Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo

DanOps-1/Gpt-Agreement-Payment

https://github.com/DanOps-1/Gpt-Agreement-Payment · scanned 2026-05-17 01:36 UTC (13 hours, 46 minutes ago) · 10 languages

249 findings (16 legacy + 233 scanner) 84th percentile · Python · medium (20-100K LoC) Scanner says 68 (higher by 12)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 13 hours, 45 minutes ago · v2 · 132 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

JSON
Combined
70.2
/100
Repobility
73
16 legacy
9-layer
68
100.0% cov · 116 gaps
Critical
0
click to filter
Agents
6
0 votes
Crowd
0
reported
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 0 High 31 Medium 5 Low 94 Source: Legacy 16 9-layer 116 Crowd 0 Layer: Security 28 Quality 32 Software 31 Frontend 2 Cicd 2 Api 37
Scan summary Repository scanned at 67.5/100 with 100.0% coverage. It contains 1435 nodes across 30 cross-layer flows, written primarily in mixed languages. Engine surfaced 116 findings — concentrated in api (37), software (28), quality (24). Risk profile is high: 0 critical, 22 high, 1 medium. Recommended next step: open the api layer findings first — that's where the highest-impact wins live.

Showing 132 of 132 findings. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

high Legacy security injection conf 0.50 [SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection.
Use parameterized queries: c.execute('SELECT * FROM t WHERE id = ?', [id]). For dynamic table or column names, choose identifiers from a hard-coded allowlist and keep values in parameters.
webui/backend/db.py:200 injectionlegacy
high Legacy security credential_exposure conf 0.85 [SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting.
Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs.
CTF-reg/sentinel_v1_legacy.py:123 credential_exposurelegacy
high Legacy security credential_exposure conf 0.92 [SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting.
Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs.
CTF-reg/browser_register.py:152 credential_exposurelegacy
high Legacy software ssrf conf 1.00 [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches.
Validate the URL against an allowlist BEFORE fetching: ALLOWED = {'images.example.com', 'cdn.example.com'} host = urlparse(url).hostname if host not in ALLOWED: abort(400) Or use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request h…
CTF-reg/auth_flow.py:472 ssrflegacy
high Legacy software ssrf conf 1.00 [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches.
Validate the URL against an allowlist BEFORE fetching: ALLOWED = {'images.example.com', 'cdn.example.com'} host = urlparse(url).hostname if host not in ALLOWED: abort(400) Or use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request h…
CTF-pay/hcaptcha_auto_solver.py:101 ssrflegacy
high Legacy software ssrf conf 1.00 [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches.
Validate the URL against an allowlist BEFORE fetching: ALLOWED = {'images.example.com', 'cdn.example.com'} host = urlparse(url).hostname if host not in ALLOWED: abort(400) Or use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request h…
CTF-pay/card.py:3351 ssrflegacy
high 9-layer security auth conf 1.00 FastAPI POST `auto_setup` without auth dependency — webui/backend/routes/cloudflare_kv.py:60
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
webui/backend/routes/cloudflare_kv.py:60 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `check_accounts` without auth dependency — webui/backend/routes/inventory.py:84
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
webui/backend/routes/inventory.py:84 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `cpa_push` without auth dependency — webui/backend/routes/inventory.py:115
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
webui/backend/routes/inventory.py:115 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `delete_accounts` without auth dependency — webui/backend/routes/inventory.py:105
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
webui/backend/routes/inventory.py:105 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `export` without auth dependency — webui/backend/routes/config.py:26
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
webui/backend/routes/config.py:26 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `ingest_otp` without auth dependency — webui/backend/routes/whatsapp.py:93
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
webui/backend/routes/whatsapp.py:93 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `preview` without auth dependency — webui/backend/routes/run.py:111
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
webui/backend/routes/run.py:111 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `rotate_ip` without auth dependency — webui/backend/routes/proxy.py:70
