42 of your 74 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 3.29s · analysis 13.82s · 18.7 MB · GitHub preflight 397ms

foru17/make-x-great-again

https://github.com/foru17/make-x-great-again · scanned 2026-06-06 00:36 UTC (4 days ago) · 10 languages

253 raw signals (71 security + 182 graph) 75th percentile · Typescript · small (2-20K LoC) System graph score 72 (higher by 7)

UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 4 days ago · v2 · 140 actionable findings from 2 signal sources. 22 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown (2026-05-18-v5)

| Component | Sub-score | Weight | Contribution |
|---|---|---|---|
| structure_score | 100.0 | 0.15 | 15.00 |
| security_score | 79.1 | 0.25 | 19.77 |
| testing_score | 50.0 | 0.20 | 10.00 |
| documentation_score | 100.0 | 0.15 | 15.00 |
| practices_score | 90.0 | 0.15 | 13.50 |
| code_quality | 54.0 | 0.10 | 5.40 |
| Overall | | 1.00 | 78.7 |
Scan summary: Strongest security (90), dependencies (90); weakest testing (55), practices (56). Most common pattern: cpp-new-without-delete.

Showing 126 of 140 actionable findings. 162 raw detector signals were grouped into reader-sized issues.

critical Security checks quality Quality conf 0.80 ✓ Repobility Admin endpoint without auth: DELETE /v1/admin/keyword-rules/:id
Express route on /admin path (/v1/admin/keyword-rules/:id) with no auth middleware.
services/edge/src/index.ts:1848
critical Security checks quality Quality conf 0.80 ✓ Repobility Admin endpoint without auth: DELETE /v1/admin/reporter-bans/:id
Express route on /admin path (/v1/admin/reporter-bans/:id) with no auth middleware.
services/edge/src/index.ts:1192
critical Security checks quality Quality conf 0.80 ✓ Repobility Admin endpoint without auth: DELETE /v1/admin/whitelist
Express route on /admin path (/v1/admin/whitelist) with no auth middleware.
services/edge/src/index.ts:2082
critical Security checks quality Quality conf 0.80 ✓ Repobility Admin endpoint without auth: DELETE /v1/admin/whitelist-batch
Express route on /admin path (/v1/admin/whitelist-batch) with no auth middleware.
services/edge/src/index.ts:1718
critical Security checks quality Quality conf 0.80 ✓ Repobility Admin endpoint without auth: PATCH /v1/admin/keyword-rules/:id
Express route on /admin path (/v1/admin/keyword-rules/:id) with no auth middleware.
services/edge/src/index.ts:1821
critical Security checks quality Quality conf 0.80 ✓ Repobility Admin endpoint without auth: POST /v1/admin/agent-promote
Express route on /admin path (/v1/admin/agent-promote) with no auth middleware.
services/edge/src/index.ts:3025
critical Security checks quality Quality conf 0.80 ✓ Repobility Admin endpoint without auth: POST /v1/admin/agent-promote-batch
Express route on /admin path (/v1/admin/agent-promote-batch) with no auth middleware.
services/edge/src/index.ts:3064
critical Security checks quality Quality conf 0.80 ✓ Repobility Admin endpoint without auth: POST /v1/admin/decide
Express route on /admin path (/v1/admin/decide) with no auth middleware.
services/edge/src/index.ts:1643
critical Security checks quality Quality conf 0.80 ✓ Repobility Admin endpoint without auth: POST /v1/admin/decide-batch
Express route on /admin path (/v1/admin/decide-batch) with no auth middleware.
services/edge/src/index.ts:1681
critical Security checks quality Quality conf 0.80 ✓ Repobility Admin endpoint without auth: POST /v1/admin/keyword-rules
Express route on /admin path (/v1/admin/keyword-rules) with no auth middleware.
