Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo

Scan timing: clone 2.29s · analysis 33.51s · 22.7 MB · GitHub preflight 494ms

Gitlawb/openclaude

https://github.com/Gitlawb/openclaude · scanned 2026-05-31 01:22 UTC (5 days, 7 hours ago) · 10 languages

1461 findings (76 legacy + 1385 scanner) 10/13 scanners ran 59th percentile · Typescript · huge (>500K LoC) Scanner says 68 (higher by 18)

File as issue Image v2 schema
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 5 days, 7 hours ago · v2 · 776 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

JSON
Combined
79.3
/100
Repobility
91
76 legacy
9-layer
68
100.0% cov · 700 gaps
Critical
5
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 85.0 0.15 12.75
security_score 100.0 0.25 25.00
testing_score 74.0 0.20 14.80
documentation_score 100.0 0.15 15.00
practices_score 80.0 0.15 12.00
code_quality 69.0 0.10 6.90
Overall 1.00 86.5
security_score may be inflated — optional security scanners were skipped on this fast scan
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 5 High 18 Medium 21 Low 198 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Legacy 76 9-layer 700 Crowd 0 Layer: Quality 603 Software 61 Security 14 Cicd 2 Frontend 93 Hardware 3
Corpus Intelligence Cross-corpus context (cohort percentile, top patterns, fix plan) is shown only on repositories you own. Sign up and connect your repo to view it.
Scan summary Repository scanned at 68.0/100 with 100.0% coverage. It contains 15819 nodes across 3 cross-layer flows, written primarily in mixed languages. Engine surfaced 700 findings — concentrated in quality (542), frontend (93), software (52). Risk profile is high: 5 critical, 1 high, 11 medium. Recommended next step: open the quality layer findings first — that's where the highest-impact wins live.

Showing 241 of 776 findings. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

critical 9-layer security secrets conf 1.00 Possible secret in src/services/api/openaiShim.ts
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
src/services/api/openaiShim.ts:226 secrets
critical 9-layer security secrets conf 1.00 Possible secret in src/utils/powershell/parser.ts
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
src/utils/powershell/parser.ts:1343 secrets
critical 9-layer security secrets conf 1.00 Possible secret in src/utils/providerProfile.ts
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
src/utils/providerProfile.ts:1709 secrets
critical 9-layer security secrets conf 1.00 Possible secret in src/utils/providerProfile.ts
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
src/utils/providerProfile.ts:1756 secrets
critical 9-layer security secrets conf 1.00 Possible secret in src/utils/urlRedaction.ts
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
src/utils/urlRedaction.ts:36 secrets
low Legacy quality quality conf 1.00 ✓ Repobility [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context.
src/services/settingsSync/types.ts:30 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._ping_provider` used but never assigned in __init__: Method `_recheck_provider` of class `SmartRouter` reads `self._ping_provider`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._ping_provider = <default>` in __init__, or add a class-level default.
python/smart_router.py:361 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._ping_provider` used but never assigned in __init__: Method `initialize` of class `SmartRouter` reads `self._ping_provider`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._ping_provider = <default>` in __init__, or add a class-level default.
python/smart_router.py:171 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._recheck_provider` used but never assigned in __init__: Method `record_result` of class `SmartRouter` reads `self._recheck_provider`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._recheck_provider = <default>` in __init__, or add a class-level default.
python/smart_router.py:354 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._update_latency` used but never assigned in __init__: Method `record_result` of class `SmartRouter` reads `self._update_latency`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._update_latency = <default>` in __init__, or add a class-level default.
python/smart_router.py:341 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.api_key` used but never assigned in __init__: Method `is_configured` of class `Provider` reads `self.api_key`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.api_key = <default>` in __init__, or add a class-level default.
python/smart_router.py:62 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.error_rate` used but never assigned in __init__: Method `score` of class `Provider` reads `self.error_rate`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.error_rate = <default>` in __init__, or add a class-level default.
python/smart_router.py:80 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.get_model_for_provider` used but never assigned in __init__: Method `route` of class `SmartRouter` reads `self.get_model_for_provider`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.get_model_for_provider = <default>` in __init__, or add a class-level default.
python/smart_router.py:305 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.initialize` used but never assigned in __init__: Method `route` of class `SmartRouter` reads `self.initialize`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.initialize = <default>` in __init__, or add a class-level default.