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
webui/backend/routes/proxy.py:70 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `run_check` without auth dependency — webui/backend/routes/preflight.py:30
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
webui/backend/routes/preflight.py:30 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `set_state` without auth dependency — webui/backend/routes/wizard.py:36
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
webui/backend/routes/wizard.py:36 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `setup` without auth dependency — webui/backend/routes/setup.py:19
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
webui/backend/routes/setup.py:19 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `sidecar_state` without auth dependency — webui/backend/routes/whatsapp.py:68
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
webui/backend/routes/whatsapp.py:68 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `start` without auth dependency — webui/backend/routes/auto_loop.py:24
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
webui/backend/routes/auto_loop.py:24 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `start` without auth dependency — webui/backend/routes/run.py:38
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
webui/backend/routes/run.py:38 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `start` without auth dependency — webui/backend/routes/whatsapp.py:42
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
webui/backend/routes/whatsapp.py:42 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `stop` without auth dependency — webui/backend/routes/auto_loop.py:32
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
webui/backend/routes/auto_loop.py:32 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `stop` without auth dependency — webui/backend/routes/run.py:59
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
webui/backend/routes/run.py:59 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `stop` without auth dependency — webui/backend/routes/whatsapp.py:58
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
webui/backend/routes/whatsapp.py:58 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `submit_otp` without auth dependency — webui/backend/routes/run.py:64
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
webui/backend/routes/run.py:64 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `update_settings` without auth dependency — webui/backend/routes/whatsapp.py:50
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
webui/backend/routes/whatsapp.py:50 authowaspauth.fastapi.unauth_mutation
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in CTF-pay/hcaptcha_auto_solver.py:71
Found a known-risky pattern (eval_used). Review and replace if possible.
CTF-pay/hcaptcha_auto_solver.py:71 owaspeval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in CTF-reg/openai_sentinel_quickjs.js:353
Found a known-risky pattern (eval_used). Review and replace if possible.
CTF-reg/openai_sentinel_quickjs.js:353 owaspeval_used
high Legacy quality error_handling conf 1.00 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.
CTF-pay/hcaptcha_auto_solver.py:3042 error_handlinglegacy
high Legacy quality error_handling conf 1.00 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.
CTF-pay/gopay.py:162 error_handlinglegacy
high Legacy quality error_handling conf 1.00 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.
CTF-pay/card.py:158 error_handlinglegacy
medium Legacy security injection conf 0.50 [SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.
Use subprocess with shell=False and a list of args. Never eval user input.
CTF-reg/auth_flow.py:874 injectionlegacy
medium Legacy security path_traversal conf 1.00 [SEC012] ZipSlip — Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory.
Validate extracted paths with os.path.realpath() and ensure they stay within the target directory.
webui/backend/wa_relay.py:81 path_traversallegacy
medium Legacy quality quality conf 0.73 Codex session log reader may expose prompts or tool-call content
Codex session JSONL files can contain prompts, tool events, paths, and operational metadata, not only token counts. Token dashboards and exporters should avoid retaining or sharing raw session text.
CTF-reg/auth_flow.py:174 qualitylegacy
medium Legacy quality quality conf 0.80 localStorage write failures are swallowed silently
localStorage quotas are small and writes can fail. Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota.
webui/frontend/src/views/Run.vue:575 qualitylegacy
medium 9-layer security owasp conf 1.00 Insecure pattern 'subprocess_shell_true' in CTF-reg/auth_flow.py:874
Found a known-risky pattern (subprocess_shell_true). Review and replace if possible.
