Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
68 of your 211 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 7.18s · analysis 78.79s · 20.3 MB · GitHub API rate-limit (preflight)

smith-horn/skillsmith

https://github.com/smith-horn/skillsmith · scanned 2026-06-06 00:04 UTC (4 days, 2 hours ago) · 10 languages

1245 raw signals (183 security + 1062 graph) 40th percentile · Typescript · large (100-500K LoC) System graph score 65 (higher by 8)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 4 days, 2 hours ago · v2 · 617 actionable findings from 2 signal sources. 96 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON
Combined
61.7
/100
Security checks
58
94 findings
System graph
65
100.0% cov · 523 findings
Critical
6
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 60.0 0.15 9.00
security_score 42.7 0.25 10.68
testing_score 100.0 0.20 20.00
documentation_score 98.1 0.15 14.71
practices_score 83.0 0.15 12.45
code_quality 58.8 0.10 5.88
Overall 1.00 72.7
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 6 High 78 Medium 54 Low 293 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 94 System graph 523 Crowd 0 Layer: Quality 228 Security 13 Software 101 Cicd 5 Frontend 210 Network 3 Hardware 2 Api 55
Scan summary Quality grade B (73/100). Dimensions: security 43, maintainability 60. 183 findings (67 security). 372,505 lines analyzed.

Showing 430 of 617 actionable findings. 713 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

critical Security checks quality Quality conf 1.00 ✓ Repobility [MINED013] Password In Url: https://user:password@host — leaks creds via logs, referrer, error messages.
Review and fix per the pattern semantics. See CWE-200 / A07:2021 for context.
scripts/apply-075-audit-logs-index.sh:83
critical Security checks quality Quality conf 1.00 ✓ Repobility [MINED035] Js New Function: new Function(...) compiles strings to functions.
Review and fix per the pattern semantics. See CWE-95 / for context.
packages/core/src/telemetry/tracer-imports.ts:14
critical Security checks quality Quality conf 1.00 ✓ Repobility [MINED035] Js New Function: new Function(...) compiles strings to functions.
Review and fix per the pattern semantics. See CWE-95 / for context.
packages/core/src/telemetry/metric-helpers.ts:16
critical Security checks software dependencies conf 0.90 ✓ Repobility 3 occurrences Hardcoded Slack webhook URL in source
File contains a hardcoded `Slack` webhook URL: `https://hooks.slack.com/services/T123/B456/SECRETKEY...`. Webhook URLs are unauthenticated POST endpoints — anyone with the URL can send messages. They are also a common data-exfiltration channel for compromised packages (malicious post-install collec…
2 files, 3 locations
packages/enterprise/tests/audit/scheduled-scan.test.ts:233, 430 (2 hits)
packages/enterprise/src/audit/scheduled-scan.ts:24
critical Security checks software dependencies conf 0.88 sandbox: GHSA-gc25-3vc5-2jf9
Sandbox Breakout / Arbitrary Code Execution in sandbox
package-lock.json
critical Security checks security secrets conf 0.95 13 occurrences Vercel Token
Gitleaks detected a committed secret or credential pattern.
6 files, 13 locations
packages/core/CHANGELOG.md:10, 53, 98, 101, 118, 122 (6 hits)
packages/mcp-server/src/tools/get-skill.ts:204, 287 (2 hits)
packages/website/src/middleware.ts:27, 53 (2 hits)
.claude/development/deployment-guide.md:493
.github/workflows/ci.yml:1343
CLAUDE.md:279
low Security checks cicd CI/CD security conf 0.35 ✓ Repobility 25 occurrences Workflow references repository secrets in a pull_request workflow
Fork pull_request runs do not receive normal repository secrets on GitHub Actions. Review this as a reliability/intent signal, not as direct fork-secret exfiltration. Raise severity only for pull_request_target or another trusted-context path that runs untrusted PR code with secrets.
3 files, 25 locations
.github/workflows/e2e-tests.yml:63, 66, 190, 193, 271, 274, 350, 353, +4 more (12 hits)
.github/workflows/ci.yml:488, 491, 590, 734, 737, 1006, 1009, 1058, +3 more (11 hits)
.github/workflows/concurrency-audit-pr.yml:80, 101 (2 hits)
CI/CD securityworkflow secretsGitHub Actions
high Security checks software dependencies conf 0.88 @opentelemetry/sdk-node: GHSA-q7rr-3cgh-j5r3
Prometheus exporter process crash via malformed HTTP request
package-lock.json
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState — React skips re-render on mutated reference.
Review and fix per the pattern semantics. See CWE-682 / for context.
scripts/phase4-orchestrator/orchestrator.ts:223
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState — React skips re-render on mutated reference.
Review and fix per the pattern semantics. See CWE-682 / for context.
packages/mcp-server/src/suggestions/suggestion-engine.ts:327
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED031] React Direct State Mutation: this.state.X = Y mutates without setState. React wont re-render.
Review and fix per the pattern semantics. See CWE-682 / for context.
packages/mcp-server/src/suggestions/suggestion-engine.ts:309
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED031] React Direct State Mutation: this.state.X = Y mutates without setState. React wont re-render.
Review and fix per the pattern semantics. See CWE-682 / for context.
packages/core/src/sync/BackgroundSyncService.ts:98
high Security checks security Secret conf 1.00 [SEC061] JWT in source: Three-part JWT (likely signed token). Even if expired, may leak structure or claims. Ported from gitleaks jwt (MIT).
