94 of the 333 findings came from Repobility's proprietary detections; the ✓ Repobility tag below marks them.

Scan timing: clone 1.39s · analysis 56.28s · 2.6 MB · GitHub API rate-limit (preflight)

virattt/ai-hedge-fund

https://github.com/virattt/ai-hedge-fund · scanned 2026-06-05 09:47 UTC (5 days, 16 hours ago) · 10 languages

625 raw signals (315 security + 310 graph) · 37th percentile · Python · medium (20-100K LoC) · System graph score 69 (lower by 22)


Complete repo analysis

Last scanned 5 days, 16 hours ago · v2 · 331 actionable findings from 2 signal sources. 139 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown · 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 85.0 0.15 12.75
security_score 19.2 0.25 4.80
testing_score 55.0 0.20 11.00
documentation_score 57.0 0.15 8.55
practices_score 42.0 0.15 6.30
code_quality 40.6 0.10 4.06
Overall 1.00 47.5
Active filters: excluding tests
Scan summary Quality grade D+ (48/100). Dimensions: security 19, maintainability 85. 315 findings (119 security). 37,487 lines analyzed.

Showing 275 of 331 actionable findings. 470 raw detector signals were grouped into reader-sized issues.

critical Security checks software dependencies conf 0.88 langchain-core: GHSA-c67j-w6g6-q2cm
LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs
poetry.lock
high Security checks quality Quality conf 1.00 ✓ Repobility Missing import: `signal` used but not imported
The file uses `signal.something(...)` but never imports `signal`. This raises NameError at runtime the first time the line executes.
src/utils/display.py:47
high Security checks quality Quality conf 1.00 ✓ Repobility 25 occurrences `self.create_or_update_api_key` used but never assigned in __init__
Method `bulk_create_or_update` of class `ApiKeyRepository` reads `self.create_or_update_api_key`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
6 files, 25 locations
v2/data/client.py:54, 73, 94, 117, 135, 144, 156, 173, +3 more (11 hits)
app/backend/repositories/flow_repository.py:51, 78, 88, 94 (4 hits)
v2/backtesting/engine.py:70, 88, 97, 98 (4 hits)
app/backend/repositories/flow_run_repository.py:18, 74, 100 (3 hits)
app/backend/services/backtest_service.py:291, 505 (2 hits)
app/backend/repositories/api_key_repository.py:124
high Security checks software dependencies conf 0.88 aiohttp: GHSA-6mq8-rvhq-8wgg
AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb
poetry.lock
high Security checks software dependencies conf 0.88 black: GHSA-3936-cmfr-pm3m
Black: Arbitrary file writes from unsanitized user input in cache file name
poetry.lock
high Security checks software dependencies conf 0.88 black: PYSEC-2024-48
Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service. Exploitin…
poetry.lock
high Security checks software dependencies conf 0.90 ✓ Repobility Dockerfile FROM `python:3.11-slim` not pinned by digest
`FROM python:3.11-slim` resolves the tag at build time. The registry can re-push a different image under the same tag, so two builds from the same Dockerfile can produce different images. Production images should pin `python:3.11-slim@sha256:...` (the tag keeps the readable name, the digest fixes the content) for reproducibility and supply-chain integrity.
docker/Dockerfile:1
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI DELETE /models/download/{model_name} has no auth
Handler `cancel_download` is registered with router/app.delete(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
app/backend/routes/ollama.py:303
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI DELETE /models/{model_name} has no auth
Handler `delete_model` is registered with router/app.delete(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
app/backend/routes/ollama.py:250
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST (unknown path) has no auth
Handler `save_json_file` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
app/backend/routes/storage.py:22
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /models/download has no auth
Handler `download_model` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
app/backend/routes/ollama.py:129
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /models/download/progress has no auth
Handler `download_model_with_progress` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
app/backend/routes/ollama.py:165
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /start has no auth
Handler `start_ollama_server` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
app/backend/routes/ollama.py:65
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /stop has no auth
Handler `stop_ollama_server` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
app/backend/routes/ollama.py:97
high Security checks software dependencies conf 0.88 fastapi: PYSEC-2024-38
FastAPI is a web framework for building APIs with Python 3.8+ based on standard Python type hints. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very d…
poetry.lock
high Security checks software dependencies conf 0.88 2 occurrences flatted: GHSA-25h7-pfq9-p65f
flatted vulnerable to unbounded recursion DoS in parse() revive phase
2 files, 2 locations
app/frontend/package-lock.json
app/frontend/pnpm-lock.yaml
high Security checks software dependencies conf 0.88 2 occurrences flatted: GHSA-rf6f-7fwh-wjgh
Prototype Pollution via parse() in NodeJS flatted
2 files, 2 locations
app/frontend/package-lock.json
app/frontend/pnpm-lock.yaml
high Security checks software dependencies conf 0.88 2 occurrences glob: GHSA-5j98-mcp5-4vw2
glob CLI: Command injection via -c/--cmd executes matches with shell:true
2 files, 2 locations
app/frontend/package-lock.json
app/frontend/pnpm-lock.yaml
high Security checks software dependencies conf 0.88 langchain-core: GHSA-6qv9-48xg-fc7f
LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates
poetry.lock
high Security checks software dependencies conf 0.88 langchain-core: GHSA-pjwx-r37v-7724
LangChain vulnerable to unsafe deserialization of attacker-controlled objects through overly broad `load()` allowlists
poetry.lock
high Security checks software dependencies conf 0.88 langchain-core: GHSA-qh6h-p6c9-ff54
LangChain Core has Path Traversal vulnerabilites in legacy `load_prompt` functions
poetry.lock
high Security checks software dependencies conf 0.88 langchain-openai: PYSEC-2026-76
LangChain is a framework for building agents and LLM-powered applications. Prior to 1.1.14, langchain-openai's _url_to_size() helper (used by get_num_tokens_from_messages for image token counting) validated URLs for SSRF protection and then fetched them in a separate network operation with independ…
poetry.lock
high Security checks software dependencies conf 0.88 langchain-text-splitters: PYSEC-2026-77
LangChain is a framework for building agents and LLM-powered applications. Prior to langchain-text-splitters 1.1.2, HTMLHeaderTextSplitter.split_text_from_url() validated the initial URL using validate_safe_url() but then performed the fetch with requests.get() with redirects enabled (the default)…
poetry.lock
high Security checks software dependencies conf 0.88 langchain: GHSA-3644-q5cj-c5c7
LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning
poetry.lock
high Security checks software dependencies conf 0.88 langgraph-checkpoint: GHSA-wwqv-p2pp-99h5
LangGraph Checkpoint affected by RCE in "json" mode of JsonPlusSerializer
poetry.lock
high Security checks software dependencies conf 0.88 langgraph: PYSEC-2026-83
LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). In version 1.0.9 and prior, LangGraph checkpointers can load msgpack-encoded checkpoints that reconstruct Python objects during deserialization. If an attacker can…
poetry.lock
high Security checks software dependencies conf 0.88 langsmith: GHSA-3644-q5cj-c5c7
LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning
poetry.lock
high Security checks software dependencies conf 0.88 mako: GHSA-2h4p-vjrc-8xpq
Mako vulnerable to path traversal via backslash URI on Windows in TemplateLookup
poetry.lock
high Security checks software dependencies conf 0.88 mako: PYSEC-2026-88
Mako is a template library written in Python. Prior to 1.3.11, TemplateLookup.get_template() is vulnerable to path traversal when a URI starts with // (e.g., //../../../secret.txt). The root cause is an inconsistency between two slash-stripping implementations. Any file readable by the process can …
poetry.lock
high Security checks software dependencies conf 0.88 2 occurrences minimatch: GHSA-23c5-xmqv-rm74
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions
2 files, 2 locations
app/frontend/package-lock.json
app/frontend/pnpm-lock.yaml
high Security checks software dependencies conf 0.88 2 occurrences minimatch: GHSA-3ppc-4f35-3m26
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
2 files, 2 locations
app/frontend/package-lock.json
app/frontend/pnpm-lock.yaml
high Security checks software dependencies conf 0.88 2 occurrences minimatch: GHSA-7r86-cg39-jmmj
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments
2 files, 2 locations
app/frontend/package-lock.json
app/frontend/pnpm-lock.yaml
high Security checks software dependencies conf 0.88 orjson: PYSEC-2026-107
The orjson.dumps function in orjson thru 3.11.4 does not limit recursion for deeply nested JSON documents.
poetry.lock
high Security checks software dependencies conf 0.88 2 occurrences picomatch: GHSA-c2c7-rcm5-vvqj
Picomatch has a ReDoS vulnerability via extglob quantifiers
2 files, 2 locations
app/frontend/package-lock.json
app/frontend/pnpm-lock.yaml
high Security checks software dependencies conf 0.88 pillow: GHSA-cfh3-3jmp-rvhc
Pillow affected by out-of-bounds write when loading PSD images
poetry.lock
high Security checks software dependencies conf 0.88 pillow: GHSA-pwv6-vv43-88gr
Pillow has an OOB Write with Invalid PSD Tile Extents (Integer Overflow)
poetry.lock
high Security checks software dependencies conf 0.88 pillow: GHSA-whj4-6x5x-4v2j
FITS GZIP decompression bomb in Pillow
poetry.lock
high Security checks software dependencies conf 0.88 pillow: PYSEC-2026-165
Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances for each glyph by an exceeding large amount, when Pillow keeps track of the current position, it may lead to an integer overflow. This issue has been patched in version 12.2.0.
poetry.lock
high Security checks software dependencies conf 0.88 protobuf: GHSA-7gcm-g887-7qv7
protobuf affected by a JSON recursion depth bypass
poetry.lock
high Security checks software dependencies conf 0.88 pyasn1: GHSA-63vm-454h-vhhq
pyasn1 has a DoS vulnerability in decoder
poetry.lock
high Security checks software dependencies conf 0.88 pyasn1: GHSA-jr27-m4p2-rc6r
Denial of Service in pyasn1 via Unbounded Recursion
poetry.lock
high Security checks software dependencies conf 0.88 rollup: GHSA-gcx4-mw62-g8wm
DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS
app/frontend/package-lock.json
high Security checks software dependencies conf 0.88 2 occurrences rollup: GHSA-mw96-cpmx-2vgc
Rollup 4 has Arbitrary File Write via Path Traversal
2 files, 2 locations
app/frontend/package-lock.json
app/frontend/pnpm-lock.yaml
high Security checks software dependencies conf 0.88 starlette: GHSA-f96h-pmfr-66vw
Starlette Denial of service (DoS) via multipart/form-data
poetry.lock
high Security checks software dependencies conf 0.88 starlette: PYSEC-2026-161
BadHost: Missing Host header validation poisons request.url.path, bypassing path-based security checks
poetry.lock
high Security checks software dependencies conf 0.88 urllib3: GHSA-2xpw-w6gg-jr37
urllib3 streaming API improperly handles highly compressed data
poetry.lock
high Security checks software dependencies conf 0.88 urllib3: GHSA-38jv-5279-wg99
Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API)
poetry.lock
high Security checks software dependencies conf 0.88 urllib3: GHSA-gm62-xv2j-4w53
urllib3 allows an unbounded number of links in the decompression chain
poetry.lock
high Security checks software dependencies conf 0.88 urllib3: PYSEC-2026-141
urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.
poetry.lock
high Security checks software dependencies conf 0.88 vite: GHSA-c27g-q93r-2cwf
launch-editor vulnerable to command injection via the crafted request on Windows
app/frontend/package-lock.json
high System graph api Wiring conf 1.00 Dangling fetch: DELETE http://localhost:8000/ollama/models/${encodeURIComponent(modelName)} (app/frontend/src/components/settings/models/ollama.tsx:326)
`app/frontend/src/components/settings/models/ollama.tsx:326` calls `DELETE http://localhost:8000/ollama/models/${encodeURIComponent(modelName)}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/localhost:8000/ol…
high System graph api Wiring conf 1.00 Dangling fetch: DELETE http://localhost:8000/ollama/models/download/${encodeURIComponent(modelName)} (app/frontend/src/components/settings/models/ollama.tsx:277)
`app/frontend/src/components/settings/models/ollama.tsx:277` calls `DELETE http://localhost:8000/ollama/models/download/${encodeURIComponent(modelName)}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/localhos…
high System graph api Wiring conf 1.00 Dangling fetch: GET http://localhost:8000/language-models/providers (app/frontend/src/components/settings/models/cloud.tsx:33)
`app/frontend/src/components/settings/models/cloud.tsx:33` calls `GET http://localhost:8000/language-models/providers` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/localhost:8000/language-models/providers` I…
high System graph api Wiring conf 1.00 Dangling fetch: GET http://localhost:8000/ollama/models/downloads/active (app/frontend/src/components/settings/models/ollama.tsx:375)
`app/frontend/src/components/settings/models/ollama.tsx:375` calls `GET http://localhost:8000/ollama/models/downloads/active` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/localhost:8000/ollama/models/downloa…
high System graph api Wiring conf 1.00 Dangling fetch: GET http://localhost:8000/ollama/models/downloads/active (app/frontend/src/components/settings/models/ollama.tsx:415)
`app/frontend/src/components/settings/models/ollama.tsx:415` calls `GET http://localhost:8000/ollama/models/downloads/active` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/localhost:8000/ollama/models/downloa…
high System graph api Wiring conf 1.00 Dangling fetch: GET http://localhost:8000/ollama/models/recommended (app/frontend/src/components/settings/models/ollama.tsx:84)
`app/frontend/src/components/settings/models/ollama.tsx:84` calls `GET http://localhost:8000/ollama/models/recommended` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/localhost:8000/ollama/models/recommended` …
high System graph api Wiring conf 1.00 Dangling fetch: GET http://localhost:8000/ollama/status (app/frontend/src/components/settings/models/ollama.tsx:206)
`app/frontend/src/components/settings/models/ollama.tsx:206` calls `GET http://localhost:8000/ollama/status` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/localhost:8000/ollama/status` If this points at an ex…
high System graph api Wiring conf 1.00 Dangling fetch: GET http://localhost:8000/ollama/status (app/frontend/src/components/settings/models/ollama.tsx:442)
`app/frontend/src/components/settings/models/ollama.tsx:442` calls `GET http://localhost:8000/ollama/status` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/localhost:8000/ollama/status` If this points at an ex…
high System graph api Wiring conf 1.00 Dangling fetch: GET http://localhost:8000/ollama/status (app/frontend/src/components/settings/models/ollama.tsx:67)
`app/frontend/src/components/settings/models/ollama.tsx:67` calls `GET http://localhost:8000/ollama/status` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/localhost:8000/ollama/status` If this points at an ext…
high System graph api Wiring conf 1.00 Dangling fetch: POST http://localhost:8000/ollama/models/download/progress (app/frontend/src/components/settings/models/ollama.tsx:146)
`app/frontend/src/components/settings/models/ollama.tsx:146` calls `POST http://localhost:8000/ollama/models/download/progress` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/localhost:8000/ollama/models/downl…
high System graph api Wiring conf 1.00 Dangling fetch: POST http://localhost:8000/ollama/start (app/frontend/src/components/settings/models/ollama.tsx:100)
`app/frontend/src/components/settings/models/ollama.tsx:100` calls `POST http://localhost:8000/ollama/start` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/localhost:8000/ollama/start` If this points at an ext…
high System graph api Wiring conf 1.00 Dangling fetch: POST http://localhost:8000/ollama/stop (app/frontend/src/components/settings/models/ollama.tsx:120)
`app/frontend/src/components/settings/models/ollama.tsx:120` calls `POST http://localhost:8000/ollama/stop` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/localhost:8000/ollama/stop` If this points at an exter…
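An added matcher for the fetch-to-route wiring check behind the Dangling-fetch findings above; it is example code written for this review, not Repobility's matcher and not ai-hedge-fund code. Every normalized path the findings quote still begins with `/http:/localhost:8000/...`, that is, the scheme and host were kept as path segments, so no backend route could ever match; the POST /start, POST /stop, POST /models/download and DELETE /models/{model_name} handlers listed for ollama.py earlier on this page are the obvious candidates. The version below strips the origin with urllib.parse, prepends a router prefix, compares the HTTP method, and lets `{param}` route segments and unresolved `${...}` JS interpolations match any single segment. The `/ollama` prefix and the route table are assumptions built from the handlers and URLs on this page; the two fetches left dangling in the demo are simply absent from that sample table, not a claim about the repository.

```python
"""Match frontend fetch() URLs to FastAPI-style routes for a wiring check.
Added example for this review, not Repobility's matcher or ai-hedge-fund code.
ROUTES/FETCHES are constructed from the handlers and URLs quoted on this page;
the '/ollama' router prefix is an assumption."""
from typing import List, Tuple
from urllib.parse import urlsplit

Route = Tuple[str, str, str]   # (method, router prefix, path template)
Fetch = Tuple[str, str]        # (method, URL as written in the frontend)

def normalize_path(url: str) -> str:
    """'http://localhost:8000/ollama/status?x=1' -> '/ollama/status'; relative paths pass through.
    Keeping scheme and host as path segments (the '/http:/localhost:8000/...' seen in the
    findings) guarantees that nothing matches, so the origin is dropped first."""
    path = urlsplit(url).path or "/"
    while "//" in path:
        path = path.replace("//", "/")
    return path if path == "/" else path.rstrip("/")

def _segments(path: str) -> List[str]:
    return [s for s in path.split("/") if s]

def _segment_matches(route_seg: str, fetch_seg: str) -> bool:
    if fetch_seg.startswith("${"):          # JS template interpolation, value unknown at analysis time
        return True
    if route_seg.startswith("{") and route_seg.endswith("}"):   # FastAPI path parameter, one segment
        return True
    return route_seg == fetch_seg

def path_matches(prefix: str, template: str, fetch_path: str) -> bool:
    route_segs = _segments(prefix) + _segments(template)
    fetch_segs = _segments(fetch_path)
    return len(route_segs) == len(fetch_segs) and all(
        _segment_matches(r, f) for r, f in zip(route_segs, fetch_segs))

def find_dangling(routes: List[Route], fetches: List[Fetch]) -> List[Tuple[str, str]]:
    """(METHOD, normalized path) for every fetch whose method and path match no route."""
    dangling = []
    for method, url in fetches:
        path = normalize_path(url)
        if not any(m.upper() == method.upper() and path_matches(p, t, path) for m, p, t in routes):
            dangling.append((method.upper(), path))
    return dangling

# Constructed route table: the ollama.py handlers named on this page, assumed mounted under /ollama.
ROUTES: List[Route] = [
    ("POST", "/ollama", "/start"),
    ("POST", "/ollama", "/stop"),
    ("POST", "/ollama", "/models/download"),
    ("POST", "/ollama", "/models/download/progress"),
    ("DELETE", "/ollama", "/models/{model_name}"),
    ("DELETE", "/ollama", "/models/download/{model_name}"),
    ("GET", "/ollama", "/status"),
]
# Constructed fetch list: URLs as the findings quote them, one with an unresolved template literal.
FETCHES: List[Fetch] = [
    ("GET", "http://localhost:8000/ollama/status"),
    ("POST", "http://localhost:8000/ollama/start"),
    ("POST", "http://localhost:8000/ollama/models/download/progress"),
    ("DELETE", "http://localhost:8000/ollama/models/download/${encodeURIComponent(modelName)}"),
    ("GET", "http://localhost:8000/ollama/models/recommended"),     # absent from the sample table
    ("GET", "http://localhost:8000/language-models/providers"),     # absent from the sample table
]

if __name__ == "__main__":
    for method, path in find_dangling(ROUTES, FETCHES):
        print(f"dangling: {method} {path}")
```

The practitioner's takeaway from the quoted normalized paths is that these twelve findings need a second look before anyone files a bug: a matcher that cannot strip `http://localhost:8000` will report every absolute-URL fetch in the frontend as dangling regardless of what the backend serves. Whether the ollama router is actually mounted under `/ollama` is not shown on this page and should be confirmed in the app factory.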
high System graph security auth conf 1.00 FastAPI DELETE `cancel_download` without auth dependency — app/backend/routes/ollama.py:295
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
app/backend/routes/ollama.py:295 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI DELETE `delete_all_flow_runs` without auth dependency — app/backend/routes/flow_runs.py:250
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
app/backend/routes/flow_runs.py:250 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI DELETE `delete_api_key` without auth dependency — app/backend/routes/api_keys.py:108
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
app/backend/routes/api_keys.py:108 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI DELETE `delete_flow_run` without auth dependency — app/backend/routes/flow_runs.py:216
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
app/backend/routes/flow_runs.py:216 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI DELETE `delete_flow` without auth dependency — app/backend/routes/flows.py:116
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
app/backend/routes/flows.py:116 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI DELETE `delete_model` without auth dependency — app/backend/routes/ollama.py:242
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
app/backend/routes/ollama.py:242 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI PATCH `deactivate_api_key` without auth dependency — app/backend/routes/api_keys.py:130
`@router.patch` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
app/backend/routes/api_keys.py:130 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI PATCH `update_last_used` without auth dependency — app/backend/routes/api_keys.py:182
`@router.patch` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
app/backend/routes/api_keys.py:182 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `backtest` without auth dependency — app/backend/routes/hedge_fund.py:162
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
app/backend/routes/hedge_fund.py:162 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `bulk_update_api_keys` without auth dependency — app/backend/routes/api_keys.py:155
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
app/backend/routes/api_keys.py:155 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `create_flow_run` without auth dependency — app/backend/routes/flow_runs.py:20
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
app/backend/routes/flow_runs.py:20 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `create_flow` without auth dependency — app/backend/routes/flows.py:18
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
app/backend/routes/flows.py:18 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `create_or_update_api_key` without auth dependency — app/backend/routes/api_keys.py:19
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
app/backend/routes/api_keys.py:19 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `download_model_with_progress` without auth dependency — app/backend/routes/ollama.py:158
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
app/backend/routes/ollama.py:158 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `download_model` without auth dependency — app/backend/routes/ollama.py:121
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
app/backend/routes/ollama.py:121 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `duplicate_flow` without auth dependency — app/backend/routes/flows.py:138
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
app/backend/routes/flows.py:138 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `run` without auth dependency — app/backend/routes/hedge_fund.py:18
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
app/backend/routes/hedge_fund.py:18 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `save_json_file` without auth dependency — app/backend/routes/storage.py:14
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
app/backend/routes/storage.py:14 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `start_ollama_server` without auth dependency — app/backend/routes/ollama.py:57
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
app/backend/routes/ollama.py:57 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `stop_ollama_server` without auth dependency — app/backend/routes/ollama.py:89
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
app/backend/routes/ollama.py:89 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI PUT `update_api_key` without auth dependency — app/backend/routes/api_keys.py:81
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
app/backend/routes/api_keys.py:81 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI PUT `update_flow_run` without auth dependency — app/backend/routes/flow_runs.py:170
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
app/backend/routes/flow_runs.py:170 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI PUT `update_flow` without auth dependency — app/backend/routes/flows.py:84
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
app/backend/routes/flows.py:84 securityAuth fastapi unauth mutation
medium Security checks software dependencies conf 0.88 @babel/helpers: GHSA-968p-4wvh-cqc8
Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
app/frontend/package-lock.json
medium Security checks security auth conf 0.92 [AUC001] No Repobility access matrix policy found
The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
high Security checks security auth conf 0.74 [AUC002] Low visible authorization coverage in route inventory
Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
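The two FastAPI no-auth series above (the ✓ Repobility findings on app/backend/routes/*.py and the System graph `securityAuth` findings on the same files) and the AUC002 coverage figure all come from one rule: a handler registered through `router.post|put|patch|delete(...)` whose signature declares no `Depends(...)`/`Security(...)` parameter. The Python below is an added implementation of that rule written for this review; it is not Repobility's detector and not code from ai-hedge-fund. It parses a constructed sample module (parsed, never imported, so FastAPI need not be installed), reports mutating routes with no auth dependency, honours router-level `dependencies=[...]` on `APIRouter(...)`, mirrors the report's `(unknown path)` for non-literal paths, and computes the coverage percentage. `require_api_key`, the `/api-keys` router, `STORAGE_PATH` and the sample handlers are made-up names; the `delete_model` handler in the sample shows the hardened form the findings ask for.

```python
"""Inventory FastAPI mutating routes and flag handlers with no auth dependency.
Added example for this review, not Repobility's detector or ai-hedge-fund code.
SAMPLE is constructed source that is only parsed, never imported; its names
(require_api_key, the /api-keys router, STORAGE_PATH) are made up."""
import ast
from dataclasses import dataclass
from typing import List, Optional

MUTATING = {"post", "put", "patch", "delete"}
AUTH_MARKERS = {"Depends", "Security"}

@dataclass
class RouteFinding:
    method: str
    path: str
    handler: str
    lineno: int
    has_auth: bool

def _call_name(node: ast.AST) -> Optional[str]:
    """Name a Call invokes: Depends(...) -> 'Depends', fastapi.Security(...) -> 'Security'."""
    if isinstance(node, ast.Call):
        func = node.func
        return func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
    return None

def _contains_auth_call(node: ast.AST) -> bool:
    return any(_call_name(n) in AUTH_MARKERS for n in ast.walk(node))

def _protected_routers(tree: ast.Module) -> set:
    """Names bound to APIRouter(..., dependencies=[Depends(...)]): every route on them is authenticated."""
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and _call_name(node.value) == "APIRouter":
            for kw in node.value.keywords:
                if kw.arg == "dependencies" and _contains_auth_call(kw.value):
                    names.update(t.id for t in node.targets if isinstance(t, ast.Name))
    return names

def _signature_has_auth(fn) -> bool:
    """Depends/Security as a parameter default or inside an Annotated[...] annotation."""
    args = fn.args
    defaults = list(args.defaults) + [d for d in args.kw_defaults if d is not None]
    annotations = [a.annotation for a in args.args + args.kwonlyargs if a.annotation is not None]
    return any(_contains_auth_call(n) for n in defaults + annotations)

def inventory_routes(source: str) -> List[RouteFinding]:
    tree = ast.parse(source)
    protected = _protected_routers(tree)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        for deco in node.decorator_list:
            # Only @<router>.<verb>(...) is handled; api_route(methods=[...]) and add_api_route are not.
            if not (isinstance(deco, ast.Call) and isinstance(deco.func, ast.Attribute)):
                continue
            verb = deco.func.attr.lower()
            if verb not in MUTATING:
                continue
            router = deco.func.value.id if isinstance(deco.func.value, ast.Name) else None
            first = deco.args[0] if deco.args else None
            # Mirror the report: a non-literal path is shown as "(unknown path)".
            path = first.value if isinstance(first, ast.Constant) and isinstance(first.value, str) else "(unknown path)"
            has_auth = _signature_has_auth(node) or router in protected
            findings.append(RouteFinding(verb.upper(), path, node.name, node.lineno, has_auth))
    return sorted(findings, key=lambda f: f.lineno)

def unauthenticated_mutations(source: str) -> List[RouteFinding]:
    return [f for f in inventory_routes(source) if not f.has_auth]

def auth_coverage(source: str) -> float:
    """Share of mutating routes with visible auth, the AUC002-style percentage."""
    routes = inventory_routes(source)
    return 100.0 if not routes else 100.0 * sum(r.has_auth for r in routes) / len(routes)

# Constructed sample module: one open router, one router protected at router level.
SAMPLE = '''
from fastapi import APIRouter, Depends, Header, HTTPException
def require_api_key(x_api_key: str = Header(...)):
    if x_api_key != "expected-key":            # constructed check, not real key handling
        raise HTTPException(status_code=401)
router = APIRouter(prefix="/ollama")
admin = APIRouter(prefix="/api-keys", dependencies=[Depends(require_api_key)])
STORAGE_PATH = "/files"
@router.post("/start")
async def start_ollama_server():              # flagged: mutating, nothing auth-shaped
    return {"ok": True}
@router.delete("/models/{model_name}")
async def delete_model(model_name: str, _=Depends(require_api_key)):   # hardened form
    return {"deleted": model_name}
@router.post(STORAGE_PATH)
async def save_json_file(body: dict):         # flagged, path reported as (unknown path)
    return body
@admin.delete("/{key_id}")
async def delete_api_key(key_id: str):        # covered by the router-level dependency
    return {"deleted": key_id}
@router.get("/status")
async def status():                           # GET: not a mutation, not inventoried
    return {"running": True}
'''
```

Two caveats for reading the 0.0% figure: authentication enforced by an ASGI middleware or by `dependencies=` passed to `include_router(...)` leaves no trace in the handler signature, so a signature-only check under-counts it; conversely any `Depends(...)` counts as coverage even when it injects a database session rather than a principal. Read how the routers are mounted in the app factory before treating each of the unauth-mutation findings as reachable by an anonymous caller.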
medium Security checks security auth conf 0.72 [AUC012] FastAPI interactive docs may be exposed by framework defaults
FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements.
medium Security checks quality Quality conf 1.00 [SEC087] JS: weak Math.random for crypto
Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0). Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser).
app/frontend/src/data/node-mappings.ts:18
medium Security checks software dependencies conf 0.88 aiohttp: GHSA-6jhg-hg63-jvvf
AIOHTTP vulnerable to denial of service through large payloads
poetry.lock
medium Security checks software dependencies conf 0.88 aiohttp: GHSA-c427-h43c-vf67
AIOHTTP accepts duplicate Host headers
poetry.lock
medium Security checks software dependencies conf 0.88 aiohttp: GHSA-g84x-mcqj-x9qq
AIOHTTP vulnerable to DoS through chunked messages
poetry.lock
medium Security checks software dependencies conf 0.88 aiohttp: GHSA-hg6j-4rv6-33pg
AIOHTTP is vulnerable to cross-origin redirect with per-request cookies
poetry.lock
medium Security checks software dependencies conf 0.88 aiohttp: GHSA-jg22-mg44-37j8
AIOHTTP is Vulnerable to Deserialization of Untrusted Data
poetry.lock
medium Security checks software dependencies conf 0.88 aiohttp: GHSA-jj3x-wxrx-4x23
AIOHTTP vulnerable to DoS when bypassing asserts
poetry.lock
medium Security checks software dependencies conf 0.88 aiohttp: GHSA-m5qp-6w8w-w647
AIOHTTP has a Multipart Header Size Bypass
poetry.lock
medium Security checks software dependencies conf 0.88 aiohttp: GHSA-p998-jp59-783m
AIOHTTP affected by UNC SSRF/NTLMv2 Credential Theft/Local File Read in static resource handler on Windows
poetry.lock
medium Security checks software dependencies conf 0.88 aiohttp: GHSA-w2fm-2cpv-w7v5
aiohttp allows unlimited trailer headers, leading to possible uncapped memory usage
poetry.lock
medium Security checks software dependencies conf 0.88 2 occurrences ajv: GHSA-2g4f-4pwh-qvx6
ajv has ReDoS when using `$data` option
2 files, 2 locations
app/frontend/package-lock.json
app/frontend/pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 2 occurrences brace-expansion: GHSA-f886-m6hf-6m8v
brace-expansion: Zero-step sequence causes process hang and memory exhaustion
2 files, 2 locations
app/frontend/package-lock.json
app/frontend/pnpm-lock.yaml
low Security checks quality Error handling conf 0.55 ✓ Repobility 25 occurrences Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
12 files, 24 locations
src/utils/ollama.py:45, 51, 109, 144, 306, 387 (6 hits)
app/backend/services/backtest_service.py:344, 351, 386 (3 hits)
app/backend/services/ollama_service.py:204, 354, 371 (3 hits)
app/backend/routes/hedge_fund.py:59, 216 (2 hits)
src/utils/llm.py:72, 157 (2 hits)
tests/backtesting/integration/conftest.py:25, 58 (2 hits)
app/backend/services/graph.py:190
src/agents/charlie_munger.py:724
Error handling · quality
medium Security checks cicd CI/CD security conf 0.94 Compose service `ollama` image uses the latest tag
The latest tag is mutable and can change without a code review, producing different images from the same source.
docker/docker-compose.yml:1 · CI/CD security · containers
high Security checks cicd CI/CD security conf 0.82 Docker final stage has no non-root USER
Docker images run as root unless the image or Dockerfile switches to a non-root user.
docker/Dockerfile:1 · CI/CD security · containers
medium Security checks cicd CI/CD security conf 0.76 Dockerfile copies broad context with incomplete .dockerignore
`COPY .` or `ADD .` pulls the whole build context into the image, so it is only safe when .dockerignore excludes secrets (.env files, keys, certificates), .git history, and generated artifacts such as node_modules and __pycache__.
docker/Dockerfile:19 · CI/CD security · containers
medium Security checks software dependencies conf 0.88 2 occurrences esbuild: GHSA-67mh-4wv8-2f99
esbuild enables any website to send any requests to the development server and read the response
2 files, 2 locations
app/frontend/package-lock.json
app/frontend/pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 fonttools: GHSA-768j-98cg-p3fv
fontTools is Vulnerable to Arbitrary File Write and XML injection in fontTools.varLib
poetry.lock
medium Security checks software dependencies conf 0.88 idna: GHSA-65pc-fj4g-8rjx
Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix
poetry.lock
medium Security checks software dependencies conf 0.88 2 occurrences js-yaml: GHSA-mh29-5h37-fv8m
js-yaml has prototype pollution in merge (<<)
2 files, 2 locations
app/frontend/package-lock.json
app/frontend/pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 langchain-core: GHSA-926x-3r5x-gfhw
LangChain has incomplete f-string validation in prompt templates
poetry.lock
medium Security checks software dependencies conf 0.88 langgraph-checkpoint: GHSA-mhr3-j7m5-c7c9
LangGraph: BaseCache Deserialization of Untrusted Data may lead to Remote Code Execution
poetry.lock
medium Security checks software dependencies conf 0.88 langsmith: GHSA-rr7j-v2q5-chgv
LangSmith SDK: Streaming token events bypass output redaction
poetry.lock
medium Security checks software dependencies conf 0.88 langsmith: GHSA-v34v-rq6j-cj6p
LangSmith Client SDK Affected by Server-Side Request Forgery via Tracing Header Injection
poetry.lock
medium Security checks quality Quality conf 1.00 ✓ Repobility Mutable default argument in `run_hedge_fund` (list)
`def run_hedge_fund(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
src/main.py:46
medium Security checks software dependencies conf 0.90 npm package `@types/react-dom` is 1 major version(s) behind (18.2.18 -> 19.2.3)
`@types/react-dom` is pinned/resolved at 18.2.18 but the latest stable release on the npm registry is 19.2.3 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
app/frontend/package.json
medium Security checks software dependencies conf 0.90 npm package `@vitejs/plugin-react` is 2 major version(s) behind (4.2.1 -> 6.0.2)
`@vitejs/plugin-react` is pinned/resolved at 4.2.1 but the latest stable release on the npm registry is 6.0.2 (2 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs rais…
app/frontend/package.json
medium Security checks software dependencies conf 0.90 npm package `react-resizable-panels` is 1 major version(s) behind (3.0.2 -> 4.11.2)
`react-resizable-panels` is pinned/resolved at 3.0.2 but the latest stable release on the npm registry is 4.11.2 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs r…
app/frontend/package.json
medium Security checks software dependencies conf 0.90 npm package `react-syntax-highlighter` is 1 major version(s) behind (15.6.1 -> 16.1.1)
`react-syntax-highlighter` is pinned/resolved at 15.6.1 but the latest stable release on the npm registry is 16.1.1 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PR…
app/frontend/package.json
medium Security checks software dependencies conf 0.88 2 occurrences picomatch: GHSA-3v7f-55p6-f55p
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
2 files, 2 locations
app/frontend/package-lock.json
app/frontend/pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 pillow: GHSA-5xmw-vc9v-4wf2
Pillow has a heap buffer overflow with nested list coordinates
poetry.lock
medium Security checks software dependencies conf 0.88 pillow: GHSA-r73j-pqj5-w3x7
Pillow has a PDF Parsing Trailer Infinite Loop (DoS)
poetry.lock
medium Security checks software dependencies conf 0.88 2 occurrences postcss: GHSA-qx2v-qp2m-jg93
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output
2 files, 2 locations
app/frontend/package-lock.json
app/frontend/pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 2 occurrences prismjs: GHSA-x7hr-w5r2-h6wg
PrismJS DOM Clobbering vulnerability
2 files, 2 locations
app/frontend/package-lock.json
app/frontend/pnpm-lock.yaml
medium Security checks quality Quality conf 0.78 Public web service has no security.txt
security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt.
.well-known/security.txt
medium Security checks software dependencies conf 0.88 pytest: GHSA-6w46-j5rx-g56g
pytest has vulnerable tmpdir handling
poetry.lock
medium Security checks software dependencies conf 0.90 Python package `anyio` is 1 major version(s) behind (3.7.1 -> 4.13.0)
poetry.lock pins `anyio` at 3.7.1 but the latest stable release on PyPI is 4.13.0 (1 major version(s) behind).
poetry.lock
medium Security checks software dependencies conf 0.90 Python package `attrs` is 1 major version(s) behind (25.4.0 -> 26.1.0)
poetry.lock pins `attrs` at 25.4.0 but the latest stable release on PyPI is 26.1.0 (1 major version(s) behind).
poetry.lock
medium Security checks software dependencies conf 0.90 Python package `black` is 3 major version(s) behind (23.12.1 -> 26.5.1)
poetry.lock pins `black` at 23.12.1 but the latest stable release on PyPI is 26.5.1 (3 major version(s) behind).
poetry.lock
medium Security checks software dependencies conf 0.90 Python package `cachetools` is 1 major version(s) behind (6.2.1 -> 7.1.4)
poetry.lock pins `cachetools` at 6.2.1 but the latest stable release on PyPI is 7.1.4 (1 major version(s) behind).
poetry.lock
medium Security checks software dependencies conf 0.90 Python package `certifi` is 1 major version(s) behind (2025.10.5 -> 2026.5.20)
poetry.lock pins `certifi` at 2025.10.5 but the latest stable release on PyPI is 2026.5.20 (1 major version(s) behind).
poetry.lock
medium Security checks software dependencies conf 0.90 Python package `flake8` is 1 major version(s) behind (6.1.0 -> 7.3.0)
poetry.lock pins `flake8` at 6.1.0 but the latest stable release on PyPI is 7.3.0 (1 major version(s) behind).
poetry.lock
medium Security checks software dependencies conf 0.90 Python package `groq` is 1 major version(s) behind (0.32.0 -> 1.4.0)
poetry.lock pins `groq` at 0.32.0 but the latest stable release on PyPI is 1.4.0 (1 major version(s) behind).
poetry.lock
medium Security checks software dependencies conf 0.88 python-dotenv: GHSA-mf9w-mj56-hr94
python-dotenv: Symlink following in set_key allows arbitrary file overwrite via cross-device rename fallback
poetry.lock
high Security checks software dependencies conf 0.70 Remote install command pipes network code directly to a shell
Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified.
src/utils/ollama.py:34
medium Security checks software dependencies conf 0.88 requests: GHSA-gc5v-m9x4-r6x2
Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function
poetry.lock
medium Security checks software dependencies conf 0.88 starlette: GHSA-2c2j-9gv5-cj73
Starlette has possible denial-of-service vector when parsing large files in multipart forms
poetry.lock
medium Security checks software dependencies conf 0.88 vite: GHSA-356w-63v5-8wf4
Vite has an `server.fs.deny` bypass with an invalid `request-target`
app/frontend/package-lock.json
medium Security checks software dependencies conf 0.88 vite: GHSA-4r4m-qw57-chr8
Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query
app/frontend/package-lock.json
medium Security checks software dependencies conf 0.88 2 occurrences vite: GHSA-4w7w-66w2-5vf9
Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling
2 files, 2 locations
app/frontend/package-lock.json
app/frontend/pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 vite: GHSA-64vr-g452-qvp3
Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS
app/frontend/package-lock.json
medium Security checks software dependencies conf 0.88 vite: GHSA-859w-5945-r5v3
Vite's server.fs.deny bypassed with /. for files under project root
app/frontend/package-lock.json
medium Security checks software dependencies conf 0.88 vite: GHSA-8jhw-289h-jh2g
Vite's `server.fs.deny` did not deny requests for patterns with directories.
app/frontend/package-lock.json
medium Security checks software dependencies conf 0.88 2 occurrences vite: GHSA-93m4-6634-74q7
vite allows server.fs.deny bypass via backslash on Windows
2 files, 2 locations
app/frontend/package-lock.json
app/frontend/pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 vite: GHSA-9cwx-2883-4wfx
Vite's `server.fs.deny` is bypassed when using `?import&raw`
app/frontend/package-lock.json
medium Security checks software dependencies conf 0.88 vite: GHSA-vg6x-rcgg-rjx6
Websites were able to send any requests to the development server and read the response in vite
app/frontend/package-lock.json
medium Security checks software dependencies conf 0.88 vite: GHSA-x574-m823-4x7w
Vite bypasses server.fs.deny when using ?raw??
app/frontend/package-lock.json
medium Security checks software dependencies conf 0.88 vite: GHSA-xcj6-pq6g-qj4x
Vite allows server.fs.deny to be bypassed with .svg or relative paths
app/frontend/package-lock.json
medium Security checks software dependencies conf 0.88 2 occurrences yaml: GHSA-48c2-rrv3-qjmp
yaml is vulnerable to Stack Overflow via deeply nested YAML collections
2 files, 2 locations
app/frontend/package-lock.json
app/frontend/pnpm-lock.yaml
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/frontend/src/services/api-keys-api.ts:51
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/frontend/src/services/api.ts:109
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/frontend/src/services/backtest-api.ts:30
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/frontend/src/services/flow-service.ts:30
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph hardware Security conf 1.00 Dockerfile runs as root: docker/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph security security conf 1.00 Insecure pattern 'subprocess_shell_true' in src/utils/ollama.py:49
Found a known-risky pattern (subprocess_shell_true). With `shell=True` the whole command string is parsed by /bin/sh, so any value interpolated into it (a path, a model name, an environment variable) can inject further commands. Pass an argument list with the default `shell=False` instead, and keep this review together with the `curl | sh` installer finding in the same file.
src/utils/ollama.py:49 · Subprocess shell true
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — src/tools/api.py:48
`requests.post(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — src/utils/ollama.py:95
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
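The three findings in src/utils/ollama.py (the piped remote installer at line 34, `shell=True` at line 49, and the untimed `Popen` at line 95) share one fix: fetch the installer with a timeout, refuse to run it unless its digest matches a value reviewed and committed with the pinned URL, and execute it as an argument list with no shell and a hard timeout. The block below is an added example, not the project's code. The installer bytes, their digest and the URL are constructed for the demo; a real installer is a shell script and would be launched as `["/bin/sh", path]`, so a tiny Python script stands in here only to keep the example portable.

```python
import hashlib
import hmac
import subprocess
import sys
import tempfile
import urllib.error
import urllib.request
from pathlib import Path
from typing import Optional, Sequence, Tuple

# Constructed stand-in for a downloaded installer (a real one is a shell script).
GOOD_SCRIPT = b"print('installer ran')\n"
SLOW_SCRIPT = b"import time\ntime.sleep(30)\n"
# In a real repo these are literals committed next to the pinned URL and reviewed once;
# they are computed here only because the sample scripts are constructed in this file.
GOOD_SHA256 = hashlib.sha256(GOOD_SCRIPT).hexdigest()
SLOW_SHA256 = hashlib.sha256(SLOW_SCRIPT).hexdigest()
INSTALLER_URL = "https://example.invalid/install.sh"  # placeholder, never fetched by the demo


def download(url: str, timeout_s: float = 30.0) -> Optional[bytes]:
    """Fetch the installer with a hard timeout; None on any network failure.
    (Not exercised by the offline demo below.)"""
    try:
        with urllib.request.urlopen(url, timeout=timeout_s) as resp:
            return resp.read()
    except (urllib.error.URLError, TimeoutError, OSError):
        return None


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """Constant-time digest check against the committed value."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


def run_verified_installer(script: bytes, expected_hex: str, timeout_s: float = 120.0,
                           interpreter: Optional[Sequence[str]] = None) -> Tuple[str, Optional[int]]:
    """Execute the installer only if its digest matches, never through a shell,
    bounded by a timeout. Returns ("exited", returncode) or ("timeout", None)."""
    if not verify_sha256(script, expected_hex):
        raise ValueError("installer digest mismatch; refusing to execute")
    argv = list(interpreter) if interpreter else [sys.executable]
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "installer"
        path.write_bytes(script)
        try:
            # Argument list with the default shell=False: nothing here is re-parsed by a
            # shell, unlike `curl ... | sh` or subprocess.run("...", shell=True).
            proc = subprocess.run(argv + [str(path)], capture_output=True,
                                  timeout=timeout_s, check=False)
        except subprocess.TimeoutExpired:
            # subprocess.run kills the child before raising, so nothing is left hanging.
            return ("timeout", None)
    return ("exited", proc.returncode)


if __name__ == "__main__":
    print(run_verified_installer(GOOD_SCRIPT, GOOD_SHA256))                  # ('exited', 0)
    print(run_verified_installer(SLOW_SCRIPT, SLOW_SHA256, timeout_s=1))     # ('timeout', None)
    try:
        run_verified_installer(GOOD_SCRIPT + b"import os\n", GOOD_SHA256)
    except ValueError as exc:
        print("rejected:", exc)
```

The same discipline applies to the `requests.post` at src/tools/api.py:48: pass `timeout=` (a `(connect, read)` tuple is accepted) and catch `requests.RequestException`, otherwise a stalled upstream blocks the agent indefinitely. Pinning to a digest does not replace reviewing the installer once; it guarantees that what runs later is the thing that was reviewed.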
medium System graph security Coverage conf 1.00 No auth library detected
The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.
auth
medium System graph cicd CI/CD security conf 1.00 No CI/CD pipelines detected
No GitHub Actions, GitLab CI, or CircleCI configs found. Without CI you can't gate deploys on tests/lints.
CI/CD security · Coverage
low Security checks cicd CI/CD security conf 0.72 .dockerignore misses sensitive defaults
.dockerignore exists but does not cover common secret or VCS patterns.
.dockerignore · CI/CD security · containers
low Security checks security auth conf 0.76 [AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found.
low Security checks software dependencies conf 0.88 aiohttp: GHSA-2vrm-gr82-f7m5
AIOHTTP has CRLF injection through multipart part content type header construction
poetry.lock
low Security checks software dependencies conf 0.88 aiohttp: GHSA-3wq7-rqq7-wx6j
AIOHTTP has late size enforcement for non-file multipart fields causes memory DoS
poetry.lock
low Security checks software dependencies conf 0.88 aiohttp: GHSA-54jq-c3m8-4m76
AIOHTTP vulnerable to brute-force leak of internal static file path components
poetry.lock
low Security checks software dependencies conf 0.88 aiohttp: GHSA-63hf-3vf5-4wqf
AIOHTTP's C parser (llhttp) accepts null bytes and control characters in response header values - header injection/security bypass
poetry.lock
low Security checks software dependencies conf 0.88 aiohttp: GHSA-69f9-5gxw-wvc2
AIOHTTP's unicode processing of header values could cause parsing discrepancies
poetry.lock
low Security checks software dependencies conf 0.88 aiohttp: GHSA-966j-vmvw-g2g9
AIOHTTP leaks Cookie and Proxy-Authorization headers on cross-origin redirect
poetry.lock
low Security checks software dependencies conf 0.88 aiohttp: GHSA-fh55-r93g-j68g
AIOHTTP Vulnerable to Cookie Parser Warning Storm
poetry.lock
low Security checks software dependencies conf 0.88 aiohttp: GHSA-hcc4-c3v8-rx92
AIOHTTP Affected by Denial of Service (DoS) via Unbounded DNS Cache in TCPConnector
poetry.lock
low Security checks software dependencies conf 0.88 aiohttp: GHSA-mqqc-3gqh-h2x8
AIOHTTP has unicode match groups in regexes for ASCII protocol elements
poetry.lock
low Security checks software dependencies conf 0.88 aiohttp: GHSA-mwh4-6h8g-pg8w
AIOHTTP has HTTP response splitting via \r in reason phrase
poetry.lock
low Security checks software dependencies conf 0.88 2 occurrences brace-expansion: GHSA-v6h2-p8h4-qcjw
brace-expansion Regular Expression Denial of Service vulnerability
2 files, 2 locations
app/frontend/package-lock.json
app/frontend/pnpm-lock.yaml
high Security checks cicd CI/CD security conf 0.56 6 occurrences Compose service does not declare a runtime user
If the image does not define USER internally, this service may run as root.
docker/docker-compose.yml:1, 17, 32, 47, 62, 77 (6 hits)
CI/CD security · containers
high Security checks cicd CI/CD security conf 0.62 6 occurrences Compose service lacks no-new-privileges hardening
no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities.
docker/docker-compose.yml:1, 17, 32, 47, 62, 77 (6 hits)
CI/CD security · containers
high Security checks cicd CI/CD security conf 0.72 Dockerfile keeps pip download cache
Pip's package cache increases image size and can preserve unnecessary artifacts; install with `pip install --no-cache-dir ...` or purge the cache in the same layer. This is image hygiene rather than an exploitable defect, so treat the severity as a packaging signal.
docker/Dockerfile:9 · CI/CD security · containers
low Security checks quality Quality conf 0.60 19 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
12 files, 16 locations
src/agents/stanley_druckenmiller.py:42, 58, 449 (3 hits)
app/frontend/src/hooks/use-flow-management.ts:14, 45 (2 hits)
src/agents/phil_fisher.py:56, 459 (2 hits)
app/frontend/src/components/panels/left/flow-edit-dialog.tsx:100
app/frontend/src/components/settings/models/ollama.tsx:683
app/frontend/src/hooks/use-flow-management-tabs.ts:47
app/frontend/src/nodes/components/json-output-dialog.tsx:94
app/frontend/src/nodes/components/json-output-node.tsx:61
duplication · quality
low Security checks software dependencies conf 0.88 langchain-core: GHSA-2g6r-c272-w58r
LangChain affected by SSRF via image_url token counting in ChatOpenAI.get_num_tokens_from_messages
poetry.lock
low Security checks quality Documentation No LICENSE file
Add a LICENSE file to your repository. Use choosealicense.com to pick the right license (MIT for permissive, Apache 2.0 for patent protection, GPL for copyleft).
low Security checks software dependencies conf 0.90 npm package `@xyflow/react` is minor version(s) behind (12.5.1 -> 12.11.0)
`@xyflow/react` is pinned/resolved at 12.5.1 but the latest stable release on the npm registry is 12.11.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
app/frontend/package.json
low Security checks software dependencies conf 0.90 npm package `autoprefixer` is minor version(s) behind (10.4.21 -> 10.5.0)
`autoprefixer` is pinned/resolved at 10.4.21 but the latest stable release on the npm registry is 10.5.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
app/frontend/package.json
low Security checks software dependencies conf 0.90 npm package `eslint-plugin-react-refresh` is minor version(s) behind (0.4.5 -> 0.5.2)
`eslint-plugin-react-refresh` is pinned/resolved at 0.4.5 but the latest stable release on the npm registry is 0.5.2 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs…
app/frontend/package.json
low Security checks software dependencies conf 0.90 npm package `tailwind-merge` is minor version(s) behind (3.2.0 -> 3.6.0)
`tailwind-merge` is pinned/resolved at 3.2.0 but the latest stable release on the npm registry is 3.6.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
app/frontend/package.json
low Security checks software dependencies conf 0.88 pygments: GHSA-5239-wwwm-4pmq
Pygments has Regular Expression Denial of Service (ReDoS) due to Inefficient Regex for GUID Matching
poetry.lock
low Security checks software dependencies conf 0.90 Python package `alembic` is minor version(s) behind (1.17.0 -> 1.18.4)
poetry.lock pins `alembic` at 1.17.0 but the latest stable release on PyPI is 1.18.4 (minor version(s) behind).
poetry.lock
low Security checks software dependencies conf 0.90 Python package `anthropic` is minor version(s) behind (0.70.0 -> 0.105.2)
poetry.lock pins `anthropic` at 0.70.0 but the latest stable release on PyPI is 0.105.2 (minor version(s) behind).
poetry.lock
low Security checks software dependencies conf 0.90 Python package `click` is minor version(s) behind (8.3.0 -> 8.4.1)
poetry.lock pins `click` at 8.3.0 but the latest stable release on PyPI is 8.4.1 (minor version(s) behind).
poetry.lock
low Security checks software dependencies conf 0.90 Python package `docstring-parser` is minor version(s) behind (0.17.0 -> 0.18.0)
poetry.lock pins `docstring-parser` at 0.17.0 but the latest stable release on PyPI is 0.18.0 (minor version(s) behind).
poetry.lock
low Security checks software dependencies conf 0.90 Python package `fastapi` is minor version(s) behind (0.104.1 -> 0.136.3)
poetry.lock pins `fastapi` at 0.104.1 but the latest stable release on PyPI is 0.136.3 (minor version(s) behind).
poetry.lock
low Security checks software dependencies conf 0.90 Python package `gigachat` is minor version(s) behind (0.1.42.post2 -> 0.2.1)
poetry.lock pins `gigachat` at 0.1.42.post2 but the latest stable release on PyPI is 0.2.1 (minor version(s) behind).
poetry.lock
low Security checks software dependencies conf 0.90 Python package `google-ai-generativelanguage` is minor version(s) behind (0.7.0 -> 0.12.0)
poetry.lock pins `google-ai-generativelanguage` at 0.7.0 but the latest stable release on PyPI is 0.12.0 (minor version(s) behind).
poetry.lock
low Security checks software dependencies conf 0.90 Python package `google-api-core` is minor version(s) behind (2.26.0 -> 2.31.0)
poetry.lock pins `google-api-core` at 2.26.0 but the latest stable release on PyPI is 2.31.0 (minor version(s) behind).
poetry.lock
low Security checks software dependencies conf 0.90 Python package `google-auth` is minor version(s) behind (2.41.1 -> 2.53.0)
poetry.lock pins `google-auth` at 2.41.1 but the latest stable release on PyPI is 2.53.0 (minor version(s) behind).
poetry.lock
low Security checks software dependencies conf 0.90 Python package `googleapis-common-protos` is minor version(s) behind (1.70.0 -> 1.75.0)
poetry.lock pins `googleapis-common-protos` at 1.70.0 but the latest stable release on PyPI is 1.75.0 (minor version(s) behind).
poetry.lock
low Security checks software dependencies conf 0.90 Python package `grpcio-status` is minor version(s) behind (1.75.1 -> 1.81.0)
poetry.lock pins `grpcio-status` at 1.75.1 but the latest stable release on PyPI is 1.81.0 (minor version(s) behind).
poetry.lock
low Security checks software dependencies conf 0.90 Python package `httptools` is minor version(s) behind (0.7.1 -> 0.8.0)
poetry.lock pins `httptools` at 0.7.1 but the latest stable release on PyPI is 0.8.0 (minor version(s) behind).
poetry.lock
low Security checks software dependencies conf 0.90 Python package `httpx` is minor version(s) behind (0.27.2 -> 0.28.1)
poetry.lock pins `httpx` at 0.27.2 but the latest stable release on PyPI is 0.28.1 (minor version(s) behind).
poetry.lock
low Security checks software dependencies conf 0.90 Python package `idna` is minor version(s) behind (3.11 -> 3.18)
poetry.lock pins `idna` at 3.11 but the latest stable release on PyPI is 3.18 (minor version(s) behind).
poetry.lock
low Security checks software dependencies conf 0.90 Python package `iniconfig` is minor version(s) behind (2.1.0 -> 2.3.0)
poetry.lock pins `iniconfig` at 2.1.0 but the latest stable release on PyPI is 2.3.0 (minor version(s) behind).
poetry.lock
low Security checks software dependencies conf 0.88 2 occurrences vite: GHSA-g4jq-h2w9-997c
Vite middleware may serve files starting with the same name with the public directory
2 files, 2 locations
app/frontend/package-lock.json
app/frontend/pnpm-lock.yaml
low Security checks software dependencies conf 0.88 2 occurrences vite: GHSA-jqfw-vq24-v9c3
Vite's `server.fs` settings were not applied to HTML files
2 files, 2 locations
app/frontend/package-lock.json
app/frontend/pnpm-lock.yaml
low System graph quality Integrity conf 1.00 12 env vars used in code but missing from .env.example
Drift between code and config docs. The first few: `GIGACHAT_CREDENTIALS`, `GIGACHAT_PASSWORD`, `GIGACHAT_USER`, `KIMI_API_KEY`, `KIMI_BASE_URL`, `MOONSHOT_BASE_URL`, `OLLAMA_BASE_URL`, `OLLAMA_HOST` + 4 more. Add them (with a placeholder/comment) to .env.example so onboarding doesn't break.
config drift
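The drift the scanner reports can be checked in the repo's own CI with a few lines: collect every name read through `os.getenv`, `os.environ.get` or `os.environ[...]`, compare it with the names declared in .env.example, and report both directions. The block below is an added example, not the project's code; the source snippets and the .env.example text are constructed for the demo and only borrow variable names from the finding above.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample inputs (not the project's real files).
SAMPLE_SOURCES: Dict[str, str] = {
    "src/llm/models.py": '''
import os
key = os.getenv("KIMI_API_KEY")
base = os.environ.get("KIMI_BASE_URL", "https://api.moonshot.ai")
host = os.environ["OLLAMA_HOST"]
''',
    "src/utils/ollama.py": '''
import os
url = os.environ.get("OLLAMA_BASE_URL") or "http://localhost:11434"
''',
}

SAMPLE_ENV_EXAMPLE = '''
# API keys (placeholders only; never commit real values here)
OPENAI_API_KEY=your-openai-key
OLLAMA_HOST=localhost
'''

# Matches os.getenv("NAME"), os.environ.get("NAME", ...) and os.environ["NAME"].
ENV_READ = re.compile(
    r'os\.(?:getenv|environ\.get)\(\s*["\']([A-Z0-9_]+)["\']'
    r'|os\.environ\[\s*["\']([A-Z0-9_]+)["\']\s*\]'
)


def env_vars_used(sources: Dict[str, str]) -> Dict[str, Set[str]]:
    """Map each environment variable name to the files that read it."""
    used: Dict[str, Set[str]] = {}
    for path, text in sources.items():
        for match in ENV_READ.finditer(text):
            name = match.group(1) or match.group(2)
            used.setdefault(name, set()).add(path)
    return used


def env_vars_documented(env_example: str) -> Set[str]:
    """Names declared in a dotenv-style file; comments and blank lines are skipped."""
    names: Set[str] = set()
    for line in env_example.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, _ = line.partition("=")
        names.add(name.strip())
    return names


def config_drift(sources: Dict[str, str], env_example: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Return (read-but-undocumented names with their files, documented-but-unread names)."""
    used = env_vars_used(sources)
    documented = env_vars_documented(env_example)
    missing = {name: sorted(files) for name, files in used.items() if name not in documented}
    unused = sorted(documented - set(used))
    return missing, unused


if __name__ == "__main__":
    missing, unused = config_drift(SAMPLE_SOURCES, SAMPLE_ENV_EXAMPLE)
    for name, files in sorted(missing.items()):
        print(f"missing from .env.example: {name} (read in {', '.join(files)})")
    for name in unused:
        print(f"declared but never read: {name}")
```

Run it against the real tree by reading every `*.py` under src/ and app/backend/ into the `sources` mapping; exiting non-zero when `missing` is non-empty turns the scanner's finding into a CI gate. The reverse list matters too: a documented variable nothing reads is usually a renamed secret that operators are still setting.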
low System graph hardware Coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
Deployment
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: python:3.11-slim
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
docker/Dockerfile:1 · containers · Pinned dependencies
low System graph software Dead code candidate conf 1.00 File has no detected symbols: app/frontend/src/components/ui/accordion.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: app/frontend/src/components/ui/button.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: app/frontend/src/components/ui/card.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: app/frontend/src/components/ui/checkbox.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: app/frontend/src/components/ui/input.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: app/frontend/src/components/ui/popover.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: app/frontend/src/components/ui/separator.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: app/frontend/src/components/ui/table.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: app/frontend/src/components/ui/tabs.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: app/frontend/src/components/ui/tooltip.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 12 occurrences File has no detected symbols
Source file with no class/function declarations — possible config, dead code, or scratch file.
12 files, 12 locations
app/frontend/src/main.tsx
app/frontend/src/nodes/types.ts
app/frontend/src/services/flow-service.ts
app/frontend/src/services/types.ts
app/frontend/src/types/flow.ts
app/frontend/src/vite-env.d.ts
app/frontend/tailwind.config.ts
app/frontend/vite.config.ts
v2/conftest.py
v2/pipeline/execution.py
v2/portfolio/optimizer.py
v2/risk/manager.py
Caveat: most of the frontend hits are files that are expected to declare no class or function. main.tsx is the Vite entry point (it mounts the React tree and exports nothing), vite-env.d.ts is Vite's type-reference shim, and tailwind.config.ts / vite.config.ts are configuration. The nodes/types.ts, services/types.ts and types/flow.ts files hold TypeScript `interface` and `type` declarations, which a scanner that counts only class and function declarations does not see. flow-service.ts may define its functions as `const fn = () => ...` arrow functions, which the same scanner also misses; open it before treating it as dead. An empty v2/conftest.py is a common pytest idiom for putting the directory on sys.path, not a scratch file. The three remaining v2/*.py modules are the ones worth checking: a pipeline, optimizer or risk-manager module with no declared symbols is either a placeholder or was not parsed.
low System graph quality Tests conf 1.00 Low test-to-source ratio
39 tests / 195 src (ratio 0.20).
low System graph quality Integrity conf 1.00 17 occurrences Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: v2/backtesting/strategy.py:name, v2/backtesting/strategy.py:name. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
repo-level (17 hits)
Caveat: both hits are a member named `name` in the same file. Two strategy classes each defining a short `name` property or method whose first lines are identical is the usual shape of a strategy registry, not copy-paste, and a hash over the first five lines of the body cannot tell the two apart. Check whether the bodies differ after line 5 (or only in the returned literal) before consolidating, and vote FP if so. The other 16 hits in this group are not listed here, so read the count as repo-wide, not as 17 copies of this one pair.
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `positions_copy` in src/backtesting/portfolio.py:45
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
Caveat: `_copy` is a far weaker marker than the suffixes the rule names. In a backtesting portfolio, a `positions_copy` is most plausibly a deliberate defensive copy taken so that a simulated trade does not mutate the live positions mapping; if that is what line 45 does, the name is accurate and this is a false positive. Deleting it without reading the surrounding function would introduce shared mutable state rather than remove dead code.
low System graph software Dead code conf 1.00 Possibly dead Python function: create_default_portfolio_output
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/agents/portfolio_manager.py:242
Caveat: a "default output" helper in an agent module is commonly reached only from an error-handling branch, for example when the model call fails or returns output that does not parse. Confirm by reading the except and fallback paths in the same file rather than by caller count alone.
low System graph software Dead code conf 1.00 10 occurrences Possibly dead Python functions: upgrade, downgrade
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
5 files, 10 locations (upgrade / downgrade)
app/backend/alembic/versions/1b1feba3d897_add_data_column_to_hedge_fund_flows.py:21 / :28
app/backend/alembic/versions/2f8c5d9e4b1a_add_hedgefundflowrun_table.py:21 / :43
app/backend/alembic/versions/3f9a6b7c8d2e_add_hedgefundflowruncycle_table.py:18 / :70
app/backend/alembic/versions/5274886e5bee_add_hedgefundflow_table.py:21 / :41
app/backend/alembic/versions/add_api_keys_table.py:21 / :40
Caveat: false positive by construction. `upgrade()` and `downgrade()` are the entry points Alembic's migration runner invokes by name from every script under versions/; application code is not supposed to call them, so a call-site scan will never find a caller. Deleting them would leave the schema unmigratable, including the add_api_keys_table revision that creates the table where provider API keys are stored. Vote FP.
low System graph software Dead code conf 1.00 Possibly dead Python function: portfolio_management_agent
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/agents/portfolio_manager.py:25
Caveat: if, as the langchain-core dependency in the security findings suggests, the agents are LangGraph nodes, the function object is handed to the graph builder rather than called, and a call-site scan does not see that. Check the graph construction code before treating it as dead.
low System graph software Dead code conf 1.00 Possibly dead Python function: save_graph_as_png
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/utils/visualize.py:5
Caveat: a visualization helper is typically reached only behind an optional command-line flag. Check the entry-point script's argument parser before deleting.
low System graph software Dead code conf 1.00 Possibly dead Python function: sort_key
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/utils/progress.py:80
Caveat: a function named `sort_key` is almost always passed as `sorted(..., key=sort_key)` rather than called, and a scan that only inspects call nodes misses a bare name used as an argument. Expect FP.
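The "possibly dead" verdicts above all come from one heuristic: count the call nodes whose callee name matches the function. The example below, added here and not part of Repobility's engine or the ai-hedge-fund code base, reproduces that scan with Python's `ast` module and then adds the two reference kinds it misses: a function passed as a value (a `key=` argument, a graph node registration) and a framework entry point that is invoked by name (`upgrade`/`downgrade`). The two source snippets are constructed for the demo, and the set of framework entry points is an assumption you would extend for your own stack.

```python
"""Why an AST call scan over-reports dead functions.

Added example, not Repobility's or ai-hedge-fund's code. It counts direct
calls like a naive scanner does, then also counts uses of the function as a
value and recognises names that a framework calls by convention.
"""
import ast
from dataclasses import dataclass

# Constructed sample: a nested helper used only as a key= argument, never called.
PROGRESS_PY = '''
def render(items):
    def sort_key(item):
        return item["ts"]
    return sorted(items, key=sort_key)
'''

# Constructed sample: an Alembic-style migration; nothing in-repo calls these.
MIGRATION_PY = '''
def upgrade():
    pass

def downgrade():
    pass
'''

# Assumption for this demo: names a framework invokes by convention.
FRAMEWORK_ENTRYPOINTS = {"upgrade", "downgrade"}


@dataclass
class Usage:
    calls: int = 0       # f(...)
    value_refs: int = 0  # f used as a value: key=f, add_node("n", f), handlers[f], ...


def scan(source: str) -> dict[str, Usage]:
    """Map every function defined in `source` to how it is referenced there."""
    tree = ast.parse(source)
    defs = {
        n.name: Usage()
        for n in ast.walk(tree)
        if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef))
    }
    callee_ids = set()
    for node in ast.walk(tree):
        # Direct call: this is all the naive scanner counts.
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            callee_ids.add(id(node.func))
            if node.func.id in defs:
                defs[node.func.id].calls += 1
    for node in ast.walk(tree):
        # Any other load of the name is a use as a value (callback, registration).
        if (
            isinstance(node, ast.Name)
            and isinstance(node.ctx, ast.Load)
            and id(node) not in callee_ids
            and node.id in defs
        ):
            defs[node.id].value_refs += 1
    return defs


def classify(defs: dict[str, Usage]) -> dict[str, str]:
    """Turn raw counts into a verdict; only the last bucket is a real dead-code candidate."""
    out = {}
    for name, u in defs.items():
        if u.calls:
            out[name] = "called"
        elif u.value_refs:
            out[name] = "referenced-as-value"
        elif name in FRAMEWORK_ENTRYPOINTS:
            out[name] = "framework-entrypoint"
        else:
            out[name] = "possibly-dead"
    return out


if __name__ == "__main__":
    for label, src in (("progress.py", PROGRESS_PY), ("migration.py", MIGRATION_PY)):
        for fn, verdict in classify(scan(src)).items():
            print(f"{label}: {fn} -> {verdict}")
```

Run on the two constructed files, `sort_key` comes out as referenced-as-value and `upgrade`/`downgrade` as framework-entrypoint; only `render`, which the sample really never uses, stays a dead-code candidate. Functions registered through decorators would need a third bucket, keyed on the decorator name, which is the natural next extension.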
low System graph frontend Frontend quality conf 1.00 React Flow <Controls> without dark theming — app/frontend/src/components/custom-controls.tsx:10
`<Controls>` ships with white buttons. Override `.react-flow__controls` and `.react-flow__controls-button` in your stylesheet or pass a styled wrapper. Why: P1 in CHECKLIST.md — vendor defaults bleed light through. Rule id: fq.controls.no-bg
low System graph frontend Frontend quality conf 1.00 12 occurrences Stray `console.log` in TS/JS
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
12 files, 12 locations
app/frontend/src/components/panels/bottom/tabs/backtest-output.tsx:40
app/frontend/src/components/settings/api-keys.tsx:143
app/frontend/src/components/settings/models/ollama.tsx:282
app/frontend/src/components/tabs/flow-tab-content.tsx:32
app/frontend/src/contexts/flow-context.tsx:182
app/frontend/src/hooks/use-enhanced-flow-actions.ts:83
app/frontend/src/hooks/use-flow-connection.ts:190
app/frontend/src/hooks/use-flow-management.ts:120
app/frontend/src/nodes/components/json-output-node.tsx:59
app/frontend/src/services/api.ts:73
app/frontend/src/services/backtest-api.ts:85
app/frontend/src/services/sidebar-storage.ts:194
Triage note: the hygiene rating fits most of these, but three deserve a look before the rest. settings/api-keys.tsx:143 sits in the component that edits provider API keys; if the statement logs the request or response object, the key material lands in the browser console and in any session-replay or error-reporting tool that captures console output. services/api.ts:73 and services/backtest-api.ts:85 are in the HTTP client layer, where a logged response object has the same effect for every call that passes through. Read what each statement logs, not only that it logs. To keep these from returning, enforce the policy in lint rather than in review: ESLint's `no-console` rule with `{ "allow": ["warn", "error"] }` expresses exactly the rule stated above.
low System graph api Wiring conf 1.00 29 occurrences Unused endpoints: 29 routes in app/backend/routes/ with no frontend caller
Each route below is declared in the named router but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
5 files, 29 locations
app/backend/routes/api_keys.py (7): DELETE /{provider} · GET /{provider} · PATCH /{provider}/deactivate · PATCH /{provider}/last-used · POST / · POST /bulk · PUT /{provider}
app/backend/routes/flow_runs.py (7): DELETE / · DELETE /{run_id} · GET /active · GET /count · GET /latest · GET /{run_id} · PUT /{run_id}
app/backend/routes/flows.py (5): DELETE /{flow_id} · GET /search/{name} · GET /{flow_id} · POST /{flow_id}/duplicate · PUT /{flow_id}
app/backend/routes/health.py (1): GET /
app/backend/routes/ollama.py (9): DELETE /models/download/{model_name} · DELETE /models/{model_name} · GET /models/download/progress/{model_name} · GET /models/downloads/active · GET /models/recommended · POST /models/download · POST /models/download/progress · POST /start · POST /stop
Before voting: the scan matches literal paths in frontend code, so a request whose URL is built from a template string (for example `${base}/${provider}`) in services/api.ts or in the api-keys settings component would not be matched. Grep the frontend services for each path fragment before calling a route dead. GET / in health.py is a liveness probe for orchestrators and load balancers, not for the frontend; document that consumer and vote FP.
Security reading: "unused" and "reachable" are different properties, and for an API a route the UI never calls is still attack surface. Two groups matter more than the rest. The api_keys.py routes create, read, update, deactivate and delete stored provider API keys (the add_api_keys_table migration listed above creates that table); confirm that `GET /{provider}` and `POST /bulk` do not return key material and check what authentication the router requires, because a route nobody in the UI uses is also a route nobody notices misbehaving. The ollama.py `POST /start`, `POST /stop`, `POST /models/download` and the two DELETE routes start and stop a local model server and pull or delete large models on the host; if the backend listens on anything other than loopback, those are host-side operations available to whoever can reach the port, so check what guards them. For both groups, removing a route that genuinely has no consumer is cheaper than auditing it.
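The route inventory above is what a static scan of the FastAPI routers yields, and the useful check is the diff against a maintained list of known consumers, not the raw list. The example below, added here and not taken from the project or from Repobility, extracts `(METHOD, path)` pairs from `@router.<verb>(...)` decorators with the `ast` module (honouring an `APIRouter(prefix=...)` when present), diffs them against a consumer allowlist, and orders the leftovers so state-changing routes are reviewed first. The router source and the consumer allowlist are constructed for the demo; the repo's real routers and frontend calls are the inputs you would substitute. Run it as a test in CI so that a new route without a documented consumer fails the build.

```python
"""Unused-endpoint check: added example, not Repobility's or ai-hedge-fund's code."""
import ast

# Constructed router source in FastAPI style; stands in for app/backend/routes/api_keys.py.
API_KEYS_PY = '''
from fastapi import APIRouter
router = APIRouter(prefix="/api-keys")

@router.get("/{provider}")
async def get_key(provider: str): ...

@router.post("/bulk")
def bulk_upsert(): ...

@router.patch("/{provider}/deactivate")
def deactivate(provider: str): ...

@router.delete("/{provider}")
def delete_key(provider: str): ...
'''

# Constructed consumer inventory: (METHOD, path) pairs the frontend or a documented
# external client is known to call. Maintained by hand; anything missing here fails.
CONSUMED = {
    ("GET", "/api-keys/{provider}"),
    ("DELETE", "/api-keys/{provider}"),
}

HTTP_VERBS = {"get", "post", "put", "patch", "delete"}


def routes_in(source: str, router_name: str = "router") -> list[tuple[str, str]]:
    """Return (METHOD, full_path) for every @<router_name>.<verb>("...") decorator."""
    tree = ast.parse(source)
    prefix = ""
    for node in ast.walk(tree):
        # APIRouter(prefix="/x") is prepended to every path registered on that router.
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and node.func.id == "APIRouter":
            for kw in node.keywords:
                if kw.arg == "prefix" and isinstance(kw.value, ast.Constant):
                    prefix = kw.value.value
    routes = []
    for node in ast.walk(tree):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        for dec in node.decorator_list:
            if (
                isinstance(dec, ast.Call)
                and isinstance(dec.func, ast.Attribute)
                and isinstance(dec.func.value, ast.Name)
                and dec.func.value.id == router_name
                and dec.func.attr in HTTP_VERBS
                and dec.args
                and isinstance(dec.args[0], ast.Constant)
            ):
                routes.append((dec.func.attr.upper(), prefix + dec.args[0].value))
    return routes


def unconsumed(routes, consumed) -> list[tuple[str, str]]:
    """Routes with no known consumer: candidates for removal or for an auth review."""
    return [r for r in routes if r not in consumed]


def review_order(routes, consumed) -> list[tuple[str, str]]:
    """Unconsumed routes, writes and deletes first: a forgotten state-changing
    endpoint widens attack surface more than a forgotten read."""
    return sorted(unconsumed(routes, consumed), key=lambda r: (r[0] == "GET", r[1]))


if __name__ == "__main__":
    for method, path in review_order(routes_in(API_KEYS_PY), CONSUMED):
        print(f"no known consumer: {method} {path}")
```

On the constructed router this reports `POST /api-keys/bulk` and `PATCH /api-keys/{provider}/deactivate`, the two routes absent from the allowlist. Routes declared with `router.api_route(..., methods=[...])` or on an `APIRouter` included under a parent prefix would need the decorator and prefix handling extended, which is why the allowlist, not the extractor, should be the source of truth.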
API access

This page is publicly accessible at: https://repobility.com/scan/969af918-800c-4c7e-85b0-b124b88cdd8c/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/969af918-800c-4c7e-85b0-b124b88cdd8c/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.