib: GO-2026-4977

Quadratic string concatenation in consumePhrase in net/mail

go/samples/go.mod dependencylegacy

high Legacy software dependency conf 0.88 stdlib: GO-2026-4977

Quadratic string concatenation in consumePhrase in net/mail

go/go.mod dependencylegacy

high Legacy software dependency conf 0.88 stdlib: GO-2026-4980

Escaper bypass leads to XSS in html/template

go/samples/go.mod dependencylegacy

high Legacy software dependency conf 0.88 stdlib: GO-2026-4980

Escaper bypass leads to XSS in html/template

go/go.mod dependencylegacy

high Legacy software dependency conf 0.88 stdlib: GO-2026-4981

Crash when handling long CNAME response in net

go/samples/go.mod dependencylegacy

high Legacy software dependency conf 0.88 stdlib: GO-2026-4981

Crash when handling long CNAME response in net

go/go.mod dependencylegacy

high Legacy software dependency conf 0.88 stdlib: GO-2026-4982

Bypass of meta content URL escaping causes XSS in html/template

go/samples/go.mod dependencylegacy

high Legacy software dependency conf 0.88 stdlib: GO-2026-4982

Bypass of meta content URL escaping causes XSS in html/template

go/go.mod dependencylegacy

high Legacy software dependency conf 0.88 stdlib: GO-2026-4986

Quadratic string concatentation in consumeComment in net/mail

go/samples/go.mod dependencylegacy

high Legacy software dependency conf 0.88 stdlib: GO-2026-4986

Quadratic string concatentation in consumeComment in net/mail

go/go.mod dependencylegacy

high Legacy software dependency conf 0.88 stdlib: GO-2026-5037

Inefficient candidate hostname parsing in crypto/x509

go/samples/go.mod dependencylegacy

high Legacy software dependency conf 0.88 stdlib: GO-2026-5037

Inefficient candidate hostname parsing in crypto/x509

go/go.mod dependencylegacy

high Legacy software dependency conf 0.88 stdlib: GO-2026-5038

Quadratic complexity in WordDecoder.DecodeHeader in mime

go/samples/go.mod dependencylegacy

high Legacy software dependency conf 0.88 stdlib: GO-2026-5038

Quadratic complexity in WordDecoder.DecodeHeader in mime

go/go.mod dependencylegacy

high Legacy software dependency conf 0.88 stdlib: GO-2026-5039

Arbitrary inputs are included in errors without any escaping in net/textproto

go/samples/go.mod dependencylegacy

high Legacy software dependency conf 0.88 stdlib: GO-2026-5039

Arbitrary inputs are included in errors without any escaping in net/textproto

go/go.mod dependencylegacy

high Legacy security llm_injection conf 0.80 User-editable role instructions are inserted into the system prompt

Fleet or role instructions that users can edit should be treated as untrusted configuration. Prepending them to every system prompt lets stored text override runtime behavior.

python/copilot/generated/session_events.py:6878 llm_injectionlegacy

high Legacy security llm_injection conf 0.80 User-editable role instructions are inserted into the system prompt

Fleet or role instructions that users can edit should be treated as untrusted configuration. Prepending them to every system prompt lets stored text override runtime behavior.

nodejs/src/generated/session-events.ts:463 llm_injectionlegacy

high 9-layer cicd supply-chain conf 1.00 GitHub Action tracks a moving branch

github/gh-aw/actions/setup-cli@main can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/verify-compiled.yml:20 supply-chaingithub-actionspinned-dependencies

high 9-layer cicd supply-chain conf 1.00 GitHub Action tracks a moving branch

dtolnay/rust-toolchain@master can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/update-copilot-dependency.yml:54 supply-chaingithub-actionspinned-dependencies

high 9-layer cicd supply-chain conf 1.00 GitHub Action tracks a moving branch

dtolnay/rust-toolchain@master can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/codegen-check.yml:54 supply-chaingithub-actionspinned-dependencies

high 9-layer security owasp conf 1.00 Insecure pattern 'exec_used' in java/src/generated/java/com/github/copilot/generated/rpc/SessionShellApi.java:41

Found a known-risky pattern (exec_used). Review and replace if possible.

java/src/generated/java/com/github/copilot/generated/rpc/SessionShellApi.java:41 owaspexec_used

medium Legacy security path_traversal conf 1.00 [SEC012] ZipSlip — Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory.