If the JWT is live, invalidate by rotating the signing key. Move tokens out of source.
packages/core/src/api/utils.ts:115
high Security checks software dependencies conf 0.88 axios: GHSA-35jp-ww65-95wh
axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`
package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-777c-7fjr-54vf
Allocation of Resources Without Limits or Throttling in Axios
package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-hfxv-24rg-xrqf
Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection
package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-j5f8-grm9-p9fc
Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection
package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-p92q-9vqr-4j8v
Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter
package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-pjwm-pj3p-43mv
axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)
package-lock.json
high Security checks security auth conf 0.78 Consent is collected in UI without visible backend audit persistence
A frontend journey appears to ask for consent to share identity/KYC/biometric data, but backend code does not show a consent audit model with scope, purpose, legal text version, timestamp, IP, or user-agent evidence.
packages/core/src/services/quarantine/QuarantineService.ts:15
high Security checks software dependencies conf 0.90 ✓ Repobility Dockerfile FROM `node:22-slim` not pinned by digest
`FROM node:22-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Dockerfile:20
high Security checks software dependencies conf 0.88 supabase: MAL-2026-5187
Malicious code in supabase (npm)
package-lock.json
high Security checks software dependencies conf 0.88 tmp: GHSA-ph9p-34f9-6g65
tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape
package-lock.json
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/data (packages/core/src/analysis/adapters/__tests__/typescript.test.ts:364)
`packages/core/src/analysis/adapters/__tests__/typescript.test.ts:364` calls `GET /api/data` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/data` If this points at an external API, prefix it with `https://` so the m…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/data (packages/core/tests/language-detector.test.ts:470)
`packages/core/tests/language-detector.test.ts:470` calls `GET /api/data` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/data` If this points at an external API, prefix it with `https://` so the matcher skips it.
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/data/${i} (packages/core/src/analysis/__tests__/performance.test.ts:57)
`packages/core/src/analysis/__tests__/performance.test.ts:57` calls `GET /api/data/${i}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/data/<p>` If this points at an external API, prefix it with `https://` so the m…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/v1/admin/skills (packages/core/tests/ApiPartialResponses.test.ts:156)
`packages/core/tests/ApiPartialResponses.test.ts:156` calls `GET /api/v1/admin/skills` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/admin/skills` If this points at an external API, prefix it with `https://` so …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/v1/skills/nonexistent/skill (packages/core/tests/ApiPartialResponses.test.ts:119)
`packages/core/tests/ApiPartialResponses.test.ts:119` calls `GET /api/v1/skills/nonexistent/skill` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/skills/nonexistent/skill` If this points at an external API, prefi…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/v1/skills/recommend (packages/core/tests/ApiPartialResponses.test.ts:71)
`packages/core/tests/ApiPartialResponses.test.ts:71` calls `GET /api/v1/skills/recommend` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/skills/recommend` If this points at an external API, prefix it with `https:…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/v1/skills/search (packages/core/tests/ApiPartialResponses.test.ts:144)
`packages/core/tests/ApiPartialResponses.test.ts:144` calls `GET /api/v1/skills/search` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/skills/search` If this points at an external API, prefix it with `https://` s…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/v1/skills/search (packages/core/tests/ApiPartialResponses.test.ts:169)
`packages/core/tests/ApiPartialResponses.test.ts:169` calls `GET /api/v1/skills/search` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/skills/search` If this points at an external API, prefix it with `https://` s…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/v1/skills/search (packages/core/tests/ApiPartialResponses.test.ts:181)
`packages/core/tests/ApiPartialResponses.test.ts:181` calls `GET /api/v1/skills/search` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/skills/search` If this points at an external API, prefix it with `https://` s…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/v1/skills/search (packages/core/tests/ApiPartialResponses.test.ts:196)
`packages/core/tests/ApiPartialResponses.test.ts:196` calls `GET /api/v1/skills/search` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/skills/search` If this points at an external API, prefix it with `https://` s…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/v1/skills/search (packages/core/tests/ApiPartialResponses.test.ts:207)
`packages/core/tests/ApiPartialResponses.test.ts:207` calls `GET /api/v1/skills/search` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/skills/search` If this points at an external API, prefix it with `https://` s…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/v1/skills/search (packages/core/tests/ApiPartialResponses.test.ts:225)
`packages/core/tests/ApiPartialResponses.test.ts:225` calls `GET /api/v1/skills/search` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/skills/search` If this points at an external API, prefix it with `https://` s…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/v1/skills/search (packages/core/tests/ApiPartialResponses.test.ts:229)
`packages/core/tests/ApiPartialResponses.test.ts:229` calls `GET /api/v1/skills/search` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/skills/search` If this points at an external API, prefix it with `https://` s…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/v1/skills/search (packages/core/tests/ApiPartialResponses.test.ts:234)
`packages/core/tests/ApiPartialResponses.test.ts:234` calls `GET /api/v1/skills/search` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/skills/search` If this points at an external API, prefix it with `https://` s…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/v1/skills/search (packages/core/tests/ApiPartialResponses.test.ts:249)
`packages/core/tests/ApiPartialResponses.test.ts:249` calls `GET /api/v1/skills/search` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/skills/search` If this points at an external API, prefix it with `https://` s…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/v1/skills/search (packages/core/tests/ApiPartialResponses.test.ts:261)
