
DanOps-1/Gpt-Agreement-Payment

https://github.com/DanOps-1/Gpt-Agreement-Payment · scanned 2026-05-17 01:36 UTC (15 hours, 47 minutes ago) · 10 languages

249 findings (16 legacy + 233 scanner) · 82nd percentile · Python · medium (20-100K LoC) · Scanner says 68 (higher by 12)

UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 15 hours, 46 minutes ago · v2 · 132 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

Active filters: source: scanner · excluding tests

Severity: Critical 0 · High 31 · Medium 5 · Low 94
Source: Legacy 16 · 9-layer 116 · Crowd 0
Layer: Security 28 · Quality 32 · Software 31 · Frontend 2 · Cicd 2 · Api 37

Scan summary: Repository scanned at 67.5/100 with 100.0% coverage. It contains 1435 nodes across 30 cross-layer flows, written primarily in mixed languages. Engine surfaced 116 findings — concentrated in api (37), software (28), quality (24). Risk profile is high: 0 critical, 22 high, 1 medium. Recommended next step: open the api layer findings first — that's where the highest-impact wins live.

Showing 116 of 132 findings.

high 9-layer security auth conf 1.00 FastAPI POST `auto_setup` without auth dependency — webui/backend/routes/cloudflare_kv.py:60
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
webui/backend/routes/cloudflare_kv.py:60 · auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `check_accounts` without auth dependency — webui/backend/routes/inventory.py:84
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
webui/backend/routes/inventory.py:84 · auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `cpa_push` without auth dependency — webui/backend/routes/inventory.py:115
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
webui/backend/routes/inventory.py:115 · auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `delete_accounts` without auth dependency — webui/backend/routes/inventory.py:105
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
webui/backend/routes/inventory.py:105 · auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `export` without auth dependency — webui/backend/routes/config.py:26
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
webui/backend/routes/config.py:26 · auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `ingest_otp` without auth dependency — webui/backend/routes/whatsapp.py:93
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
webui/backend/routes/whatsapp.py:93 · auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `preview` without auth dependency — webui/backend/routes/run.py:111
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
webui/backend/routes/run.py:111 · auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `rotate_ip` without auth dependency — webui/backend/routes/proxy.py:70
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
webui/backend/routes/proxy.py:70 · auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `run_check` without auth dependency — webui/backend/routes/preflight.py:30
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
webui/backend/routes/preflight.py:30 · auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `set_state` without auth dependency — webui/backend/routes/wizard.py:36
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
webui/backend/routes/wizard.py:36 · auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `setup` without auth dependency — webui/backend/routes/setup.py:19
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
webui/backend/routes/setup.py:19 · auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `sidecar_state` without auth dependency — webui/backend/routes/whatsapp.py:68
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
webui/backend/routes/whatsapp.py:68 · auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `start` without auth dependency — webui/backend/routes/auto_loop.py:24
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
webui/backend/routes/auto_loop.py:24 · auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `start` without auth dependency — webui/backend/routes/run.py:38
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
webui/backend/routes/run.py:38 · auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `start` without auth dependency — webui/backend/routes/whatsapp.py:42
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
webui/backend/routes/whatsapp.py:42 · auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `stop` without auth dependency — webui/backend/routes/auto_loop.py:32
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
webui/backend/routes/auto_loop.py:32 · auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `stop` without auth dependency — webui/backend/routes/run.py:59
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
webui/backend/routes/run.py:59 · auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `stop` without auth dependency — webui/backend/routes/whatsapp.py:58
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
webui/backend/routes/whatsapp.py:58 · auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `submit_otp` without auth dependency — webui/backend/routes/run.py:64
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
webui/backend/routes/run.py:64 · auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `update_settings` without auth dependency — webui/backend/routes/whatsapp.py:50
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
webui/backend/routes/whatsapp.py:50 · auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in CTF-pay/hcaptcha_auto_solver.py:71
Found a known-risky pattern (eval_used). Review and replace if possible.
CTF-pay/hcaptcha_auto_solver.py:71 · owasp · eval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in CTF-reg/openai_sentinel_quickjs.js:353
Found a known-risky pattern (eval_used). Review and replace if possible.
CTF-reg/openai_sentinel_quickjs.js:353 · owasp · eval_used
medium 9-layer security owasp conf 1.00 Insecure pattern 'subprocess_shell_true' in CTF-reg/auth_flow.py:874
Found a known-risky pattern (subprocess_shell_true). Review and replace if possible.
CTF-reg/auth_flow.py:874 · owasp · subprocess_shell_true