python/smart_router.py:288 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.is_configured` used but never assigned in __init__: Method `score` of class `Provider` reads `self.is_configured`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.is_configured = <default>` in __init__, or add a class-level default.
python/smart_router.py:75 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.is_large_request` used but never assigned in __init__: Method `route` of class `SmartRouter` reads `self.is_large_request`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.is_large_request = <default>` in __init__, or add a class-level default.
python/smart_router.py:291 qualitylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `node:22-slim` not pinned by digest: `FROM node:22-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM node:22-slim@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
Dockerfile:31 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `node:22-slim` not pinned by digest: `FROM node:22-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM node:22-slim@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
Dockerfile:2 dependencylegacy
high Legacy security credential_exposure conf 1.00 [SEC018] AI-Agent Secret Retrieval Command: A command that prints or embeds credentials was committed. AI coding agents often add these commands while trying to help with setup or deployment, but they can leak live secrets through logs, shell history, CI output, or documentation.
Remove the command, use a secret manager or CI masked secret, and rotate any credential that may have been printed.
src/utils/secureStorage/macOsKeychainStorage.ts:40 credential_exposurelegacy
low Legacy software xss conf 1.00 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.
For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.
src/components/permissions/hooks.ts:80 xsslegacy
low Legacy software xss conf 1.00 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.
For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.
src/components/LogoPicker.tsx:26 xsslegacy
low Legacy software xss conf 1.00 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.
For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.
scripts/render-coverage-heatmap.ts:197 xsslegacy
low Legacy quality quality conf 1.00 [SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
Use a literal RegExp or whitelist-validate user input before constructing patterns.
src/tools/BashTool/sedEditParser.ts:314 qualitylegacy
low Legacy quality quality conf 1.00 [SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
Use a literal RegExp or whitelist-validate user input before constructing patterns.
src/services/teamMemorySync/secretScanner.ts:233 qualitylegacy
low Legacy quality quality conf 1.00 [SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
Use a literal RegExp or whitelist-validate user input before constructing patterns.
scripts/no-telemetry-plugin.ts:130 qualitylegacy
low Legacy quality quality conf 1.00 [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
Use execFile / spawn with separate args array; never pass shell strings.
src/components/GlobalSearchDialog.tsx:332 qualitylegacy
low Legacy quality quality conf 1.00 [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
Use execFile / spawn with separate args array; never pass shell strings.
src/buddy/useBuddyNotification.tsx:90 qualitylegacy
low Legacy quality quality conf 1.00 [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
Use execFile / spawn with separate args array; never pass shell strings.
scripts/pr-intent-scan.ts:123 qualitylegacy
high Legacy security auth conf 0.78 Consent is collected in UI without visible backend audit persistence
Persist consent as a backend record with subject, actor, purpose, scope, legal text version, timestamp, IP address, user agent, and revocation state.
src/screens/REPL.tsx:3251 authlegacy
high 9-layer security owasp conf 1.00 Insecure pattern 'exec_used' in src/utils/auth.ts:678
Found a known-risky pattern (exec_used). Review and replace if possible.
src/utils/auth.ts:678 owaspexec_used
medium Legacy quality error_handling conf 1.00 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
src/components/Onboarding.tsx:167 error_handlinglegacy
medium Legacy quality error_handling conf 1.00 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
src/commands/rename/rename.ts:71 error_handlinglegacy
medium Legacy quality error_handling conf 1.00 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
src/bridge/replBridgeHandle.ts:22 error_handlinglegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
python/atomic_chat_provider.py:35 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
python/ollama_provider.py:30 qualitylegacy
medium Legacy software redos conf 1.00 [SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process. CWE-1333. Real CVEs: CVE-2017-16129 (minimatch), CVE-2021-3807 (ansi-regex), and dozens more.
Three options, pick one: 1. Rewrite the pattern to avoid nested quantifiers. E.g. `(a+)+` is functionally equivalent to `a+` for matching purposes. 2. Use Google's re2 (`pip install google-re2`): linear-time, drop-in replacement for `re` for most use cases. 3. Set a hard timeout: `s…
src/tools/shared/gitOperationTracking.ts:23 redoslegacy
medium Legacy quality quality conf 1.00 [SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass.
Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files.
src/utils/mcp/elicitationValidation.ts:24 qualitylegacy
medium Legacy quality quality conf 1.00 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws — wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated.
Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows.
src/utils/storage/SQLiteProvider.ts:257 qualitylegacy
medium Legacy quality quality conf 0.70 Public web app has no Content Security Policy
Add a Content-Security-Policy header through the web framework or hosting config. For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, img-src, and frame-ancestors.
index.html qualitylegacy
medium Legacy quality quality conf 0.78 Public web service has no security.txt
Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored.
.well-known/security.txt qualitylegacy
medium Legacy quality quality conf 0.78 React interval is created without an explicit cleanup
Store the interval id and return a useEffect cleanup that calls clearInterval. Also clear the interval in explicit stop/end handlers when relevant.
src/cli/print.ts:549 qualitylegacy
medium Legacy quality quality conf 0.78 React interval is created without an explicit cleanup
Store the interval id and return a useEffect cleanup that calls clearInterval. Also clear the interval in explicit stop/end handlers when relevant.
src/components/Spinner/useShimmerAnimation.ts:13 qualitylegacy
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — src/commands/security-review.ts:169
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/hooks/useTasksV2.ts:69
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/services/api/claude.ts:1890
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/services/api/fetchWithProxyRetry.test.ts:48
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/services/mcp/client.ts:488
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/utils/genericProcessUtils.ts:33
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/utils/providerDiscovery.ts:279
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/release.yml supply-chaingithub-actionsleast-privilege
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in src/commands/security-review.ts:169
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
src/commands/security-review.ts:169 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'weak_hash' in src/services/settingsSync/types.ts:30
Found a known-risky pattern (weak_hash). Review and replace if possible.
src/services/settingsSync/types.ts:30 owaspweak_hash
medium 9-layer security owasp conf 1.00 Insecure pattern 'weak_hash' in src/tools/BashTool/pathValidation.ts:549
Found a known-risky pattern (weak_hash). Review and replace if possible.
src/tools/BashTool/pathValidation.ts:549 owaspweak_hash
low Legacy cicd docker conf 0.72 .dockerignore misses sensitive defaults
Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases.
.dockerignore dockerlegacy
low Legacy quality quality conf 1.00 [SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites — the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p
Python: `f"prefix {var} suffix"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically.
src/cli/handlers/autoMode.ts:125 qualitylegacy
low Legacy quality quality conf 0.64 Public docs site has no llms.txt
Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents.
llms.txt qualitylegacy
low Legacy quality quality conf 0.50 Public web app has no humans.txt
Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date.
humans.txt qualitylegacy
low Legacy quality quality conf 0.74 Public web app has no robots.txt
Add robots.txt at the web root or a framework-native robots route. Include an explicit Sitemap directive and disallow only private paths.
robots.txt qualitylegacy
low Legacy quality quality conf 0.72 Public web app has no sitemap
Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt.
sitemap.xml qualitylegacy
low 9-layer quality maintenance conf 1.00 129 TODO/FIXME markers
High count of TODO/FIXME/HACK markers — track them as issues so they're not forgotten.
maintenance
low 9-layer quality integrity conf 1.00 548 env vars used in code but missing from .env.example
Drift between code and config docs. The first few: `ALACRITTY_LOG`, `ALLOW_ANT_COMPUTER_USE_MCP`, `ALL_PROXY`, `ANTHROPIC_AUTH_TOKEN`, `ANTHROPIC_BASE_URL`, `ANTHROPIC_BEDROCK_BASE_URL`, `ANTHROPIC_BETAS`, `ANTHROPIC_CUSTOM_HEADERS` + 540 more. Add them (with a placeholder/comment) to .env.example …
integrityconfig-drift
low 9-layer hardware coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
coveragedeployment
low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: node:22-slim
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
Dockerfile:2 supply-chaindockerpinned-dependencies
low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: node:22-slim
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
Dockerfile:31 supply-chaindockerpinned-dependencies
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: python/tests/conftest.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: scripts/externals.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: scripts/feature-flags-source-guard.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: scripts/generate-integrations-artifacts.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: scripts/missing-module-stub.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: scripts/no-telemetry-growthbook-stub.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: scripts/openclaude-bin-heap.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: scripts/provider-discovery.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: scripts/system-check.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: scripts/verify-no-phone-home.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/global.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/integrations/brands/claude.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/integrations/brands/deepseek.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/integrations/brands/gemini.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/integrations/brands/glm.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/integrations/brands/kimi.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/integrations/brands/llama.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/integrations/brands/minimax.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/integrations/brands/mistral.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/integrations/brands/nemotron.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/integrations/brands/qwen.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/integrations/brands/xiaomi-mimo.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/integrations/compatibility.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/integrations/descriptors.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/integrations/generated/integrationArtifacts.generated.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/integrations/index.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/integrations/models/claude.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/integrations/models/deepseek.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/integrations/models/llama.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/integrations/models/minimax.