`packages/core/tests/ApiPartialResponses.test.ts:261` calls `GET /api/v1/skills/search` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/skills/search` If this points at an external API, prefix it with `https://` s…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/v1/skills/search (packages/core/tests/ApiPartialResponses.test.ts:273)
`packages/core/tests/ApiPartialResponses.test.ts:273` calls `GET /api/v1/skills/search` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/skills/search` If this points at an external API, prefix it with `https://` s…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/v1/skills/search (packages/core/tests/ApiPartialResponses.test.ts:289)
`packages/core/tests/ApiPartialResponses.test.ts:289` calls `GET /api/v1/skills/search` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/skills/search` If this points at an external API, prefix it with `https://` s…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/v1/skills/search (packages/core/tests/ApiPartialResponses.test.ts:295)
`packages/core/tests/ApiPartialResponses.test.ts:295` calls `GET /api/v1/skills/search` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/skills/search` If this points at an external API, prefix it with `https://` s…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/v1/skills/search (packages/core/tests/ApiPartialResponses.test.ts:301)
`packages/core/tests/ApiPartialResponses.test.ts:301` calls `GET /api/v1/skills/search` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/skills/search` If this points at an external API, prefix it with `https://` s…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/v1/skills/search?q=development&offset=20 (packages/core/tests/ApiPartialResponses.test.ts:100)
`packages/core/tests/ApiPartialResponses.test.ts:100` calls `GET /api/v1/skills/search?q=development&offset=20` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/skills/search` If this points at an external API, pre…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/v1/skills/search?q=minimal (packages/core/tests/ApiPartialResponses.test.ts:84)
`packages/core/tests/ApiPartialResponses.test.ts:84` calls `GET /api/v1/skills/search?q=minimal` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/skills/search` If this points at an external API, prefix it with `ht…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/v1/skills/search?q=nonexistent (packages/core/tests/ApiPartialResponses.test.ts:60)
`packages/core/tests/ApiPartialResponses.test.ts:60` calls `GET /api/v1/skills/search?q=nonexistent` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/skills/search` If this points at an external API, prefix it with…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/v1/skills/search?q=x (packages/core/tests/ApiPartialResponses.test.ts:131)
`packages/core/tests/ApiPartialResponses.test.ts:131` calls `GET /api/v1/skills/search?q=x` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/skills/search` If this points at an external API, prefix it with `https:/…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://test.com (scripts/tests/trigger-indexer.test.ts:680)
`scripts/tests/trigger-indexer.test.ts:680` calls `GET http://test.com` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/test.com` If this points at an external API, prefix it with `https://` so the matcher skip…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://test.com (scripts/tests/trigger-indexer.test.ts:706)
`scripts/tests/trigger-indexer.test.ts:706` calls `GET http://test.com` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/test.com` If this points at an external API, prefix it with `https://` so the matcher skip…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://test.com (scripts/tests/trigger-indexer.test.ts:721)
`scripts/tests/trigger-indexer.test.ts:721` calls `GET http://test.com` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/test.com` If this points at an external API, prefix it with `https://` so the matcher skip…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://test.com (scripts/tests/trigger-indexer.test.ts:735)
`scripts/tests/trigger-indexer.test.ts:735` calls `GET http://test.com` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/test.com` If this points at an external API, prefix it with `https://` so the matcher skip…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://test.com (scripts/tests/trigger-indexer.test.ts:749)
`scripts/tests/trigger-indexer.test.ts:749` calls `GET http://test.com` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/test.com` If this points at an external API, prefix it with `https://` so the matcher skip…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://test.com (scripts/tests/trigger-indexer.test.ts:763)
`scripts/tests/trigger-indexer.test.ts:763` calls `GET http://test.com` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/test.com` If this points at an external API, prefix it with `https://` so the matcher skip…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://test.com (scripts/tests/trigger-indexer.test.ts:777)
`scripts/tests/trigger-indexer.test.ts:777` calls `GET http://test.com` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/test.com` If this points at an external API, prefix it with `https://` so the matcher skip…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://test.com (scripts/tests/trigger-indexer.test.ts:791)
`scripts/tests/trigger-indexer.test.ts:791` calls `GET http://test.com` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/test.com` If this points at an external API, prefix it with `https://` so the matcher skip…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://test.com (scripts/tests/trigger-indexer.test.ts:803)
`scripts/tests/trigger-indexer.test.ts:803` calls `GET http://test.com` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/test.com` If this points at an external API, prefix it with `https://` so the matcher skip…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://test.com (scripts/tests/trigger-indexer.test.ts:811)
`scripts/tests/trigger-indexer.test.ts:811` calls `GET http://test.com` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/test.com` If this points at an external API, prefix it with `https://` so the matcher skip…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://api.example.com/data (packages/core/src/utils/retry.ts:167)
`packages/core/src/utils/retry.ts:167` calls `GET https://api.example.com/data` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.example.com/data` If this points at an external API, prefix it with `https://…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://api.github.com/... (scripts/indexer/high-trust-indexer.ts:10)