Validate extracted paths with os.path.realpath() and ensure they stay within the target directory.

python/scripts/build-wheels.mjs:258 path_traversallegacy

high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently

Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

python/copilot/session.py:1709 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently

Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

python/copilot/session.py:1658 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently

Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

python/copilot/session_fs_provider.py:303 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently

Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

python/copilot/session_fs_provider.py:262 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently

Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

python/copilot/session_fs_provider.py:255 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently

Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

python/copilot/session_fs_provider.py:241 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently

Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

python/copilot/session_fs_provider.py:233 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently

Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

python/copilot/session_fs_provider.py:226 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently

Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

python/copilot/session_fs_provider.py:206 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently

Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

python/copilot/session_fs_provider.py:193 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently

Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

python/copilot/session_fs_provider.py:186 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently

Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

python/copilot/session_fs_provider.py:179 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently

Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

python/copilot/session_fs_provider.py:171 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently

Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

python/copilot/tools.py:218 qualitylegacy

medium Legacy software dependency conf 0.90 npm package `vscode-jsonrpc` is 1 major version(s) behind (8.2.1 -> 9.0.0)

`vscode-jsonrpc` is pinned/resolved at 8.2.1 but the latest stable release on the npm registry is 9.0.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.

nodejs/package.json dependencylegacy

medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — nodejs/test/e2e/harness/CapiProxy.ts:111

Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.

integrityfragile-runtimerobustness

medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — test/harness/capturingHttpProxy.test.ts:55

Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.

integrityfragile-runtimerobustness

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

astral-sh/setup-uv@v7 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/docs-validation.yml:64 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

astral-sh/setup-uv@v7 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/copilot-setup-steps.yml:49 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

extractions/setup-just@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/copilot-setup-steps.yml:75 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

dtolnay/rust-toolchain@stable can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/update-copilot-dependency.yml:48 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

dtolnay/rust-toolchain@stable can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/codegen-check.yml:43 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

NuGet/login@v1 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/publish.yml:140 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

dtolnay/rust-toolchain@stable can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/publish.yml:165 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

astral-sh/setup-uv@v7 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/publish.yml:211 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

pypa/gh-action-pypi-publish@release/v1 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/publish.yml:226 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions

CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.

.github/workflows/java-codegen-fix.lock.yml supply-chaingithub-actionsleast-privilege

medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions

CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.

.github/workflows/release-changelog.lock.yml supply-chaingithub-actionsleast-privilege

medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions

CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.

.github/workflows/java-publish-maven.yml supply-chaingithub-actionsleast-privilege

medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions

CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.

.github/workflows/update-copilot-dependency.yml supply-chaingithub-actionsleast-privilege

medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions

CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.

.github/workflows/java-adapt-handwritten-code-to-accept-upgrade-changes.lock.yml supply-chaingithub-actionsleast-privilege

medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions

CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.

.github/workflows/java-codegen-check.yml supply-chaingithub-actionsleast-privilege

medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions

CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.

.github/workflows/publish.yml supply-chaingithub-actionsleast-privilege

medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — python/e2e/testharness/proxy.py:41

`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.

integrityfragile-runtimerobustness

low Legacy quality error_handling conf 1.00 [ERR003] Ignored Error (Go): Ignoring error return values.

Handle the error or use errcheck linter.

go/mode_empty.go:262 error_handlinglegacy

low Legacy quality error_handling conf 1.00 [ERR003] Ignored Error (Go): Ignoring error return values.

