141 of your 260 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 5.23s · analysis 32.48s · 5.5 MB · GitHub API rate-limit (preflight)

lfnovo/open-notebook

https://github.com/lfnovo/open-notebook · scanned 2026-06-04 23:17 UTC (1 week, 1 day ago) · 10 languages

828 raw signals (278 security + 550 graph) · 10th percentile · TypeScript · medium (20-100K LoC) · System graph score 57 (lower by 5)


Complete repo analysis

Last scanned 1 week, 1 day ago · v2 · 396 actionable findings from 2 signal sources. 435 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown — 2026-05-18-v5
Component             Sub-score   Weight   Contribution
structure_score            60.0     0.15           9.00
security_score              0.9     0.25           0.23
testing_score              53.0     0.20          10.60
documentation_score       100.0     0.15          15.00
practices_score            86.0     0.15          12.90
code_quality               43.9     0.10           4.39
Overall                               1.00          52.1
Active filters: excluding tests
Scan summary: Quality grade C- (52/100). Dimensions: security 1, maintainability 60. 278 findings (78 security). 59,590 lines analyzed.

Showing 325 of 396 actionable findings. 831 raw detector signals were grouped into reader-sized issues.

critical Security checks cicd CI/CD security conf 0.96 2 occurrences Compose service contains a literal secret environment value
Literal secrets in Compose files are committed to source and exposed through container inspection.
lines 14
docker-compose.yml:14 (2 hits)
CI/CD security · containers
critical Security checks security secrets conf 0.95 18 occurrences Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.
Gitleaks detected a committed secret or credential pattern.
3 files, 18 locations
docs/5-CONFIGURATION/security.md:154, 174, 182, 368, 376, 394 (12 hits)
docs/7-DEVELOPMENT/api-reference.md:18, 101 (4 hits)
docs/5-CONFIGURATION/reverse-proxy.md:819 (2 hits)
critical Security checks cicd CI/CD security conf 0.96 8 occurrences Docker image bakes a secret-like ENV value
ENV values are stored in the image configuration and are visible to anyone who can inspect the image.
2 files, 8 locations
Dockerfile:39, 99 (4 hits)
Dockerfile.single:49, 88 (4 hits)
CI/CD security · containers
low Security checks cicd CI/CD security conf 0.35 ✓ Repobility 12 occurrences Workflow references repository secrets in a pull_request workflow
Fork pull_request runs do not receive normal repository secrets on GitHub Actions. Review this as a reliability/intent signal, not as direct fork-secret exfiltration. Raise severity only for pull_request_target or another trusted-context path that runs untrusted PR code with secrets.
lines 54, 55, 107, 108, 185, 186
.github/workflows/build-dev.yml:54, 55, 107, 108, 185, 186 (12 hits)
CI/CD security · workflow secrets · GitHub Actions
critical System graph security Secrets conf 1.00 Possible secret in frontend/src/lib/locales/bn-IN/index.ts
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
frontend/src/lib/locales/bn-IN/index.ts:161
critical System graph security Secrets conf 1.00 Possible secret in frontend/src/lib/locales/ca-ES/index.ts
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
frontend/src/lib/locales/ca-ES/index.ts:161
critical System graph security Secrets conf 1.00 Possible secret in frontend/src/lib/locales/de-DE/index.ts
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
frontend/src/lib/locales/de-DE/index.ts:164
critical System graph security Secrets conf 1.00 Possible secret in frontend/src/lib/locales/en-US/index.ts
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
frontend/src/lib/locales/en-US/index.ts:161
critical System graph security Secrets conf 1.00 Possible secret in frontend/src/lib/locales/es-ES/index.ts
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
frontend/src/lib/locales/es-ES/index.ts:161
critical System graph security Secrets conf 1.00 Possible secret in frontend/src/lib/locales/fr-FR/index.ts
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
frontend/src/lib/locales/fr-FR/index.ts:161
critical System graph security Secrets conf 1.00 Possible secret in frontend/src/lib/locales/it-IT/index.ts
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
frontend/src/lib/locales/it-IT/index.ts:161
critical System graph security Secrets conf 1.00 Possible secret in frontend/src/lib/locales/ja-JP/index.ts
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
frontend/src/lib/locales/ja-JP/index.ts:161
critical System graph security Secrets conf 1.00 Possible secret in frontend/src/lib/locales/pl-PL/index.ts
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
frontend/src/lib/locales/pl-PL/index.ts:161
critical System graph security Secrets conf 1.00 Possible secret in frontend/src/lib/locales/pt-BR/index.ts
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
frontend/src/lib/locales/pt-BR/index.ts:161
critical System graph security Secrets conf 1.00 Possible secret in frontend/src/lib/locales/ru-RU/index.ts
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
frontend/src/lib/locales/ru-RU/index.ts:161
high Security checks security auth conf 0.70 2 occurrences [AUC003] Object-level route lacks visible authorization
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: DELETE /commands/jobs/{job_id}.
lines 108
api/routers/commands.py:108 (2 hits)
high Security checks security auth conf 0.70 2 occurrences [AUC003] Object-level route lacks visible authorization
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: DELETE /episode-profiles/{profile_id}.
lines 165
api/routers/episode_profiles.py:165 (2 hits)
high Security checks security auth conf 0.70 2 occurrences [AUC003] Object-level route lacks visible authorization
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: DELETE /podcasts/episodes/{episode_id}.
lines 272
api/routers/podcasts.py:272 (2 hits)
high Security checks security auth conf 0.70 2 occurrences [AUC003] Object-level route lacks visible authorization
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /commands/jobs/{job_id}.
lines 74
api/routers/commands.py:74 (2 hits)
high Security checks security auth conf 0.70 2 occurrences [AUC003] Object-level route lacks visible authorization
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /podcasts/episodes/{episode_id}.
lines 144
api/routers/podcasts.py:144 (2 hits)
high Security checks security auth conf 0.70 2 occurrences [AUC003] Object-level route lacks visible authorization
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /podcasts/episodes/{episode_id}/audio.
