86 of your 143 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.
Upstream (GitHub) caused delay on this scan — not Repobility.
  • GitHub API rate-limited (HTTP 403) — preflight skipped, fell back to direct git clone.
  • Clone from GitHub took 88.22s for a 117.9 MB repo (slow).
  • Repobility's analysis ran in 25.68s after the clone landed.

toeverything/AFFiNE

https://github.com/toeverything/AFFiNE · scanned 2026-06-05 08:38 UTC (5 days, 19 hours ago) · 10 languages

1552 raw signals (126 security + 1426 graph) · 10/13 scanners ran · 27th percentile · TypeScript · huge (>500K LoC) · System graph score 53 (higher by 25)


Complete repo analysis

Last scanned 5 days, 19 hours ago · v2 · 693 actionable findings from 2 signal sources. 146 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown — 2026-05-18-v5

| Component | Sub-score | Weight | Contribution |
|---|---|---|---|
| structure_score | 60.0 | 0.15 | 9.00 |
| security_score | 100.0 | 0.25 | 25.00 |
| testing_score | 55.0 | 0.20 | 11.00 |
| documentation_score | 70.0 | 0.15 | 10.50 |
| practices_score | 96.0 | 0.15 | 14.40 |
| code_quality | 80.0 | 0.10 | 8.00 |
| Overall | | 1.00 | 77.9 |

security_score may be inflated — optional security scanners were skipped on this fast scan
Active filters: excluding tests
Scan summary Quality grade B+ (78/100). Dimensions: security 100, maintainability 60. 126 findings (64 security). 779,759 lines analyzed.

Showing 313 of 693 actionable findings. 839 raw detector signals were grouped into reader-sized issues.

critical Security checks software dependencies conf 0.90 ✓ Repobility [MINED129] Committed yarn npmAuthToken in .yarnrc.yml: `.yarnrc.yml` contains a yarn npmAuthToken. If this file is committed to the repo, the credential is leaked to every developer and CI system. Anyone with read access to the repo can publish packages as you.
1) Revoke the leaked credential immediately. 2) `git rm` the file. 3) Add it to .gitignore. 4) Use environment variables for npm/yarn/pip auth: `_authToken=${NPM_TOKEN}` (literal — npm expands env vars in .npmrc).
.yarnrc.yml:9
critical Security checks cicd CI/CD security conf 0.96 Compose service contains a literal secret environment value
Rotate the value if real. Move it to Docker Compose secrets, a platform secret manager, or an uncommitted environment file.
.devcontainer/docker-compose.yml:16 CI/CD security · containers
critical System graph security Secrets conf 1.00 Possible secret in packages/backend/server/ava.config.js
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
packages/backend/server/ava.config.js:28
critical System graph security Secrets conf 1.00 Possible secret in packages/frontend/admin/src/modules/accounts/components/use-user-management.ts
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
packages/frontend/admin/src/modules/accounts/components/use-user-management.ts:138
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express DELETE /recordings/:foldername has no auth: Express route DELETE /recordings/:foldername declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.delete('/recordings/:foldername', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
packages/frontend/media-capture-playground/server/main.ts:793
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /apps/:process_id/record has no auth: Express route POST /apps/:process_id/record declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/apps/:process_id/record', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
packages/frontend/media-capture-playground/server/main.ts:862
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /apps/:process_id/stop has no auth: Express route POST /apps/:process_id/stop declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/apps/:process_id/stop', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
packages/frontend/media-capture-playground/server/main.ts:878
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /global/record has no auth: Express route POST /global/record declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/global/record', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
packages/frontend/media-capture-playground/server/main.ts:1050
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /global/stop has no auth: Express route POST /global/stop declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/global/stop', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
packages/frontend/media-capture-playground/server/main.ts:1060
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /recordings/:foldername/transcribe has no auth: Express route POST /recordings/:foldername/transcribe declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/recordings/:foldername/transcribe', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
packages/frontend/media-capture-playground/server/main.ts:885
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /transcribe has no auth: Express route POST /transcribe declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/transcribe', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
packages/frontend/media-capture-playground/server/main.ts:971
high Security checks software dependencies conf 0.90 ✓ Repobility 2 occurrences [MINED118] Dockerfile FROM `node:22-bookworm-slim` not pinned by digest: `FROM node:22-bookworm-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM node:22-bookworm-slim@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
.github/deployment/node/Dockerfile:2, 20 (2 hits)
high Security checks software dependencies conf 0.90 ✓ Repobility 20 occurrences [MINED126] Workflow container/services image `pgvector/pgvector:pg16` unpinned: `container/services image: pgvector/pgvector:pg16` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
Replace with `pgvector/pgvector:pg16@sha256:<digest>`. Re-pin via Dependabot Docker scope.