Handle the error or use errcheck linter.

go/internal/flock/flock.go:13 error_handlinglegacy

low Legacy quality quality conf 1.00 [SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites — the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p

Python: `f"prefix {var} suffix"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically.

java/src/main/java/com/github/copilot/rpc/ToolSet.java:112 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.

rust/src/session_fs_dispatch.rs:22 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.

java/src/main/java/com/github/copilot/rpc/ResumeSessionRequest.java:15 qualitylegacy

low Legacy software dependency conf 0.90 npm package `@actions/github` is minor version(s) behind (9.0.0 -> 9.1.1)

`@actions/github` is pinned/resolved at 9.0.0 but the latest stable release on the npm registry is 9.1.1 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.

scripts/corrections/package.json dependencylegacy

low Legacy software dependency conf 0.90 npm package `@platformatic/vfs` is minor version(s) behind (0.3.0 -> 0.4.0)

`@platformatic/vfs` is pinned/resolved at 0.3.0 but the latest stable release on the npm registry is 0.4.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.

nodejs/package.json dependencylegacy

low Legacy software dependency conf 0.90 npm package `esbuild` is minor version(s) behind (0.27.2 -> 0.28.0)

`esbuild` is pinned/resolved at 0.27.2 but the latest stable release on the npm registry is 0.28.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.

nodejs/package.json dependencylegacy

low Legacy software dependency conf 0.90 npm package `semver` is minor version(s) behind (7.7.3 -> 7.8.2)

`semver` is pinned/resolved at 7.7.3 but the latest stable release on the npm registry is 7.8.2 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.

nodejs/package.json dependencylegacy

low Legacy software dependency conf 0.90 npm package `tsx` is minor version(s) behind (4.21.0 -> 4.22.4)

`tsx` is pinned/resolved at 4.21.0 but the latest stable release on the npm registry is 4.22.4 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.

java/scripts/codegen/package.json dependencylegacy

low Legacy software dependency conf 0.90 npm package `tsx` is minor version(s) behind (4.21.0 -> 4.22.4)

`tsx` is pinned/resolved at 4.21.0 but the latest stable release on the npm registry is 4.22.4 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.

nodejs/samples/package.json dependencylegacy

low Legacy software dependency conf 0.90 npm package `tsx` is minor version(s) behind (4.21.0 -> 4.22.4)

`tsx` is pinned/resolved at 4.21.0 but the latest stable release on the npm registry is 4.22.4 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.

scripts/codegen/package.json dependencylegacy

low Legacy software dependency conf 0.90 npm package `tsx` is minor version(s) behind (4.21.0 -> 4.22.4)

`tsx` is pinned/resolved at 4.21.0 but the latest stable release on the npm registry is 4.22.4 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.

scripts/docs-validation/package.json dependencylegacy

low Legacy software dependency conf 0.90 npm package `tsx` is minor version(s) behind (4.21.0 -> 4.22.4)

`tsx` is pinned/resolved at 4.21.0 but the latest stable release on the npm registry is 4.22.4 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.

nodejs/package.json dependencylegacy

low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: nodejs/esbuild-copilotsdk-nodejs.ts

Source file with no class/function declarations — possible config, dead code, or scratch file.

dead-code-candidate

low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: nodejs/eslint.config.js

Source file with no class/function declarations — possible config, dead code, or scratch file.

dead-code-candidate

low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: nodejs/examples/basic-example.ts

Source file with no class/function declarations — possible config, dead code, or scratch file.

dead-code-candidate

low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: nodejs/scripts/set-version.js

Source file with no class/function declarations — possible config, dead code, or scratch file.

dead-code-candidate

low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: nodejs/src/generated/session-events.ts

Source file with no class/function declarations — possible config, dead code, or scratch file.

dead-code-candidate

low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: nodejs/test/call-tool-result.test.ts

Source file with no class/function declarations — possible config, dead code, or scratch file.

dead-code-candidate

low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: nodejs/test/cjs-compat.test.ts

Source file with no class/function declarations — possible config, dead code, or scratch file.

dead-code-candidate

low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: nodejs/test/e2e/ask_user.e2e.test.ts

Source file with no class/function declarations — possible config, dead code, or scratch file.

dead-code-candidate

low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: nodejs/test/e2e/builtin_tools.e2e.test.ts

Source file with no class/function declarations — possible config, dead code, or scratch file.

dead-code-candidate

low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: nodejs/test/e2e/canvas.e2e.test.ts

Source file with no class/function declarations — possible config, dead code, or scratch file.

dead-code-candidate

low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: nodejs/test/e2e/error_resilience.e2e.test.ts