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/integrations/models/nemotron.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/integrations/models/opencode.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/integrations/models/xai.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/integrations/models/xiaomi-mimo.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/integrations/routeMetadata.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/projectOnboardingState.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/QueryEngine.autoCompactCooldown.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/tools.lsp.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/sdk/casing.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/sdk/generated-types.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/sdk/sdk-context-isolation.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/sdk/sdk-v2-lifecycle.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/sdk/session-functions.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/sdk/shared-utils.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/sdk/tool-schema-cache.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: vscode-extension/openclaude-vscode/src/state.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: web/src/content.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: web/src/main.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: web/src/vite-env.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: web/vite.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer quality integrity conf 1.00 Legacy-named symbol `acct_old` in src/utils/codexCredentials.test.ts:227
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `actualOld` in src/components/FileEditToolDiff.tsx:173
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `actualOld` in src/tools/FileEditTool/UI.tsx:263
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `compactedOld` in src/services/compact/microCompact.test.ts:167
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `disabledLegacy` in src/utils/plugins/pluginLoader.test.ts:58
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `has_backup` in src/utils/config.ts:1596
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `hint_v2` in src/screens/REPL.tsx:4128
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `installed_plugins_v2` in src/services/plugins/pluginOperations.ts:518
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `installed_plugins_v2` in src/utils/plugins/installedPluginsManager.ts:83
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `isDeprecated` in src/utils/model/deprecation.ts:10
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `no_backup` in src/utils/appleTerminalBackup.ts:75
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `no_backup` in src/utils/iTermBackup.ts:36
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `profile_old` in src/commands/onboard-github/onboard-github.test.ts:66
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `provider_old` in src/commands/provider/provider.test.tsx:501
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `resolvedOld` in src/utils/plugins/marketplaceManager.ts:1892
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `tengu_bridge_repl_v2` in src/bridge/bridgeEnabled.ts:120
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `tengu_bridge_repl_v2` in src/bridge/initReplBridge.ts:412
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `tengu_bridge_repl_v2` in src/bridge/remoteBridgeCore.ts:27
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `tengu_copy` in src/commands/copy/copy.tsx:194
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `tengu_otk_slot_v1` in src/query.ts:1335
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `tengu_otk_slot_v1` in src/services/api/claude.ts:3409
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `tengu_otk_slot_v1` in src/services/compact/autoCompact.test.ts:174
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `unlinkIfOld` in src/utils/cleanup.ts:134
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `work_v1` in src/bridge/pollConfig.ts:66
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality tests conf 1.00 Low test-to-source ratio
322 tests / 2216 src (ratio 0.15).
tests
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 4 places
Functions with the same first-5-line body hash: python/ollama_provider.py:ollama_chat, python/ollama_provider.py:ollama_chat_stream, python/atomic_chat_provider.py:atomic_chat, python/atomic_chat_provider.py:atomic_chat_stream This is *the* AI-coder failure mode (4× more duplication in vibe-coded …
integrityduplicatedry
low 9-layer software dead-code conf 1.00 Possibly dead Python function: atomic_chat_stream
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
python/atomic_chat_provider.py:94 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: ollama_chat_stream
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
python/ollama_provider.py:130 dead-code
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — scripts/build.ts:459
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — scripts/generate-integrations-artifacts.ts:14
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — scripts/generate-sdk-types.ts:428
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — scripts/grpc-cli.ts:49
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — scripts/no-telemetry-plugin.ts:138
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — scripts/provider-bootstrap.ts:186
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — scripts/provider-launch.ts:124
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — scripts/provider-recommend.ts:98
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — scripts/render-coverage-heatmap.ts:389
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — scripts/start-grpc.ts:14
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — scripts/system-check.ts:605
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — scripts/validate-externals.ts:44
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — scripts/verify-no-phone-home.ts:26
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/bridge/bridgeMain.ts:1949
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/cli/handlers/agents.ts:63
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/cli/handlers/mcp.tsx:253
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/cli/handlers/plugins.ts:76
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/components/ThemePicker.tsx:50
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/entrypoints/cli.tsx:86
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/entrypoints/sdk/query.ts:1001
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/entrypoints/sdk/v2.ts:126
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/grpc/server.ts:47
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/services/plugins/pluginCliCommands.ts:109
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/setup.ts:121
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/utils/worktree.ts:1336
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — tests/sdk/package-consumer-types.test.ts:174