`scripts/indexer/high-trust-indexer.ts:10` calls `GET https://api.github.com/...` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.github.com/...` If this points at an external API, prefix it with `https://…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://api.github.com/rate_limit (packages/mcp-server/tests/integration/github-api.integration.test.ts:91)
`packages/mcp-server/tests/integration/github-api.integration.test.ts:91` calls `GET https://api.github.com/rate_limit` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.github.com/rate_limit` If this points…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://api.github.com/repos/anthropics/anthropic-cookbook (packages/mcp-server/tests/integration/github-api.integration.test.ts:76)
`packages/mcp-server/tests/integration/github-api.integration.test.ts:76` calls `GET https://api.github.com/repos/anthropics/anthropic-cookbook` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.github.com/r…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://api.github.com/repos/anthropics/anthropic-cookbook/contents/NONEXISTENT_FILE.md (packages/mcp-server/tests/integration/github-api.integration.test.ts:129)
`packages/mcp-server/tests/integration/github-api.integration.test.ts:129` calls `GET https://api.github.com/repos/anthropics/anthropic-cookbook/contents/NONEXISTENT_FILE.md` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for match…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://api.github.com/repos/anthropics/anthropic-cookbook/readme (packages/mcp-server/tests/integration/github-api.integration.test.ts:110)
`packages/mcp-server/tests/integration/github-api.integration.test.ts:110` calls `GET https://api.github.com/repos/anthropics/anthropic-cookbook/readme` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.gith…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://api.github.com/repos/unknown/unknown (packages/core/tests/import-github-skills.test.ts:77)
`packages/core/tests/import-github-skills.test.ts:77` calls `GET https://api.github.com/repos/unknown/unknown` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.github.com/repos/unknown/unknown` If this poin…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://api.github.com/search/repositories?q=topic:${topic}&per_page=3 (packages/mcp-server/tests/integration/github-api.integration.test.ts:148)
`packages/mcp-server/tests/integration/github-api.integration.test.ts:148` calls `GET https://api.github.com/search/repositories?q=topic:${topic}&per_page=3` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://api.github.com/search/repositories?q=topic:claude-skill (packages/core/tests/import-github-skills.test.ts:226)
`packages/core/tests/import-github-skills.test.ts:226` calls `GET https://api.github.com/search/repositories?q=topic:claude-skill` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.github.com/search/reposito…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://api.github.com/search/repositories?q=topic:claude-skill&per_page=5 (packages/mcp-server/tests/integration/github-api.integration.test.ts:57)
`packages/mcp-server/tests/integration/github-api.integration.test.ts:57` calls `GET https://api.github.com/search/repositories?q=topic:claude-skill&per_page=5` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://api.github.com/search/repositories?q=topic:nonexistent (packages/core/tests/import-github-skills.test.ts:113)
`packages/core/tests/import-github-skills.test.ts:113` calls `GET https://api.github.com/search/repositories?q=topic:nonexistent` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.github.com/search/repositor…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://api.github.com/user/orgs?per_page=100 (packages/website/src/lib/auth-callback-handler.ts:198)
`packages/website/src/lib/auth-callback-handler.ts:198` calls `GET https://api.github.com/user/orgs?per_page=100` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.github.com/user/orgs` If this points at an …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://registry.npmjs.org/${packageName}/latest (packages/core/src/utils/version-check.ts:43)
`packages/core/src/utils/version-check.ts:43` calls `GET https://registry.npmjs.org/${packageName}/latest` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/registry.npmjs.org/<p>/latest` If this points at an ex…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /skills-recommend (packages/core/src/api/client.ts:390)
`packages/core/src/api/client.ts:390` calls `POST /skills-recommend` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/skills-recommend` If this points at an external API, prefix it with `https://` so the matc…
Dangling fetchHelper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST https://api.github.com/app/installations/${GITHUB_APP_INSTALLATION_ID}/access_tokens (packages/core/src/scripts/github-import/github-auth.ts:197)
`packages/core/src/scripts/github-import/github-auth.ts:197` calls `POST https://api.github.com/app/installations/${GITHUB_APP_INSTALLATION_ID}/access_tokens` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/ap…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST https://api.github.com/app/installations/${installationId}/access_tokens (scripts/indexer/_shared/github-auth.ts:139)
`scripts/indexer/_shared/github-auth.ts:139` calls `POST https://api.github.com/app/installations/${installationId}/access_tokens` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.github.com/app/installatio…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST https://api.linear.app/graphql (packages/cli/tests/e2e/utils/linear-reporter.ts:212)
`packages/cli/tests/e2e/utils/linear-reporter.ts:212` calls `POST https://api.linear.app/graphql` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.linear.app/graphql` If this points at an external API, pref…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST https://api.linear.app/graphql (packages/mcp-server/tests/e2e/utils/linear-reporter.ts:222)
`packages/mcp-server/tests/e2e/utils/linear-reporter.ts:222` calls `POST https://api.linear.app/graphql` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.linear.app/graphql` If this points at an external AP…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST https://api.linear.app/graphql (scripts/e2e/create-linear-issues.ts:79)
`scripts/e2e/create-linear-issues.ts:79` calls `POST https://api.linear.app/graphql` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.linear.app/graphql` If this points at an external API, prefix it with `h…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST https://api.linear.app/graphql (scripts/session-priming-query.ts:145)
`scripts/session-priming-query.ts:145` calls `POST https://api.linear.app/graphql` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.linear.app/graphql` If this points at an external API, prefix it with `htt…
Dangling fetchFetch
high System graph security security conf 1.00 Insecure pattern 'eval_used' in scripts/phase4-orchestrator/code-reviewer.ts:43
Found a known-risky pattern (eval_used). Review and replace if possible.