Source file with no class/function declarations — possible config, dead code, or scratch file.

dead-code-candidate

low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: nodejs/test/e2e/event_fidelity.e2e.test.ts

Source file with no class/function declarations — possible config, dead code, or scratch file.

dead-code-candidate

low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: nodejs/test/e2e/hooks.e2e.test.ts

Source file with no class/function declarations — possible config, dead code, or scratch file.

dead-code-candidate

low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: nodejs/test/e2e/hooks_extended.e2e.test.ts

Source file with no class/function declarations — possible config, dead code, or scratch file.

dead-code-candidate

low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: nodejs/test/e2e/pre_mcp_tool_call_hook.e2e.test.ts

Source file with no class/function declarations — possible config, dead code, or scratch file.

dead-code-candidate

low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: nodejs/test/e2e/rpc_event_log.e2e.test.ts

Source file with no class/function declarations — possible config, dead code, or scratch file.

dead-code-candidate

low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: nodejs/test/e2e/rpc_schedule.e2e.test.ts

Source file with no class/function declarations — possible config, dead code, or scratch file.

dead-code-candidate

low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: nodejs/test/e2e/rpc_workspace_checkpoints.e2e.test.ts

Source file with no class/function declarations — possible config, dead code, or scratch file.

dead-code-candidate

low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: nodejs/test/e2e/streaming_fidelity.e2e.test.ts

Source file with no class/function declarations — possible config, dead code, or scratch file.

dead-code-candidate

low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: nodejs/test/e2e/subagent_hooks.e2e.test.ts

Source file with no class/function declarations — possible config, dead code, or scratch file.

dead-code-candidate

low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: nodejs/test/e2e/tools.e2e.test.ts

Source file with no class/function declarations — possible config, dead code, or scratch file.

dead-code-candidate

low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: nodejs/test/extension.test.ts

Source file with no class/function declarations — possible config, dead code, or scratch file.

dead-code-candidate

low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: nodejs/test/get-version.test.ts

Source file with no class/function declarations — possible config, dead code, or scratch file.

dead-code-candidate

low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: nodejs/test/session-event-codegen.test.ts

Source file with no class/function declarations — possible config, dead code, or scratch file.

dead-code-candidate

low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: nodejs/test/shared-codegen.test.ts

Source file with no class/function declarations — possible config, dead code, or scratch file.

dead-code-candidate

low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: nodejs/test/typescript-codegen.test.ts

Source file with no class/function declarations — possible config, dead code, or scratch file.

dead-code-candidate

low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: nodejs/vitest.config.ts

Source file with no class/function declarations — possible config, dead code, or scratch file.

dead-code-candidate

low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: python/copilot/rpc.py

Source file with no class/function declarations — possible config, dead code, or scratch file.

dead-code-candidate

low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: python/copilot/session_events.py

Source file with no class/function declarations — possible config, dead code, or scratch file.

dead-code-candidate

low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: test/harness/capturingHttpProxy.test.ts

Source file with no class/function declarations — possible config, dead code, or scratch file.

dead-code-candidate

low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: test/harness/server.ts

Source file with no class/function declarations — possible config, dead code, or scratch file.

dead-code-candidate

low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: test/harness/vitest.config.ts

Source file with no class/function declarations — possible config, dead code, or scratch file.

dead-code-candidate

low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

actions/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/copilot-setup-steps.yml:28 supply-chaingithub-actionspinned-dependencies

low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

actions/setup-node@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/copilot-setup-steps.yml:32 supply-chaingithub-actionspinned-dependencies

low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

actions/setup-python@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/copilot-setup-steps.yml:43 supply-chaingithub-actionspinned-dependencies

low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

actions/setup-go@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/copilot-setup-steps.yml:55 supply-chaingithub-actionspinned-dependencies

low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

actions/setup-dotnet@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/copilot-setup-steps.yml:61 supply-chaingithub-actionspinned-dependencies

low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

actions/setup-java@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/copilot-setup-steps.yml:67 supply-chaingithub-actionspinned-dependencies

low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

actions/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/publish.yml:106 supply-chaingithub-actionspinned-dependencies

low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

actions/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/publish.yml:132 supply-chaingithub-actionspinned-dependencies

low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

actions/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/publish.yml:184 supply-chaingithub-actionspinned-dependencies

low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

actions/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/publish.yml:220 supply-chaingithub-actionspinned-dependencies

low 9-layer quality integrity conf 1.00 Legacy-named symbol `import_legacy` in java/scripts/codegen/java.ts:22

Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.

integritylegacy-markerdead-code

low 9-layer quality integrity conf 1.00 Legacy-named symbol `import_legacy` in nodejs/test/session-event-codegen.test.ts:452

Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.

integritylegacy-markerdead-code

low 9-layer quality integrity conf 1.00 Legacy-named symbol `import_legacy` in scripts/codegen/utils.ts:25

Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.

integritylegacy-markerdead-code

low 9-layer quality integrity conf 1.00 Legacy-named symbol `isNodeFullyDeprecated` in scripts/codegen/csharp.ts:37

Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.

integritylegacy-markerdead-code

low 9-layer quality integrity conf 1.00 Legacy-named symbol `isNodeFullyDeprecated` in scripts/codegen/go.ts:35

Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.

integritylegacy-markerdead-code

low 9-layer quality integrity conf 1.00 Legacy-named symbol `isNodeFullyDeprecated` in scripts/codegen/python.ts:26

Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.

integritylegacy-markerdead-code

low 9-layer quality integrity conf 1.00 Legacy-named symbol `isNodeFullyDeprecated` in scripts/codegen/typescript.ts:37

Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.

integritylegacy-markerdead-code

low 9-layer quality integrity conf 1.00 Legacy-named symbol `isSchemaDeprecated` in scripts/codegen/rust.ts:39

Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.

integritylegacy-markerdead-code

low 9-layer quality integrity conf 1.00 Legacy-named symbol `pruneOld` in nodejs/src/generated/rpc.ts:10541

Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.

integritylegacy-markerdead-code

low 9-layer quality integrity conf 1.00 Legacy-named symbol `pruneOld` in nodejs/test/e2e/rpc_server.e2e.test.ts:326

Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.

integritylegacy-markerdead-code

low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 14 places

Functions with the same first-5-line body hash: python/copilot/client.py:from_dict, python/copilot/client.py:from_dict, python/copilot/client.py:from_dict, python/copilot/client.py:from_dict This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hy…

integrityduplicatedry

low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 14 places

Functions with the same first-5-line body hash: python/copilot/client.py:to_dict, python/copilot/client.py:to_dict, python/copilot/client.py:to_dict, python/copilot/client.py:to_dict This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). …

integrityduplicatedry

low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places

Functions with the same first-5-line body hash: python/copilot/client.py:handle_notification, python/copilot/client.py:handle_notification This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.

integrityduplicatedry

low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places

Functions with the same first-5-line body hash: python/copilot/session_fs_provider.py:read_file, python/copilot/session_fs_provider.py:read_file This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're se…

integrityduplicatedry

low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places

Functions with the same first-5-line body hash: python/copilot/session_fs_provider.py:write_file, python/copilot/session_fs_provider.py:write_file This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're …

integrityduplicatedry

low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places

Functions with the same first-5-line body hash: python/copilot/session_fs_provider.py:append_file, python/copilot/session_fs_provider.py:append_file This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they'r…

integrityduplicatedry

low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places

Functions with the same first-5-line body hash: python/copilot/session_fs_provider.py:exists, python/copilot/session_fs_provider.py:exists This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.

integrityduplicatedry

low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places

Functions with the same first-5-line body hash: python/copilot/session_fs_provider.py:stat, python/copilot/session_fs_provider.py:stat This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.

integrityduplicatedry

low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places

Functions with the same first-5-line body hash: python/copilot/session_fs_provider.py:mkdir, python/copilot/session_fs_provider.py:mkdir This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.

integrityduplicatedry

low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places

Functions with the same first-5-line body hash: python/copilot/session_fs_provider.py:readdir, python/copilot/session_fs_provider.py:readdir This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separa…

integrityduplicatedry

low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places

Functions with the same first-5-line body hash: python/copilot/session_fs_provider.py:readdir_with_types, python/copilot/session_fs_provider.py:readdir_with_types This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or docum…

integrityduplicatedry

low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places

Functions with the same first-5-line body hash: python/copilot/session_fs_provider.py:rm, python/copilot/session_fs_provider.py:rm This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.