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer quality complexity conf 1.00 Very large file: src/bootstrap/state.ts (1672 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/bridge/bridgeMain.ts (2991 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/bridge/replBridge.ts (2426 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/cli/print.ts (5614 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/commands/insights.ts (2932 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/commands/plugin/ManagePlugins.tsx (2214 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/commands/provider/provider.tsx (1818 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/components/LogSelector.tsx (1574 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/components/PromptInput/PromptInput.tsx (2411 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/components/ProviderManager.test.tsx (2194 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/components/ProviderManager.tsx (2646 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/components/Settings/Config.tsx (1874 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/constants/prompts.ts (909 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/entrypoints/sdk/coreSchemas.ts (1910 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/entrypoints/sdk/coreTypes.generated.ts (2355 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/hooks/useTypeahead.tsx (1392 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/ink/ink.tsx (1752 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/ink/render-node-to-output.ts (1495 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/main.tsx (4704 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/native-ts/yoga-layout/index.ts (2578 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/query.ts (1990 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/QueryEngine.ts (1443 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/screens/REPL.tsx (5177 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/services/api/claude.ts (3432 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/services/api/openaiShim.test.ts (5985 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/services/api/openaiShim.ts (3102 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/services/compact/compact.ts (1712 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/services/mcp/auth.ts (2507 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/services/mcp/client.ts (3410 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/services/mcp/config.ts (1578 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/services/tools/toolExecution.ts (1712 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/tools/AgentTool/AgentTool.tsx (1422 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/tools/BashTool/bashPermissions.ts (2643 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/tools/BashTool/bashSecurity.ts (2612 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/tools/BashTool/readOnlyValidation.ts (1924 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/tools/PowerShellTool/pathValidation.ts (2049 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/tools/PowerShellTool/powershellPermissions.ts (1684 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/tools/PowerShellTool/readOnlyValidation.ts (1823 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/utils/attachments.ts (4017 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/utils/auth.ts (2027 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/utils/bash/ast.ts (2679 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/utils/bash/bashParser.ts (4436 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/utils/bash/commands.ts (1339 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/utils/config.ts (1918 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/utils/hooks.ts (5265 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/utils/messages.ts (5530 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/utils/nativeInstaller/installer.ts (1712 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/utils/permissions/filesystem.ts (1837 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/utils/permissions/permissions.ts (1525 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/utils/permissions/permissionSetup.ts (1813 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/utils/permissions/yoloClassifier.ts (1603 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/utils/plugins/marketplaceManager.ts (2644 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/utils/plugins/pluginLoader.ts (3579 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/utils/plugins/schemas.ts (1681 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/utils/powershell/parser.ts (1804 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/utils/providerProfile.test.ts (1599 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/utils/providerProfile.ts (1767 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/utils/providerProfiles.test.ts (2139 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/utils/sessionStorage.ts (5357 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/utils/shell/readOnlyCommandValidation.ts (1893 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/utils/swarm/inProcessRunner.ts (1565 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/utils/teleport.tsx (1225 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/utils/worktree.ts (1583 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low Legacy quality quality conf 1.00 ✓ Repobility [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context.
src/services/api/codexOAuthShared.ts:67 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context.
src/commands/plugin/parseArgs.ts:46 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context.
src/commands/mcp/addCommand.ts:129 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
Review and fix per the pattern semantics. See CWE-476 / for context.
src/bridge/bridgeEnabled.ts:81 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
Review and fix per the pattern semantics. See CWE-476 / for context.
scripts/provider-launch.ts:196 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
Review and fix per the pattern semantics. See CWE-476 / for context.
scripts/grpc-cli.ts:107 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context.
scripts/provider-recommend.ts:254 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
Review and fix per the pattern semantics. See CWE-704 / for context.
src/grpc/server.ts:22 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
Review and fix per the pattern semantics. See CWE-704 / for context.
src/entrypoints/mcp.ts:226 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
Review and fix per the pattern semantics. See CWE-704 / for context.
scripts/grpc-cli.ts:16 qualitylegacy
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/a75ab839-80fb-497b-bd17-48a725fff0cb/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/a75ab839-80fb-497b-bd17-48a725fff0cb/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.