93 of your 201 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.
Upstream (GitHub) caused delay on this scan — not Repobility.
  • GitHub API rate-limited (HTTP 403) — preflight skipped, fell back to direct git clone.
  • Clone from GitHub took 32.77s for an 83.1 MB repo (slow).
  • Repobility's analysis ran in 48.97s after the clone landed.

vellum-ai/vellum-assistant

https://github.com/vellum-ai/vellum-assistant · scanned 2026-06-05 19:05 UTC (4 days, 17 hours ago) · 10 languages

3754 raw signals (178 security + 3576 graph) · 11/13 scanners ran · 46th percentile · TypeScript · huge (>500K LoC) · System graph score 52 (higher by 32)


Complete repo analysis

Last scanned 4 days, 17 hours ago · v2 · 1835 actionable findings from 2 signal sources. 106 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown · 2026-05-18-v5

Component            Sub-score   Weight   Contribution
structure_score           40.0     0.15           6.00
security_score           100.0     0.25          25.00
testing_score             95.0     0.20          19.00
documentation_score       98.0     0.15          14.70
practices_score           78.0     0.15          11.70
code_quality              69.0     0.10           6.90
Overall                            1.00          83.3
security_score may be inflated — optional security scanners were skipped on this fast scan
Scan summary: Quality grade A- (83/100). Dimensions: security 100, maintainability 40. 178 findings (53 security). 1,971,766 lines analyzed.

Showing 738 of 1835 actionable findings. 1941 raw detector signals were grouped into reader-sized issues.

low Security checks cicd CI/CD security conf 0.35 ✓ Repobility 8 occurrences Workflow references repository secrets in a pull_request workflow
Fork pull_request runs do not receive normal repository secrets on GitHub Actions. Review this as a reliability/intent signal, not as direct fork-secret exfiltration. Raise severity only for pull_request_target or another trusted-context path that runs untrusted PR code with secrets.
3 files, 8 locations
.github/workflows/pr-macos.yaml:139, 140, 258, 259 (4 hits)
.github/workflows/cherry-pick-to-release.yml:25, 26 (2 hits)
.github/workflows/pr-assistant.yaml:179, 180 (2 hits)
CI/CD security · workflow secrets · GitHub Actions
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState — React skips re-render on mutated reference.
Review and fix per the pattern semantics. See CWE-682 for context.
assistant/src/runtime/assistant-stream-state.ts:156
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState — React skips re-render on mutated reference.
Review and fix per the pattern semantics. See CWE-682 for context.
assistant/src/memory/context-search/search.ts:260
high Security checks software dependencies conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `mitmproxy/mitmproxy:11.0.2` not pinned by digest: `FROM mitmproxy/mitmproxy:11.0.2` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM mitmproxy/mitmproxy:11.0.2@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
evals/src/lib/egress/recording/Dockerfile:17
high Security checks software dependencies conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `python:3.12-alpine` not pinned by digest: `FROM python:3.12-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM python:3.12-alpine@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
evals/src/lib/egress/connection-telemetry/Dockerfile:16
high Security checks software dependencies conf 0.90 ✓ Repobility 25 occurrences [MINED122] package.json dep `@vellumai/local-mode` pulled from URL/Git: `dependencies.@vellumai/local-mode` = `file:../../packages/local-mode` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload.
Publish the dependency to npm (or your private registry) and reference it by `^x.y.z`. If that's not possible, lock by commit SHA: `git+https://...#<full-sha>` AND verify the SHA in CI.
6 files, 25 locations
assistant/package.json:1 (10 hits)
gateway/package.json:1 (6 hits)
credential-executor/package.json:1 (3 hits)
apps/macos/package.json:1 (2 hits)
apps/web/package.json:1 (2 hits)
cli/package.json:1 (2 hits)
high Security checks security path traversal conf 0.80 [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads.
assistant/src/config/bundled-skills/document-editor/tools/document-open.ts:11
high Security checks software Xss conf 1.00 [SEC111] Django mark_safe / |safe filter on user data: Django's `mark_safe()` and `|safe` disable HTML autoescaping. Calling them on non-constant data is XSS.
Use `django.utils.html.format_html("<p>{}</p>", user_input)` — Django will escape the placeholder. Or escape explicitly with `django.utils.html.escape()`. Only use `mark_safe` on string literals.
assistant/src/notifications/preference-summary.ts:71
high Security checks cicd CI/CD security conf 0.95 Docker final stage runs as root
Create an application user after package installation and switch to it with USER appuser or USER 10001.
evals/src/lib/egress/recording/Dockerfile:19 · CI/CD security · containers
high Security checks cicd CI/CD security conf 0.95 Docker final stage runs as root
Create an application user after package installation and switch to it with USER appuser or USER 10001.
assistant/Dockerfile:234 · CI/CD security · containers
high Security checks cicd CI/CD security conf 0.92 Dockerfile pipes a remote script into a shell
Download the artifact, verify its checksum or signature, pin the version, and then execute it.
credential-executor/Dockerfile:13 · CI/CD security · containers
high Security checks cicd CI/CD security conf 0.92 Dockerfile pipes a remote script into a shell
Download the artifact, verify its checksum or signature, pin the version, and then execute it.
assistant/Dockerfile:16 · CI/CD security · containers
high Security checks security auth conf 0.83 Secret-like setting is echoed into a password input value
Never prefill secret fields with stored values. Show a masked status such as configured/not configured, require explicit rotation to replace the value, and return the raw key only once at creation time.
apps/web/src/domains/onboarding/pages/api-key-screen.tsx:96
high System graph api Wiring conf 1.00 Dangling fetch: DELETE /v1/assistants/${client.platformAssistantId}/email-addresses/${target.id}/ (assistant/src/runtime/routes/email-routes.ts:102)
`assistant/src/runtime/routes/email-routes.ts:102` calls `DELETE /v1/assistants/${client.platformAssistantId}/email-addresses/${target.id}/` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/assistants/<p>/email-addres…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: DELETE http://127.0.0.1:${port}/play_audio/nonexistent (skills/meet-join/bot/__tests__/audio-playback.test.ts:416)
`skills/meet-join/bot/__tests__/audio-playback.test.ts:416` calls `DELETE http://127.0.0.1:${port}/play_audio/nonexistent` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/play_audio/nonexistent` …
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: DELETE http://127.0.0.1:${port}/v1/channels/conversation (assistant/src/__tests__/gateway-only-enforcement.test.ts:634)
`assistant/src/__tests__/gateway-only-enforcement.test.ts:634` calls `DELETE http://127.0.0.1:${port}/v1/channels/conversation` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/v1/channels/convers…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /__gateway/80/v1 (apps/macos/src/main/gateway-forward.test.ts:29)
`apps/macos/src/main/gateway-forward.test.ts:29` calls `GET /__gateway/80/v1` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/__gateway/<p>/v1` If this points at an external API, prefix it with `https://` so…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET /__gateway/8080/v1/foo (apps/macos/src/main/platform-forward.test.ts:28)
`apps/macos/src/main/platform-forward.test.ts:28` calls `GET /__gateway/8080/v1/foo` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/__gateway/<p>/v1/foo` If this points at an external API, prefix it with `h…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET /__gateway/8080/v1/stream (apps/macos/src/main/gateway-forward.test.ts:75)
`apps/macos/src/main/gateway-forward.test.ts:75` calls `GET /__gateway/8080/v1/stream` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/__gateway/<p>/v1/stream` If this points at an external API, prefix it wi…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET /__gateway/9999/v1 (apps/macos/src/main/gateway-forward.test.ts:38)
`apps/macos/src/main/gateway-forward.test.ts:38` calls `GET /__gateway/9999/v1` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/__gateway/<p>/v1` If this points at an external API, prefix it with `https://` …
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET /_allauth/browser/v1/auth/session (apps/macos/src/main/platform-forward.test.ts:46)
`apps/macos/src/main/platform-forward.test.ts:46` calls `GET /_allauth/browser/v1/auth/session` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/_allauth/browser/v1/auth/session` If this points at an external…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET /accounts/login (apps/macos/src/main/platform-forward.test.ts:57)
`apps/macos/src/main/platform-forward.test.ts:57` calls `GET /accounts/login` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/accounts/login` If this points at an external API, prefix it with `https://` so t…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET /accountsettings (apps/macos/src/main/platform-forward.test.ts:164)
`apps/macos/src/main/platform-forward.test.ts:164` calls `GET /accountsettings` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/accountsettings` If this points at an external API, prefix it with `https://` s…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET /assistant/__gateway/8080/v1/assistants (apps/macos/src/main/gateway-forward.test.ts:48)
`apps/macos/src/main/gateway-forward.test.ts:48` calls `GET /assistant/__gateway/8080/v1/assistants` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/assistant/__gateway/<p>/v1/assistants` If this points at a…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET /assistant/__gateway/{port}/* (apps/macos/src/main/index.ts:177)
`apps/macos/src/main/index.ts:177` calls `GET /assistant/__gateway/{port}/*` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/assistant/__gateway/<p>/*` If this points at an external API, prefix it with `http…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET /assistant/__local/lockfile (apps/web/src/runtime/local-mode-host.ts:127)
`apps/web/src/runtime/local-mode-host.ts:127` calls `GET /assistant/__local/lockfile` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/assistant/__local/lockfile` If this points at an external API, prefix it with `htt…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /assistant/assets/app.js (apps/macos/src/main/gateway-forward.test.ts:24)
`apps/macos/src/main/gateway-forward.test.ts:24` calls `GET /assistant/assets/app.js` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/assistant/assets/app.js` If this points at an external API, prefix it wit…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET /assistant/assets/app.js (apps/macos/src/main/platform-forward.test.ts:22)
`apps/macos/src/main/platform-forward.test.ts:22` calls `GET /assistant/assets/app.js` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/assistant/assets/app.js` If this points at an external API, prefix it wi…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET /v1 (apps/macos/src/main/platform-forward.test.ts:65)
`apps/macos/src/main/platform-forward.test.ts:65` calls `GET /v1` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/` If this points at an external API, prefix it with `https://` so the matcher skips it.
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET /v1/assistants (apps/macos/src/main/platform-forward.test.ts:118)
`apps/macos/src/main/platform-forward.test.ts:118` calls `GET /v1/assistants` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/assistants` If this points at an external API, prefix it with `https://` so the m…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET /v1/assistants (apps/macos/src/main/platform-forward.test.ts:126)
`apps/macos/src/main/platform-forward.test.ts:126` calls `GET /v1/assistants` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/assistants` If this points at an external API, prefix it with `https://` so the m…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET /v1/assistants (apps/macos/src/main/platform-forward.test.ts:136)
`apps/macos/src/main/platform-forward.test.ts:136` calls `GET /v1/assistants` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/assistants` If this points at an external API, prefix it with `https://` so the m…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET /v1/assistants (apps/macos/src/main/platform-forward.test.ts:150)
`apps/macos/src/main/platform-forward.test.ts:150` calls `GET /v1/assistants` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/assistants` If this points at an external API, prefix it with `https://` so the m…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET /v1/assistants (apps/macos/src/main/platform-forward.test.ts:34)
`apps/macos/src/main/platform-forward.test.ts:34` calls `GET /v1/assistants` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/assistants` If this points at an external API, prefix it with `https://` so the ma…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET /v1/assistants (apps/macos/src/main/platform-forward.test.ts:83)
`apps/macos/src/main/platform-forward.test.ts:83` calls `GET /v1/assistants` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/assistants` If this points at an external API, prefix it with `https://` so the ma…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET /v1/assistants (apps/macos/src/main/platform-forward.test.ts:91)
`apps/macos/src/main/platform-forward.test.ts:91` calls `GET /v1/assistants` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/assistants` If this points at an external API, prefix it with `https://` so the ma…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET /v1/assistants?page=2&limit=10 (apps/macos/src/main/platform-forward.test.ts:72)
`apps/macos/src/main/platform-forward.test.ts:72` calls `GET /v1/assistants?page=2&limit=10` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/assistants` If this points at an external API, prefix it with `htt…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET /v1/some/endpoint/ (assistant/src/platform/client.test.ts:132)
`assistant/src/platform/client.test.ts:132` calls `GET /v1/some/endpoint/` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/some/endpoint` If this points at an external API, prefix it with `https://` so the matcher sk…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /v1/test/ (assistant/src/platform/client.test.ts:145)
`assistant/src/platform/client.test.ts:145` calls `GET /v1/test/` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/test` If this points at an external API, prefix it with `https://` so the matcher skips it.
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /v1something/else (apps/macos/src/main/platform-forward.test.ts:160)
`apps/macos/src/main/platform-forward.test.ts:160` calls `GET /v1something/else` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/v1something/else` If this points at an external API, prefix it with `https://`…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET http://${host}:${port}/healthz (assistant/src/daemon/daemon-control.ts:155)
`assistant/src/daemon/daemon-control.ts:155` calls `GET http://${host}:${port}/healthz` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/<p>:/<p>/healthz` If this points at an external API, prefix it with `https…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${healthPort}/healthz (credential-executor/src/__tests__/managed-reconnect.test.ts:219)
`credential-executor/src/__tests__/managed-reconnect.test.ts:219` calls `GET http://127.0.0.1:${healthPort}/healthz` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/healthz` If this points at an …
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/healthz (credential-executor/src/__tests__/managed-reconnect.test.ts:54)
`credential-executor/src/__tests__/managed-reconnect.test.ts:54` calls `GET http://127.0.0.1:${port}/healthz` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/healthz` If this points at an externa…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/readyz (credential-executor/src/__tests__/managed-reconnect.test.ts:66)
`credential-executor/src/__tests__/managed-reconnect.test.ts:66` calls `GET http://127.0.0.1:${port}/readyz` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/readyz` If this points at an external …
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/v1/attachments/${stored.id} (assistant/src/__tests__/runtime-attachment-metadata.test.ts:181)
`assistant/src/__tests__/runtime-attachment-metadata.test.ts:181` calls `GET http://127.0.0.1:${port}/v1/attachments/${stored.id}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/v1/attachments/<…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/v1/attachments/${stored.id} (assistant/src/__tests__/runtime-attachment-metadata.test.ts:206)
`assistant/src/__tests__/runtime-attachment-metadata.test.ts:206` calls `GET http://127.0.0.1:${port}/v1/attachments/${stored.id}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/v1/attachments/<…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/v1/attachments/nonexistent-id (assistant/src/__tests__/runtime-attachment-metadata.test.ts:218)
`assistant/src/__tests__/runtime-attachment-metadata.test.ts:218` calls `GET http://127.0.0.1:${port}/v1/attachments/nonexistent-id` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/v1/attachments…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/v1/calls/media-stream (assistant/src/__tests__/gateway-only-enforcement.test.ts:525)
`assistant/src/__tests__/gateway-only-enforcement.test.ts:525` calls `GET http://127.0.0.1:${port}/v1/calls/media-stream` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/v1/calls/media-stream` If…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/v1/calls/media-stream?callSessionId=sess-123 (assistant/src/__tests__/gateway-only-enforcement.test.ts:466)
`assistant/src/__tests__/gateway-only-enforcement.test.ts:466` calls `GET http://127.0.0.1:${port}/v1/calls/media-stream?callSessionId=sess-123` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/v1…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/v1/calls/media-stream?callSessionId=sess-123 (assistant/src/__tests__/gateway-only-enforcement.test.ts:491)
`assistant/src/__tests__/gateway-only-enforcement.test.ts:491` calls `GET http://127.0.0.1:${port}/v1/calls/media-stream?callSessionId=sess-123` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/v1…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/v1/calls/media-stream?callSessionId=sess-123 (assistant/src/__tests__/gateway-only-enforcement.test.ts:508)
`assistant/src/__tests__/gateway-only-enforcement.test.ts:508` calls `GET http://127.0.0.1:${port}/v1/calls/media-stream?callSessionId=sess-123` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/v1…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/v1/calls/relay?callSessionId=sess-123 (assistant/src/__tests__/gateway-only-enforcement.test.ts:403)
`assistant/src/__tests__/gateway-only-enforcement.test.ts:403` calls `GET http://127.0.0.1:${port}/v1/calls/relay?callSessionId=sess-123` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/v1/calls/…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/v1/calls/relay?callSessionId=sess-123 (assistant/src/__tests__/gateway-only-enforcement.test.ts:426)
`assistant/src/__tests__/gateway-only-enforcement.test.ts:426` calls `GET http://127.0.0.1:${port}/v1/calls/relay?callSessionId=sess-123` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/v1/calls/…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/v1/calls/relay?callSessionId=sess-123 (assistant/src/__tests__/gateway-only-enforcement.test.ts:443)
`assistant/src/__tests__/gateway-only-enforcement.test.ts:443` calls `GET http://127.0.0.1:${port}/v1/calls/relay?callSessionId=sess-123` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/v1/calls/…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/v1/messages?conversationKey=${conversationKey} (assistant/src/__tests__/runtime-attachment-metadata.test.ts:113)
`assistant/src/__tests__/runtime-attachment-metadata.test.ts:113` calls `GET http://127.0.0.1:${port}/v1/messages?conversationKey=${conversationKey}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/v1/messages?conversationKey=${conversationKey} (assistant/src/__tests__/runtime-attachment-metadata.test.ts:160)
`assistant/src/__tests__/runtime-attachment-metadata.test.ts:160` calls `GET http://127.0.0.1:${port}/v1/messages?conversationKey=${conversationKey}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/v1/stt/stream?provider=deepgram&mimeType=audio/webm (assistant/src/__tests__/gateway-only-enforcement.test.ts:775)
`assistant/src/__tests__/gateway-only-enforcement.test.ts:775` calls `GET http://127.0.0.1:${port}/v1/stt/stream?provider=deepgram&mimeType=audio/webm` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/v1/stt/stream?provider=deepgram&mimeType=audio/webm (assistant/src/__tests__/gateway-only-enforcement.test.ts:796)
`assistant/src/__tests__/gateway-only-enforcement.test.ts:796` calls `GET http://127.0.0.1:${port}/v1/stt/stream?provider=deepgram&mimeType=audio/webm` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/v1/stt/stream?token=${GATEWAY_JWT} (assistant/src/__tests__/gateway-only-enforcement.test.ts:876)
`assistant/src/__tests__/gateway-only-enforcement.test.ts:876` calls `GET http://127.0.0.1:${port}/v1/stt/stream?token=${GATEWAY_JWT}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/v1/stt/strea…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/v1/stt/stream?token=${GATEWAY_JWT}&mimeType=audio/webm (assistant/src/__tests__/gateway-only-enforcement.test.ts:845)
`assistant/src/__tests__/gateway-only-enforcement.test.ts:845` calls `GET http://127.0.0.1:${port}/v1/stt/stream?token=${GATEWAY_JWT}&mimeType=audio/webm` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/v1/stt/stream?token=${GATEWAY_JWT}&provider=deepgram (assistant/src/__tests__/gateway-only-enforcement.test.ts:861)
`assistant/src/__tests__/gateway-only-enforcement.test.ts:861` calls `GET http://127.0.0.1:${port}/v1/stt/stream?token=${GATEWAY_JWT}&provider=deepgram` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/v1/stt/stream?token=${GATEWAY_JWT}&provider=deepgram&mimeType=audio/webm (assistant/src/__tests__/gateway-only-enforcement.test.ts:827)
`assistant/src/__tests__/gateway-only-enforcement.test.ts:827` calls `GET http://127.0.0.1:${port}/v1/stt/stream?token=${GATEWAY_JWT}&provider=deepgram&mimeType=audio/webm` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matchin…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/v1/stt/stream?token=${TEST_JWT}&provider=deepgram&mimeType=audio/webm (assistant/src/__tests__/gateway-only-enforcement.test.ts:811)
`assistant/src/__tests__/gateway-only-enforcement.test.ts:811` calls `GET http://127.0.0.1:${port}/v1/stt/stream?token=${TEST_JWT}&provider=deepgram&mimeType=audio/webm` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: …
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${port}/webhooks/telegram (assistant/src/__tests__/gateway-only-enforcement.test.ts:193)
`assistant/src/__tests__/gateway-only-enforcement.test.ts:193` calls `GET http://127.0.0.1:${port}/webhooks/telegram` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/webhooks/telegram` If this po…
high System graph api Wiring conf 1.00 Dangling fetch: GET http://169.254.169.254/computeMetadata/v1/instance/network-interfaces/0/access-configs/0/external-ip (cli/src/lib/local.ts:712)
`cli/src/lib/local.ts:712` calls `GET http://169.254.169.254/computeMetadata/v1/instance/network-interfaces/0/access-configs/0/external-ip` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/169.254.169.254/comput…
high System graph api Wiring conf 1.00 Dangling fetch: GET http://169.254.169.254/latest/meta-data/public-ipv4 (cli/src/lib/local.ts:735)
`cli/src/lib/local.ts:735` calls `GET http://169.254.169.254/latest/meta-data/public-ipv4` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/169.254.169.254/latest/meta-data/public-ipv4` If this points at an exte…
high System graph api Wiring conf 1.00 Dangling fetch: GET http://localhost:${gatewayPort}/healthz (gateway/src/__tests__/credential-watcher-managed-bootstrap.test.ts:140)
`gateway/src/__tests__/credential-watcher-managed-bootstrap.test.ts:140` calls `GET http://localhost:${gatewayPort}/healthz` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/localhost:/<p>/healthz` If this point…
high System graph api Wiring conf 1.00 Dangling fetch: GET http://localhost:${healthPort}/healthz (credential-executor/src/__tests__/managed-integration.test.ts:503)
`credential-executor/src/__tests__/managed-integration.test.ts:503` calls `GET http://localhost:${healthPort}/healthz` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/localhost:/<p>/healthz` If this points at a…
high System graph api Wiring conf 1.00 Dangling fetch: GET http://localhost:${healthPort}/readyz (credential-executor/src/__tests__/managed-integration.test.ts:508)
`credential-executor/src/__tests__/managed-integration.test.ts:508` calls `GET http://localhost:${healthPort}/readyz` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/localhost:/<p>/readyz` If this points at an …
high System graph api Wiring conf 1.00 Dangling fetch: GET http://localhost:${port}/healthz (gateway/src/__tests__/credential-watcher.test.ts:245)
`gateway/src/__tests__/credential-watcher.test.ts:245` calls `GET http://localhost:${port}/healthz` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/localhost:/<p>/healthz` If this points at an external API, pre…
high System graph api Wiring conf 1.00 Dangling fetch: GET http://localhost:${server.port} (assistant/src/__tests__/provider-streaming.benchmark.test.ts:266)
`assistant/src/__tests__/provider-streaming.benchmark.test.ts:266` calls `GET http://localhost:${server.port}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/localhost:/<p>` If this points at an external API, …
high System graph api Wiring conf 1.00 Dangling fetch: GET https://api.resend.com/domains (gateway/src/http/routes/resend-identity.ts:24)
`gateway/src/http/routes/resend-identity.ts:24` calls `GET https://api.resend.com/domains` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.resend.com/domains` If this points at an external API, prefix it w…
high System graph api Wiring conf 1.00 Dangling fetch: GET https://api.resend.com/emails/receiving/${emailId} (gateway/src/http/routes/resend-webhook.ts:130)
`gateway/src/http/routes/resend-webhook.ts:130` calls `GET https://api.resend.com/emails/receiving/${emailId}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.resend.com/emails/receiving/<p>` If this point…
high System graph api Wiring conf 1.00 Dangling fetch: GET https://api.sanity.io/v2021-06-07/projects (assistant/src/runtime/routes/sanity-routes.ts:55)
`assistant/src/runtime/routes/sanity-routes.ts:55` calls `GET https://api.sanity.io/v2021-06-07/projects` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.sanity.io/v2021-06-07/projects` If this points at a…
high System graph api Wiring conf 1.00 Dangling fetch: GET https://api.sanity.io/v2021-06-07/projects/${projectId}/datasets (assistant/src/runtime/routes/sanity-routes.ts:79)
`assistant/src/runtime/routes/sanity-routes.ts:79` calls `GET https://api.sanity.io/v2021-06-07/projects/${projectId}/datasets` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.sanity.io/v2021-06-07/project…
high System graph api Wiring conf 1.00 Dangling fetch: GET https://api.telegram.org/bot${botToken}/deleteWebhook (assistant/src/daemon/handlers/config-telegram.ts:276)
`assistant/src/daemon/handlers/config-telegram.ts:276` calls `GET https://api.telegram.org/bot${botToken}/deleteWebhook` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.telegram.org/bot/<p>/deletewebhook` …
high System graph api Wiring conf 1.00 Dangling fetch: GET https://api.telegram.org/bot${token}/getMe (assistant/src/runtime/channel-invite-transports/telegram.ts:55)
`assistant/src/runtime/channel-invite-transports/telegram.ts:55` calls `GET https://api.telegram.org/bot${token}/getMe` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.telegram.org/bot/<p>/getme` If this p…
high System graph api Wiring conf 1.00 Dangling fetch: GET https://api.twilio.com/2010-04-01/Accounts/${accountSid}.json (assistant/src/runtime/routes/integrations/twilio.ts:138)
`assistant/src/runtime/routes/integrations/twilio.ts:138` calls `GET https://api.twilio.com/2010-04-01/Accounts/${accountSid}.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.twilio.com/2010-04-01/acc…
high System graph api Wiring conf 1.00 Dangling fetch: PATCH /v1/assistants/${encodeURIComponent(assistantId)}/ (assistant/src/platform/sync-identity.ts:81)
`assistant/src/platform/sync-identity.ts:81` calls `PATCH /v1/assistants/${encodeURIComponent(assistantId)}/` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/assistants/<p>` If this points at an external API, prefix …
high System graph api Wiring conf 1.00 Dangling fetch: POST /_allauth/browser/v1/auth/session (apps/macos/src/main/platform-forward.test.ts:98)
`apps/macos/src/main/platform-forward.test.ts:98` calls `POST /_allauth/browser/v1/auth/session` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/_allauth/browser/v1/auth/session` If this points at an externa…
high System graph api Wiring conf 1.00 Dangling fetch: POST /assistant/__gateway/8080/auth/token (apps/macos/src/main/gateway-forward.test.ts:62)
`apps/macos/src/main/gateway-forward.test.ts:62` calls `POST /assistant/__gateway/8080/auth/token` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/assistant/__gateway/<p>/auth/token` If this points at an ext…
high System graph api Wiring conf 1.00 Dangling fetch: POST /assistant/__local/hatch (apps/web/src/runtime/local-mode-host.ts:108)
`apps/web/src/runtime/local-mode-host.ts:108` calls `POST /assistant/__local/hatch` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/assistant/__local/hatch` If this points at an external API, prefix it with `https://…
high System graph api Wiring conf 1.00 Dangling fetch: POST /assistant/__local/lockfile (apps/web/src/runtime/local-mode-host.ts:148)
`apps/web/src/runtime/local-mode-host.ts:148` calls `POST /assistant/__local/lockfile` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/assistant/__local/lockfile` If this points at an external API, prefix it with `ht…
high System graph api Wiring conf 1.00 Dangling fetch: POST /assistant/__local/lockfile (apps/web/src/runtime/local-mode-host.ts:170)
`apps/web/src/runtime/local-mode-host.ts:170` calls `POST /assistant/__local/lockfile` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/assistant/__local/lockfile` If this points at an external API, prefix it with `ht…
high System graph api Wiring conf 1.00 Dangling fetch: POST /assistant/__local/retire (apps/web/src/runtime/local-mode-host.ts:189)
`apps/web/src/runtime/local-mode-host.ts:189` calls `POST /assistant/__local/retire` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/assistant/__local/retire` If this points at an external API, prefix it with `https:…
high System graph api Wiring conf 1.00 Dangling fetch: POST /assistant/__local/wake (apps/web/src/runtime/local-mode-host.ts:220)
`apps/web/src/runtime/local-mode-host.ts:220` calls `POST /assistant/__local/wake` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/assistant/__local/wake` If this points at an external API, prefix it with `https://` …
high System graph api Wiring conf 1.00 Dangling fetch: POST /v1/assistants/${client.platformAssistantId}/domains/ (assistant/src/runtime/routes/domain-routes.ts:107)
`assistant/src/runtime/routes/domain-routes.ts:107` calls `POST /v1/assistants/${client.platformAssistantId}/domains/` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/assistants/<p>/domains` If this points at an exte…
high System graph api Wiring conf 1.00 Dangling fetch: POST /v1/assistants/${client.platformAssistantId}/email-addresses/ (assistant/src/runtime/routes/email-routes.ts:44)
`assistant/src/runtime/routes/email-routes.ts:44` calls `POST /v1/assistants/${client.platformAssistantId}/email-addresses/` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/assistants/<p>/email-addresses` If this poi…
high System graph api Wiring conf 1.00 Dangling fetch: POST /v1/runtime-proxy/email/send/ (assistant/src/runtime/routes/email-routes.ts:298)
`assistant/src/runtime/routes/email-routes.ts:298` calls `POST /v1/runtime-proxy/email/send/` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/runtime-proxy/email/send` If this points at an external API, prefix it wit…
high System graph api Wiring conf 1.00 Dangling fetch: POST /v1/telemetry/ingest/ (apps/web/src/domains/onboarding/funnel-events.ts:155)
`apps/web/src/domains/onboarding/funnel-events.ts:155` calls `POST /v1/telemetry/ingest/` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/telemetry/ingest` If this points at an external API, prefix it with `https://`…
high System graph api Wiring conf 1.00 Dangling fetch: POST /v1/test/ (assistant/src/platform/client.test.ts:159)
`assistant/src/platform/client.test.ts:159` calls `POST /v1/test/` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/test` If this points at an external API, prefix it with `https://` so the matcher skips it.
high System graph api Wiring conf 1.00 Dangling fetch: POST /v1/test/ (assistant/src/platform/client.test.ts:175)
`assistant/src/platform/client.test.ts:175` calls `POST /v1/test/` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/test` If this points at an external API, prefix it with `https://` so the matcher skips it.
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${ingressPort}/v1/channels/inbound (assistant/src/__tests__/runtime-attachment-metadata.test.ts:321)
`assistant/src/__tests__/runtime-attachment-metadata.test.ts:321` calls `POST http://127.0.0.1:${ingressPort}/v1/channels/inbound` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/v1/channels/inbo…
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${ingressPort}/v1/channels/inbound (assistant/src/__tests__/runtime-attachment-metadata.test.ts:342)
`assistant/src/__tests__/runtime-attachment-metadata.test.ts:342` calls `POST http://127.0.0.1:${ingressPort}/v1/channels/inbound` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/v1/channels/inbo…
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${ingressPort}/v1/channels/inbound (assistant/src/__tests__/runtime-attachment-metadata.test.ts:368)
`assistant/src/__tests__/runtime-attachment-metadata.test.ts:368` calls `POST http://127.0.0.1:${ingressPort}/v1/channels/inbound` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/v1/channels/inbo…
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/play_audio (skills/meet-join/bot/__tests__/audio-playback.test.ts:394)
`skills/meet-join/bot/__tests__/audio-playback.test.ts:394` calls `POST http://127.0.0.1:${port}/play_audio` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/play_audio` If this points at an exter…
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/play_audio?stream_id=a (skills/meet-join/bot/__tests__/audio-playback.test.ts:460)
`skills/meet-join/bot/__tests__/audio-playback.test.ts:460` calls `POST http://127.0.0.1:${port}/play_audio?stream_id=a` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/play_audio` If this points…
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/play_audio?stream_id=b (skills/meet-join/bot/__tests__/audio-playback.test.ts:479)
`skills/meet-join/bot/__tests__/audio-playback.test.ts:479` calls `POST http://127.0.0.1:${port}/play_audio?stream_id=b` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/play_audio` If this points…
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/play_audio?stream_id=cancel-me (skills/meet-join/bot/__tests__/audio-playback.test.ts:337)
`skills/meet-join/bot/__tests__/audio-playback.test.ts:337` calls `POST http://127.0.0.1:${port}/play_audio?stream_id=cancel-me` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/play_audio` If thi…
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/play_audio?stream_id=loopback-1 (skills/meet-join/bot/__tests__/voice-loopback.test.ts:194)
`skills/meet-join/bot/__tests__/voice-loopback.test.ts:194` calls `POST http://127.0.0.1:${port}/play_audio?stream_id=loopback-1` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/play_audio` If th…
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/play_audio?stream_id=loopback-cancel (skills/meet-join/bot/__tests__/voice-loopback.test.ts:265)
`skills/meet-join/bot/__tests__/voice-loopback.test.ts:265` calls `POST http://127.0.0.1:${port}/play_audio?stream_id=loopback-cancel` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/play_audio` …
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/play_audio?stream_id=s-1 (skills/meet-join/bot/__tests__/audio-playback.test.ts:275)
`skills/meet-join/bot/__tests__/audio-playback.test.ts:275` calls `POST http://127.0.0.1:${port}/play_audio?stream_id=s-1` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/play_audio` If this poin…
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/v1/calls/twilio/status (assistant/src/__tests__/gateway-only-enforcement.test.ts:304)
`assistant/src/__tests__/gateway-only-enforcement.test.ts:304` calls `POST http://127.0.0.1:${port}/v1/calls/twilio/status` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/v1/calls/twilio/status`…
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/v1/calls/twilio/voice-webhook (assistant/src/__tests__/gateway-only-enforcement.test.ts:288)
`assistant/src/__tests__/gateway-only-enforcement.test.ts:288` calls `POST http://127.0.0.1:${port}/v1/calls/twilio/voice-webhook` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/v1/calls/twilio/…
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/v1/channels/delivery-ack (assistant/src/__tests__/gateway-only-enforcement.test.ts:649)
`assistant/src/__tests__/gateway-only-enforcement.test.ts:649` calls `POST http://127.0.0.1:${port}/v1/channels/delivery-ack` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/v1/channels/delivery-…
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/v1/channels/inbound (assistant/src/__tests__/gateway-only-enforcement.test.ts:620)
`assistant/src/__tests__/gateway-only-enforcement.test.ts:620` calls `POST http://127.0.0.1:${port}/v1/channels/inbound` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/v1/channels/inbound` If th…
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/v1/channels/inbound (assistant/src/__tests__/gateway-only-enforcement.test.ts:672)
`assistant/src/__tests__/gateway-only-enforcement.test.ts:672` calls `POST http://127.0.0.1:${port}/v1/channels/inbound` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/v1/channels/inbound` If th…
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/v1/channels/inbound (assistant/src/__tests__/gateway-only-enforcement.test.ts:693)
`assistant/src/__tests__/gateway-only-enforcement.test.ts:693` calls `POST http://127.0.0.1:${port}/v1/channels/inbound` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/v1/channels/inbound` If th…
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/v1/channels/inbound (assistant/src/__tests__/gateway-only-enforcement.test.ts:713)
`assistant/src/__tests__/gateway-only-enforcement.test.ts:713` calls `POST http://127.0.0.1:${port}/v1/channels/inbound` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/v1/channels/inbound` If th…
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/v1/channels/inbound (assistant/src/__tests__/gateway-only-enforcement.test.ts:731)
`assistant/src/__tests__/gateway-only-enforcement.test.ts:731` calls `POST http://127.0.0.1:${port}/v1/channels/inbound` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/v1/channels/inbound` If th…
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/v1/channels/inbound (assistant/src/__tests__/gateway-only-enforcement.test.ts:753)
`assistant/src/__tests__/gateway-only-enforcement.test.ts:753` calls `POST http://127.0.0.1:${port}/v1/channels/inbound` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/v1/channels/inbound` If th…
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/v1/internal/oauth/callback (assistant/src/__tests__/gateway-only-enforcement.test.ts:378)
`assistant/src/__tests__/gateway-only-enforcement.test.ts:378` calls `POST http://127.0.0.1:${port}/v1/internal/oauth/callback` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/v1/internal/oauth/c…
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/v1/internal/twilio/connect-action (assistant/src/__tests__/gateway-only-enforcement.test.ts:361)
`assistant/src/__tests__/gateway-only-enforcement.test.ts:361` calls `POST http://127.0.0.1:${port}/v1/internal/twilio/connect-action` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/v1/internal/…
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/v1/internal/twilio/status (assistant/src/__tests__/gateway-only-enforcement.test.ts:344)
`assistant/src/__tests__/gateway-only-enforcement.test.ts:344` calls `POST http://127.0.0.1:${port}/v1/internal/twilio/status` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/v1/internal/twilio/s…
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/v1/internal/twilio/voice-webhook (assistant/src/__tests__/gateway-only-enforcement.test.ts:324)
`assistant/src/__tests__/gateway-only-enforcement.test.ts:324` calls `POST http://127.0.0.1:${port}/v1/internal/twilio/voice-webhook` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/v1/internal/t…
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/webhooks/telegram (assistant/src/__tests__/gateway-only-enforcement.test.ts:181)
`assistant/src/__tests__/gateway-only-enforcement.test.ts:181` calls `POST http://127.0.0.1:${port}/webhooks/telegram` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/webhooks/telegram` If this p…
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/webhooks/telegram (assistant/src/__tests__/gateway-only-enforcement.test.ts:210)
`assistant/src/__tests__/gateway-only-enforcement.test.ts:210` calls `POST http://127.0.0.1:${port}/webhooks/telegram` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/webhooks/telegram` If this p…
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/webhooks/telegram/test (assistant/src/__tests__/gateway-only-enforcement.test.ts:198)
`assistant/src/__tests__/gateway-only-enforcement.test.ts:198` calls `POST http://127.0.0.1:${port}/webhooks/telegram/test` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/webhooks/telegram/test`…
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/webhooks/telegram/test (assistant/src/__tests__/gateway-only-enforcement.test.ts:221)
`assistant/src/__tests__/gateway-only-enforcement.test.ts:221` calls `POST http://127.0.0.1:${port}/webhooks/telegram/test` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/webhooks/telegram/test`…
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/webhooks/twilio/connect-action (assistant/src/__tests__/gateway-only-enforcement.test.ts:272)
`assistant/src/__tests__/gateway-only-enforcement.test.ts:272` calls `POST http://127.0.0.1:${port}/webhooks/twilio/connect-action` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/webhooks/twilio…
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/webhooks/twilio/status (assistant/src/__tests__/gateway-only-enforcement.test.ts:256)
`assistant/src/__tests__/gateway-only-enforcement.test.ts:256` calls `POST http://127.0.0.1:${port}/webhooks/twilio/status` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/webhooks/twilio/status`…
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${port}/webhooks/twilio/voice (assistant/src/__tests__/gateway-only-enforcement.test.ts:239)
`assistant/src/__tests__/gateway-only-enforcement.test.ts:239` calls `POST http://127.0.0.1:${port}/webhooks/twilio/voice` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/webhooks/twilio/voice` I…
high System graph api Wiring conf 1.00 Dangling fetch: POST https://api.anthropic.com/v1/messages (evals/src/lib/simulator/user-simulator.ts:239)
`evals/src/lib/simulator/user-simulator.ts:239` calls `POST https://api.anthropic.com/v1/messages` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.anthropic.com/v1/messages` If this points at an external A…
high System graph api Wiring conf 1.00 Dangling fetch: POST https://api.deepgram.com/v1/speak?model=aura-2-thalia-en (apps/web/src/lib/tts-synthesize.ts:115)
`apps/web/src/lib/tts-synthesize.ts:115` calls `POST https://api.deepgram.com/v1/speak?model=aura-2-thalia-en` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.deepgram.com/v1/speak` If this points at an ex…
high System graph api Wiring conf 1.00 Dangling fetch: POST https://api.elevenlabs.io/v1/text-to-speech/${encodeURIComponent( trimmedVoiceId, )}?output_format=mp3_44100_128 (apps/web/src/lib/tts-synthesize.ts:82)
`apps/web/src/lib/tts-synthesize.ts:82` calls `POST https://api.elevenlabs.io/v1/text-to-speech/${encodeURIComponent( trimmedVoiceId, )}?output_format=mp3_44100_128` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matc…
high System graph api Wiring conf 1.00 Dangling fetch: POST https://api.fish.audio/v1/tts (assistant/src/calls/fish-audio-client.ts:67)
`assistant/src/calls/fish-audio-client.ts:67` calls `POST https://api.fish.audio/v1/tts` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.fish.audio/v1/tts` If this points at an external API, prefix it with…
high System graph api Wiring conf 1.00 Dangling fetch: POST https://api.mailgun.net/v3/${mailgunDomain}/messages (gateway/src/http/routes/mailgun-webhook.ts:414)
`gateway/src/http/routes/mailgun-webhook.ts:414` calls `POST https://api.mailgun.net/v3/${mailgunDomain}/messages` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.mailgun.net/v3/<p>/messages` If this point…
high System graph api Wiring conf 1.00 Dangling fetch: POST https://api.perplexity.ai/chat/completions (assistant/src/__tests__/web-search.test.ts:866)
`assistant/src/__tests__/web-search.test.ts:866` calls `POST https://api.perplexity.ai/chat/completions` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.perplexity.ai/chat/completions` If this points at an…
high System graph api Wiring conf 1.00 Dangling fetch: POST https://api.resend.com/emails (gateway/src/http/routes/resend-webhook.ts:489)
`gateway/src/http/routes/resend-webhook.ts:489` calls `POST https://api.resend.com/emails` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.resend.com/emails` If this points at an external API, prefix it wi…
high System graph api Wiring conf 1.00 Dangling fetch: POST https://api.tavily.com/search (assistant/src/__tests__/web-search.test.ts:988)
`assistant/src/__tests__/web-search.test.ts:988` calls `POST https://api.tavily.com/search` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.tavily.com/search` If this points at an external API, prefix it w…
high System graph api Wiring conf 1.00 Dangling fetch: POST https://api.telegram.org/bot${storedToken}/setMyCommands (assistant/src/daemon/handlers/config-telegram.ts:351)
`assistant/src/daemon/handlers/config-telegram.ts:351` calls `POST https://api.telegram.org/bot${storedToken}/setMyCommands` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.telegram.org/bot/<p>/setmycomman…
Tags: Dangling fetch, Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST https://api.vercel.com/v13/deployments (assistant/src/services/vercel-deploy.ts:31)
`assistant/src/services/vercel-deploy.ts:31` calls `POST https://api.vercel.com/v13/deployments` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.vercel.com/v13/deployments` If this points at an external AP…
Tags: Dangling fetch, Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST https://slack.com/api/auth.test (assistant/src/daemon/handlers/config-slack-channel.ts:191)
`assistant/src/daemon/handlers/config-slack-channel.ts:191` calls `POST https://slack.com/api/auth.test` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/slack.com/api/auth.test` If this points at an external A…
Tags: Dangling fetch, Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST https://slack.com/api/auth.test (assistant/src/daemon/handlers/config-slack-channel.ts:264)
`assistant/src/daemon/handlers/config-slack-channel.ts:264` calls `POST https://slack.com/api/auth.test` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/slack.com/api/auth.test` If this points at an external A…
Tags: Dangling fetch, Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST https://slack.com/api/auth.test (assistant/src/daemon/handlers/config-slack-channel.ts:350)
`assistant/src/daemon/handlers/config-slack-channel.ts:350` calls `POST https://slack.com/api/auth.test` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/slack.com/api/auth.test` If this points at an external A…
Tags: Dangling fetch, Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST https://slack.com/api/auth.test (assistant/src/runtime/channel-readiness-service.ts:299)
`assistant/src/runtime/channel-readiness-service.ts:299` calls `POST https://slack.com/api/auth.test` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/slack.com/api/auth.test` If this points at an external API,…
Tags: Dangling fetch, Fetch
high System graph api Wiring conf 1.00 Dangling fetch: PUT http://169.254.169.254/latest/api/token (cli/src/lib/local.ts:728)
`cli/src/lib/local.ts:728` calls `PUT http://169.254.169.254/latest/api/token` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/169.254.169.254/latest/api/token` If this points at an external API, prefix it with…
Tags: Dangling fetch, Fetch
high System graph hardware Supply chain conf 1.00 Dockerfile pipes a remote installer into a shell
Executing downloaded code during image build gives the remote endpoint build-time code execution. Prefer pinned packages or verify downloaded installers by checksum/signature.
credential-executor/Dockerfile:13 (Tags: containers, Remote installer)
high System graph hardware Supply chain conf 1.00 Dockerfile pipes a remote installer into a shell
Executing downloaded code during image build gives the remote endpoint build-time code execution. Prefer pinned packages or verify downloaded installers by checksum/signature.
assistant/Dockerfile:16 (Tags: containers, Remote installer)
high System graph security security conf 1.00 Insecure pattern 'eval_used' in assistant/src/bundler/bundle-scanner.ts:376
Found a known-risky pattern (eval_used). Review and replace if possible.
assistant/src/bundler/bundle-scanner.ts:376 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in skills/watch-together/scripts/process-chunk.sh:13
Found a known-risky pattern (eval_used). Review and replace if possible.
skills/watch-together/scripts/process-chunk.sh:13 Eval used
high System graph security security conf 1.00 Insecure pattern 'exec_used' in assistant/src/memory/app-git-service.ts:326
Found a known-risky pattern (exec_used). Review and replace if possible.
assistant/src/memory/app-git-service.ts:326 Exec used
high System graph security security conf 1.00 Insecure pattern 'exec_used' in cli/src/commands/recover.ts:102
Found a known-risky pattern (exec_used). Review and replace if possible.
cli/src/commands/recover.ts:102 Exec used
high System graph security security conf 1.00 Insecure pattern 'exec_used' in cli/src/commands/retire.ts:62
Found a known-risky pattern (exec_used). Review and replace if possible.
cli/src/commands/retire.ts:62 Exec used
high System graph security security conf 1.00 Insecure pattern 'exec_used' in cli/src/commands/upgrade.ts:337
Found a known-risky pattern (exec_used). Review and replace if possible.
cli/src/commands/upgrade.ts:337 Exec used
high System graph security security conf 1.00 Insecure pattern 'exec_used' in cli/src/lib/aws.ts:97
Found a known-risky pattern (exec_used). Review and replace if possible.
cli/src/lib/aws.ts:97 Exec used
high System graph security security conf 1.00 Insecure pattern 'exec_used' in cli/src/lib/docker.ts:124
Found a known-risky pattern (exec_used). Review and replace if possible.
cli/src/lib/docker.ts:124 Exec used
high System graph security security conf 1.00 Insecure pattern 'exec_used' in cli/src/lib/gcp.ts:127
Found a known-risky pattern (exec_used). Review and replace if possible.
cli/src/lib/gcp.ts:127 Exec used
high System graph security security conf 1.00 Insecure pattern 'exec_used' in cli/src/lib/upgrade-lifecycle.ts:653
Found a known-risky pattern (exec_used). Review and replace if possible.
cli/src/lib/upgrade-lifecycle.ts:653 Exec used
medium Security checks security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them.
medium Security checks quality Error handling conf 1.00 3 occurrences [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
3 files, 3 locations
apps/web/src/domains/chat/components/surfaces/table-surface.tsx:163
apps/web/src/domains/chat/streaming/sse-event-consumer.ts:154
apps/web/src/domains/chat/voice/live-voice/pcm-capture.ts:245
low Security checks security Injection conf 0.50 [SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.
Use subprocess with shell=False and a list of args. Never eval user input.
assistant/src/cli/utils/parse-duration.ts:25
medium Security checks software Open redirect conf 1.00 3 occurrences [SEC046] Client-side open redirect — window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). Complement to server-side SEC030.
Validate the URL is same-origin or on an explicit allowlist before assignment: const u = new URL(serverUrl, location.href); if (u.origin !== location.origin && !ALLOWED.includes(u.host)) return; location.assign(u); Even better: have the server return a path (/checkout/done) instead of a full …
3 files, 3 locations
apps/web/src/domains/chat/api/managed-oauth.ts:377
apps/web/src/domains/chat/components/preferences-menu.tsx:240
apps/web/src/domains/settings/ai/chatgpt-oauth-section.tsx:62
medium Security checks quality Quality conf 1.00 3 occurrences [SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0).
Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser).
3 files, 3 locations
apps/web/src/domains/chat/components/activity-run-card/activity-run-card.stories.tsx:18
apps/web/src/domains/chat/components/inline-activity-link/inline-tool-link.stories.tsx:18
apps/web/src/domains/chat/components/tool-progress-card/phase-grouped-step-list.stories.tsx:20
medium Security checks quality Quality conf 1.00 [SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeholder credentials shaped like `API_KEY = "your-api-key-here"` instead of pulling from env. These get committed verbatim — production code with a literal placeholder string is a near-certain bug, and the value also leaks what credential type the system expects to authentication crawlers. CWE-1188. Distinctive AI footprint: the exact phrase shape `your-X-here` is uncommon in hand
Replace with env lookup: `API_KEY = os.environ['SERVICE_API_KEY']`. Move actual key to a secret manager. Add a startup check that the env var is non-empty so missing config fails loudly instead of shipping the placeholder.
assistant/src/security/secret-scanner.ts:115
medium Security checks quality Quality conf 1.00 [SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeholder credentials shaped like `API_KEY = "your-api-key-here"` instead of pulling from env. These get committed verbatim — production code with a literal placeholder string is a near-certain bug, and the value also leaks what credential type the system expects to authentication crawlers. CWE-1188. Distinctive AI footprint: the exact phrase shape `your-X-here` is uncommon in hand
Replace with env lookup: `API_KEY = os.environ['SERVICE_API_KEY']`. Move actual key to a secret manager. Add a startup check that the env var is non-empty so missing config fails loudly instead of shipping the placeholder.
assistant/src/security/secret-ingress.ts:29
low Security checks quality Error handling conf 0.55 ✓ Repobility Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
evals/src/lib/egress/recording/usage_parser.py:124 (Tags: Error handling, quality)
high Security checks security auth conf 0.82 6 occurrences Browser storage is used for session token material
Prefer httpOnly, Secure, SameSite cookies or short-lived in-memory tokens. Avoid persistent browser storage for access, refresh, ID, or partner session tokens.
lines 39, 40, 73, 75, 89, 90
apps/web/src/lib/auth/gateway-session.ts:39, 40, 73, 75, 89, 90 (6 hits)
high Security checks cicd CI/CD security conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
skills/meet-join/bot/Dockerfile:35 (Tags: CI/CD security, containers)
high Security checks cicd CI/CD security conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
evals/src/lib/egress/connection-telemetry/Dockerfile:17 (Tags: CI/CD security, containers)
high Security checks quality Quality conf 0.80 localStorage write failures are swallowed silently
Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. Log non-quota failures for diagnostics.
apps/web/src/domains/account/pages/oauth-popup-complete-page.tsx:247
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — apps/web/src/components/avatar-renderer.tsx:40
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — apps/web/src/domains/account/pages/oauth-complete-page.tsx:257
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — apps/web/src/domains/account/pages/oauth-popup-complete-page.tsx:261
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — apps/web/src/domains/chat/components/chat-attachments/text-preview.tsx:195
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — evals/src/lib/report-html.tsx:1280
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/macos/src/main/index.ts:197
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/web/src/assistant/queries.ts:7
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/web/src/components/profile-quick-add-provider.tsx:23
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/web/src/domains/chat/hooks/use-conversation-history.ts:115
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/web/src/domains/chat/hooks/use-event-stream-resume-reconcile.test.tsx:128
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/web/src/domains/chat/hooks/use-message-reconciliation.test.tsx:353
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/web/src/domains/chat/hooks/use-message-reconciliation.ts:470
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/web/src/domains/chat/hooks/use-refresh-latest-messages.test.ts:377
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/web/src/domains/chat/transcript/use-history-pagination.ts:76
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/web/src/domains/settings/ai/email-managed-content.tsx:71
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/web/src/domains/settings/components/panels/doctor-panel.tsx:106
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/web/src/lib/auth/request-headers.ts:4
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/web/src/lib/backwards-compat/utils.ts:88
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/web/src/lib/sentry/sentry-init.ts:35
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/web/src/lib/tts-synthesize.ts:82
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/web/src/runtime/local-mode-host.ts:108
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/web/src/utils/is-transient-network-error.test.ts:15
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/web/src/utils/is-transient-network-error.ts:13
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/web/src/utils/sandbox-bridge.ts:11
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/scripts/capture-x-graphql.ts:228
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/__tests__/approval-routes-http.test.ts:371
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/__tests__/call-routes-http.test.ts:184
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/__tests__/conversation-error.test.ts:87
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/__tests__/conversation-fork-route.test.ts:126
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/__tests__/conversation-inference-profile-list.test.ts:79
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/__tests__/conversation-list-source.test.ts:80
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/__tests__/conversation-unread-route.test.ts:86
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/__tests__/gateway-only-enforcement.test.ts:181
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/__tests__/http-conversation-lineage.test.ts:76
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/__tests__/migration-import-from-url.test.ts:559
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/__tests__/mock-signup-server.test.ts:51
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/__tests__/oauth2-gateway-transport.test.ts:246
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/__tests__/provider-error-scenarios.test.ts:500
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/__tests__/provider-streaming.benchmark.test.ts:232
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/__tests__/runtime-attachment-metadata.test.ts:113
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/__tests__/runtime-events-sse.test.ts:79
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/__tests__/script-proxy-http-forwarder.test.ts:87
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/__tests__/send-endpoint-busy.test.ts:386
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/__tests__/web-fetch.test.ts:40
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/background-wake/platform-client.ts:30
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/bundler/bundle-scanner.ts:346
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/bundler/compiler-tools.ts:65
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/calls/fish-audio-client.ts:67
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/calls/twilio-provider.ts:19
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/calls/twilio-rest.ts:6
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/config/assistant-feature-flags.ts:279
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/config/feature-flag-cache.ts:54
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/credential-health/credential-health-service.ts:389
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/live-voice/__tests__/live-voice-tts.test.ts:291
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/live-voice/__tests__/runtime-websocket-shell.test.ts:279
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/media/gemini-image-service.ts:80
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/memory/embedding-gemini.ts:79
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/memory/embedding-ollama.ts:42
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/memory/qdrant-manager.ts:201
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/messaging/providers/slack/api.ts:128
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/messaging/providers/slack/client.ts:101
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/messaging/providers/whatsapp/api.ts:204
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/oauth/connection-resolver.ts:216
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/oauth/identity-verifier.ts:97
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/oauth/platform-connection.ts:99
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/permissions/checker.test.ts:330
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/platform/client.test.ts:122
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/platform/client.ts:106
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/providers/openai/responses-provider.ts:137
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/runtime/migrations/gcs-signed-url.ts:5
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/runtime/routes/email-routes.ts:79
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/runtime/routes/migration-routes.ts:1205
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/runtime/routes/oauth-commands-routes.ts:100
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/runtime/routes/sanity-routes.ts:55
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/runtime/routes/skills-routes.ts:423
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/schedule/integration-status.ts:58
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/services/vercel-deploy.ts:31
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/telemetry/usage-telemetry-reporter.ts:403
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/tools/browser/cdp-client/cdp-inspect/__tests__/discovery.test.ts:40
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/tools/browser/cdp-client/cdp-inspect/__tests__/ws-transport.test.ts:103
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/tools/browser/cdp-client/cdp-inspect/discovery.ts:230
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/tools/browser/network-recorder.ts:147
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/tools/network/__tests__/web-fetch-metadata.test.ts:27
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/tools/network/managed-search-proxy.ts:88
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assistant/src/tools/network/web-fetch.ts:221
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — cli/src/__tests__/devices.test.ts:37
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — cli/src/commands/retire.ts:99
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — cli/src/components/DefaultMainScreen.tsx:273
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — cli/src/lib/assistant-client.ts:202
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — cli/src/lib/guardian-token.ts:291
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — cli/src/lib/health-check.ts:47
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — cli/src/lib/local-runtime-client.ts:214
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — cli/src/lib/platform-client.ts:232
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — cli/src/lib/terminal-client.ts:52
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — clients/chrome-extension/background/cloud-api.ts:68
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — clients/chrome-extension/background/sse-connection.ts:7
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — clients/chrome-extension/background/worker.ts:448
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — credential-executor/src/__tests__/managed-integration.test.ts:388
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — credential-executor/src/__tests__/managed-reconnect.test.ts:66
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — evals/src/lib/simulator/user-simulator.ts:239
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — gateway/src/__tests__/credential-cache.test.ts:332
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — gateway/src/__tests__/credential-watcher-managed-bootstrap.test.ts:164
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — gateway/src/__tests__/credential-watcher.test.ts:298
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — gateway/src/__tests__/remote-feature-flag-sync.test.ts:818
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — gateway/src/__tests__/route-schema-guard.test.ts:34
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — gateway/src/credential-cache.ts:49
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — gateway/src/fetch.ts:12
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — gateway/src/http/routes/mailgun-webhook.ts:414
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — gateway/src/index.ts:1614
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — gateway/src/risk/web-risk-classifier.test.ts:44
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — gateway/src/risk/web-risk-classifier.ts:78
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — scripts/generate-emoji-catalog.ts:320
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — skills/doordash/scripts/lib/client.ts:108
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — skills/doordash/scripts/lib/shared/network-recorder.ts:127
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — skills/meet-join/bot/__tests__/audio-playback.test.ts:275
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — skills/meet-join/bot/__tests__/avatar-http-server.test.ts:113
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — skills/meet-join/bot/__tests__/http-server.test.ts:80
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — skills/meet-join/bot/__tests__/play-audio-teardown.test.ts:224
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — skills/meet-join/bot/__tests__/send-chat-endpoint.test.ts:66
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — skills/meet-join/bot/__tests__/voice-loopback.test.ts:194
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — skills/meet-join/daemon/__tests__/avatar-e2e.test.ts:248
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — skills/meet-join/daemon/__tests__/chat-send-e2e.test.ts:15
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — skills/meet-join/daemon/__tests__/proactive-chat-e2e.test.ts:24
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — skills/meet-join/daemon/tts-bridge.ts:497
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — skills/outlook/scripts/outlook-manage.ts:744
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph hardware Security conf 1.00 4 occurrences Dockerfile runs as root
No non-root `USER` in the final stage. A container that runs as UID 0 gives any code execution inside it (a compromised dependency, an exploitable input parser) root within the container, which is the starting point for container escapes and for abusing mounted host paths. Add a dedicated user, `COPY --chown` the application files to it, and place `USER <name>` after the last instruction that genuinely needs root. In a multi-stage build the `USER` must be in the final stage: a `USER` in a builder stage does not carry over unless the final stage is built `FROM` that stage. If the service binds a port below 1024 it will need `CAP_NET_BIND_SERVICE` or a higher port. Runtime controls (`docker run --user`, Kubernetes `runAsNonRoot`) can enforce the same thing, but the image should not depend on them.
4 files, 4 locations
assistant/Dockerfile
evals/src/lib/egress/connection-telemetry/Dockerfile
evals/src/lib/egress/recording/Dockerfile
skills/meet-join/bot/Dockerfile
Container
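A check for this finding, written here as an added example and not part of the repository: it computes the effective `USER` of a Dockerfile's final stage, covering the two cases a plain grep for `USER` misjudges (a user set only in a builder stage, and a final stage built `FROM` an earlier stage that already set one). The function names and the sample Dockerfiles are constructed for the demonstration; a base image's own `USER` and an `ARG`-substituted name cannot be resolved without pulling the image, so those are reported as written.

```typescript
// Added example (not the project's own tooling): static "runs as root" check for Dockerfiles.
// Assumptions: a USER in a base image cannot be seen here, and `USER ${APP_USER}` is returned
// verbatim rather than resolved.

export function finalStageUser(dockerfile: string): string | null {
  const text = dockerfile.replace(/\\\r?\n/g, " "); // join backslash line continuations
  const stageUsers = new Map<string, string | null>(); // stage name -> USER in effect at its end
  let user: string | null = null;
  let stageName: string | null = null;
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const m = line.match(/^(\w+)\s+(.*)$/);
    if (!m) continue;
    const instr = m[1].toUpperCase();
    if (instr === "FROM") {
      if (stageName !== null) stageUsers.set(stageName, user);
      // FROM [--platform=...] <image|stage> [AS <name>]
      const fm = m[2].match(/^(?:--\S+\s+)*(\S+)(?:\s+as\s+(\S+))?/i);
      const base = fm ? fm[1].toLowerCase() : "";
      stageName = fm && fm[2] ? fm[2].toLowerCase() : null;
      // A new stage inherits USER only when its base is an earlier stage of this file.
      user = stageUsers.get(base) ?? null;
    } else if (instr === "USER") {
      user = m[2].trim();
    }
  }
  return user;
}

export function runsAsRoot(dockerfile: string): boolean {
  const user = finalStageUser(dockerfile);
  if (user === null) return true; // no USER at all: Docker defaults to uid 0
  const name = user.split(":")[0]; // "user[:group]" or "uid[:gid]"
  return name === "root" || name === "0";
}

// Constructed Dockerfiles for the demonstration, not the repository's own.
export const samples: Record<string, string> = {
  noUser: ["FROM node:20-alpine", "WORKDIR /app", "COPY . .", 'CMD ["node", "server.js"]'].join("\n"),
  builderOnly: [
    "FROM node:20 AS build",
    "WORKDIR /src",
    "USER node",
    "RUN npm ci && npm run build",
    "FROM node:20-alpine",
    "COPY --from=build /src/dist /app",
    'CMD ["node", "/app/server.js"]',
  ].join("\n"),
  explicitRoot: [
    "FROM node:20-alpine",
    "RUN adduser -S app",
    "USER app",
    "USER 0",
    'CMD ["node", "/app/server.js"]',
  ].join("\n"),
  hardened: [
    "FROM node:20-alpine",
    "RUN addgroup -S app && adduser -S app -G app",
    "WORKDIR /app",
    "COPY --chown=app:app . .",
    "USER app:app",
    "EXPOSE 8080",
    'CMD ["node", "server.js"]',
  ].join("\n"),
  inheritsStage: [
    "FROM node:20-alpine AS base",
    "RUN adduser -S app",
    "USER app",
    "FROM base AS final",
    "COPY --chown=app . /app",
    'CMD ["node", "/app/server.js"]',
  ].join("\n"),
};

// Evaluates every sample; true means the final stage would run as root.
export function auditSamples(): Record<string, boolean> {
  const out: Record<string, boolean> = {};
  for (const [name, df] of Object.entries(samples)) out[name] = runsAsRoot(df);
  return out;
}
```

To run it against the four files in the finding, read each with `fs.readFileSync(path, "utf8")` and pass the contents to `runsAsRoot`; `builderOnly` and `inheritsStage` are the cases where a grep and the real answer disagree.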
medium System graph cicd CI/CD security conf 1.00 7 occurrences GitHub Actions workflow grants broad write permissions
A `GITHUB_TOKEN` with write scopes (from `permissions: write-all`, from explicit write grants at workflow level, or from the repository's default when no `permissions:` key is set at all) is available to every step of every job in the file, so a compromised third-party action, a malicious dependency executed during the build, or a `pull_request_target` job that checks out untrusted PR code can use it to push commits, publish releases, or tamper with artifacts. Set `permissions: {}` (or `contents: read`) at workflow level and grant `contents: write`, `id-token: write` and similar scopes only on the job that needs them. Workflows that push commits or publish (judging by their names, the release, dev-release and autofix ones in the list below) legitimately need some write scope; the point is that the build and test jobs in the same file should not carry it.
7 files, 7 locations
.github/workflows/ci-main-storybook.yaml
.github/workflows/ci-main-web.yaml
.github/workflows/deploy-web-spa.yaml
.github/workflows/dev-release.yaml
.github/workflows/release.yml
.github/workflows/socket-autofix.yml
.github/workflows/upload-skill-assets.yaml
CI/CD security · Supply chain · GitHub Actions
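A check that reproduces this finding, added here as an example and not part of the repository's tooling: a line-oriented scan of a workflow file that reports `permissions: write-all`, any `<scope>: write` grant at workflow or job level, and the absence of a `permissions:` key, which means the token inherits the repository default. It assumes conventional two-space YAML indentation (a full YAML parser would be the robust choice in CI); the function names and the three sample workflows are constructed for the demonstration.

```typescript
// Added example (not the project's own tooling): finds broad GITHUB_TOKEN grants in a workflow.
// Assumption: two-space indentation with `jobs:` at column 0 and each job id at column 2.

export interface Grant { level: "workflow" | `job:${string}`; grant: string }

export function broadWriteGrants(workflowYaml: string): Grant[] {
  // Strip trailing comments so `contents: write  # why` still matches.
  const lines = workflowYaml.split("\n").map((l) => l.replace(/(^|\s)#.*$/, "").trimEnd());
  const indentOf = (l: string) => l.length - l.trimStart().length;
  const grants: Grant[] = [];
  let inJobs = false;
  let currentJob: string | null = null;
  let sawPermissions = false;
  for (let i = 0; i < lines.length; i++) {
    const line = lines[i];
    if (!line.trim()) continue;
    const indent = indentOf(line);
    if (indent === 0) { inJobs = /^jobs:$/.test(line); currentJob = null; }
    else if (inJobs && indent === 2 && /^[\w-]+:$/.test(line.trim())) currentJob = line.trim().slice(0, -1);
    const m = line.trim().match(/^permissions:\s*(.*)$/);
    if (!m) continue;
    const level: Grant["level"] | null = indent === 0 ? "workflow" : currentJob ? `job:${currentJob}` : null;
    if (!level) continue;
    sawPermissions = true;
    const inline = m[1].trim();
    if (inline === "write-all") grants.push({ level, grant: "write-all" });
    if (inline) continue; // `read-all`, `{}` or `write-all`: no block follows
    for (let j = i + 1; j < lines.length; j++) {
      if (!lines[j].trim()) continue;
      if (indentOf(lines[j]) <= indent) break; // end of the permissions block
      const sm = lines[j].trim().match(/^([\w-]+):\s*write$/);
      if (sm) grants.push({ level, grant: `${sm[1]}: write` });
    }
  }
  // No permissions key anywhere: the token gets whatever the repository default is.
  if (!sawPermissions) grants.push({ level: "workflow", grant: "inherited repository default" });
  return grants;
}

// Constructed workflows for the demonstration, not the repository's own.
export const samples: Record<string, string> = {
  broad: [
    "name: release",
    "on:",
    "  push:",
    "    tags: ['v*']",
    "permissions: write-all",
    "jobs:",
    "  build:",
    "    runs-on: ubuntu-latest",
    "    steps:",
    "      - uses: actions/checkout@v4",
  ].join("\n"),
  scoped: [
    "name: release",
    "on: [push]",
    "permissions:",
    "  contents: read",
    "jobs:",
    "  test:",
    "    runs-on: ubuntu-latest",
    "    steps:",
    "      - run: npm test",
    "  publish:",
    "    needs: test",
    "    permissions:",
    "      contents: write   # only the job that tags the release",
    "      id-token: write",
    "    runs-on: ubuntu-latest",
    "    steps:",
    "      - run: npm publish",
  ].join("\n"),
  inherited: [
    "name: ci",
    "on: [pull_request]",
    "jobs:",
    "  lint:",
    "    runs-on: ubuntu-latest",
    "    steps:",
    "      - run: npm run lint",
  ].join("\n"),
};

// One line per grant, "<level> <grant>", for each sample.
export function auditWorkflows(): Record<string, string[]> {
  const out: Record<string, string[]> = {};
  for (const [name, yaml] of Object.entries(samples)) {
    out[name] = broadWriteGrants(yaml).map((g) => `${g.level} ${g.grant}`);
  }
  return out;
}
```

The `scoped` sample is the shape to aim for: read-only at workflow level, write scopes only on the job that publishes. `id-token: write` is still reported there because it is a write scope; it is the one an OIDC-based publish step legitimately needs, so treat it as a finding to confirm rather than to remove.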
medium System graph security security conf 1.00 5 occurrences Insecure pattern 'dangerous_innerhtml'
`dangerouslySetInnerHTML` (or a direct `innerHTML` assignment) bypasses the escaping that makes ordinary JSX output safe, so each call is an XSS sink exactly when the string it receives is not fully trusted. For each location, trace what feeds the string: a static template is fine; anything derived from a query parameter, a chat attachment, a model's output or a fetched document is not, and should either be rendered as text (JSX children, `textContent`) or pass through an HTML sanitizer such as DOMPurify with an explicit allowlist immediately before the call. Judging only by their names, the OAuth completion pages and the chat attachment preview are the likeliest to render externally controlled content; review those first. A Content-Security-Policy without `unsafe-inline` is a worthwhile second layer, since it limits what an injected fragment can execute if one sink is missed.
5 files, 5 locations
apps/web/src/components/avatar-renderer.tsx:40
apps/web/src/domains/account/pages/oauth-complete-page.tsx:257
apps/web/src/domains/account/pages/oauth-popup-complete-page.tsx:261
apps/web/src/domains/chat/components/chat-attachments/text-preview.tsx:195
evals/src/lib/report-html.tsx:1280
Dangerous innerhtml
medium System graph security security conf 1.00 2 occurrences Insecure pattern 'weak_hash'
A broken digest (MD5 or SHA-1) is in use. Whether that matters depends on what the digest decides: as a cache key, a deduplication fingerprint or a short display ID it is harmless, but as a check that a downloaded artifact, a signed bundle or a stored record is unmodified it is not, because an attacker can produce a colliding input. For `clients/macos/build.sh:365`, check whether the value gates what gets signed, notarized or shipped; if so, switch to `shasum -a 256` and pin the expected digest. For `gateway/src/schema.ts:4657`, check whether the hash participates in an integrity or authentication decision rather than only keying data; if it does, use SHA-256 from `node:crypto` and compare with `timingSafeEqual`. Password hashing is a separate case: neither MD5 nor plain SHA-256 is appropriate there; use scrypt, argon2 or bcrypt.
2 files, 2 locations
clients/macos/build.sh:365
gateway/src/schema.ts:4657
Weak hash
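The replacement a reviewer would ask for where the digest guards an integrity decision, as an added example and not code from the repository: SHA-256 for the fingerprint, a pinned expected value, and a constant-time comparison so the check neither accepts a colliding input nor leaks how many leading bytes matched. The function names are invented; the pinned value is the well-known SHA-256 of the string `abc`, used here as a constructed stand-in for a published artifact digest.

```typescript
// Added example (not the project's code): SHA-256 fingerprint plus constant-time verification
// against a pinned digest. Names are assumed for illustration.
import { createHash, timingSafeEqual } from "node:crypto";

// Hex SHA-256 of the input; the drop-in replacement for an md5/sha1 fingerprint.
export function sha256Hex(data: string | Uint8Array): string {
  return createHash("sha256").update(data).digest("hex");
}

// True only if `data` hashes to `expectedHex`. A malformed pin fails closed, and the
// comparison is constant-time so a mismatch does not reveal where it diverged.
export function verifyDigest(data: string | Uint8Array, expectedHex: string): boolean {
  if (!/^[0-9a-f]{64}$/i.test(expectedHex)) return false;
  const actual = Buffer.from(sha256Hex(data), "hex");
  const expected = Buffer.from(expectedHex, "hex");
  return timingSafeEqual(actual, expected); // both 32 bytes, guaranteed by the check above
}

// Constructed input: the SHA-256 of "abc" stands in for a published artifact digest.
export const PINNED = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad";

export function verifyExamples(): { genuine: boolean; tampered: boolean; badPin: boolean } {
  return {
    genuine: verifyDigest("abc", PINNED),   // the real artifact
    tampered: verifyDigest("abd", PINNED),  // one byte changed
    badPin: verifyDigest("abc", "deadbeef"), // pin is not a valid SHA-256 hex string
  };
}
```

For a shell build step the equivalent is `echo "<pinned>  <file>" | shasum -a 256 -c -`, which fails the step on mismatch instead of leaving the comparison to a string test.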
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — evals/src/lib/egress/connection-telemetry/connection_tailer.py:169
`subprocess.Popen(...)` here has neither a bound on how long the child may run nor an enclosing try/except. Note that `Popen()` itself takes no `timeout=` argument; the bound goes on `communicate(timeout=...)` or `wait(timeout=...)`, with `subprocess.TimeoutExpired` caught and the child killed, or use `subprocess.run(..., timeout=...)` if the call does not need a long-lived process. Spawning can also raise `OSError` (missing binary, permission denied), which is the failure the try/except should handle. This is the same class of bug that disrupted the upstream git clone for this scan (an HTTP/2 stream cancel surfaced as a fatal error).
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — skills/vellum-github-app-setup/scripts/create-github-app.py:432
`urllib.request.urlopen(...)` here has no `timeout=` argument and no enclosing try/except. Without a timeout a stalled connection blocks the script indefinitely (the default is the global socket timeout, normally none). Pass `timeout=` and catch `urllib.error.URLError` for connection failures and `urllib.error.HTTPError` (a subclass of it) for 4xx/5xx responses, which `urlopen` raises rather than returning. Since this script creates a GitHub App, do not retry the request blindly on timeout: a POST that may already have been applied is not idempotent, so check the resulting state before resubmitting.
runtime safety · Robustness

Showing first 300 of 738. Refine filters or use the findings page for deep search.

API access

This page is publicly accessible at: https://repobility.com/scan/87dd9975-69d1-4959-b9b8-94465869ab20/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/87dd9975-69d1-4959-b9b8-94465869ab20/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.