lines 190
api/routers/podcasts.py:190 (2 hits)
high Security checks security auth conf 0.70 2 occurrences [AUC003] Object-level route lacks visible authorization
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /podcasts/jobs/{job_id}.
lines 72
api/routers/podcasts.py:72 (2 hits)
high Security checks security auth conf 0.70 2 occurrences [AUC003] Object-level route lacks visible authorization
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /notebooks/{notebook_id}/context.
lines 12
api/routers/context.py:12 (2 hits)
high Security checks security auth conf 0.70 2 occurrences [AUC003] Object-level route lacks visible authorization
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /podcasts/episodes/{episode_id}/retry.
lines 215
api/routers/podcasts.py:215 (2 hits)
high Security checks security auth conf 0.70 2 occurrences [AUC003] Object-level route lacks visible authorization
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: PUT /episode-profiles/{profile_id}.
lines 129
api/routers/episode_profiles.py:129 (2 hits)
high Security checks quality Quality conf 1.00 ✓ Repobility 4 occurrences [MINED020] Logging Credential Via Fstring: logger.error(f"failed for {api_key}") — secrets end up in log aggregators / sentry.
Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context.
2 files, 4 locations
open_notebook/ai/provision.py:25 (2 hits)
open_notebook/utils/embedding.py:248 (2 hits)
high Security checks security Injection conf 0.85 2 occurrences [SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection.
Use parameterized queries: cursor.execute('SELECT * FROM t WHERE id = %s', [id]). For dynamic table or column names, choose identifiers from a hard-coded allowlist and keep values in parameters.
lines 148
open_notebook/database/repository.py:148 (2 hits)
high Security checks quality Quality conf 1.00 ✓ Repobility 50 occurrences `self._make_request` used but never assigned in __init__
Method `get_notebooks` of class `APIClient` reads `self._make_request`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
lines 88, 96, 102, 108, 114, 135, 152, 162, +17 more
api/client.py:88, 96, 102, 108, 114, 135, 152, 162, +17 more (50 hits)
high Security checks cicd CI/CD security conf 0.92 2 occurrences Compose service explicitly runs as root
A root container process increases impact if the service is compromised.
lines 1
docker-compose.yml:1 (2 hits)
CI/CD security · containers
high Security checks software dependencies conf 0.90 ✓ Repobility 12 occurrences Dockerfile FROM `python:3.12-slim-bookworm` not pinned by digest
`FROM python:3.12-slim-bookworm` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
2 files, 12 locations
Dockerfile.single:2, 26, 29, 54 (8 hits)
Dockerfile:2, 68 (4 hits)
high Security checks cicd CI/CD security conf 0.92 6 occurrences Dockerfile pipes a remote script into a shell
Piping downloaded code directly into a shell bypasses checksum verification and makes builds dependent on mutable remote content.
2 files, 6 locations
Dockerfile:11, 72 (4 hits)
Dockerfile.single:57 (2 hits)
CI/CD security · containers
high Security checks quality Quality conf 0.80 ✓ Repobility 2 occurrences FastAPI DELETE /commands/jobs/{job_id} has no auth
Handler `cancel_command_job` is registered with router/app.delete(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
lines 109
api/routers/commands.py:109 (2 hits)
high Security checks quality Quality conf 0.80 ✓ Repobility 2 occurrences FastAPI DELETE /episode-profiles/{profile_id} has no auth
Handler `delete_episode_profile` is registered with router/app.delete(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
lines 166
api/routers/episode_profiles.py:166 (2 hits)
high Security checks quality Quality conf 0.80 ✓ Repobility 2 occurrences FastAPI DELETE /models/{model_id} has no auth
Handler `delete_model` is registered with router/app.delete(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
lines 253
api/routers/models.py:253 (2 hits)
high Security checks quality Quality conf 0.80 ✓ Repobility 2 occurrences FastAPI DELETE /podcasts/episodes/{episode_id} has no auth
Handler `delete_podcast_episode` is registered with router/app.delete(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
lines 273
api/routers/podcasts.py:273 (2 hits)
high Security checks quality Quality conf 0.80 ✓ Repobility 2 occurrences FastAPI DELETE /speaker-profiles/{profile_id} has no auth
Handler `delete_speaker_profile` is registered with router/app.delete(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
lines 136
api/routers/speaker_profiles.py:136 (2 hits)
high Security checks quality Quality conf 0.80 ✓ Repobility 2 occurrences FastAPI POST /commands/jobs has no auth
Handler `execute_command` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
lines 38
api/routers/commands.py:38 (2 hits)
high Security checks quality Quality conf 0.80 ✓ Repobility 2 occurrences FastAPI POST /embed has no auth
Handler `embed_content` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
lines 13
api/routers/embedding.py:13 (2 hits)
high Security checks quality Quality conf 0.80 ✓ Repobility 2 occurrences FastAPI POST /episode-profiles has no auth
Handler `create_episode_profile` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
lines 101
api/routers/episode_profiles.py:101 (2 hits)
high Security checks quality Quality conf 0.80 ✓ Repobility 2 occurrences FastAPI POST /episode-profiles/{profile_id}/duplicate has no auth
Handler `duplicate_episode_profile` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
lines 192
api/routers/episode_profiles.py:192 (2 hits)
high Security checks quality Quality conf 0.80 ✓ Repobility 2 occurrences FastAPI POST /models has no auth
Handler `create_model` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
lines 198
api/routers/models.py:198 (2 hits)
high Security checks quality Quality conf 0.80 ✓ Repobility 2 occurrences FastAPI POST /models/auto-assign has no auth
Handler `auto_assign_defaults` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
lines 689
api/routers/models.py:689 (2 hits)
high Security checks quality Quality conf 0.80 ✓ Repobility 2 occurrences FastAPI POST /models/sync has no auth
Handler `sync_all_models` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
lines 550
api/routers/models.py:550 (2 hits)
high Security checks quality Quality conf 0.80 ✓ Repobility 2 occurrences FastAPI POST /models/sync/{provider} has no auth
Handler `sync_models` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
lines 523
api/routers/models.py:523 (2 hits)
high Security checks quality Quality conf 0.80 ✓ Repobility 2 occurrences FastAPI POST /models/{model_id}/test has no auth
Handler `test_model` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
lines 271
api/routers/models.py:271 (2 hits)
high Security checks quality Quality conf 0.80 ✓ Repobility 2 occurrences FastAPI POST /notebooks/{notebook_id}/context has no auth
Handler `get_notebook_context` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