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: webui/frontend/src/api/client.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: webui/frontend/src/main.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: webui/frontend/src/router.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: webui/frontend/src/tests/stores.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: webui/frontend/vite.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: webui/frontend/vitest.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-python@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci.yml:17 · supply-chain · github-actions · pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-python@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci.yml:41 · supply-chain · github-actions · pinned-dependencies
low 9-layer quality integrity conf 1.00 Legacy-named symbol `sentinel_v1_legacy` in CTF-reg/sentinel.py:7
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `wa_otp_legacy` in webui/backend/db.py:23
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: pipeline.py:list_subdomains, pipeline.py:list_subdomains. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: pipeline.py:provision, pipeline.py:provision. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: pipeline.py:delete_subdomain, pipeline.py:delete_subdomain. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: pipeline.py:pick, pipeline.py:pick. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: webui/server.py:spa_webui, webui/server.py:spa. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: webui/backend/link_state.py:mark_linked, webui/backend/link_state.py:mark_unlinked. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: CTF-reg/sentinel.py:fetch_sentinel_challenge, CTF-reg/sentinel.py:build_sentinel_token. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: CTF-reg/sentinel.py:get_sentinel_token, CTF-reg/sentinel_v1_legacy.py:get_sentinel_token. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: CTF-pay/card.py:create_paypal_payment_method, CTF-pay/card.py:create_gopay_payment_method. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: CTF-pay/hcaptcha_auto_solver.py:solve_hop_animals_cutout, CTF-pay/hcaptcha_auto_solver.py:solve_hop_animals. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: CTF-pay/hcaptcha_auto_solver.py:solve_hidden_under_reference, CTF-pay/hcaptcha_auto_solver.py:solve_road_completion, CTF-pay/hcaptcha_auto_solver.py:solve_dissolve_melt. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — se…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 4 places
Functions with the same first-5-line body hash: CTF-pay/hcaptcha_auto_solver.py:solve_float_on_water, CTF-pay/hcaptcha_auto_solver.py:solve_hot_food, CTF-pay/hcaptcha_auto_solver.py:solve_shiny_thing, CTF-pay/hcaptcha_auto_solver.py:solve_kept_outside. This is *the* AI-coder failure mode (4× more d…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 4 places
Functions with the same first-5-line body hash: CTF-pay/gopay.py:provider, CTF-pay/gopay.py:provider, CTF-pay/gopay.py:provider, CTF-pay/gopay.py:provider. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why …
integrity · duplicate · dry
low 9-layer software dead-code conf 1.00 Possibly dead Python function: cli_otp_provider
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
CTF-pay/gopay.py:736 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: current_user
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
webui/backend/auth.py:5 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: current_user_optional
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
webui/backend/auth.py:14 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: decode_canvas_data_url
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
CTF-pay/hcaptcha_auto_solver.py:1057 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: do_GET
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
CTF-pay/whatsapp_otp_relay.py:214 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: do_GET
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
CTF-pay/local_mock_gateway.py:133 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: do_POST
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
CTF-pay/whatsapp_otp_relay.py:248 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: do_POST
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
CTF-pay/local_mock_gateway.py:187 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: do_POST
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
CTF-pay/card.py:3859 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: from_existing_credentials
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
CTF-reg/auth_flow.py:2524 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: is_cf_kv_backend_active
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
CTF-reg/cf_kv_otp_provider.py:277 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: log_message
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
CTF-pay/whatsapp_otp_relay.py:211 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: log_message
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
CTF-pay/local_mock_gateway.py:130 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: log_message
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
CTF-pay/card.py:3848 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: mark_fail
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pipeline.py:2744 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: run_protocol_login
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
CTF-reg/auth_flow.py:2346 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: run_register
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
CTF-reg/auth_flow.py:2102 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: runtime_counts
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
webui/backend/db.py:205 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: submit_apata_fingerprint
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
CTF-pay/card.py:3222 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: to_dict
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
CTF-reg/config.py:126 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: to_dict
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
CTF-reg/auth_flow.py:47 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: validate_account_by_id
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