2 files, 20 locations
.github/workflows/build-test.yml:600, 615, 620, 671, 686, 749, 764, 968, +7 more (15 hits)
.github/workflows/copilot-test.yml:43, 58, 63, 118, 133 (5 hits)
high Security checks software dependencies conf 0.90 ✓ Repobility [MINED134] Binary file `packages/frontend/apps/android/App/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `packages/frontend/apps/android/App/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (43,705 bytes) committed to a repo that otherwise has 7800 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts.
Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source.
packages/frontend/apps/android/App/gradle/wrapper/gradle-wrapper.jar:1
high Security checks software Prototype pollution conf 1.00 [SEC033] Prototype Pollution — unfiltered merge of user object: Merging user-controlled object into a target without filtering `__proto__`/`constructor`/`prototype` keys lets attackers inject properties onto Object.prototype, affecting every object in the process. CWE-1321. Real-world: CVE-2019-10744 (lodash), CVE-2021-23337 (lodash.set), CVE-2023-26136 (tough-cookie).
Sanitize keys BEFORE merge: function sanitize(obj) { delete obj.__proto__; delete obj.constructor; delete obj.prototype; return obj; } Or use Object.create(null) for the target. Or use Map() for user-key-indexed data. Upgrade lodash >= 4.17.21 for partial mitigation.
blocksuite/affine/blocks/surface/src/utils/path-data-parser/parser.ts:101
high Security checks security auth conf 0.78 Consent is collected in UI without visible backend audit persistence
Persist consent as a backend record with subject, actor, purpose, scope, legal text version, timestamp, IP address, user agent, and revocation state.
packages/backend/server/src/core/permission/types.ts:279
high Security checks security auth conf 0.83 Secret-like setting is echoed into a password input value
Never prefill secret fields with stored values. Show a masked status such as configured/not configured, require explicit rotation to replace the value, and return the raw key only once at creation time.
packages/frontend/core/src/desktop/dialogs/setting/account-setting/integrations-panel.tsx:287
high Security checks security auth conf 0.83 Secret-like setting is echoed into a password input value
Never prefill secret fields with stored values. Show a masked status such as configured/not configured, require explicit rotation to replace the value, and return the raw key only once at creation time.
packages/frontend/admin/src/modules/setup/create-admin.tsx:92
high System graph security Secrets conf 1.00 .env file present in repo: blocksuite/playground/.env
A raw .env file is in the working tree. Verify it isn't committed and that secrets are in a vault.