lines 13
api/routers/context.py:13 (2 hits)
high Security checks quality Quality conf 0.80 ✓ Repobility 2 occurrences FastAPI POST /podcasts/episodes/{episode_id}/retry has no auth
Handler `retry_podcast_episode` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
lines 216
api/routers/podcasts.py:216 (2 hits)
high Security checks quality Quality conf 0.80 ✓ Repobility 2 occurrences FastAPI POST /podcasts/generate has no auth
Handler `generate_podcast` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
lines 42
api/routers/podcasts.py:42 (2 hits)
high Security checks quality Quality conf 0.80 ✓ Repobility 2 occurrences FastAPI POST /search has no auth
Handler `search_knowledge_base` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
lines 18
api/routers/search.py:18 (2 hits)
high Security checks quality Quality conf 0.80 ✓ Repobility 2 occurrences FastAPI POST /search/ask has no auth
Handler `ask_knowledge_base` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
lines 114
api/routers/search.py:114 (2 hits)
high Security checks quality Quality conf 0.80 ✓ Repobility 2 occurrences FastAPI POST /search/ask/simple has no auth
Handler `ask_knowledge_base_simple` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
lines 161
api/routers/search.py:161 (2 hits)
high Security checks quality Quality conf 0.80 ✓ Repobility 2 occurrences FastAPI POST /speaker-profiles has no auth
Handler `create_speaker_profile` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
lines 83
api/routers/speaker_profiles.py:83 (2 hits)
high Security checks quality Quality conf 0.80 ✓ Repobility 2 occurrences FastAPI POST /speaker-profiles/{profile_id}/duplicate has no auth
Handler `duplicate_speaker_profile` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
lines 162
api/routers/speaker_profiles.py:162 (2 hits)
high Security checks quality Quality conf 0.80 ✓ Repobility 2 occurrences FastAPI PUT /episode-profiles/{profile_id} has no auth
Handler `update_episode_profile` is registered with router/app.put(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
lines 130
api/routers/episode_profiles.py:130 (2 hits)
high Security checks quality Quality conf 0.80 ✓ Repobility 2 occurrences FastAPI PUT /models/defaults has no auth
Handler `update_default_models` is registered with router/app.put(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
lines 316
api/routers/models.py:316 (2 hits)
high Security checks quality Quality conf 0.80 ✓ Repobility 2 occurrences FastAPI PUT /speaker-profiles/{profile_id} has no auth
Handler `update_speaker_profile` is registered with router/app.put(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
lines 106
api/routers/speaker_profiles.py:106 (2 hits)
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 39 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `actions/checkout` is pinned to the mutable ref `@v6` (a tag or branch that the upstream can move). Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
3 files, 39 locations
.github/workflows/build-and-release.yml:30, 58, 87, 149, 178 (15 hits)
.github/workflows/build-dev.yml:42, 80, 111, 160, 189 (15 hits)
.github/workflows/test.yml:22, 46, 49 (9 hits)
CI/CD security · Supply chain · GitHub Actions
high Security checks software dependencies conf 0.90 ✓ Repobility 2 occurrences Lockfile pulls package from off-canonical host `registry.npmmirror.com`
`package-lock.json` resolved URL for `node_modules/@adobe/css-tools` is `https://registry.npmmirror.com/@adobe/css-tools/-/css-tools-4.4.4.tgz...` — host `registry.npmmirror.com` is not the canonical registry. Could be a mirror compromise, dependency confusion attack, or a forgotten private registr…
lines 1
frontend/package-lock.json:1 (2 hits)
high Security checks quality Quality conf 1.00 ✓ Repobility 2 occurrences Phantom test coverage: test_credential
Test function `test_credential` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
lines 365
api/credentials_service.py:365 (2 hits)
high Security checks software dependencies conf 0.88 2 occurrences pillow: GHSA-cfh3-3jmp-rvhc
Pillow affected by out-of-bounds write when loading PSD images
2 occurrences
uv.lock (2 hits)
high Security checks software dependencies conf 0.88 2 occurrences pillow: GHSA-pwv6-vv43-88gr
Pillow has an OOB Write with Invalid PSD Tile Extents (Integer Overflow)
2 occurrences
uv.lock (2 hits)
high Security checks software dependencies conf 0.88 2 occurrences pillow: GHSA-whj4-6x5x-4v2j
FITS GZIP decompression bomb in Pillow
2 occurrences
uv.lock (2 hits)
high Security checks software dependencies conf 0.88 2 occurrences pillow: PYSEC-2026-165
Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances for each glyph by an exceedingly large amount, the current position that Pillow keeps track of may overflow an integer. This issue has been patched in version 12.2.0.
2 occurrences
uv.lock (2 hits)
high Security checks software dependencies conf 0.88 2 occurrences pyjwt: PYSEC-2026-175
PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient passes its uri argument directly to urllib.request.urlopen() which uses Python stdlib's default OpenerDirector registering HTTPHandler, HTTPSHandler, FTPHandler, FileHandler, and DataHandler. There is currently no docu…
2 occurrences
uv.lock (2 hits)
high Security checks software dependencies conf 0.88 2 occurrences pyjwt: PYSEC-2026-176
PyJWT is a JSON Web Token implementation in Python. From 2.9.0 to 2.12.1, there is a verifier-side algorithm allow-list bypass when jwt.decode() or jwt.decode_complete() are called with a PyJWK key. The token header alg is checked against the caller-supplied algorithms allow-list, but signature ver…
2 occurrences
uv.lock (2 hits)
high Security checks software dependencies conf 0.88 2 occurrences pyjwt: PYSEC-2026-177
PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.get_signing_key() forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited out…
2 occurrences
uv.lock (2 hits)
high Security checks software dependencies conf 0.88 2 occurrences pyjwt: PYSEC-2026-178
PyJWT is a JSON Web Token implementation in Python. From 2.8.0 to 2.12.1, when verifying detached JWS tokens using the unencoded-payload option ("b64": false, RFC 7797), PyJWT performs Base64URL decoding of the compact-serialization payload segment before enforcing the detached-payload rules. For b…
2 occurrences
uv.lock (2 hits)
high Security checks software dependencies conf 0.88 2 occurrences pyjwt: PYSEC-2026-179
PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate use of JSON Web Keys in HMAC algorithm, allowing attacker to use the issuer public key as the secre…
2 occurrences
uv.lock (2 hits)
high Security checks security auth conf 0.83 2 occurrences Secret-like setting is echoed into a password input value
Settings screens sometimes render API keys, tokens, or passwords back into HTML/JSX password fields. That still exposes the secret to page source, browser extensions, screenshots, and DOM scraping.