services/edge/src/index.ts:1800
critical Security checks quality Quality conf 0.80 ✓ Repobility Admin endpoint without auth: POST /v1/admin/keyword-rules/apply-to-queue
Express route on /admin path (/v1/admin/keyword-rules/apply-to-queue) with no auth middleware.
services/edge/src/index.ts:1899
critical Security checks quality Quality conf 0.80 ✓ Repobility Admin endpoint without auth: POST /v1/admin/keyword-rules/preview
Express route on /admin path (/v1/admin/keyword-rules/preview) with no auth middleware.
services/edge/src/index.ts:1860
critical Security checks quality Quality conf 0.80 ✓ Repobility Admin endpoint without auth: POST /v1/admin/reporter-bans
Express route on /admin path (/v1/admin/reporter-bans) with no auth middleware.
services/edge/src/index.ts:1172
critical Security checks quality Quality conf 0.80 ✓ Repobility Admin endpoint without auth: POST /v1/admin/reporter-fingerprints/backfill
Express route on /admin path (/v1/admin/reporter-fingerprints/backfill) with no auth middleware.
services/edge/src/index.ts:1200
critical Security checks quality Quality conf 0.80 ✓ Repobility Admin endpoint without auth: POST /v1/admin/sync-mirror
Express route on /admin path (/v1/admin/sync-mirror) with no auth middleware.
services/edge/src/index.ts:3106
critical Security checks quality Quality conf 0.80 ✓ Repobility Admin endpoint without auth: POST /v1/admin/whitelist
Express route on /admin path (/v1/admin/whitelist) with no auth middleware.
services/edge/src/index.ts:2047
critical Security checks security secrets conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
data/blacklist/v1.json:281586
high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /v1/agent/decide has no auth
Express route POST /v1/agent/decide declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
services/edge/src/index.ts:2770
high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /v1/appeal has no auth
Express route POST /v1/appeal declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
services/edge/src/index.ts:1103
high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /v1/classify has no auth
Express route POST /v1/classify declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
services/edge/src/index.ts:845
high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /v1/confirm has no auth
Express route POST /v1/confirm declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
services/edge/src/index.ts:1094
high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /v1/report has no auth
Express route POST /v1/report declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
services/edge/src/index.ts:1095
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 8 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `actions/checkout` is pinned to `@v4`, a mutable tag or branch ref. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
2 files, 8 locations
.github/workflows/ci.yml:13, 16, 28, 29, 40, 41 (6 hits)
.github/workflows/publish-public-list.yml:21, 24 (2 hits)
CI/CD security · Supply chain · GitHub Actions
medium Security checks cicd CI/CD security conf 0.90 ✓ Repobility 2 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `pnpm/action-setup` is pinned to `@v4`, a mutable tag or branch ref. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
2 files, 2 locations
.github/workflows/ci.yml:14
.github/workflows/publish-public-list.yml:22
CI/CD security · Supply chain · GitHub Actions
high Security checks software dependencies conf 0.88 tmp: GHSA-ph9p-34f9-6g65
tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape
extension/package-lock.json
high System graph api Wiring conf 1.00 Dangling fetch: GET https://api.github.com/user (services/edge/src/index.ts:75)
`services/edge/src/index.ts:75` calls `GET https://api.github.com/user` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.github.com/user` If this points at an external API, prefix it with `https://` so the …
Dangling fetch · Fetch
medium Security checks quality Error handling conf 1.00 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
extension/entrypoints/x-graphql-main.content.ts:135
medium Security checks cicd CI/CD security conf 0.68 Agent auto-approve or skip-permissions mode is easy to enable
Codex/agent auto-approve, YOLO, or skip-permissions modes can be useful in isolated automation, but they remove the human checkpoint before command execution, network access, and file edits.
services/agent-runner/run.py:7 · CI/CD security · agent runtime · permissions
medium Security checks cicd CI/CD security conf 0.68 Agent auto-approve or skip-permissions mode is easy to enable
Codex/agent auto-approve, YOLO, or skip-permissions modes can be useful in isolated automation, but they remove the human checkpoint before command execution, network access, and file edits.