Config
high System graph api Wiring conf 1.00 Dangling fetch: DELETE /api/collection/${this.name}/blob/${key} (blocksuite/playground/apps/_common/sync/blob/mock-server.ts:24)
`blocksuite/playground/apps/_common/sync/blob/mock-server.ts:24` calls `DELETE /api/collection/${this.name}/blob/${key}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/collection/<p>/blob/<p>` If this points at an e…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /${name}.png (blocksuite/framework/store/src/__tests__/test-utils-dom.ts:74)
`blocksuite/framework/store/src/__tests__/test-utils-dom.ts:74` calls `GET /${name}.png` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/<p>.png` If this points at an external API, prefix it with `https://` so the ma…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/collection/${this.name}/blob/${key} (blocksuite/playground/apps/_common/sync/blob/mock-server.ts:44)
`blocksuite/playground/apps/_common/sync/blob/mock-server.ts:44` calls `GET /api/collection/${this.name}/blob/${key}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/collection/<p>/blob/<p>` If this points at an exte…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/recordings/${fileName}/recording.wav (packages/frontend/media-capture-playground/web/components/saved-recording-item.tsx:641)
`packages/frontend/media-capture-playground/web/components/saved-recording-item.tsx:641` calls `GET /api/recordings/${fileName}/recording.wav` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/recordings/<p>/recording.…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /Clear-Site-Data (blocksuite/playground/apps/_common/components/starter-debug-menu.ts:245)
`blocksuite/playground/apps/_common/components/starter-debug-menu.ts:245` calls `GET /Clear-Site-Data` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/clear-site-data` If this points at an external API, prefix it wit…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://localhost:8025/api/v2/messages (tests/kit/src/utils/cloud.ts:20)
`tests/kit/src/utils/cloud.ts:20` calls `GET http://localhost:8025/api/v2/messages` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/localhost:8025/api/v2/messages` If this points at an external API, prefix it w…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://localhost:8025/api/v2/messages (tests/kit/src/utils/cloud.ts:26)
`tests/kit/src/utils/cloud.ts:26` calls `GET http://localhost:8025/api/v2/messages` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/localhost:8025/api/v2/messages` If this points at an external API, prefix it w…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://api.revenuecat.com/v2/projects/${this.projectId}/customers/${customerId}/aliases (packages/backend/server/src/plugins/payment/revenuecat/service.ts:229)
`packages/backend/server/src/plugins/payment/revenuecat/service.ts:229` calls `GET https://api.revenuecat.com/v2/projects/${this.projectId}/customers/${customerId}/aliases` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matchin…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://api.revenuecat.com/v2/projects/${this.projectId}/customers/${customerId}/subscriptions (packages/backend/server/src/plugins/payment/revenuecat/service.ts:303)
`packages/backend/server/src/plugins/payment/revenuecat/service.ts:303` calls `GET https://api.revenuecat.com/v2/projects/${this.projectId}/customers/${customerId}/subscriptions` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for m…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://api.revenuecat.com/v2/projects/${this.projectId}/entitlements/${entId}?expand=product (packages/backend/server/src/plugins/payment/revenuecat/service.ts:191)
`packages/backend/server/src/plugins/payment/revenuecat/service.ts:191` calls `GET https://api.revenuecat.com/v2/projects/${this.projectId}/entitlements/${entId}?expand=product` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for ma…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://api.revenuecat.com/v2/projects/${this.projectId}/subscriptions?store_subscription_identifier=${encodeURIComponent(externalRef)} (packages/backend/server/src/plugins/payment/revenuecat/service.ts:268)
`packages/backend/server/src/plugins/payment/revenuecat/service.ts:268` calls `GET https://api.revenuecat.com/v2/projects/${this.projectId}/subscriptions?store_subscription_identifier=${encodeURIComponent(externalRef)}` but no backend route matches that path. This is a runtime 404 waiting to happen…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://api.unsplash.com/search/photos?${query} (packages/backend/server/src/plugins/copilot/controller.ts:316)
`packages/backend/server/src/plugins/copilot/controller.ts:316` calls `GET https://api.unsplash.com/search/photos?${query}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.unsplash.com/search/photos` If th…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://readwise.io/api/v2/auth/ (packages/frontend/core/src/modules/integration/entities/readwise-crawler.ts:74)
`packages/frontend/core/src/modules/integration/entities/readwise-crawler.ts:74` calls `GET https://readwise.io/api/v2/auth/` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/readwise.io/api/v2/auth` If this po…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/worker/questionnaire (packages/frontend/component/src/components/auth-components/onboarding-page.tsx:220)
`packages/frontend/component/src/components/auth-components/onboarding-page.tsx:220` calls `POST /api/worker/questionnaire` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/worker/questionnaire` If this points at an e…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST https://api.revenuecat.com/v1/subscribers/identify (packages/backend/server/src/plugins/payment/revenuecat/service.ts:148)
`packages/backend/server/src/plugins/payment/revenuecat/service.ts:148` calls `POST https://api.revenuecat.com/v1/subscribers/identify` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.revenuecat.com/v1/sub…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: PUT /api/collection/${this.name}/blob/${key} (blocksuite/playground/apps/_common/sync/blob/mock-server.ts:80)
`blocksuite/playground/apps/_common/sync/blob/mock-server.ts:80` calls `PUT /api/collection/${this.name}/blob/${key}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/collection/<p>/blob/<p>` If this points at an exte…
Dangling fetch · Fetch
high System graph security security conf 1.00 Insecure pattern 'eval_used' in packages/backend/server/src/base/cache/provider.ts:97
Found a known-risky pattern (eval_used). Review and replace if possible.