CTF-reg/auth_flow.py:874 owaspsubprocess_shell_true
low Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
webui/frontend/src/views/Setup.vue:28 qualitylegacy
low Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
webui/frontend/src/components/steps/Step09_VLM.vue:13 qualitylegacy
low Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
webui/frontend/src/components/steps/Step08_Captcha.vue:12 qualitylegacy
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: webui/frontend/src/api/client.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: webui/frontend/src/main.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: webui/frontend/src/router.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: webui/frontend/src/tests/stores.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: webui/frontend/vite.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: webui/frontend/vitest.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-python@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci.yml:17 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-python@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci.yml:41 supply-chaingithub-actionspinned-dependencies
low 9-layer quality integrity conf 1.00 Legacy-named symbol `sentinel_v1_legacy` in CTF-reg/sentinel.py:7
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `wa_otp_legacy` in webui/backend/db.py:23
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: pipeline.py:list_subdomains, pipeline.py:list_subdomains This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: pipeline.py:provision, pipeline.py:provision This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: pipeline.py:delete_subdomain, pipeline.py:delete_subdomain This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: pipeline.py:pick, pipeline.py:pick This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: webui/server.py:spa_webui, webui/server.py:spa This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: webui/backend/link_state.py:mark_linked, webui/backend/link_state.py:mark_unlinked This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: CTF-reg/sentinel.py:fetch_sentinel_challenge, CTF-reg/sentinel.py:build_sentinel_token This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: CTF-reg/sentinel.py:get_sentinel_token, CTF-reg/sentinel_v1_legacy.py:get_sentinel_token This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: CTF-pay/card.py:create_paypal_payment_method, CTF-pay/card.py:create_gopay_payment_method This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: CTF-pay/hcaptcha_auto_solver.py:solve_hop_animals_cutout, CTF-pay/hcaptcha_auto_solver.py:solve_hop_animals This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why…
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: CTF-pay/hcaptcha_auto_solver.py:solve_hidden_under_reference, CTF-pay/hcaptcha_auto_solver.py:solve_road_completion, CTF-pay/hcaptcha_auto_solver.py:solve_dissolve_melt This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — se…
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 4 places
Functions with the same first-5-line body hash: CTF-pay/hcaptcha_auto_solver.py:solve_float_on_water, CTF-pay/hcaptcha_auto_solver.py:solve_hot_food, CTF-pay/hcaptcha_auto_solver.py:solve_shiny_thing, CTF-pay/hcaptcha_auto_solver.py:solve_kept_outside This is *the* AI-coder failure mode (4× more d…
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 4 places
Functions with the same first-5-line body hash: CTF-pay/gopay.py:provider, CTF-pay/gopay.py:provider, CTF-pay/gopay.py:provider, CTF-pay/gopay.py:provider This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why …
integrityduplicatedry
low 9-layer software dead-code conf 1.00 Possibly dead Python function: cli_otp_provider
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
CTF-pay/gopay.py:736 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: current_user
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
webui/backend/auth.py:5 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: current_user_optional
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
webui/backend/auth.py:14 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: decode_canvas_data_url
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
CTF-pay/hcaptcha_auto_solver.py:1057 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: do_GET
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
CTF-pay/whatsapp_otp_relay.py:214 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: do_GET
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
CTF-pay/local_mock_gateway.py:133 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: do_POST
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
CTF-pay/whatsapp_otp_relay.py:248 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: do_POST
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
CTF-pay/local_mock_gateway.py:187 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: do_POST
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
CTF-pay/card.py:3859 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: from_existing_credentials
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
CTF-reg/auth_flow.py:2524 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: is_cf_kv_backend_active
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
CTF-reg/cf_kv_otp_provider.py:277 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: log_message
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
CTF-pay/whatsapp_otp_relay.py:211 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: log_message
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
CTF-pay/local_mock_gateway.py:130 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: log_message
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
CTF-pay/card.py:3848 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: mark_fail
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pipeline.py:2744 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: run_protocol_login
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
CTF-reg/auth_flow.py:2346 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: run_register
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
CTF-reg/auth_flow.py:2102 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: runtime_counts
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
webui/backend/db.py:205 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: submit_apata_fingerprint
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
CTF-pay/card.py:3222 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: to_dict
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
CTF-reg/config.py:126 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: to_dict
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
CTF-reg/auth_flow.py:47 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: validate_account_by_id
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
webui/backend/account_validator.py:223 dead-code
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — scripts/otp_email_worker.js:95
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — webui/whatsapp_relay/index.js:147
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer quality integrity conf 1.00 Stub function `log_message` (body is just `pass`/`return`) — CTF-pay/card.py:3848
Likely an AI scaffold that was never filled in. Remove or implement.
integrityempty-handlerdead-code
low 9-layer quality integrity conf 1.00 Stub function `log_message` (body is just `pass`/`return`) — CTF-pay/local_mock_gateway.py:130
Likely an AI scaffold that was never filled in. Remove or implement.