docs/AGENT.md:216 · CI/CD security · agent runtime · permissions
low Security checks quality Error handling conf 0.55 ✓ Repobility 6 occurrences Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
2 files, 6 locations
services/agent-runner/run_openai.py:96, 140, 153, 202 (4 hits)
services/agent-runner/run.py:139, 168 (2 hits)
Error handling · quality
high Security checks software dependencies conf 0.90 GitHub Action `actions/checkout@v4` is 2 major version(s) behind (latest v6.0.3)
`uses: actions/checkout@v4` is 2 major version(s) behind the latest published release v6.0.3. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage for.
.github/workflows/ci.yml:13
high Security checks software dependencies conf 0.90 GitHub Action `actions/checkout@v4` is 2 major version(s) behind (latest v6.0.3)
`uses: actions/checkout@v4` is 2 major version(s) behind the latest published release v6.0.3. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage for.
.github/workflows/publish-public-list.yml:21
high Security checks software dependencies conf 0.90 GitHub Action `actions/setup-node@v4` is 2 major version(s) behind (latest v6.4.0)
`uses: actions/setup-node@v4` is 2 major version(s) behind the latest published release v6.4.0. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage for.
.github/workflows/ci.yml:16
high Security checks software dependencies conf 0.90 GitHub Action `actions/setup-node@v4` is 2 major version(s) behind (latest v6.4.0)
`uses: actions/setup-node@v4` is 2 major version(s) behind the latest published release v6.4.0. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage for.
.github/workflows/publish-public-list.yml:24
high Security checks software dependencies conf 0.90 GitHub Action `pnpm/action-setup@v4` is 2 major version(s) behind (latest v6.0.8)
`uses: pnpm/action-setup@v4` is 2 major version(s) behind the latest published release v6.0.8. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage for.
.github/workflows/ci.yml:14
high Security checks software dependencies conf 0.90 GitHub Action `pnpm/action-setup@v4` is 2 major version(s) behind (latest v6.0.8)
`uses: pnpm/action-setup@v4` is 2 major version(s) behind the latest published release v6.0.8. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage for.
.github/workflows/publish-public-list.yml:22
medium Security checks software dependencies conf 0.88 hono: GHSA-2gcr-mfcq-wcc3
Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths
services/edge/package-lock.json
medium Security checks software dependencies conf 0.88 hono: GHSA-3hrh-pfw6-9m5x
Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection
services/edge/package-lock.json
medium Security checks software dependencies conf 0.88 hono: GHSA-f577-qrjj-4474
Hono: JWT middleware accepts any Authorization scheme, not only Bearer
services/edge/package-lock.json
medium Security checks software dependencies conf 0.88 hono: GHSA-xrhx-7g5j-rcj5
Hono: IP Restriction bypasses static deny rules for non-canonical IPv6
services/edge/package-lock.json
high Security checks quality Quality conf 0.80 4 occurrences localStorage write failures are swallowed silently
localStorage quotas are small and writes can fail. Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota.