scripts/phase4-orchestrator/code-reviewer.ts:43 Eval used
high System graph security security conf 1.00 Insecure pattern 'exec_used' in packages/core/src/db/database-interface.ts:86
Found a known-risky pattern (exec_used). Review and replace if possible.
packages/core/src/db/database-interface.ts:86 Exec used
high System graph security security conf 1.00 Insecure pattern 'exec_used' in packages/core/src/db/drivers/betterSqlite3Driver.ts:62
Found a known-risky pattern (exec_used). Review and replace if possible.
packages/core/src/db/drivers/betterSqlite3Driver.ts:62 Exec used
high System graph security security conf 1.00 Insecure pattern 'exec_used' in packages/core/src/db/drivers/sqljsDriver.ts:240
Found a known-risky pattern (exec_used). Review and replace if possible.
packages/core/src/db/drivers/sqljsDriver.ts:240 Exec used
high System graph security security conf 1.00 Insecure pattern 'exec_used' in packages/mcp-server/src/index.ts:233
Found a known-risky pattern (exec_used). Review and replace if possible.
packages/mcp-server/src/index.ts:233 Exec used
medium Security checks security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
medium Security checks quality Error handling conf 1.00 3 occurrences [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
3 files, 3 locations
packages/core/src/services/skill-installation.feedback.ts:31
packages/core/src/services/skill-installation.io.ts:129
packages/core/src/services/skill-manifest.ts:53
medium Security checks quality Quality conf 1.00 3 occurrences [SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0).
Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser).
3 files, 3 locations
packages/core/src/api/utils.ts:87
packages/core/src/benchmarks/cacheBenchmark.ts:280
packages/enterprise/src/quota/QuotaEnforcementService.ts:357
medium Security checks quality Quality conf 1.00 [SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeholder credentials shaped like `API_KEY = "your-api-key-here"` instead of pulling from env. These get committed verbatim — production code with a literal placeholder string is a near-certain bug, and the value also leaks what credential type the system expects to authentication crawlers. CWE-1188. Distinctive AI footprint: the exact phrase shape `your-X-here` is uncommon in hand
Replace with env lookup: `API_KEY = os.environ['SERVICE_API_KEY']`. Move actual key to a secret manager. Add a startup check that the env var is non-empty so missing config fails loudly instead of shipping the placeholder.
packages/mcp-server/src/middleware/errorFormatter.builders.ts:218
medium Security checks software dependencies conf 0.88 axios: GHSA-898c-q2cr-xwhg
axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions
package-lock.json
medium Security checks software dependencies conf 0.88 brace-expansion: GHSA-jxxr-4gwj-5jf2
brace-expansion: Large numeric range defeats documented `max` DoS protection
package-lock.json
medium Security checks software dependencies conf 0.88 hono: GHSA-2gcr-mfcq-wcc3
Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths
package-lock.json
medium Security checks software dependencies conf 0.88 hono: GHSA-3hrh-pfw6-9m5x
Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection
package-lock.json
medium Security checks software dependencies conf 0.88 hono: GHSA-f577-qrjj-4474
Hono: JWT middleware accepts any Authorization scheme, not only Bearer
package-lock.json
medium Security checks software dependencies conf 0.88 hono: GHSA-xrhx-7g5j-rcj5
Hono: IP Restriction bypasses static deny rules for non-canonical IPv6
package-lock.json
medium Security checks software dependencies conf 0.90 npm package `@eslint/js` is 1 major version(s) behind (9.39.4 -> 10.0.1)
`@eslint/js` is pinned/resolved at 9.39.4 but the latest stable release on the npm registry is 10.0.1 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `@linear/sdk` is 58 major version(s) behind (28.0.0 -> 86.0.0)
`@linear/sdk` is pinned/resolved at 28.0.0 but the latest stable release on the npm registry is 86.0.0 (58 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
scripts/phase4-orchestrator/package.json
medium Security checks software dependencies conf 0.90 2 occurrences npm package `@opentelemetry/sdk-trace-base` is 1 major version(s) behind (1.25.1 -> 2.7.1)
`@opentelemetry/sdk-trace-base` is pinned/resolved at 1.25.1 but the latest stable release on the npm registry is 2.7.1 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-updat…
2 occurrences
packages/core/package.json (2 hits)
medium Security checks software dependencies conf 0.90 npm package `@vscode/vsce` is 1 major version(s) behind (2.32.0 -> 3.9.2)
`@vscode/vsce` is pinned/resolved at 2.32.0 but the latest stable release on the npm registry is 3.9.2 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
packages/vscode-extension/package.json
medium Security checks software dependencies conf 0.90 npm package `chalk` is 1 major version(s) behind (4.1.2 -> 5.6.2)
`chalk` is pinned/resolved at 4.1.2 but the latest stable release on the npm registry is 5.6.2 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `commander` is 3 major version(s) behind (12.1.0 -> 15.0.0)
`commander` is pinned/resolved at 12.1.0 but the latest stable release on the npm registry is 15.0.0 (3 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `globals` is 3 major version(s) behind (14.0.0 -> 17.6.0)
`globals` is pinned/resolved at 14.0.0 but the latest stable release on the npm registry is 17.6.0 (3 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `lint-staged` is 1 major version(s) behind (16.4.0 -> 17.0.7)
`lint-staged` is pinned/resolved at 16.4.0 but the latest stable release on the npm registry is 17.0.7 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `marked` is 3 major version(s) behind (15.0.7 -> 18.0.5)
`marked` is pinned/resolved at 15.0.7 but the latest stable release on the npm registry is 18.0.5 (3 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
packages/vscode-extension/package.json
medium Security checks software dependencies conf 0.90 npm package `protobufjs` is 1 major version(s) behind (7.5.8 -> 8.6.0)
`protobufjs` is pinned/resolved at 7.5.8 but the latest stable release on the npm registry is 8.6.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `varlock` is 1 major version(s) behind (0.1.4 -> 1.5.1)
`varlock` is pinned/resolved at 0.1.4 but the latest stable release on the npm registry is 1.5.1 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks quality Quality conf 0.78 Public web service has no security.txt
security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt.
