
Scan timing: clone 2.89s · analysis 16.71s · 12.3 MB · GitHub API rate-limit (preflight)

agentforce314/clawcodex

https://github.com/agentforce314/clawcodex · scanned 2026-05-31 01:23 UTC (5 days, 7 hours ago) · 10 languages

597 findings (163 legacy + 434 scanner) 60th percentile · Python · large (100-500K LoC) Scanner says 93 (lower by 18)

UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 5 days, 7 hours ago · v2 · last Δ +1.1 (diff) · 415 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

Score breakdown · 2026-05-18-v5
Component             Sub-score   Weight   Contribution
structure_score            85.0     0.15          12.75
security_score             70.0     0.25          17.50
testing_score             100.0     0.20          20.00
documentation_score       100.0     0.15          15.00
practices_score            44.0     0.15           6.60
code_quality               38.1     0.10           3.81
Overall                              1.00          75.7
Active filters: excluding tests
Scan summary: Repository scanned at 93.2/100 with 100.0% coverage. It contains 14972 nodes across 24 cross-layer flows, written primarily in mixed languages. Engine surfaced 252 findings — concentrated in quality (210), software (37), security (3). Risk profile is high: 0 critical, 3 high, 4 medium. Recommended next step: open the quality layer findings first — that's where the highest-impact wins live.

Showing 191 of 415 findings.

high Legacy quality quality conf 1.00 ✓ Repobility Missing import: `glob` used but not imported
The file uses `glob.something(...)` but never imports `glob`. This raises NameError at runtime the first time the line executes.
src/tool_system/tools/grep.py:59 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility Missing import: `queue` used but not imported
The file uses `queue.something(...)` but never imports `queue`. This raises NameError at runtime the first time the line executes.
src/plugins/dependency.py:74 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility Missing import: `stat` used but not imported
The file uses `stat.something(...)` but never imports `stat`. This raises NameError at runtime the first time the line executes.
src/tool_system/tools/read.py:327 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility Missing import: `stat` used but not imported
The file uses `stat.something(...)` but never imports `stat`. This raises NameError at runtime the first time the line executes.
src/memdir/memory_scan.py:148 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility Missing import: `stat` used but not imported
The file uses `stat.something(...)` but never imports `stat`. This raises NameError at runtime the first time the line executes.
src/tool_system/context.py:237 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility Missing import: `warnings` used but not imported
The file uses `warnings.something(...)` but never imports `warnings`. This raises NameError at runtime the first time the line executes.
src/services/mcp/doctor.py:122 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility Missing import: `warnings` used but not imported
The file uses `warnings.something(...)` but never imports `warnings`. This raises NameError at runtime the first time the line executes.
src/permissions/setup.py:154 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility Missing import: `warnings` used but not imported
The file uses `warnings.something(...)` but never imports `warnings`. This raises NameError at runtime the first time the line executes.
src/services/session_resume.py:77 · quality · legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
Review and fix per the pattern semantics. See CWE-755 for context.
src/auth/auth.py:85 · quality · legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
Review and fix per the pattern semantics. See CWE-755 for context.
src/agent/foreground_promotion.py:194 · quality · legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
Review and fix per the pattern semantics. See CWE-755 for context.
src/agent/agent_tool_utils.py:292 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.
Review and fix per the pattern semantics. See CWE-705 for context.
src/tool_system/registry.py:169 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.
Review and fix per the pattern semantics. See CWE-705 for context.
src/entrypoints/tui.py:149 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.
Review and fix per the pattern semantics. See CWE-705 for context.
scripts/diagnose_keys.py:96 · quality · legacy
high Legacy security injection conf 0.50 [SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection.
Use parameterized queries: cursor.execute('SELECT * FROM t WHERE id = %s', [id]). For dynamic table or column names, choose identifiers from a hard-coded allowlist and keep values in parameters.
src/tool_system/tools/notebook_edit.py:99 · injection · legacy
high Legacy security injection conf 1.00 [SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.
Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders).
src/utils/git.py:200 · injection · legacy
high Legacy security injection conf 1.00 [SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.
Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders).
src/services/api/errors.py:97 · injection · legacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.all` used but never assigned in __init__
Method `__iter__` of class `RuntimeTaskRegistry` reads `self.all`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
src/task_registry.py:114 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.get_merged` used but never assigned in __init__
Method `get` of class `ConfigManager` reads `self.get_merged`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
src/config.py:216 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.load_global` used but never assigned in __init__
Method `set_global` of class `ConfigManager` reads `self.load_global`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
src/config.py:219 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.load_global` used but never assigned in __init__
Method `get_merged` of class `ConfigManager` reads `self.load_global`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
src/config.py:188 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.load_local` used but never assigned in __init__
Method `get_merged` of class `ConfigManager` reads `self.load_local`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
src/config.py:190 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.load_project` used but never assigned in __init__
Method `set_project` of class `ConfigManager` reads `self.load_project`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
src/config.py:224 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.load_project` used but never assigned in __init__
Method `get_merged` of class `ConfigManager` reads `self.load_project`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
src/config.py:189 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.save_global` used but never assigned in __init__
Method `set_global` of class `ConfigManager` reads `self.save_global`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
src/config.py:221 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.save_project` used but never assigned in __init__
Method `set_project` of class `ConfigManager` reads `self.save_project`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
src/config.py:226 · quality · legacy
high Legacy security llm_injection conf 0.82 LLM memory extraction can be prompt-injected into storing fake facts
Strict-JSON memory extraction from raw user and assistant text can be manipulated by a user message unless extracted facts are schema-validated and filtered before persistence.
src/services/mcp/xaa_idp_login.py:1 · llm_injection · legacy
high 9-layer security owasp conf 1.00 Insecure pattern 'tls_verify_false' in src/providers/deepseek_provider.py:56
Found a known-risky pattern (tls_verify_false). Review and replace if possible.
src/providers/deepseek_provider.py:56 · owasp · tls_verify_false
high 9-layer security owasp conf 1.00 Insecure pattern 'tls_verify_false' in src/providers/openai_provider.py:43
Found a known-risky pattern (tls_verify_false). Review and replace if possible.
src/providers/openai_provider.py:43 · owasp · tls_verify_false
high 9-layer security owasp conf 1.00 Insecure pattern 'tls_verify_false' in src/providers/openrouter_provider.py:65
Found a known-risky pattern (tls_verify_false). Review and replace if possible.
src/providers/openrouter_provider.py:65 · owasp · tls_verify_false
medium Legacy security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
auth · legacy
medium Legacy quality error_handling conf 1.00 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.
src/auth/gemini.py:28 · error_handling · legacy
medium Legacy quality error_handling conf 1.00 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.
src/auth/aws.py:55 · error_handling · legacy
medium Legacy quality error_handling conf 1.00 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.
src/auth/auth.py:85 · error_handling · legacy
medium Legacy security crypto conf 1.00 [SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.
Enable SSL verification. Use verify=True (default) for requests. Pin certificates if needed.
src/providers/openrouter_provider.py:65 · crypto · legacy
medium Legacy security crypto conf 1.00 [SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.
Enable SSL verification. Use verify=True (default) for requests. Pin certificates if needed.
src/providers/openai_provider.py:43 · crypto · legacy
medium Legacy security crypto conf 1.00 [SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.
Enable SSL verification. Use verify=True (default) for requests. Pin certificates if needed.
src/providers/deepseek_provider.py:56 · crypto · legacy
medium Legacy software redos conf 1.00 [SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process. CWE-1333. Real CVEs: CVE-2017-16129 (minimatch), CVE-2021-3807 (ansi-regex), and dozens more.
Three options, pick one: 1. Rewrite the pattern to avoid nested quantifiers. E.g. `(a+)+` is functionally equivalent to `a+` for matching purposes. 2. Use Google's re2 (`pip install google-re2`): linear-time, drop-in replacement for `re` for most use cases. 3. Set a hard timeout: `s…
src/tool_system/tools/worktree.py:12 · redos · legacy
medium Legacy quality quality conf 1.00 [SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0).
Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser).
demos/minecraft-app/src/utils/terrain.js:86 · quality · legacy
medium Legacy quality quality conf 1.00 [SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0).
Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser).
demos/adopt-me-app/src/pages/Trade.jsx:31 · quality · legacy
medium Legacy quality quality conf 1.00 [SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass.
Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files.
demos/crm-app/src/context/CRMContext.jsx:7 · quality · legacy
medium Legacy quality quality conf 1.00 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws — wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated.
Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows.
src/services/mcp/xaa_idp_login.py:142 · quality · legacy
medium Legacy quality quality conf 1.00 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws — wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated.
Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows.
src/services/compact/post_compact_attachments.py:252 · quality · legacy
medium Legacy quality quality conf 1.00 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws — wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated.
Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows.
src/config.py:246 · quality · legacy
high Legacy quality quality conf 0.68 Agent auto-approve or skip-permissions mode is easy to enable
Codex/agent auto-approve, YOLO, or skip-permissions modes can be useful in isolated automation, but they remove the human checkpoint before command execution, network access, and file edits.
src/entrypoints/headless.py:18 · quality · legacy
high Legacy quality quality conf 0.68 Agent auto-approve or skip-permissions mode is easy to enable
Codex/agent auto-approve, YOLO, or skip-permissions modes can be useful in isolated automation, but they remove the human checkpoint before command execution, network access, and file edits.
src/permissions/modes.py:93 · quality · legacy
high Legacy quality quality conf 0.68 Agent auto-approve or skip-permissions mode is easy to enable
Codex/agent auto-approve, YOLO, or skip-permissions modes can be useful in isolated automation, but they remove the human checkpoint before command execution, network access, and file edits.
src/entrypoints/tui.py:38 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/tool_system/renderers.py:95 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/tool_system/renderers.py:71 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/tool_system/registry.py:169 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/skills/loader.py:1174 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/skills/loader.py:563 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/skills/loader.py:1168 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/skills/loader.py:273 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/skills/loader.py:168 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/skills/argument_substitution.py:13 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/bridge/session_runner.py:810 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/bridge/session_runner.py:739 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/bridge/session_runner.py:795 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/bridge/debug_utils.py:109 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/plugins/loader.py:46 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
eval/run_compare.py:324 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
eval/run_compare.py:254 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/cli.py:537 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/token_estimation.py:252 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/token_estimation.py:394 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/token_estimation.py:36 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/config.py:255 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/config.py:137 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/__init__.py:10 · quality · legacy
medium Legacy quality quality conf 0.73 Codex session log reader may expose prompts or tool-call content
Codex session JSONL files can contain prompts, tool events, paths, and operational metadata, not only token counts. Token dashboards and exporters should avoid retaining or sharing raw session text.
src/services/session_storage.py:1 · quality · legacy
high Legacy software dependency conf 0.70 Remote install command pipes network code directly to a shell
Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified.
claude-code-wiki/raw/claude-code-sourcemap-learning-notebook/en/03_permission_security.md:21 · dependency · legacy
medium 9-layer quality integrity conf 1.00 Frontend route `/profile/:userId` has no Link/navigate to it — demos/linkedin-app/src/App.jsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
integrity · orphan-page · wiring
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — eval/run_compare.py:388
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity · fragile-runtime · robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — src/tool_system/tools/bash/background.py:79
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity · fragile-runtime · robustness
medium 9-layer cicd coverage conf 1.00 No CI/CD pipelines detected
No GitHub Actions, GitLab CI, or CircleCI configs found. Without CI you can't gate deploys on tests/lints.