packages/backend/server/src/base/cache/provider.ts:97 Eval used
high System graph security security conf 1.00 Insecure pattern 'exec_used' in tools/cli/src/clean.ts:69
Found a known-risky pattern (exec_used). Review and replace if possible.
tools/cli/src/clean.ts:69 Exec used
high System graph security security conf 1.00 Insecure pattern 'exec_used' in tools/utils/src/yarn.ts:23
Found a known-risky pattern (exec_used). Review and replace if possible.
tools/utils/src/yarn.ts:23 Exec used
medium Security checks security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them.
medium Security checks quality Quality conf 1.00 [SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0).
Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser).
blocksuite/affine/blocks/surface/src/utils/rough/math.ts:2
medium Security checks cicd CI/CD security conf 0.86 Database dump or local database file is included in Docker build context
Move database dumps outside the Docker build context or exclude them with .dockerignore. Keep backup and restore artifacts in private object storage or a dedicated backup workflow.
.dockerignore CI/CD security · containers
medium Security checks cicd CI/CD security conf 0.74 Database service has no persistent data volume
Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing.
.docker/selfhost/compose.yml:46 CI/CD security · containers
medium Security checks cicd CI/CD security conf 0.74 Database service has no persistent data volume
Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing.
.devcontainer/docker-compose.yml:25 CI/CD security · containers
high Security checks cicd CI/CD security conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
.github/deployment/node/Dockerfile:21 CI/CD security · containers
medium Security checks quality Quality conf 0.70 Public web app has no Content Security Policy
Add a Content-Security-Policy header through the web framework or hosting config. For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, img-src, and frame-ancestors.
index.html
medium Security checks quality Quality conf 0.78 Public web service has no security.txt
Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored.
.well-known/security.txt
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — packages/frontend/admin/src/components/ui/chart.tsx:70
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — packages/frontend/admin/src/modules/settings/config-input-row.tsx:192
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — packages/frontend/core/src/components/root-app-sidebar/user-info/unknow-user.tsx:25
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — packages/frontend/core/src/desktop/dialogs/setting/general-setting/experimental-features/arts.tsx:13
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — packages/frontend/core/src/desktop/dialogs/setting/general-setting/plans/lifetime/believer-card.tsx:19
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — packages/frontend/core/src/desktop/dialogs/setting/workspace-setting/storage/blob-management.tsx:55
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — packages/frontend/core/src/desktop/pages/workspace/detail-page/tabs/journal/template-onboarding.tsx:118
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — blocksuite/affine/shared/src/services/embed-iframe/embed-iframe-service.ts:122
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — blocksuite/affine/shared/src/services/link-preview-service/link-preview-service.ts:86
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — blocksuite/framework/store/src/__tests__/test-utils-dom.ts:74
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — blocksuite/playground/apps/_common/components/starter-debug-menu.ts:245
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — blocksuite/playground/apps/_common/sync/blob/mock-server.ts:24
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — blocksuite/playground/apps/_common/sync/websocket/utils.ts:3
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/backend/server/src/__tests__/copilot/copilot.e2e.ts:478
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/backend/server/src/__tests__/user/user.e2e.ts:32
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/backend/server/src/core/doc/reader.ts:286
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/backend/server/src/plugins/calendar/providers/caldav.ts:678
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/backend/server/src/plugins/calendar/providers/google.ts:331
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/backend/server/src/plugins/captcha/service.ts:60
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/backend/server/src/plugins/copilot/controller.ts:316
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/backend/server/src/plugins/payment/revenuecat/service.ts:191
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/common/nbstore/src/impls/cloud/blob.ts:103
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/frontend/admin/src/fetch-utils.ts:42
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/frontend/apps/electron-renderer/src/app/effects/recording.ts:74
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/frontend/apps/electron/src/main/auth/handlers.ts:56
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/frontend/apps/electron/src/main/protocol.ts:101
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/frontend/apps/mobile-shared/src/nbstore/payload.ts:124
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/frontend/component/src/components/auth-components/onboarding-page.tsx:110