.well-known/security.txt
medium Security checks software dependencies conf 0.88 qs: GHSA-q8mj-m7cp-5q26
qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set
package-lock.json
medium Security checks software dependencies conf 0.88 sandbox: GHSA-fm4j-4xhm-xpwx
Sandbox Breakout / Arbitrary Code Execution in sandbox
package-lock.json
medium Security checks software dependencies conf 0.88 smol-toml: GHSA-v3rj-xjv7-4jmq
smol-toml: Denial of Service via TOML documents containing thousands of consecutive commented lines
package-lock.json
medium Security checks software dependencies conf 0.88 turbo: GHSA-hcf7-66rw-9f5r
Trubo: Login callback CSRF/session fixation
package-lock.json
medium Security checks software dependencies conf 0.88 ws: GHSA-58qx-3vcg-4xpx
ws: Uninitialized memory disclosure
package-lock.json
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — scripts/phase4-orchestrator/code-reviewer.ts:46
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/api-proxy/api/proxy.ts:96
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/cli/src/commands/login.ts:97
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/core/src/analysis/__tests__/incremental.test.ts:530
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/core/src/analysis/__tests__/performance.test.ts:57
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/core/src/analysis/adapters/__tests__/typescript.test.ts:364
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/core/src/indexer/GitHubIndexer.ts:165
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/core/src/services/skill-installation.io.ts:33
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/core/src/sources/BaseSourceAdapter.ts:286
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/core/src/sources/LocalFilesystemAdapter.helpers.ts:156
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/core/src/utils/retry.ts:167
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/mcp-server/src/tools/install.helpers.ts:290
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/website/src/lib/auth-callback-handler.ts:198
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/website/src/worker.ts:79
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — scripts/batch-transform-skills.pipeline.ts:91
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — scripts/indexer/_shared/notification.ts:78
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — scripts/indexer/_shared/rate-limit.ts:258
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — scripts/indexer/categorization.ts:7
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — scripts/indexer/high-trust-indexer.ts:10
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — scripts/indexer/org-verification.ts:128
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — scripts/indexer/skill-processor.ts:7
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — supabase/functions/_shared/email.test.ts:69
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph cicd CI/CD security conf 1.00 9 occurrences GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
9 files, 9 locations
.github/workflows/analytics-report.yml
.github/workflows/ci.yml
.github/workflows/detect-release-drift.yml
.github/workflows/e2e-tests.yml
.github/workflows/ghcr-cache-prune.yml
.github/workflows/publish.yml
.github/workflows/release-cadence-pr-staleness.yml
.github/workflows/release-cadence.yml
CI/CD securitySupply chainGithub actions
medium System graph security security conf 1.00 Insecure pattern 'dangerous_innerhtml' in scripts/phase4-orchestrator/code-reviewer.ts:46
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
scripts/phase4-orchestrator/code-reviewer.ts:46 Dangerous innerhtml
medium System graph network Security conf 1.00 Privileged port 14 in use
Port 14 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
.github/workflows/chronic-red-monitor.yml Ports
medium System graph network Security conf 1.00 Privileged port 90 in use
Port 90 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
scripts/phases/phase-7-enterprise.sh Ports
medium System graph network Security conf 1.00 Privileged port 961 in use
Port 961 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
scripts/phases/phase-7-enterprise.sh Ports
low Security checks cicd CI/CD security conf 0.72 .dockerignore misses sensitive defaults
.dockerignore exists but does not cover common secret or VCS patterns.
.dockerignore CI/CD securitycontainers
low Security checks software dependencies conf 0.88 axios: GHSA-654m-c8p4-x5fp
Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix
package-lock.json
high Security checks cicd CI/CD security conf 0.62 3 occurrences Compose service lacks no-new-privileges hardening
no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities.