lines 152
frontend/src/components/auth/LoginForm.tsx:152 (2 hits)
high Security checks software dependencies conf 0.88 2 occurrences starlette: PYSEC-2026-161
BadHost: Missing Host header validation poisons request.url.path, bypassing path-based security checks
2 occurrences
uv.lock (2 hits)
high System graph security auth conf 1.00 FastAPI DELETE `cancel_command_job` without auth dependency — api/routers/commands.py:108
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/commands.py:108 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI DELETE `delete_credential` without auth dependency — api/routers/credentials.py:259
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/credentials.py:259 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI DELETE `delete_episode_profile` without auth dependency — api/routers/episode_profiles.py:165
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/episode_profiles.py:165 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI DELETE `delete_insight` without auth dependency — api/routers/insights.py:37
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/insights.py:37 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI DELETE `delete_model` without auth dependency — api/routers/models.py:252
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/models.py:252 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI DELETE `delete_note` without auth dependency — api/routers/notes.py:174
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/notes.py:174 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI DELETE `delete_notebook` without auth dependency — api/routers/notebooks.py:320
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/notebooks.py:320 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI DELETE `delete_podcast_episode` without auth dependency — api/routers/podcasts.py:272
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/podcasts.py:272 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI DELETE `delete_session` without auth dependency — api/routers/chat.py:306
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/chat.py:306 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI DELETE `delete_source_chat_session` without auth dependency — api/routers/source_chat.py:362
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/source_chat.py:362 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI DELETE `delete_source` without auth dependency — api/routers/sources.py:946
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/sources.py:946 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI DELETE `delete_speaker_profile` without auth dependency — api/routers/speaker_profiles.py:135
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/speaker_profiles.py:135 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI DELETE `delete_transformation` without auth dependency — api/routers/transformations.py:235
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/transformations.py:235 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI DELETE `remove_source_from_notebook` without auth dependency — api/routers/notebooks.py:290
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/notebooks.py:290 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `add_source_to_notebook` without auth dependency — api/routers/notebooks.py:245
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/notebooks.py:245 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `ask_knowledge_base_simple` without auth dependency — api/routers/search.py:160
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/search.py:160 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `ask_knowledge_base` without auth dependency — api/routers/search.py:113
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/search.py:113 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `auto_assign_defaults` without auth dependency — api/routers/models.py:688
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/models.py:688 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `build_context` without auth dependency — api/routers/chat.py:421
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/chat.py:421 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `create_credential` without auth dependency — api/routers/credentials.py:139
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/credentials.py:139 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `create_episode_profile` without auth dependency — api/routers/episode_profiles.py:100
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/episode_profiles.py:100 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `create_model` without auth dependency — api/routers/models.py:197
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/models.py:197 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `create_note` without auth dependency — api/routers/notes.py:49
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/notes.py:49 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `create_notebook` without auth dependency — api/routers/notebooks.py:89
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/notebooks.py:89 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `create_session` without auth dependency — api/routers/chat.py:137
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/chat.py:137 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `create_source_chat_session` without auth dependency — api/routers/source_chat.py:87
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/source_chat.py:87 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `create_source_insight` without auth dependency — api/routers/sources.py:993
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/sources.py:993 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `create_source_json` without auth dependency — api/routers/sources.py:580
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/sources.py:580 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `create_source` without auth dependency — api/routers/sources.py:289
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/sources.py:289 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `create_speaker_profile` without auth dependency — api/routers/speaker_profiles.py:82
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/speaker_profiles.py:82 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `create_transformation` without auth dependency — api/routers/transformations.py:49
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/transformations.py:49 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `discover_models_for_credential` without auth dependency — api/routers/credentials.py:363
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/credentials.py:363 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `duplicate_episode_profile` without auth dependency — api/routers/episode_profiles.py:189
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/episode_profiles.py:189 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `duplicate_speaker_profile` without auth dependency — api/routers/speaker_profiles.py:159
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/speaker_profiles.py:159 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `embed_content` without auth dependency — api/routers/embedding.py:12
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/embedding.py:12 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `execute_chat` without auth dependency — api/routers/chat.py:330
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/chat.py:330 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `execute_command` without auth dependency — api/routers/commands.py:37
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/commands.py:37 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `execute_transformation` without auth dependency — api/routers/transformations.py:81
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/transformations.py:81 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `generate_podcast` without auth dependency — api/routers/podcasts.py:41
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/podcasts.py:41 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `get_notebook_context` without auth dependency — api/routers/context.py:12
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/context.py:12 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `migrate_from_env` without auth dependency — api/routers/credentials.py:421
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/credentials.py:421 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `migrate_from_provider_config` without auth dependency — api/routers/credentials.py:409
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/credentials.py:409 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `retry_podcast_episode` without auth dependency — api/routers/podcasts.py:215
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/podcasts.py:215 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `retry_source_processing` without auth dependency — api/routers/sources.py:821
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/sources.py:821 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `save_insight_as_note` without auth dependency — api/routers/insights.py:55
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/insights.py:55 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `search_knowledge_base` without auth dependency — api/routers/search.py:17