coverage
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
src/tool_system/tools/grep.py:11 · quality · legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
src/providers/minimax_provider.py:46 · quality · legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
src/providers/base.py:43 · quality · legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
src/providers/anthropic_provider.py:305 · quality · legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
src/providers/openrouter_provider.py:60 · quality · legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
src/providers/openai_provider.py:41 · quality · legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
src/memdir/team_mem_prompts.py:109 · quality · legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
src/hooks/registry.py:125 · quality · legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
src/entrypoints/tui.py:49 · quality · legacy
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: demos/adopt-me-app/src/__tests__/App.test.jsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: demos/adopt-me-app/src/main.jsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: demos/adopt-me-app/src/setupTests.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: demos/adopt-me-app/vite.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: demos/crm-app/src/main.jsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: demos/crm-app/src/setupTests.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: demos/crm-app/vite.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: demos/linkedin-app/src/main.jsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: demos/linkedin-app/vite.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: demos/minecraft-app/src/main.jsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: demos/minecraft-app/src/utils/blocks.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: demos/minecraft-app/vite.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: eval/_describe_dataset.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/agent/constants.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/bridge/close_codes.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/constants/xml.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/context_system/cache_boundary.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/repl/at_file_completer.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/settings/constants.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer quality integrity conf 1.00 Legacy-named symbol `_get_hooks_from_options_legacy` in src/hooks/hook_executor.py:64
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `_safe_copy` in src/tui/agent_bridge.py:187
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `_shallow_copy` in src/agent/run_agent.py:311
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `active_use_ccr_v2` in src/bridge/repl_bridge.py:530
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `actual_old` in src/tool_system/tools/edit.py:285
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `alpha_v2` in tests/test_at_file_completer.py:479
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `fake_v1` in tests/bridge/test_init_repl_bridge.py:304
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `is_deprecated` in src/models/configs.py:20
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `is_deprecated` in src/models/model.py:23
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `is_deprecated` in tests/test_model_system.py:74
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `minecraft_v2` in src/command_system/input_processing.py:133
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `tasks_v2` in src/tool_system/context.py:85
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `tasks_v2` in src/tool_system/tools/__init__.py:28
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `tasks_v2` in src/tool_system/tools/tasks_v2.py:589
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `tasks_v2` in tests/tasks/test_local_agent_migration.py:102
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `tasks_v2` in tests/test_task_output_polling.py:23
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `tasks_v2` in tests/test_tool_classifier_input.py:20
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `tasks_v2` in tests/test_tool_system_tools.py:662
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `tengu_bridge_repl_v2` in src/bridge/init_repl_bridge.py:9
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `test_canonical_takes_precedence_over_legacy` in tests/test_tool_orchestration.py:121
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `test_coalesce_none_base_returns_overlay_copy` in tests/transports/test_worker_state_uploader.py:74
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `test_get_prompt_cache_1h_allowlist_returns_copy` in tests/test_cache_state.py:393
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `test_get_returns_copy` in tests/test_skills_bundled.py:72
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `test_set_then_get_returns_copy` in tests/test_bootstrap_state.py:813
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `use_ccr_v2` in src/bridge/bridge_main.py:481
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `use_ccr_v2` in src/bridge/session_runner.py:95
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `use_ccr_v2` in src/bridge/types.py:309
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `use_ccr_v2` in tests/bridge/test_bridge_main.py:307
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `use_ccr_v2` in tests/bridge/test_repl_bridge.py:173
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `use_ccr_v2` in tests/bridge/test_session_runner.py:81
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 12 places
Functions with the same first-5-line body hash: src/tui/vim_state.py:go, src/tui/vim_state.py:go, src/tui/vim_state.py:go, src/tui/vim_state.py:go. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're …
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: scripts/audit/query_engine.py:submit_message, scripts/audit/query_engine.py:stream_submit_message. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're s…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: scripts/audit/execution_registry.py:execute, scripts/audit/execution_registry.py:execute. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: scripts/audit/commands.py:load_command_snapshot, scripts/audit/tools.py:load_tool_snapshot. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/config.py:get_global_config_path, src/config.py:get. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/token_estimation.py:rough_token_count_estimation_for_messages, src/token_estimation.py:rough_token_count_estimation_for_message. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Con…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/context_system/prompt_assembly.py:build_full_system_prompt, src/context_system/prompt_assembly.py:build_full_system_prompt_blocks. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). C…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/repl/core.py:get_completions, src/repl/core.py:get_completions. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/tui/declared_cursor.py:flush_pending, src/tui/declared_cursor.py:flush_pending. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/tui/a11y.py:announce, src/tui/a11y.py:announce. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/tui/vim_buffer.py:is_empty, src/tui/vim_buffer.py:is_empty. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/tui/vim_buffer.py:lines, src/tui/vim_buffer.py:line. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/tui/screens/resume_conversation.py:compose, src/tui/screens/doctor.py:compose. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/tui/screens/idle_return.py:on_select_list_option_selected, src/tui/screens/exit_flow.py:on_select_list_option_selected. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate …
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/tui/widgets/transcript_view.py:append_assistant_chunk, src/tui/widgets/transcript_view.py:append_assistant. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document …
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/tui/widgets/transcript_view.py:append_thinking_chunk, src/tui/widgets/transcript_view.py:append_thinking. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document wh…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/agent/transcript.py:path, src/agent/transcript.py:path. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: src/tui/screens/mcp_dialogs.py:build_body, src/tui/screens/mcp_dialogs.py:build_body, src/tui/screens/mcp_dialogs.py:build_body. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consoli…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: src/tui/screens/mcp_dialogs.py:on_select_list_option_selected, src/tui/screens/mcp_dialogs.py:on_select_list_option_selected, src/tui/screens/mcp_dialogs.py:on_select_list_option_selected. This is *the* AI-coder failure mode (4× more duplication in vi…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 4 places
Functions with the same first-5-line body hash: src/tui/screens/model_picker.py:on_select_list_selection_cancelled, src/tui/screens/mcp_dialogs.py:on_select_list_selection_cancelled, src/tui/screens/mcp_dialogs.py:on_select_list_selection_cancelled, src/tui/screens/mcp_dialogs.py:on_select_list_sel…
integrity · duplicate · dry
low 9-layer software dead-code conf 1.00 Possibly dead Python function: apply_cost_hook
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/costHook.py:6 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: build_repl_banner
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/replLauncher.py:44 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: cmd_compare
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
eval/run_compare.py:775 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: cmd_prepare
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
eval/run_compare.py:344 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: cmd_run
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
eval/run_compare.py:648 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: command_names
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/audit/commands.py:51 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: count_message_breakdown_tokens
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/context_system/context_analyzer.py:104 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: count_tokens_with_api
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/token_estimation.py:335 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: do_GET
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/auth/oauth.py:87 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: flattened
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/audit/command_graph.py:15 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: go
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/tui/vim_state.py:922 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: launch_repl
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/replLauncher.py:53 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: log_message
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/auth/oauth.py:103 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: refresh_tokens
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/auth/oauth.py:149 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: replay_user_messages
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/audit/query_engine.py:134 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: save_local
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/config.py:206 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: set_project
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/config.py:223 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: tool_names
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/audit/tools.py:45 dead-code
low 9-layer quality integrity conf 1.00 Stub function `cleanup` (body is just `pass`/`return`) — src/services/mcp/types.py:103
Likely an AI scaffold that was never filled in. Remove or implement.
integrity · empty-handler · dead-code
low 9-layer quality integrity conf 1.00 Stub function `emit` (body is just `pass`/`return`) — src/services/analytics/sink.py:37
Likely an AI scaffold that was never filled in. Remove or implement.
integrity · empty-handler · dead-code
low 9-layer quality integrity conf 1.00 Stub function `from_dict` (body is just `pass`/`return`) — src/repl/core.py:59
Likely an AI scaffold that was never filled in. Remove or implement.
integrity · empty-handler · dead-code
low 9-layer quality integrity conf 1.00 Stub function `redirect_request` (body is just `pass`/`return`) — src/tool_system/tools/web_fetch.py:127
Likely an AI scaffold that was never filled in. Remove or implement.
integrity · empty-handler · dead-code
low 9-layer quality integrity conf 1.00 Stub function `report_state` (body is just `pass`/`return`) — src/bridge/repl_bridge_transport.py:387
Likely an AI scaffold that was never filled in. Remove or implement.
integrity · empty-handler · dead-code
low 9-layer quality complexity conf 1.00 Very large file: src/bridge/repl_bridge.py (1394 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/query/query.py (1671 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/repl/core.py (3239 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: tests/bridge/test_bridge_main.py (1480 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: tests/bridge/test_repl_bridge.py (2130 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low Legacy quality quality conf 1.00 ✓ Repobility [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context.
src/services/mcp/oauth_callback_server.py:73 · quality · legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context.
src/services/mcp/doctor.py:148 · quality · legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context.
src/bridge/work_secret.py:109 · quality · legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model.
Review and fix per the pattern semantics.
src/agent/agent_definitions.py:16 · quality · legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model.
Review and fix per the pattern semantics.
scripts/audit/architecture_stats.py:56 · quality · legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model.
Review and fix per the pattern semantics.
eval/compare_results.py:29 · quality · legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services.
Review and fix per the pattern semantics.
src/tool_system/tools/mcp.py:48 · quality · legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services.
Review and fix per the pattern semantics.
src/command_system/engine.py:109 · quality · legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services.
Review and fix per the pattern semantics.
scripts/audit/legacy_cli_repl.py:246 · quality · legacy
This page is publicly accessible at: https://repobility.com/scan/a323da9b-bb32-4324-b9e5-662ea243eca9/