Hello-QM/catgo-LRG

Component	Sub-score	Weight	Contribution
`structure_score`	85.0	0.15	12.75
`security_score`	100.0	0.25	25.00
`testing_score`	100.0	0.20	20.00
`documentation_score`	94.0	0.15	14.10
`practices_score`	94.0	0.15	14.10
`code_quality`	45.0	0.10	4.50
Overall		1.00	90.5

high Security checks quality Quality conf 1.00 ✓ Repobility 22 occurrences [MINED107] Missing import: `struct` used but not imported: The file uses `struct.something(...)` but never imports `struct`. This raises NameError at runtime the first time the line executes.

Add `import struct` at the top of the file.

12 files, 16 locations

server/catgo/routers/workflow.py:1246, 2400, 3090 (3 hits)

server/catgo/mcp_tools/workflow_tools.py:869, 1033 (2 hits)

server/catgo/routers/view_capture.py:345, 803 (2 hits)

server/catgo/mcp_tools/helpers.py:91

server/catgo/mcp_tools/server_claude_code.py:1070

server/catgo/routers/forcefield_utils.py:1106

server/catgo/routers/heterostructure.py:313

server/catgo/routers/structure_ops.py:286

critical System graph security Secrets conf 1.00 Possible secret in server/catgo/models/hpc.py

Detected pattern matching password_literal. Rotate the credential and move to a secret manager.

server/catgo/models/hpc.py:27

critical System graph security Secrets conf 1.00 Possible secret in src-tauri/src/ssh/auth.rs

Detected pattern matching password_literal. Rotate the credential and move to a secret manager.

src-tauri/src/ssh/auth.rs:34

critical System graph security Secrets conf 1.00 Possible secret in src/lib/api/transport/index.ts

Detected pattern matching password_literal. Rotate the credential and move to a secret manager.

src/lib/api/transport/index.ts:45

low Security checks quality Quality conf 1.00 ✓ Repobility [MINED012] Curl Pipe Bash: curl ... | sh / bash — runs unverified network code.

Review and fix per the pattern semantics. See CWE-494 / A08:2021 for context.

scripts/setup.mjs:81

low Security checks quality Quality conf 1.00 ✓ Repobility [MINED012] Curl Pipe Bash: curl ... | sh / bash — runs unverified network code.

Review and fix per the pattern semantics. See CWE-494 / A08:2021 for context.

scripts/agent-dev.mjs:42

high Security checks quality Quality conf 1.00 ✓ Repobility [MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain "../" — directory escape.

Review and fix per the pattern semantics. See CWE-22 / A01:2021 for context.

server/plugin_loader.py:17

high Security checks quality Quality conf 1.00 ✓ Repobility [MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection.

Review and fix per the pattern semantics. See CWE-78 / for context.

server/workflow/engines/sella.py:103

high Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED108] `self.is_total` used but never assigned in __init__: Method `label` of class `ICOHPEntry` reads `self.is_total`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.

Initialize `self.is_total = <default>` in __init__, or add a class-level default.

3 files, 3 locations

extensions/cohp-analysis/catgo_cohp/io.py:189

server/main.py:452

server/workflow/engine_runtime.py:165

high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI DELETE /{plugin_name} has no auth: Handler `uninstall_plugin` is registered with router/app.delete(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.

server/catgo/routers/plugins.py:550

high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI DELETE /{workflow_id} has no auth: Handler `api_delete_workflow` is registered with router/app.delete(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.

server/catgo/routers/workflow.py:388

high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST / has no auth: Handler `api_create_workflow` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.

server/catgo/routers/workflow.py:191

high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /analyzers/{analyzer_id}/run has no auth: Handler `run_analyzer` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.

server/catgo/routers/plugins.py:432

high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /engine-defs/custom has no auth: Handler `create_custom_engine` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.

server/catgo/routers/workflow.py:336

high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /from-template/{template_id} has no auth: Handler `api_create_from_template` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.