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/search.py:17 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `send_message_to_source_chat` without auth dependency — api/routers/source_chat.py:483
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/source_chat.py:483 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `start_rebuild` without auth dependency — api/routers/embedding_rebuild.py:18
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/embedding_rebuild.py:18 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `sync_all_models` without auth dependency — api/routers/models.py:549
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/models.py:549 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `sync_models` without auth dependency — api/routers/models.py:522
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/models.py:522 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `test_credential` without auth dependency — api/routers/credentials.py:357
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/credentials.py:357 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `test_model` without auth dependency — api/routers/models.py:270
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/models.py:270 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI PUT `update_credential` without auth dependency — api/routers/credentials.py:196
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/credentials.py:196 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI PUT `update_default_models` without auth dependency — api/routers/models.py:315
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/models.py:315 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI PUT `update_default_prompt` without auth dependency — api/routers/transformations.py:138
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/transformations.py:138 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI PUT `update_episode_profile` without auth dependency — api/routers/episode_profiles.py:129
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/episode_profiles.py:129 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI PUT `update_note` without auth dependency — api/routers/notes.py:133
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/notes.py:133 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI PUT `update_notebook` without auth dependency — api/routers/notebooks.py:183
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/notebooks.py:183 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI PUT `update_session` without auth dependency — api/routers/chat.py:250
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/chat.py:250 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI PUT `update_settings` without auth dependency — api/routers/settings.py:31
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/settings.py:31 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI PUT `update_source_chat_session` without auth dependency — api/routers/source_chat.py:290
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/source_chat.py:290 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI PUT `update_source` without auth dependency — api/routers/sources.py:779
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/sources.py:779 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI PUT `update_speaker_profile` without auth dependency — api/routers/speaker_profiles.py:105
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/speaker_profiles.py:105 · security · Auth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI PUT `update_transformation` without auth dependency — api/routers/transformations.py:188
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/transformations.py:188 · security · Auth fastapi unauth mutation
medium Security checks security auth conf 0.92 2 occurrences [AUC001] No Repobility access matrix policy found
The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
2 occurrences
repo-level (2 hits)
high Security checks security auth conf 0.74 2 occurrences [AUC002] Low visible authorization coverage in route inventory
Only 14.3% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
2 occurrences
repo-level (2 hits)
high Security checks security auth conf 0.66 2 occurrences [AUC004] Admin route does not show super_admin separation
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /settings.
lines 11
api/routers/settings.py:11 (2 hits)
high Security checks security auth conf 0.66 2 occurrences [AUC004] Admin route does not show super_admin separation
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /embed.
lines 12
api/routers/embedding.py:12 (2 hits)
high Security checks security auth conf 0.66 2 occurrences [AUC004] Admin route does not show super_admin separation
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /search.
lines 17
api/routers/search.py:17 (2 hits)
high Security checks security auth conf 0.66 2 occurrences [AUC004] Admin route does not show super_admin separation
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: PUT /settings.
lines 31
api/routers/settings.py:31 (2 hits)
high Security checks security auth conf 0.68 2 occurrences [AUC009] Sensitive function route lacks elevated authorization evidence
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /commands/jobs/{job_id}.
lines 108
api/routers/commands.py:108 (2 hits)
high Security checks security auth conf 0.68 2 occurrences [AUC009] Sensitive function route lacks elevated authorization evidence
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /episode-profiles/{profile_id}.
lines 165
api/routers/episode_profiles.py:165 (2 hits)
high Security checks security auth conf 0.68 2 occurrences [AUC009] Sensitive function route lacks elevated authorization evidence
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /insights/{insight_id}.
lines 37
api/routers/insights.py:37 (2 hits)
high Security checks security auth conf 0.68 2 occurrences [AUC009] Sensitive function route lacks elevated authorization evidence
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /models/{model_id}.
lines 252
api/routers/models.py:252 (2 hits)
high Security checks security auth conf 0.68 2 occurrences [AUC009] Sensitive function route lacks elevated authorization evidence
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /podcasts/episodes/{episode_id}.
lines 272
api/routers/podcasts.py:272 (2 hits)
high Security checks security auth conf 0.68 2 occurrences [AUC009] Sensitive function route lacks elevated authorization evidence
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /sources/{source_id}.
lines 946
api/routers/sources.py:946 (2 hits)
high Security checks security auth conf 0.68 2 occurrences [AUC009] Sensitive function route lacks elevated authorization evidence
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /speaker-profiles/{profile_id}.
lines 135
api/routers/speaker_profiles.py:135 (2 hits)
high Security checks security auth conf 0.68 2 occurrences [AUC009] Sensitive function route lacks elevated authorization evidence
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /transformations/{transformation_id}.
lines 235
api/routers/transformations.py:235 (2 hits)
high Security checks security auth conf 0.68 2 occurrences [AUC009] Sensitive function route lacks elevated authorization evidence
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /{credential_id}.
lines 259
api/routers/credentials.py:259 (2 hits)
high Security checks security auth conf 0.68 2 occurrences [AUC009] Sensitive function route lacks elevated authorization evidence
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /notebooks/{notebook_id}/context.
lines 12
api/routers/context.py:12 (2 hits)
medium Security checks security auth conf 0.72 2 occurrences [AUC012] FastAPI interactive docs may be exposed by framework defaults
FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements.
2 occurrences
repo-level (2 hits)
low Security checks quality Error handling conf 1.00 2 occurrences [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.
lines 62
api/routers/languages.py:62 (2 hits)
medium Security checks software dependencies conf 0.88 2 occurrences aiohttp: GHSA-hg6j-4rv6-33pg
AIOHTTP is vulnerable to cross-origin redirect with per-request cookies
2 occurrences
uv.lock (2 hits)
medium Security checks software dependencies conf 0.88 2 occurrences aiohttp: GHSA-jg22-mg44-37j8
AIOHTTP is Vulnerable to Deserialization of Untrusted Data
2 occurrences
uv.lock (2 hits)
medium Security checks software dependencies conf 0.88 2 occurrences ajv: GHSA-2g4f-4pwh-qvx6
ajv has ReDoS when using `$data` option
2 occurrences
frontend/package-lock.json (2 hits)
medium Security checks software dependencies conf 0.88 2 occurrences brace-expansion: GHSA-f886-m6hf-6m8v
brace-expansion: Zero-step sequence causes process hang and memory exhaustion
2 occurrences
frontend/package-lock.json (2 hits)
low Security checks quality Error handling conf 0.55 ✓ Repobility 32 occurrences Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
11 files, 32 locations
open_notebook/ai/connection_tester.py:93, 128, 167 (6 hits)
api/routers/podcasts.py:106, 158 (4 hits)
open_notebook/database/async_migrate.py:205, 215 (4 hits)
open_notebook/podcasts/models.py:241, 259 (4 hits)
api/credentials_service.py:338 (2 hits)
api/routers/chat.py:450 (2 hits)
api/routers/commands.py:150 (2 hits)
api/routers/context.py:41 (2 hits)
Error handling · quality
high Security checks cicd CI/CD security conf 0.82 4 occurrences Docker final stage has no non-root USER
Docker images run as root unless the image or Dockerfile switches to a non-root user.