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/frontend/core/src/blocksuite/ai/actions/edgeless-response.ts:544
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/frontend/core/src/blocksuite/ai/actions/page-response.ts:172
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/frontend/core/src/blocksuite/ai/provider/setup-provider.tsx:50
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/frontend/core/src/components/affine/page-history-modal/data.ts:86
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/frontend/core/src/components/providers/workspace-side-effects.tsx:69
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/frontend/core/src/desktop/pages/auth/oauth-login.tsx:61
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/frontend/core/src/modules/cloud/impl/auth.ts:34
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/frontend/core/src/modules/cloud/services/auth.ts:115
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/frontend/core/src/modules/cloud/services/captcha.ts:39
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/frontend/core/src/modules/cloud/services/fetch.ts:25
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/frontend/core/src/modules/cloud/stores/auth.ts:89
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/frontend/core/src/modules/import-template/store/downloader.ts:9
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/frontend/core/src/modules/integration/entities/readwise-crawler.ts:49
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/frontend/core/src/utils/first-app-data.ts:24
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/frontend/core/src/utils/opus-encoding.ts:90
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph hardware Security conf 1.00 Dockerfile runs as root: .github/deployment/node/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph quality Integrity conf 1.00 Frontend route `/admin/settings` has no Link/navigate to it — packages/frontend/admin/src/modules/settings/index.spec.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
Orphan page · Wiring
medium System graph cicd CI/CD security conf 1.00 22 occurrences GitHub Action is tag-pinned rather than SHA-pinned
docker/login-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
8 files, 22 locations
.github/workflows/build-test.yml:52, 62, 65, 386, 650 (5 hits)
.github/workflows/build-images.yml:212, 219, 221, 267 (4 hits)
.github/workflows/copilot-test-automatically.yml:21, 26 (4 hits)
.github/workflows/release-mobile.yml:117, 188, 215 (3 hits)
.github/workflows/release-desktop-platform.yml:104 (2 hits)
.github/workflows/release.yml:164, 171 (2 hits)
.github/workflows/copilot-test.yml:93
.github/workflows/release-desktop.yml:500
CI/CD security · Supply chain · GitHub Actions
medium System graph cicd CI/CD security conf 1.00 3 occurrences GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
3 files, 3 locations
.github/workflows/release-desktop-platform.yml
.github/workflows/release-desktop.yml
.github/workflows/release.yml
CI/CD security · Supply chain · GitHub Actions
medium System graph security security conf 1.00 Insecure pattern 'cors_wildcard' in packages/frontend/media-capture-playground/server/main.ts:93
Found a known-risky pattern (cors_wildcard). Review and replace if possible.
packages/frontend/media-capture-playground/server/main.ts:93 Cors wildcard
medium System graph security security conf 1.00 Insecure pattern 'dangerous_innerhtml' in packages/frontend/admin/src/components/ui/chart.tsx:70
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
packages/frontend/admin/src/components/ui/chart.tsx:70 Dangerous innerhtml
medium System graph security security conf 1.00 Insecure pattern 'dangerous_innerhtml' in packages/frontend/admin/src/modules/settings/config-input-row.tsx:192
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
packages/frontend/admin/src/modules/settings/config-input-row.tsx:192 Dangerous innerhtml
medium System graph security security conf 1.00 Insecure pattern 'dangerous_innerhtml' in packages/frontend/core/src/components/root-app-sidebar/user-info/unknow-user.tsx:25
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
packages/frontend/core/src/components/root-app-sidebar/user-info/unknow-user.tsx:25 Dangerous innerhtml
medium System graph security security conf 1.00 Insecure pattern 'dangerous_innerhtml' in packages/frontend/core/src/desktop/dialogs/setting/general-setting/experimental-features/arts.tsx:13
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
packages/frontend/core/src/desktop/dialogs/setting/general-setting/experimental-features/arts.tsx:13 Dangerous innerhtml
medium System graph security security conf 1.00 Insecure pattern 'dangerous_innerhtml' in packages/frontend/core/src/desktop/dialogs/setting/general-setting/plans/lifetime/believer-card.tsx:19
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
packages/frontend/core/src/desktop/dialogs/setting/general-setting/plans/lifetime/believer-card.tsx:19 Dangerous innerhtml
medium System graph security security conf 1.00 Insecure pattern 'dangerous_innerhtml' in packages/frontend/core/src/desktop/dialogs/setting/workspace-setting/storage/blob-management.tsx:55
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
packages/frontend/core/src/desktop/dialogs/setting/workspace-setting/storage/blob-management.tsx:55 Dangerous innerhtml
low Security checks cicd CI/CD security conf 0.72 .dockerignore misses sensitive defaults
Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases.