server/catgo/routers/workflow.py:305

high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /generate has no auth: Handler `generate_vasp_inputs_endpoint` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.

server/catgo/routers/vasp.py:130

high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /import-flow has no auth: Handler `import_flow` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.

server/catgo/routers/quacc.py:55

high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /import-flow has no auth: Handler `import_flow` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.

server/catgo/routers/atomate2.py:24

high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /install/upload has no auth: Handler `install_plugin_upload` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.

server/catgo/routers/plugins.py:563

high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /parse-structure has no auth: Handler `parse_structure` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.

server/catgo/routers/vasp.py:67

high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /pending-update has no auth: Handler `push_pending_workflow_update` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.

server/catgo/routers/workflow.py:165

high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /quickbuild has no auth: Handler `api_quickbuild` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.

server/catgo/routers/workflow.py:238

high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /readers/upload has no auth: Handler `upload_to_reader` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.

server/catgo/routers/plugins.py:206

high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /refresh has no auth: Handler `refresh_plugins` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.

server/catgo/routers/plugins.py:604

high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /report/upload has no auth: Handler `upload_report_file` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.

server/catgo/routers/vasp.py:192

high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /report/upload-text has no auth: Handler `upload_report_text` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.

server/catgo/routers/vasp.py:224

high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /upload has no auth: Handler `trajectory_upload` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.

server/catgo/routers/trajectory_stream.py:580

high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /{plugin_name}/disable has no auth: Handler `disable_plugin` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.

server/catgo/routers/plugins.py:525

high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /{plugin_name}/enable has no auth: Handler `enable_plugin` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.

server/catgo/routers/plugins.py:500

high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /{workflow_id}/recheck-jobs has no auth: Handler `api_recheck_jobs` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.

server/catgo/routers/workflow.py:469

high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /{workflow_id}/reset has no auth: Handler `api_reset_workflow` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.

server/catgo/routers/workflow.py:435

high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /{workflow_id}/steps/{step_id}/retry has no auth: Handler `api_retry_step` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.

server/catgo/routers/workflow.py:418

high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI PUT /{workflow_id} has no auth: Handler `api_update_workflow` is registered with router/app.put(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.

server/catgo/routers/workflow.py:371

high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI PUT /{workflow_id}/steps/{step_id} has no auth: Handler `api_update_step` is registered with router/app.put(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.

server/catgo/routers/workflow.py:397

high Security checks software dependencies conf 0.90 ✓ Repobility 4 occurrences [MINED118] Dockerfile FROM `node:20-bookworm-slim` not pinned by digest: `FROM node:20-bookworm-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.

Replace with: `FROM node:20-bookworm-slim@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).

2 files, 4 locations

Dockerfile:14, 70 (2 hits)

deploy/hpc/Dockerfile:12, 43 (2 hits)

high Security checks software dependencies conf 0.90 ✓ Repobility [MINED122] package.json dep `@catgo/ferrox-wasm` pulled from URL/Git: `dependencies.@catgo/ferrox-wasm` = `link:extensions/rust-wasm` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload.

Publish the dependency to npm (or your private registry) and reference it by `^x.y.z`. If that's not possible, lock by commit SHA: `git+https://...#<full-sha>` AND verify the SHA in CI.

package.json:1

high Security checks software dependencies conf 0.90 ✓ Repobility 4 occurrences [MINED131] pre-commit hook `https://github.com/pre-commit/pre-commit-hooks` pinned to mutable rev `v6.0.0`: `.pre-commit-config.yaml` references `https://github.com/pre-commit/pre-commit-hooks` at `rev: v6.0.0`. If `{rev}` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine.

Pin to a commit SHA: `rev: <40-char-sha>` and bump it through `pre-commit autoupdate` (which writes to PRs that are reviewed).

lines 6, 33, 42, 57

.pre-commit-config.yaml:6, 33, 42, 57 (4 hits)

high Security checks security path traversal conf 0.80 [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.

Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads.

server/workflow/engines/sella.py:215

low Security checks security Injection conf 1.00 3 occurrences [SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.

Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders).

3 files, 3 locations

plugins/cp2k-dos-reader/plugin.py:196

plugins/cp2k-dos-reader/tool.py:200

scripts/parse_gaussian.py:46

high Security checks cicd CI/CD security conf 0.92 Dockerfile pipes a remote script into a shell

Download the artifact, verify its checksum or signature, pin the version, and then execute it.

Dockerfile:29 CI/CD securitycontainers

high Security checks security auth conf 0.83 4 occurrences Secret-like setting is echoed into a password input value

Never prefill secret fields with stored values. Show a masked status such as configured/not configured, require explicit rotation to replace the value, and return the raw key only once at creation time.

4 files, 4 locations

src/lib/ConnectDialog.svelte:466

src/lib/chat/ChatPane.svelte:1207

src/lib/mobile/MobileConnect.svelte:445

src/lib/structure/ServerPane.svelte:1492

high System graph api Wiring conf 1.00 Dangling fetch: GET /__db/read?path=${encodeURIComponent(db_path)} (src/lib/api/db-wasm.ts:27)

`src/lib/api/db-wasm.ts:27` calls `GET /__db/read?path=${encodeURIComponent(db_path)}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/__db/read` If this points at an external API, prefix it with `https://` so the ma…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET /__files/raw?path=${encodeURIComponent(path)} (desktop/sidebar/fs-browser.svelte.ts:102)

`desktop/sidebar/fs-browser.svelte.ts:102` calls `GET /__files/raw?path=${encodeURIComponent(path)}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/__files/raw` If this points at an external API, prefix it with `htt…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET /__files/read?path=${encodeURIComponent(path)} (src/lib/api/db-wasm.ts:468)

`src/lib/api/db-wasm.ts:468` calls `GET /__files/read?path=${encodeURIComponent(path)}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/__files/read` If this points at an external API, prefix it with `https://` so th…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET /api/pty/shells (src/lib/api/pty.ts:55)

`src/lib/api/pty.ts:55` calls `GET /api/pty/shells` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/pty/shells` If this points at an external API, prefix it with `https://` so the matcher skips it.

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: GET https://providers.optimade.org/v1/links (extensions/vscode/src/optimade-backend.ts:90)

`extensions/vscode/src/optimade-backend.ts:90` calls `GET https://providers.optimade.org/v1/links` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/providers.optimade.org/v1/links` If this points at an external…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: POST /__db/copy?src=${encodeURIComponent(db_path)}&dst=${encodeURIComponent(path)} (src/lib/api/db-wasm.ts:444)

`src/lib/api/db-wasm.ts:444` calls `POST /__db/copy?src=${encodeURIComponent(db_path)}&dst=${encodeURIComponent(path)}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/__db/copy` If this points at an external API, pr…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: POST /__db/write?path=${encodeURIComponent(db_path)} (src/lib/api/db-wasm.ts:205)

`src/lib/api/db-wasm.ts:205` calls `POST /__db/write?path=${encodeURIComponent(db_path)}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/__db/write` If this points at an external API, prefix it with `https://` so th…

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: POST /__files/write (src/lib/api/db-wasm.ts:477)

`src/lib/api/db-wasm.ts:477` calls `POST /__files/write` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/__files/write` If this points at an external API, prefix it with `https://` so the matcher skips it.