4 files, 4 locations
extension/lib/ui.ts:322
services/edge/src/pages/_layout.ts:244
services/edge/src/pages/admin.ts:493
services/edge/src/pages/landing.ts:886
medium Security checks software dependencies conf 0.90 npm package `@biomejs/biome` is 1 major version(s) behind (^1.9.4 -> 2.4.16)
`@biomejs/biome` is pinned/resolved at ^1.9.4 but the latest stable release on the npm registry is 2.4.16 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.88 uuid: GHSA-w5hq-g745-h8pq
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
extension/package-lock.json
medium Security checks software dependencies conf 0.88 ws: GHSA-58qx-3vcg-4xpx
ws: Uninitialized memory disclosure
services/edge/package-lock.json
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — services/edge/src/index.ts:242
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — services/edge/src/pages/admin.ts:727
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — services/edge/src/pages/landing.ts:742
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — services/edge/src/pages/list.ts:240
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — services/edge/test/edge-reporter-endpoints.test.ts:24
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/llm.ts:79
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph network Security conf 1.00 Privileged port 6 in use
Port 6 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
.github/workflows/publish-public-list.yml · Ports
low Security checks quality Quality conf 0.60 Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
services/agent-runner/run_openai.py:22 · duplication · quality
low Security checks quality Quality conf 0.60 Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
extension/lib/graphql-users.ts:2 · duplication · quality
low Security checks software dependencies conf 0.90 npm package `@cloudflare/workers-types` is minor version(s) behind (4.20260518.1 -> 4.20260605.1)
`@cloudflare/workers-types` is pinned/resolved at 4.20260518.1 but the latest stable release on the npm registry is 4.20260605.1 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot versio…
services/edge/package.json
low Security checks software dependencies conf 0.90 npm package `@types/chrome` is minor version(s) behind (0.0.287 -> 0.1.43)
`@types/chrome` is pinned/resolved at 0.0.287 but the latest stable release on the npm registry is 0.1.43 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
extension/package.json
low System graph quality Integrity conf 1.00 6 env vars used in code but missing from .env.example
Drift between code and config docs. The first few: `AGENT_ENV`, `CI`, `CURATION_DB_PATH`, `PORT`, `PUBLIC_LIST_DIR`, `REQUIRE_CURATION_DB`. Add them (with a placeholder/comment) to .env.example so onboarding doesn't break.
config drift
low System graph software Dead code candidate conf 1.00 File has no detected symbols: extension/entrypoints/background.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: extension/entrypoints/options/main.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: extension/entrypoints/popup/main.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: extension/lib/brand.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: extension/lib/types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: extension/wxt.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/compile-blacklist.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/generate-public-list.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/smoke-test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: services/edge/src/brand.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/public-list/schema.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/schema.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/mvp.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/public-list.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/unit.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph quality Tests conf 1.00 Low test-to-source ratio
6 tests / 44 src (ratio 0.14).
low System graph quality Integrity conf 1.00 5 occurrences Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: services/agent-runner/run_openai.py:load_env, services/agent-runner/run.py:load_env. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos; see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
5 occurrences
repo-level (5 hits)
duplicates · duplication
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `fromLegacy` in extension/lib/detect.ts:276
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `mxga_stats_v1` in extension/lib/stats.ts:22
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `mxga_whitelist_v1` in extension/lib/whitelist-cache.ts:17
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph cicd CI/CD security conf 1.00 package.json defines install-time lifecycle scripts
preinstall/install/postinstall/prepare scripts execute during dependency installation. Review them carefully for network calls, obfuscation, shell execution, or credential access.
extension/package.json · CI/CD security · Supply chain · Npm
low System graph software Dead code conf 1.00 Possibly dead Python function: process_one
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
services/agent-runner/run_openai.py:192
low System graph software Dead code conf 1.00 Possibly dead Python function: process_one
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
services/agent-runner/run.py:203
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — scripts/compile-blacklist.js:9
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — scripts/generate-public-list.ts:28
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — scripts/smoke-test.js:8
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/cli.ts:24
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/server.ts:73
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph api Wiring conf 1.00 Unused endpoint: DELETE /v1/admin/keyword-rules/:id