2 files, 4 locations
Dockerfile:68 (2 hits)
Dockerfile.single:54 (2 hits)
CI/CD security · containers
medium Security checks cicd CI/CD security conf 0.76 6 occurrences Dockerfile copies broad context with incomplete .dockerignore
COPY . or ADD . is safer when .dockerignore excludes secrets, git history, keys, and generated artifacts.
2 files, 6 locations
Dockerfile:44, 90 (4 hits)
Dockerfile.single:75 (2 hits)
CI/CD security · containers
medium Security checks cicd CI/CD security conf 0.90 2 occurrences Dockerfile installs dependencies after copying the full source tree
When dependency installation comes after COPY ., any source change invalidates the dependency layer and makes Docker rebuild much more slowly.
lines 56
Dockerfile:56 (2 hits)
CI/CD security · containers
medium Security checks software dependencies conf 0.88 2 occurrences langgraph: GHSA-g48c-2wqr-h844
LangGraph checkpoint loading has unsafe msgpack deserialization
2 occurrences
uv.lock (2 hits)
medium Security checks quality Quality conf 1.00 ✓ Repobility 2 occurrences Mutable default argument in `relate` (dict)
`def relate(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
lines 217
open_notebook/domain/base.py:217 (2 hits)
medium Security checks software dependencies conf 0.90 2 occurrences npm package `react-markdown` is 1 major version(s) behind (9.0.3 -> 10.1.0)
`react-markdown` is pinned/resolved at 9.0.3 but the latest stable release on the npm registry is 10.1.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
2 occurrences
frontend/package.json (2 hits)
medium Security checks software dependencies conf 0.88 2 occurrences pillow: GHSA-5xmw-vc9v-4wf2
Pillow has a heap buffer overflow with nested list coordinates
2 occurrences
uv.lock (2 hits)
medium Security checks software dependencies conf 0.88 2 occurrences pillow: GHSA-r73j-pqj5-w3x7
Pillow has a PDF Parsing Trailer Infinite Loop (DoS)
2 occurrences
uv.lock (2 hits)
medium Security checks software dependencies conf 0.88 2 occurrences postcss: GHSA-qx2v-qp2m-jg93
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output
2 occurrences
frontend/package-lock.json (2 hits)
medium Security checks quality Quality conf 0.78 2 occurrences Public web service has no security.txt
security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt.
2 occurrences
.well-known/security.txt (2 hits)
high Security checks software dependencies conf 0.70 2 occurrences Remote install command pipes network code directly to a shell
Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified.
lines 11
docs/1-INSTALLATION/from-source.md:11 (2 hits)
medium Security checks software dependencies conf 0.88 2 occurrences ws: GHSA-58qx-3vcg-4xpx
ws: Uninitialized memory disclosure
2 occurrences
frontend/package-lock.json (2 hits)
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — frontend/src/app/layout.tsx:27
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — frontend/src/components/podcasts/EpisodeCard.tsx:183
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — frontend/src/lib/api/source-chat.ts:71
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph hardware Security conf 1.00 Dockerfile runs as root: Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph cicd CI/CD security conf 1.00 19 occurrences GitHub Action is tag-pinned rather than SHA-pinned
docker/setup-buildx-action@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
3 files, 19 locations
.github/workflows/build-and-release.yml:70, 73, 81, 129, 161, 164, 172, 220 (8 hits)
.github/workflows/build-dev.yml:93, 97, 105, 138, 172, 175, 183, 206 (8 hits)
.github/workflows/test.yml:25 (3 hits)
CI/CD security · Supply chain · GitHub Actions
medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/build-and-release.yml · CI/CD security · Supply chain · Github actions
medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/build-dev.yml · CI/CD security · Supply chain · Github actions
medium System graph security security conf 1.00 Insecure pattern 'cors_wildcard' in api/main.py:63
Found a known-risky pattern (cors_wildcard). Review and replace if possible.
api/main.py:63 · Cors wildcard
medium System graph security security conf 1.00 Insecure pattern 'dangerous_innerhtml' in frontend/src/app/layout.tsx:27
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
frontend/src/app/layout.tsx:27 · Dangerous innerhtml
medium System graph security Coverage conf 1.00 No auth library detected
The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.
auth
medium System graph quality Tests conf 1.00 Very low test-to-source ratio
25 test file(s) for 275 source file(s) (ratio 0.09). Consider adding integration or unit tests for critical paths.
Coverage
low Security checks cicd CI/CD security conf 0.72 2 occurrences .dockerignore misses sensitive defaults
.dockerignore exists but does not cover common secret or VCS patterns.