.dockerignore · CI/CD security · containers
high Security checks cicd CI/CD security conf 0.56 Compose service does not declare a runtime user
Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive.
.docker/selfhost/compose.yml:2 · CI/CD security · containers
high Security checks cicd CI/CD security conf 0.62 Compose service lacks no-new-privileges hardening
Add `security_opt: ["no-new-privileges:true"]` unless the service has a documented need for privilege escalation.
.docker/selfhost/compose.yml:2 · CI/CD security · containers
low Security checks cicd CI/CD security conf 0.72 2 occurrences Database service has no healthcheck
Add a database-native healthcheck such as pg_isready, mysqladmin ping, redis-cli ping, or the vendor's readiness command.
lines 16, 25
.devcontainer/docker-compose.yml:16, 25 (2 hits)
CI/CD security · containers
low Security checks quality Quality conf 0.64 Public docs site has no llms.txt
Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents.
llms.txt
low Security checks quality Quality conf 0.50 Public web app has no humans.txt
Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date.
humans.txt
low Security checks quality Quality conf 0.74 Public web app has no robots.txt
Add robots.txt at the web root or a framework-native robots route. Include an explicit Sitemap directive and disallow only private paths.
robots.txt
low Security checks quality Quality conf 0.72 Public web app has no sitemap
Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt.
sitemap.xml
low System graph quality Maintenance conf 1.00 242 TODO/FIXME markers
High count of TODO/FIXME/HACK markers — track them as issues so they're not forgotten.
low System graph hardware Supply chain conf 1.00 2 occurrences Docker base image is tag-pinned but not digest-pinned: node:22-bookworm-slim
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
lines 2, 20
.github/deployment/node/Dockerfile:2, 20 (2 hits)
containers · Pinned dependencies
low System graph software Dead code candidate conf 1.00 File has no detected symbols: nyc.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-cloud-copilot/e2e/ai-action/change-tone.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-cloud-copilot/e2e/ai-action/check-code-error.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-cloud-copilot/e2e/ai-action/continue-with-ai.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-cloud-copilot/e2e/ai-action/continue-writing.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-cloud-copilot/e2e/ai-action/explain-code.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-cloud-copilot/e2e/ai-action/explain-selection.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-cloud-copilot/e2e/ai-action/fix-spelling.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-cloud-copilot/e2e/ai-action/generate-an-image-with-image.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-cloud-copilot/e2e/ai-action/generate-an-image-with-text.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-cloud-copilot/e2e/ai-action/generate-headings.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-cloud-copilot/e2e/ai-action/generate-presentation.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-cloud-copilot/e2e/ai-action/image-processing.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-cloud-copilot/e2e/ai-action/improve-writing.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-cloud-copilot/e2e/ai-action/make-it-real.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-cloud-copilot/e2e/ai-action/summarize.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-cloud-copilot/e2e/ai-action/write-an-article.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-cloud-copilot/e2e/ai-action/write-an-tweet.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-cloud-copilot/e2e/base/base-test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-cloud-copilot/e2e/chat-with/attachments.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-cloud-copilot/e2e/chat-with/collections.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-cloud-copilot/e2e/chat-with/doc.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-cloud-copilot/e2e/chat-with/edgeless-note-block.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-cloud-copilot/e2e/chat-with/edgeless-text-block.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-cloud-copilot/e2e/chat-with/image-block.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-cloud-copilot/e2e/chat-with/image.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-cloud-copilot/e2e/chat-with/network.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-cloud-copilot/e2e/chat-with/reasoning.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-cloud-copilot/e2e/chat-with/tags.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-cloud-copilot/e2e/chat-with/text.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-cloud-copilot/e2e/settings/embedding.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-cloud-copilot/e2e/types/global.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-cloud-copilot/playwright.