integrityempty-handlerdead-code
low 9-layer api wiring conf 1.00 Unused endpoint: GET /
`webui/backend/routes/link_state.py` declares `GET /` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /accounts
`webui/backend/routes/inventory.py` declares `GET /accounts` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/healthz
`webui/server.py` declares `GET /api/healthz` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /current
`webui/backend/routes/proxy.py` declares `GET /current` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /ingest-info
`webui/backend/routes/whatsapp.py` declares `GET /ingest-info` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /latest-otp
`webui/backend/routes/whatsapp.py` declares `GET /latest-otp` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /latest-otp-session
`webui/backend/routes/whatsapp.py` declares `GET /latest-otp-session` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /logs
`webui/backend/routes/run.py` declares `GET /logs` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /me
`webui/backend/routes/auth.py` declares `GET /me` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /state
`webui/backend/routes/wizard.py` declares `GET /state` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /stream
`webui/backend/routes/run.py` declares `GET /stream` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /stripe
`webui/backend/routes/sniff.py` declares `GET /stripe` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /webui/{full_path:path}
`webui/server.py` declares `GET /webui/{full_path:path}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /wizard/state
`webui/frontend/src/stores/wizard.ts` declares `GET /wizard/state` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /{full_path:path}
`webui/server.py` declares `GET /{full_path:path}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /{phone}
`webui/backend/routes/link_state.py` declares `GET /{phone}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /
`webui/backend/routes/setup.py` declares `POST /` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /accounts/check
`webui/backend/routes/inventory.py` declares `POST /accounts/check` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /accounts/cpa-push
`webui/backend/routes/inventory.py` declares `POST /accounts/cpa-push` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /accounts/delete
`webui/backend/routes/inventory.py` declares `POST /accounts/delete` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /auto-setup
`webui/backend/routes/cloudflare_kv.py` declares `POST /auto-setup` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /export
`webui/backend/routes/config.py` declares `POST /export` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /ingest
`webui/backend/routes/whatsapp.py` declares `POST /ingest` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /login
`webui/backend/routes/auth.py` declares `POST /login` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /logout
`webui/backend/routes/auth.py` declares `POST /logout` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /otp
`webui/backend/routes/run.py` declares `POST /otp` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /preview
`webui/backend/routes/run.py` declares `POST /preview` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /rotate-ip
`webui/backend/routes/proxy.py` declares `POST /rotate-ip` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /set
`webui/backend/routes/link_state.py` declares `POST /set` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /settings
`webui/backend/routes/whatsapp.py` declares `POST /settings` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /sidecar/state
`webui/backend/routes/whatsapp.py` declares `POST /sidecar/state` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /start
`webui/backend/routes/whatsapp.py` declares `POST /start` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /state
`webui/backend/routes/wizard.py` declares `POST /state` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /stop
`webui/backend/routes/whatsapp.py` declares `POST /stop` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /unlink
`webui/backend/routes/link_state.py` declares `POST /unlink` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /wizard/state
`webui/frontend/src/stores/wizard.ts` declares `POST /wizard/state` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /{name}
`webui/backend/routes/preflight.py` declares `POST /{name}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer quality complexity conf 1.00 Very large file: CTF-pay/card.py (8865 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: CTF-pay/gopay.py (1310 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: CTF-pay/hcaptcha_auto_solver.py (4228 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: CTF-reg/auth_flow.py (2608 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: pipeline.py (3720 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
info 9-layer quality integrity conf 1.00 Commented-code block (5 lines) in CTF-reg/browser_register.py:271
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
integritycommented-codedead-code
info 9-layer quality integrity conf 1.00 Commented-code block (6 lines) in CTF-pay/card.py:2546
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
integritycommented-codedead-code
{# ── 2026-05-17 Round 14: AI-agent bridge footer ────────────────────── Discoverability: the /agents/voting/ guide + MCP manifest exist but aren't linked from anywhere users actually land. Small, opt-in footer. #}
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/6af2fc05-432f-4cf8-b415-4aa1a7b84868/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/6af2fc05-432f-4cf8-b415-4aa1a7b84868/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.