2 occurrences
.dockerignore (2 hits)
CI/CD security · containers
low Security checks software dependencies conf 0.88 2 occurrences @eslint/plugin-kit: GHSA-xffm-g5w8-qvg7
@eslint/plugin-kit is vulnerable to Regular Expression Denial of Service attacks through ConfigCommentParser
2 occurrences
frontend/package-lock.json (2 hits)
high Security checks cicd CI/CD security conf 0.56 2 occurrences Compose service does not declare a runtime user
If the image does not define USER internally, this service may run as root.
lines 14
docker-compose.yml:14 (2 hits)
CI/CD security · containers
high Security checks cicd CI/CD security conf 0.62 4 occurrences Compose service lacks no-new-privileges hardening
no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities.
lines 1, 14
docker-compose.yml:1, 14 (4 hits)
CI/CD security · containers
low Security checks cicd CI/CD security conf 0.72 2 occurrences Dockerfile installs recommended OS packages
Installing recommended packages often pulls in unnecessary runtime surface area.
lines 57
Dockerfile.single:57 (2 hits)
CI/CD security · containers
low Security checks quality Quality conf 0.60 34 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
12 files, 26 locations
frontend/src/components/podcasts/SpeakerProfilesPanel.tsx:11, 13 (4 hits)
api/notes_service.py:30 (2 hits)
api/podcast_service.py:88 (2 hits)
api/routers/context.py:19 (2 hits)
frontend/src/components/podcasts/EpisodeProfilesPanel.tsx:11 (2 hits)
frontend/src/components/podcasts/forms/SpeakerProfileFormDialog.tsx:121 (2 hits)
frontend/src/components/search/StreamingResponse.tsx:161 (2 hits)
frontend/src/components/source/ChatPanel.tsx:325 (2 hits)
duplication · quality
low Security checks software dependencies conf 0.90 2 occurrences npm package `@hookform/resolvers` is minor version(s) behind (5.1.1 -> 5.4.0)
`@hookform/resolvers` is pinned/resolved at 5.1.1 but the latest stable release on the npm registry is 5.4.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
2 occurrences
frontend/package.json (2 hits)
low Security checks software dependencies conf 0.90 2 occurrences npm package `@tanstack/react-query` is minor version(s) behind (5.83.0 -> 5.101.0)
`@tanstack/react-query` is pinned/resolved at 5.83.0 but the latest stable release on the npm registry is 5.101.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
2 occurrences
frontend/package.json (2 hits)
low Security checks software dependencies conf 0.90 2 occurrences npm package `@types/react-dom` is minor version(s) behind (19.1.6 -> 19.2.3)
`@types/react-dom` is pinned/resolved at 19.1.6 but the latest stable release on the npm registry is 19.2.3 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
2 occurrences
frontend/package.json (2 hits)
low Security checks software dependencies conf 0.90 2 occurrences npm package `@uiw/react-md-editor` is minor version(s) behind (4.0.8 -> 4.1.1)
`@uiw/react-md-editor` is pinned/resolved at 4.0.8 but the latest stable release on the npm registry is 4.1.1 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
2 occurrences
frontend/package.json (2 hits)
low Security checks software dependencies conf 0.90 2 occurrences npm package `axios` is minor version(s) behind (1.16.0 -> 1.17.0)
`axios` is pinned/resolved at 1.16.0 but the latest stable release on the npm registry is 1.17.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
2 occurrences
frontend/package.json (2 hits)
low Security checks software dependencies conf 0.90 2 occurrences npm package `tailwind-merge` is minor version(s) behind (3.3.1 -> 3.6.0)
`tailwind-merge` is pinned/resolved at 3.3.1 but the latest stable release on the npm registry is 3.6.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
2 occurrences
frontend/package.json (2 hits)
low Security checks software dependencies conf 0.90 2 occurrences npm package `use-debounce` is minor version(s) behind (10.0.6 -> 10.1.1)
`use-debounce` is pinned/resolved at 10.0.6 but the latest stable release on the npm registry is 10.1.1 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
2 occurrences
frontend/package.json (2 hits)
low System graph quality Integrity conf 1.00 47 env vars used in code but missing from .env.example
Drift between code and config docs. The first few: `ANTHROPIC_API_KEY`, `API_BASE_URL`, `API_CLIENT_TIMEOUT`, `API_HOST`, `API_PORT`, `API_RELOAD`, `API_URL`, `AZURE_OPENAI_API_KEY` + 39 more. Add them (with a placeholder/comment) to .env.example so onboarding doesn't break.
config drift
low System graph hardware Coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
Deployment
low System graph hardware Supply chain conf 1.00 2 occurrences Docker base image is tag-pinned but not digest-pinned: python:3.12-slim-bookworm
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
lines 2, 68
Dockerfile:2, 68 (2 hits)
containers · Pinned dependencies
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/next.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/components/common/ConfirmDialog.test.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/components/layout/AppSidebar.test.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/components/ui/accordion.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/components/ui/alert.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/components/ui/markdown-editor.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/lib/api/chat.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/lib/api/client.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/lib/api/credentials.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/lib/api/embedding.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/lib/api/insights.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/lib/api/models.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/lib/api/notebooks.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/lib/api/notes.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/lib/api/query-client.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/lib/api/search.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/lib/api/settings.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/lib/api/source-chat.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/lib/api/sources.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/lib/api/transformations.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/lib/config.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/lib/hooks/use-modal-manager.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/lib/i18n.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/lib/stores/auth-store.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/lib/stores/navigation-store.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/lib/stores/notebook-columns-store.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/lib/stores/sidebar-store.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/lib/theme-script.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/lib/types/api.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/lib/types/auth.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/lib/types/common.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/lib/types/config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/lib/types/models.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/lib/types/search.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/lib/types/transformations.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/test/jest-dom.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/start-server.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/tailwind.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/vitest.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: open_notebook/config.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: run_api.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/conftest.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph quality Integrity conf 1.00 19 occurrences Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: api/chat_service.py:get_sessions, api/chat_service.py:get_session. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
19 occurrences
repo-level (19 hits)
duplicates · duplication
low System graph quality Integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: api/client.py:get_notebooks, api/client.py:get_notebook, api/client.py:get_note. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
duplicates · duplication
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `convertSourceReferencesLegacy` in frontend/src/lib/utils/source-references.tsx:482
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `eleven_multilingual_v2` in api/credentials_service.py:509
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `eleven_multilingual_v2` in open_notebook/ai/connection_tester.py:28
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `eleven_multilingual_v2` in open_notebook/ai/model_discovery.py:533
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `model_copy` in open_notebook/graphs/chat.py:78