integrityduplicatedry

low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places

Functions with the same first-5-line body hash: python/copilot/session_fs_provider.py:rename, python/copilot/session_fs_provider.py:rename This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.

integrityduplicatedry

low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places

Functions with the same first-5-line body hash: python/copilot/session_fs_provider.py:sqlite_query, python/copilot/session_fs_provider.py:sqlite_query This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they…

integrityduplicatedry

low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places

Functions with the same first-5-line body hash: python/copilot/session_fs_provider.py:sqlite_exists, python/copilot/session_fs_provider.py:sqlite_exists This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why th…

integrityduplicatedry

low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places

Functions with the same first-5-line body hash: python/copilot/session.py:send, python/copilot/session.py:send_and_wait This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.

integrityduplicatedry

low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places

Functions with the same first-5-line body hash: python/copilot/canvas.py:to_dict, python/copilot/canvas.py:to_dict This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.

integrityduplicatedry

low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places

Functions with the same first-5-line body hash: python/copilot/generated/session_events.py:to_timedelta_int, python/copilot/generated/session_events.py:to_timedelta This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or doc…

integrityduplicatedry

low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 3 places

Functions with the same first-5-line body hash: python/copilot/client.py:on_lifecycle, python/copilot/client.py:on_lifecycle, python/copilot/client.py:on_lifecycle This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or docu…

integrityduplicatedry

low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 4 places

Functions with the same first-5-line body hash: python/copilot/tools.py:define_tool, python/copilot/tools.py:define_tool, python/copilot/tools.py:define_tool, python/copilot/tools.py:define_tool This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-cod…

integrityduplicatedry

low 9-layer software dead-code conf 1.00 Possibly dead Python function: add_tool_approval

No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.

python/copilot/generated/rpc.py:18687 dead-code

low 9-layer software dead-code conf 1.00 Possibly dead Python function: add_trusted

No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.

python/copilot/generated/rpc.py:18706 dead-code

low 9-layer software dead-code conf 1.00 Possibly dead Python function: apply

No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.

python/copilot/generated/rpc.py:18681 dead-code

low 9-layer software dead-code conf 1.00 Possibly dead Python function: from_none

No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.

python/copilot/generated/rpc.py:31 dead-code

low 9-layer software dead-code conf 1.00 Possibly dead Python function: handle_notification

No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.

python/copilot/client.py:3469 dead-code

low 9-layer software dead-code conf 1.00 Possibly dead Python function: handle_session_fs_append_file

No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.

python/copilot/generated/rpc.py:19119 dead-code

low 9-layer software dead-code conf 1.00 Possibly dead Python function: handle_session_fs_exists

No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.

python/copilot/generated/rpc.py:19126 dead-code

low 9-layer software dead-code conf 1.00 Possibly dead Python function: handle_session_fs_read_file

No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.

python/copilot/generated/rpc.py:19105 dead-code

low 9-layer software dead-code conf 1.00 Possibly dead Python function: handle_session_fs_write_file

No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.

python/copilot/generated/rpc.py:19112 dead-code

low 9-layer software dead-code conf 1.00 Possibly dead Python function: is_path_within_allowed_directories

No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.

python/copilot/generated/rpc.py:18656 dead-code

low 9-layer software dead-code conf 1.00 Possibly dead Python function: is_path_within_workspace

No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.

python/copilot/generated/rpc.py:18662 dead-code

low 9-layer software dead-code conf 1.00 Possibly dead Python function: is_trusted

No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.

python/copilot/generated/rpc.py:18700 dead-code

low 9-layer software dead-code conf 1.00 Possibly dead Python function: modify_rules

No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.

python/copilot/generated/rpc.py:18768 dead-code

low 9-layer software dead-code conf 1.00 Possibly dead Python function: notify

No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.

python/copilot/_jsonrpc.py:216 dead-code

low 9-layer software dead-code conf 1.00 Possibly dead Python function: notify_prompt_shown