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: POST https://api.openai.com/v1/audio/transcriptions (src/lib/gesture/whisper-voice-engine.ts:110)

`src/lib/gesture/whisper-voice-engine.ts:110` calls `POST https://api.openai.com/v1/audio/transcriptions` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.openai.com/v1/audio/transcriptions` If this points …

Dangling fetchFetch

high System graph security auth conf 1.00 FastAPI DELETE `api_delete_project` without auth dependency — server/catgo/routers/workflow.py:2805

`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.

server/catgo/routers/workflow.py:2805 securityAuth fastapi unauth mutation

high System graph security auth conf 1.00 FastAPI DELETE `api_delete_result` without auth dependency — server/catgo/routers/workflow.py:1420

`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.

server/catgo/routers/workflow.py:1420 securityAuth fastapi unauth mutation

high System graph security auth conf 1.00 FastAPI DELETE `api_delete_workflow` without auth dependency — server/catgo/routers/workflow.py:387

`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.

server/catgo/routers/workflow.py:387 securityAuth fastapi unauth mutation

high System graph security auth conf 1.00 FastAPI DELETE `api_unassign_workflow_from_project` without auth dependency — server/catgo/routers/workflow.py:2824

`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.

server/catgo/routers/workflow.py:2824 securityAuth fastapi unauth mutation

high System graph security auth conf 1.00 FastAPI DELETE `cancel_job` without auth dependency — server/catgo/routers/hpc.py:427

`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.

server/catgo/routers/hpc.py:427 securityAuth fastapi unauth mutation

high System graph security auth conf 1.00 FastAPI DELETE `cancel_lammps_job` without auth dependency — server/catgo/routers/lammps/simulation.py:585

`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.

server/catgo/routers/lammps/simulation.py:585 securityAuth fastapi unauth mutation

high System graph security auth conf 1.00 FastAPI DELETE `catgo_tunnel_teardown` without auth dependency — server/catgo/routers/hpc.py:1449

`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.

server/catgo/routers/hpc.py:1449 securityAuth fastapi unauth mutation

high System graph security auth conf 1.00 FastAPI DELETE `cleanup_band_session` without auth dependency — server/catgo/routers/bands.py:463

`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.

server/catgo/routers/bands.py:463 securityAuth fastapi unauth mutation

high System graph security auth conf 1.00 FastAPI DELETE `cleanup_session` without auth dependency — server/catgo/routers/cohp.py:322

`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.

server/catgo/routers/cohp.py:322 securityAuth fastapi unauth mutation

high System graph security auth conf 1.00 FastAPI DELETE `cleanup_session` without auth dependency — server/catgo/routers/dos.py:524

`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.

server/catgo/routers/dos.py:524 securityAuth fastapi unauth mutation

high System graph security auth conf 1.00 FastAPI DELETE `cleanup_session` without auth dependency — server/catgo/routers/paper.py:260

`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.

server/catgo/routers/paper.py:260 securityAuth fastapi unauth mutation

high System graph security auth conf 1.00 FastAPI DELETE `delete_tool_endpoint` without auth dependency — server/catgo/routers/tools.py:175

`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.

server/catgo/routers/tools.py:175 securityAuth fastapi unauth mutation

high System graph security auth conf 1.00 FastAPI DELETE `disconnect` without auth dependency — server/catgo/routers/hpc.py:306

`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.

server/catgo/routers/hpc.py:306 securityAuth fastapi unauth mutation

high System graph security auth conf 1.00 FastAPI DELETE `remove_profile` without auth dependency — server/catgo/routers/hpc.py:331

`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.

server/catgo/routers/hpc.py:331 securityAuth fastapi unauth mutation

high System graph security auth conf 1.00 FastAPI DELETE `unassign_project` without auth dependency — server/catgo/routers/workflow_engine.py:177

`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.

server/catgo/routers/workflow_engine.py:177 securityAuth fastapi unauth mutation

high System graph security auth conf 1.00 FastAPI DELETE `uninstall_plugin` without auth dependency — server/catgo/routers/hub.py:251

`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.

server/catgo/routers/hub.py:251 securityAuth fastapi unauth mutation

high System graph security auth conf 1.00 FastAPI DELETE `uninstall_plugin` without auth dependency — server/catgo/routers/plugins.py:549

`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.

server/catgo/routers/plugins.py:549 securityAuth fastapi unauth mutation

high System graph security auth conf 1.00 FastAPI POST `add_atom` without auth dependency — server/catgo/routers/structure_ops.py:221