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `model_copy` in open_notebook/graphs/source_chat.py:178
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `scribe_v1` in tests/test_credentials_api.py:269
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph software Dead code conf 1.00 Possibly dead Python function: ask_knowledge_base
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
api/search_service.py:40
low System graph software Dead code conf 1.00 Possibly dead Python function: check_api_password
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
api/auth.py:82
low System graph software Dead code conf 1.00 Possibly dead Python function: create_session
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
api/chat_service.py:39
low System graph software Dead code conf 1.00 Possibly dead Python function: create_source_async
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
api/sources_service.py:224
low System graph software Dead code conf 1.00 Possibly dead Python function: create_speaker_profile
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
api/podcast_api_service.py:83
low System graph software Dead code conf 1.00 Possibly dead Python function: delete_episode
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
api/podcast_api_service.py:25
low System graph software Dead code conf 1.00 Possibly dead Python function: delete_session
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
api/chat_service.py:110
low System graph software Dead code conf 1.00 Possibly dead Python function: delete_speaker_profile
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
api/podcast_api_service.py:103
low System graph software Dead code conf 1.00 Possibly dead Python function: duplicate_episode_profile
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
api/podcast_api_service.py:66
low System graph software Dead code conf 1.00 Possibly dead Python function: duplicate_speaker_profile
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
api/podcast_api_service.py:112
low System graph software Dead code conf 1.00 Possibly dead Python function: execute_chat
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
api/chat_service.py:124
low System graph software Dead code conf 1.00 Possibly dead Python function: is_source_processing_complete
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
api/sources_service.py:267
low System graph software Dead code conf 1.00 Possibly dead Python function: migrate_from_env
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
api/credentials_service.py:826
low System graph software Dead code conf 1.00 Possibly dead Python function: migrate_from_provider_config
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
api/credentials_service.py:718
low System graph software Dead code conf 1.00 Possibly dead Python function: test_credential
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
api/credentials_service.py:365
low System graph software Dead code conf 1.00 Possibly dead Python function: update_session
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
api/chat_service.py:79
low System graph software Dead code conf 1.00 Possibly dead Python function: update_speaker_profile
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
api/podcast_api_service.py:92
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — frontend/next.config.ts:24
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — frontend/src/app/config/route.ts:53
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — frontend/src/lib/config.ts:63
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph api Wiring conf 1.00 Unused endpoint: DELETE /api/commands/jobs/{job_id}
`api/routers/commands.py` declares `DELETE /api/commands/jobs/{job_id}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: DELETE /api/episode-profiles/{profile_id}
`api/routers/episode_profiles.py` declares `DELETE /api/episode-profiles/{profile_id}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: DELETE /api/insights/{insight_id}
`api/routers/insights.py` declares `DELETE /api/insights/{insight_id}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: DELETE /api/podcasts/episodes/{episode_id}
`api/routers/podcasts.py` declares `DELETE /api/podcasts/episodes/{episode_id}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: DELETE /api/speaker-profiles/{profile_id}
`api/routers/speaker_profiles.py` declares `DELETE /api/speaker-profiles/{profile_id}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: DELETE /models/{model_id}
`api/routers/models.py` declares `DELETE /models/{model_id}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /
`api/main.py` declares `GET /` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/commands/jobs
`api/routers/commands.py` declares `GET /api/commands/jobs` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/commands/jobs/{job_id}
`api/routers/commands.py` declares `GET /api/commands/jobs/{job_id}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/commands/registry/debug
`api/routers/commands.py` declares `GET /api/commands/registry/debug` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/episode-profiles
`api/routers/episode_profiles.py` declares `GET /api/episode-profiles` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/episode-profiles/{profile_name}
`api/routers/episode_profiles.py` declares `GET /api/episode-profiles/{profile_name}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consu…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/insights/{insight_id}
`api/routers/insights.py` declares `GET /api/insights/{insight_id}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/podcasts/episodes
`api/routers/podcasts.py` declares `GET /api/podcasts/episodes` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/podcasts/episodes/{episode_id}
`api/routers/podcasts.py` declares `GET /api/podcasts/episodes/{episode_id}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/podcasts/episodes/{episode_id}/audio
`api/routers/podcasts.py` declares `GET /api/podcasts/episodes/{episode_id}/audio` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/podcasts/jobs/{job_id}
`api/routers/podcasts.py` declares `GET /api/podcasts/jobs/{job_id}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/speaker-profiles
`api/routers/speaker_profiles.py` declares `GET /api/speaker-profiles` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/speaker-profiles/{profile_name}
`api/routers/speaker_profiles.py` declares `GET /api/speaker-profiles/{profile_name}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consu…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/transformations
`api/routers/transformations.py` declares `GET /api/transformations` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/transformations/default-prompt
`api/routers/transformations.py` declares `GET /api/transformations/default-prompt` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consume…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /models
`api/routers/models.py` declares `GET /models` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /models/by-provider/{provider}
`api/routers/models.py` declares `GET /models/by-provider/{provider}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /models/count/{provider}
`api/routers/models.py` declares `GET /models/count/{provider}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /models/defaults
`api/routers/models.py` declares `GET /models/defaults` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /models/discover/{provider}
`api/routers/models.py` declares `GET /models/discover/{provider}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /models/providers
`api/routers/models.py` declares `GET /models/providers` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /api/commands/jobs
`api/routers/commands.py` declares `POST /api/commands/jobs` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /api/embeddings/embed
`api/routers/embedding.py` declares `POST /api/embeddings/embed` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /api/episode-profiles
`api/routers/episode_profiles.py` declares `POST /api/episode-profiles` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /api/episode-profiles/{profile_id}/duplicate
`api/routers/episode_profiles.py` declares `POST /api/episode-profiles/{profile_id}/duplicate` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting …
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /api/insights/{insight_id}/save-as-note
`api/routers/insights.py` declares `POST /api/insights/{insight_id}/save-as-note` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes …
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /api/notebooks/{notebook_id}/context
`api/routers/context.py` declares `POST /api/notebooks/{notebook_id}/context` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint

Showing the first 300 of 325 findings.

API access

This page is publicly accessible at: https://repobility.com/scan/6acf376e-b59e-454e-a3e7-70f3dcebe5a4/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/6acf376e-b59e-454e-a3e7-70f3dcebe5a4/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.