No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.

python/copilot/generated/rpc.py:18784 dead-code

low 9-layer software dead-code conf 1.00 Possibly dead Python function: pending_requests

No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.

python/copilot/generated/rpc.py:18748 dead-code

low 9-layer software dead-code conf 1.00 Possibly dead Python function: rpc_from_dict

No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.

python/copilot/generated/rpc.py:17460 dead-code

low 9-layer software dead-code conf 1.00 Possibly dead Python function: rpc_to_dict

No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.

python/copilot/generated/rpc.py:17463 dead-code

low 9-layer software dead-code conf 1.00 Possibly dead Python function: send_attachments_to_message

No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.

python/copilot/generated/rpc.py:18497 dead-code

low 9-layer software dead-code conf 1.00 Possibly dead Python function: set_allow_all

No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.

python/copilot/generated/rpc.py:18758 dead-code

low 9-layer software dead-code conf 1.00 Possibly dead Python function: set_required

No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.

python/copilot/generated/rpc.py:18774 dead-code

low 9-layer software dead-code conf 1.00 Possibly dead Python function: set_unrestricted_mode

No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.

python/copilot/generated/rpc.py:18719 dead-code

low 9-layer software dead-code conf 1.00 Possibly dead Python function: spawn

No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.

python/copilot/generated/rpc.py:17942 dead-code

low 9-layer software dead-code conf 1.00 Possibly dead Python function: unsubscribe_typed

No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.

python/copilot/client.py:2965 dead-code

low 9-layer software dead-code conf 1.00 Possibly dead Python function: unsubscribe_wildcard

No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.

python/copilot/client.py:2952 dead-code

low 9-layer software dead-code conf 1.00 Possibly dead Python function: update_primary

No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.

python/copilot/generated/rpc.py:18650 dead-code

low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — java/scripts/codegen/java.ts:189

Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak

frontend-qualityfq.console-leak

low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — nodejs/examples/basic-example.ts:8

Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak

frontend-qualityfq.console-leak

low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — nodejs/samples/chat.ts:17

Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak

frontend-qualityfq.console-leak

low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — nodejs/samples/manual-tool-resume.ts:28

Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak

frontend-qualityfq.console-leak

low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — nodejs/scripts/get-version.js:38

Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak

frontend-qualityfq.console-leak

low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — nodejs/scripts/update-protocol-version.ts:28

Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak

frontend-qualityfq.console-leak

low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — nodejs/src/client.ts:288

Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak

frontend-qualityfq.console-leak

low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — nodejs/src/session.ts:108

Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak

frontend-qualityfq.console-leak

low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — nodejs/test/cjs-compat.test.ts:33

Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak

frontend-qualityfq.console-leak

low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — scripts/codegen/csharp.ts:315

Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak

frontend-qualityfq.console-leak

low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — scripts/codegen/go.ts:401

Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak

frontend-qualityfq.console-leak

low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — scripts/codegen/python.ts:2686

Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak

frontend-qualityfq.console-leak

low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — scripts/codegen/rust.ts:2093

Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak

frontend-qualityfq.console-leak

low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — scripts/codegen/typescript.ts:341

Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak

frontend-qualityfq.console-leak

low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — scripts/corrections/collect-corrections.js:110

Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak

frontend-qualityfq.console-leak

low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — scripts/docs-validation/extract.ts:429

Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak

frontend-qualityfq.console-leak

low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — scripts/docs-validation/validate.ts:49

Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak

frontend-qualityfq.console-leak

low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — test/harness/server.ts:54

Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak

frontend-qualityfq.console-leak

low 9-layer quality integrity conf 1.00 Stub function `define_tool` (body is just `pass`/`return`) — python/copilot/tools.py:72

Likely an AI scaffold that was never filled in. Remove or implement.

integrityempty-handlerdead-code

low 9-layer quality integrity conf 1.00 Stub function `on_lifecycle` (body is just `pass`/`return`) — python/copilot/client.py:2901

Likely an AI scaffold that was never filled in. Remove or implement.

integrityempty-handlerdead-code

low 9-layer quality complexity conf 1.00 Very large file: go/client.go (2065 lines)