webui/backend/account_validator.py:223 dead-code
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — scripts/otp_email_worker.js:95
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — webui/whatsapp_relay/index.js:147
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer quality integrity conf 1.00 Stub function `log_message` (body is just `pass`/`return`) — CTF-pay/card.py:3848
Likely an AI scaffold that was never filled in. Remove or implement.
integrity · empty-handler · dead-code
low 9-layer quality integrity conf 1.00 Stub function `log_message` (body is just `pass`/`return`) — CTF-pay/local_mock_gateway.py:130
Likely an AI scaffold that was never filled in. Remove or implement.
integrity · empty-handler · dead-code
low 9-layer api wiring conf 1.00 Unused endpoint: GET /
`webui/backend/routes/link_state.py` declares `GET /` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /accounts
`webui/backend/routes/inventory.py` declares `GET /accounts` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/healthz
`webui/server.py` declares `GET /api/healthz` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /current
`webui/backend/routes/proxy.py` declares `GET /current` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /ingest-info
`webui/backend/routes/whatsapp.py` declares `GET /ingest-info` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /latest-otp
`webui/backend/routes/whatsapp.py` declares `GET /latest-otp` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /latest-otp-session
`webui/backend/routes/whatsapp.py` declares `GET /latest-otp-session` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /logs
`webui/backend/routes/run.py` declares `GET /logs` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /me
`webui/backend/routes/auth.py` declares `GET /me` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /state
`webui/backend/routes/wizard.py` declares `GET /state` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /stream
`webui/backend/routes/run.py` declares `GET /stream` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /stripe
`webui/backend/routes/sniff.py` declares `GET /stripe` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /webui/{full_path:path}
`webui/server.py` declares `GET /webui/{full_path:path}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /wizard/state
`webui/frontend/src/stores/wizard.ts` declares `GET /wizard/state` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /{full_path:path}
`webui/server.py` declares `GET /{full_path:path}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /{phone}
`webui/backend/routes/link_state.py` declares `GET /{phone}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /
`webui/backend/routes/setup.py` declares `POST /` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /accounts/check
`webui/backend/routes/inventory.py` declares `POST /accounts/check` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /accounts/cpa-push
`webui/backend/routes/inventory.py` declares `POST /accounts/cpa-push` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /accounts/delete
`webui/backend/routes/inventory.py` declares `POST /accounts/delete` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /auto-setup
`webui/backend/routes/cloudflare_kv.py` declares `POST /auto-setup` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /export
`webui/backend/routes/config.py` declares `POST /export` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /ingest
`webui/backend/routes/whatsapp.py` declares `POST /ingest` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /login
`webui/backend/routes/auth.py` declares `POST /login` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /logout
`webui/backend/routes/auth.py` declares `POST /logout` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /otp
`webui/backend/routes/run.py` declares `POST /otp` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /preview
`webui/backend/routes/run.py` declares `POST /preview` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /rotate-ip
`webui/backend/routes/proxy.py` declares `POST /rotate-ip` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /set
`webui/backend/routes/link_state.py` declares `POST /set` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /settings
`webui/backend/routes/whatsapp.py` declares `POST /settings` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /sidecar/state
`webui/backend/routes/whatsapp.py` declares `POST /sidecar/state` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /start
`webui/backend/routes/whatsapp.py` declares `POST /start` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /state
`webui/backend/routes/wizard.py` declares `POST /state` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /stop
`webui/backend/routes/whatsapp.py` declares `POST /stop` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /unlink
`webui/backend/routes/link_state.py` declares `POST /unlink` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /wizard/state
`webui/frontend/src/stores/wizard.ts` declares `POST /wizard/state` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /{name}
`webui/backend/routes/preflight.py` declares `POST /{name}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer quality complexity conf 1.00 Very large file: CTF-pay/card.py (8865 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: CTF-pay/gopay.py (1310 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: CTF-pay/hcaptcha_auto_solver.py (4228 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: CTF-reg/auth_flow.py (2608 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: pipeline.py (3720 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
info 9-layer quality integrity conf 1.00 Commented-code block (5 lines) in CTF-reg/browser_register.py:271
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
integrity · commented-code · dead-code
info 9-layer quality integrity conf 1.00 Commented-code block (6 lines) in CTF-pay/card.py:2546
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
integrity · commented-code · dead-code
API access

This page is publicly accessible at: https://repobility.com/scan/6af2fc05-432f-4cf8-b415-4aa1a7b84868/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/6af2fc05-432f-4cf8-b415-4aa1a7b84868/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.