lines 1, 41, 64
docker-compose.yml:1, 41, 64 (3 hits)
CI/CD securitycontainers
low Security checks quality Quality conf 0.60 16 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
12 files, 13 locations
packages/core/src/services/SearchService.types.ts:3, 5 (2 hits)
packages/core/src/db/migration.ts:93
packages/core/src/embeddings/index.ts:214
packages/core/src/repositories/SkillRepository.ts:5
packages/core/src/scripts/import-github-skills.ts:33
packages/core/src/scripts/sync-to-supabase.ts:5
packages/core/src/scripts/validation/index.ts:9
packages/core/src/security/AuditLogger.ts:89
duplicationquality
low Security checks software dependencies conf 0.90 npm package `@opentelemetry/sdk-node` is minor version(s) behind (0.52.1 -> 0.218.0)
`@opentelemetry/sdk-node` is pinned/resolved at 0.52.1 but the latest stable release on the npm registry is 0.218.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs …
packages/core/package.json
low Security checks software dependencies conf 0.90 npm package `@opentelemetry/semantic-conventions` is minor version(s) behind (1.25.1 -> 1.41.1)
`@opentelemetry/semantic-conventions` is pinned/resolved at 1.25.1 but the latest stable release on the npm registry is 1.41.1 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-…
packages/core/package.json
low Security checks software dependencies conf 0.90 npm package `@types/vscode` is minor version(s) behind (1.110.0 -> 1.120.0)
`@types/vscode` is pinned/resolved at 1.110.0 but the latest stable release on the npm registry is 1.120.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
packages/vscode-extension/package.json
low Security checks software dependencies conf 0.90 2 occurrences npm package `esbuild` is minor version(s) behind (0.27.7 -> 0.28.0)
`esbuild` is pinned/resolved at 0.27.7 but the latest stable release on the npm registry is 0.28.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
2 files, 2 locations
package.json
packages/vscode-extension/package.json
low Security checks software dependencies conf 0.90 npm package `posthog-node` is minor version(s) behind (5.29.2 -> 5.36.3)
`posthog-node` is pinned/resolved at 5.29.2 but the latest stable release on the npm registry is 5.36.3 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `ruflo` is minor version(s) behind (3.5.42 -> 3.10.37)
`ruflo` is pinned/resolved at 3.5.42 but the latest stable release on the npm registry is 3.10.37 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 2 occurrences npm package `tsx` is minor version(s) behind (4.21.0 -> 4.22.4)
`tsx` is pinned/resolved at 4.21.0 but the latest stable release on the npm registry is 4.22.4 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
2 files, 2 locations
package.json
scripts/phase4-orchestrator/package.json
low Security checks quality Quality conf 0.64 Public docs site has no llms.txt
AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions.
llms.txt
low Security checks quality Quality conf 0.50 Public web app has no humans.txt
humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links.
humans.txt
low Security checks quality Quality conf 0.72 Public web app has no sitemap
A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. Without one, important docs and product pages are easy to miss.
sitemap.xml
high Security checks quality Quality conf 0.62 Source file name looks like an AI patch artifact
Files named as final, fixed, copy, new, or backup are often temporary patch artifacts. They may be legitimate, but they deserve review before becoming production surface area.
supabase/functions/stripe-webhook/handlers/subscription-updated.ts:1
high Security checks quality Quality conf 0.62 Source file name looks like an AI patch artifact
Files named as final, fixed, copy, new, or backup are often temporary patch artifacts. They may be legitimate, but they deserve review before becoming production surface area.
packages/website/src/lib/complete-profile-copy.ts:1
low Security checks software dependencies conf 0.88 turbo: GHSA-3qcw-2rhx-2726
Turbo: Unexpected local code execution during Yarn Berry detection
package-lock.json
low System graph quality Integrity conf 1.00 109 env vars used in code but missing from .env.example
Drift between code and config docs. The first few: `AB_HOME_WEIGHTS`, `AUDIT_LOG`, `CHECKPOINT_PATH`, `CI`, `CRON_SLOT`, `CUSTOM_LICENSE_KEY`, `DATABASE_URL`, `DB_PATH` + 101 more. Add them (with a placeholder/comment) to .env.example so onboarding doesn't break.
config drift
low System graph hardware Coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
Deployment
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: node:22-slim
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
Dockerfile:20 containersPinned dependencies
low System graph software Dead code candidate conf 1.00 File has no detected symbols: eslint.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: lint-staged.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/enterprise/tests/audit/AuditEventTypes.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/enterprise/tests/audit/scheduled-scan.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/enterprise/tests/billing/webhook-handlers.invoices.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/enterprise/tests/integration/LicenseValidator.integration.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/enterprise/vitest.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/batch-transform-skills.types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/generate-optimization-report.types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/indexer/_shared/constants.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/indexer/high-trust-authors.leaderboard.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/indexer/high-trust-authors.types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/indexer/indexer-types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/lib/constants.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/tests/audit-standards-gitcommondir.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/tests/backfill-migration-headers.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/tests/batch-transform-sanitizer.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/tests/check-supply-chain-pins.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/tests/check-unreleased-threshold.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/tests/check-version-drift.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/tests/classify-changes.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/tests/collision-rules.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/tests/detect-affected.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/tests/extract-changelog-section.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/tests/fixtures/esm-sh-staleness-sweep/stale-pin.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/tests/forbid-local-publish.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/tests/indexer/code-search-gate.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/tests/indexer/compatibility-slug-parity.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/tests/indexer/dequarantine-false-positives.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/tests/indexer/format-roundtrip.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/tests/indexer/leaderboard-coverage.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/tests/indexer/phase0-cross-ecosystem.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/tests/indexer/recheck.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/tests/indexer/security-scanner-edge.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/tests/pre-push-coverage-check.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/tests/prepare-release.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/tests/release-git.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/tests/reserved-ranges.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/tests/smoke-test-published.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/tests/verify-implementation.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/tests/version-utils.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/e2e/cli/usage-counter.e2e.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/e2e/fixtures/usage-counter-fixture.types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/setup.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: vitest-e2e.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: vitest.config.colocated.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: vitest.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: vitest.e2e.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: vitest.preset.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: vitest.setup.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `001_old` in packages/doc-retrieval-mcp/src/adapters/supabase-migrations.test.ts:136