`services/edge/src/index.ts` declares `DELETE /v1/admin/keyword-rules/:id` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: DELETE /v1/admin/reporter-bans/:id
`services/edge/src/index.ts` declares `DELETE /v1/admin/reporter-bans/:id` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: DELETE /v1/admin/whitelist
`services/edge/src/index.ts` declares `DELETE /v1/admin/whitelist` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: DELETE /v1/admin/whitelist-batch
`services/edge/src/index.ts` declares `DELETE /v1/admin/whitelist-batch` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /
`services/edge/src/index.ts` declares `GET /` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /admin
`services/edge/src/index.ts` declares `GET /admin` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /list
`services/edge/src/index.ts` declares `GET /list` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /v1/admin/agent-list
`services/edge/src/index.ts` declares `GET /v1/admin/agent-list` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /v1/admin/blacklist
`services/edge/src/index.ts` declares `GET /v1/admin/blacklist` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /v1/admin/keyword-rules
`services/edge/src/index.ts` declares `GET /v1/admin/keyword-rules` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /v1/admin/log
`services/edge/src/index.ts` declares `GET /v1/admin/log` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /v1/admin/queue
`services/edge/src/index.ts` declares `GET /v1/admin/queue` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /v1/admin/reporter-bans
`services/edge/src/index.ts` declares `GET /v1/admin/reporter-bans` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /v1/admin/stats
`services/edge/src/index.ts` declares `GET /v1/admin/stats` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /v1/admin/whitelist
`services/edge/src/index.ts` declares `GET /v1/admin/whitelist` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /v1/agent/queue
`services/edge/src/index.ts` declares `GET /v1/agent/queue` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /v1/agent/stats
`services/edge/src/index.ts` declares `GET /v1/agent/stats` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /v1/artifacts/:key
`services/edge/src/index.ts` declares `GET /v1/artifacts/:key` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /v1/check
`services/edge/src/index.ts` declares `GET /v1/check` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /v1/health
`services/edge/src/index.ts` declares `GET /v1/health` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /v1/list/trends
`services/edge/src/index.ts` declares `GET /v1/list/trends` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /v1/whitelist
`services/edge/src/index.ts` declares `GET /v1/whitelist` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: PATCH /v1/admin/keyword-rules/:id
`services/edge/src/index.ts` declares `PATCH /v1/admin/keyword-rules/:id` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /v1/admin/agent-promote
`services/edge/src/index.ts` declares `POST /v1/admin/agent-promote` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /v1/admin/agent-promote-batch
`services/edge/src/index.ts` declares `POST /v1/admin/agent-promote-batch` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /v1/admin/decide
`services/edge/src/index.ts` declares `POST /v1/admin/decide` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /v1/admin/decide-batch
`services/edge/src/index.ts` declares `POST /v1/admin/decide-batch` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /v1/admin/keyword-rules
`services/edge/src/index.ts` declares `POST /v1/admin/keyword-rules` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /v1/admin/keyword-rules/apply-to-queue
`services/edge/src/index.ts` declares `POST /v1/admin/keyword-rules/apply-to-queue` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consume…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /v1/admin/keyword-rules/preview
`services/edge/src/index.ts` declares `POST /v1/admin/keyword-rules/preview` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /v1/admin/reporter-bans
`services/edge/src/index.ts` declares `POST /v1/admin/reporter-bans` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /v1/admin/reporter-fingerprints/backfill
`services/edge/src/index.ts` declares `POST /v1/admin/reporter-fingerprints/backfill` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consu…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /v1/admin/sync-mirror
`services/edge/src/index.ts` declares `POST /v1/admin/sync-mirror` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /v1/admin/whitelist
`services/edge/src/index.ts` declares `POST /v1/admin/whitelist` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /v1/agent/decide
`services/edge/src/index.ts` declares `POST /v1/agent/decide` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /v1/appeal
`services/edge/src/index.ts` declares `POST /v1/appeal` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /v1/classify
`services/edge/src/index.ts` declares `POST /v1/classify` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /v1/confirm
`services/edge/src/index.ts` declares `POST /v1/confirm` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /v1/report
`services/edge/src/index.ts` declares `POST /v1/report` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph quality Complexity conf 1.00 Very large file: services/edge/src/index.ts (3216 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: services/edge/src/pages/admin.ts (2244 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: services/edge/src/pages/landing.ts (930 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
API access

This page is publicly accessible at: https://repobility.com/scan/619231a0-27a9-46bf-9e43-749c2349349b/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/619231a0-27a9-46bf-9e43-749c2349349b/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.