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `085_new_legacy` in scripts/tests/audit-standards-migration-ordering.test.ts:74
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `_skill_categories_backup` in packages/core/src/db/migrations/v17-curated-trust-tier.ts:84
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `_skill_categories_backup` in packages/core/tests/unit/migrations/migration-v17.test.ts:315
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `_skill_categories_backup` in scripts/tests/audit-standards-skills-recreate.test.ts:32
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `Bar_v2` in packages/core/tests/github-import/blocklist.test.ts:148
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `deleteOld` in packages/core/src/repositories/SyncHistoryRepository.ts:80
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `feedback_old` in packages/doc-retrieval-mcp/src/adapters/memory-topic-files.test.ts:195
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `getLicenseStatusLegacy` in packages/cli/src/utils/license-validation.ts:109
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `getLicenseStatusLegacy` in packages/cli/src/utils/license.test.ts:10
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `getLicenseStatusLegacy` in packages/cli/src/utils/license.ts:28
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `getLicenseStatusLegacy` in packages/cli/tests/license-validation.test.ts:4
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `hasPasteLegacy` in packages/cli/src/commands/login.test.ts:146
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `iOld` in supabase/functions/indexer/skill-processor.ts:9
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `pasteLegacy` in packages/cli/src/commands/login.ts:341
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `sk_live_legacy` in packages/core/src/config/token-credentials.test.ts:74
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `veryOld` in packages/mcp-server/tests/unit/install.backup-gc.test.ts:163
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph cicd CI/CD security conf 1.00 package.json defines install-time lifecycle scripts
preinstall/install/postinstall/prepare scripts execute during dependency installation. Review them carefully for network calls, obfuscation, shell execution, or credential access.
package.json CI/CD securitySupply chainNpm
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/commands/ab-test.ts:72
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/commands/analyze.ts:175
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/commands/audit-collisions.ts:139
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/commands/audit.ts:67
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/commands/author/init.helpers.ts:92
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/commands/author/init.ts:121
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/commands/author/mcp-init.ts:82
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/commands/author/subagent.ts:117
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/commands/author/transform.ts:68
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/commands/author/utils.ts:18
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/commands/config.ts:159
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/commands/create.ts:273
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/commands/diff.ts:148
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/commands/import-local.ts:173
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/commands/import.ts:106
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/commands/info.ts:77
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/commands/install-skill.ts:96
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/commands/install.ts:119
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/commands/login.ts:202
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/commands/logout.ts:22
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/commands/manage.ts:56
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/commands/merge.ts:100
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/commands/pin.ts:89
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/commands/recommend.ts:164
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/commands/search-formatters.ts:73
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/commands/search.action.ts:56
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/commands/search.test.ts:88
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/commands/sync.action.ts:87
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/commands/telemetry.action.ts:102
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/commands/whoami.ts:28
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/utils/license.ts:91
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/tests/e2e/import.e2e.test.ts:269
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/analysis/__tests__/incremental.test.ts:506
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/analysis/__tests__/performance.test.ts:46
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/analysis/adapters/__tests__/typescript.test.ts:373
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/analysis/adapters/factory.ts:103
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/analysis/adapters/go.ts:56
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/analysis/adapters/java-parsers.ts:46
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/analysis/adapters/java.ts:147
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/analysis/adapters/python.ts:36
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/analysis/adapters/rust-parsers.ts:31
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/analysis/adapters/rust.ts:116
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/analysis/adapters/typescript.ts:24
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/analysis/cache.ts:103
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/analysis/CodebaseAnalyzer.ts:44
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/analysis/file-streamer.ts:67
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/analysis/incremental-parser.ts:82
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/analysis/memory-monitor.ts:77
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/analysis/metrics.ts:50
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/analysis/worker-pool.ts:45
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/api/client.ts:122
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/benchmarks/cli.ts:81
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/benchmarks/incrementalParseBenchmark.ts:69
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/benchmarks/index.ts:128
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/benchmarks/memory/MemoryProfiler.ts:48
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/db/migration.ts:113
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/embeddings/hnsw-store.ts:347
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/learning/interfaces.ts:232
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/matching/OverlapDetector.ts:13
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/scoring/QualityScorer.ts:183
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/scripts/github-import/index.ts:48
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/scripts/github-import/utils.ts:15
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/scripts/import-github-skills.ts:42
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/scripts/import-to-database.ts:212
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/scripts/ingest-lenny-skills.ts:279
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/scripts/merge-skills.ts:79
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/scripts/merge-utils.ts:14
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/scripts/review-lenny-skills.ts:82
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/scripts/skill-scanner/index.ts:77
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/scripts/skill-scanner/logger.ts:91
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/scripts/skill-scanner/reporter.ts:75
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/scripts/skill-scanner/scanner.ts:206
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/scripts/sync-to-supabase.ts:41
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/scripts/validate-skills.ts:30
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/scripts/validation/index.ts:53
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/scripts/validation/pipeline.ts:22
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak

Showing first 300 of 430. Refine filters or use the findings page for deep search.

For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/72a3ffa5-cbcd-4a9e-8c7c-015f5f1e3595/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/72a3ffa5-cbcd-4a9e-8c7c-015f5f1e3595/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.