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-cloud/e2e/comments.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-cloud/e2e/login.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-cloud/e2e/open-in-app.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-cloud/e2e/share-page-1.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-cloud/e2e/share-page-2.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-cloud/e2e/storage.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-cloud/e2e/template.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-cloud/e2e/workspace.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-cloud/playwright.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-desktop/e2e/image.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-desktop/e2e/split-view.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-desktop/e2e/tabs.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-desktop/playwright.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-mobile/e2e/explorer-favorite.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-mobile/e2e/home.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/affine-mobile/playwright.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: vitest.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph cicd CI/CD security conf 1.00 72 occurrences GitHub Action is tag-pinned rather than SHA-pinned
actions/upload-artifact@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
9 files, 72 locations
.github/workflows/release-desktop.yml:56, 76, 87, 231, 246, 254, 303, 359, +9 more (28 hits)
.github/workflows/build-test.yml:49, 72, 195, 252, 285, 318, 349, 377, +7 more (15 hits)
.github/workflows/build-images.yml:49, 81, 113, 157, 180, 190, 207, 225, +3 more (11 hits)
.github/workflows/release-desktop-platform.yml:72, 93, 180, 187, 199, 220 (8 hits)
.github/workflows/release-mobile.yml:49, 76, 96, 156 (4 hits)
.github/workflows/copilot-test.yml:25, 77, 147 (3 hits)
.github/workflows/pr-title-lint.yml:23
.github/workflows/release.yml:75
CI/CD security · Supply chain · GitHub Actions
low System graph quality Tests conf 1.00 Low test-to-source ratio
715 tests / 6422 src (ratio 0.11).
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `affine_permission_should_project_from_legacy` in packages/backend/server/src/__tests__/models/permission-projection.spec.ts:189
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `cleanupLegacy` in packages/backend/server/src/core/entitlement/projection.ts:102
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `favoritesOld` in packages/frontend/core/src/modules/navigation-panel/services/navigation-panel.ts:12
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `free_plan_v1` in packages/backend/server/src/__tests__/models/feature-user.spec.ts:62
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `free_plan_v1` in packages/backend/server/src/__tests__/models/feature.spec.ts:30
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `free_plan_v1` in packages/backend/server/src/core/auth/dev.ts:15
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `free_plan_v1` in packages/backend/server/src/models/common/feature.ts:47
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `free_plan_v1` in packages/backend/server/src/models/user-feature.ts:39
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `free_plan_v1` in tests/kit/src/utils/cloud.ts:125
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `handledOld` in packages/frontend/core/src/blocksuite/ai/utils/apply-model/markdown-diff.ts:62
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `pro_plan_v1` in packages/backend/server/src/__tests__/copilot/byok.spec.ts:83
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `pro_plan_v1` in packages/backend/server/src/core/entitlement/__tests__/projection-checker.spec.ts:65
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `pro_plan_v1` in packages/backend/server/src/core/entitlement/__tests__/projection.spec.ts:68
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `pro_plan_v1` in packages/backend/server/src/core/entitlement/projection-checker.ts:194
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `pro_plan_v1` in packages/backend/server/src/core/quota/__tests__/state.spec.ts:59
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `pro_plan_v1` in packages/backend/server/src/seed/index.ts:21
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `quota_exceeded_readonly_workspace_v1` in packages/backend/server/src/__tests__/e2e/workspace/team.spec.ts:295
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `resolveOld` in blocksuite/affine/data-view/src/__tests__/calendar.unit.spec.ts:668
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `sub_old` in packages/backend/server/src/__tests__/payment/service.spec.ts:777
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `team_plan_v1` in packages/backend/server/src/__tests__/models/feature-workspace.spec.ts:70
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `team_plan_v1` in packages/backend/server/src/__tests__/workspace/blobs.e2e.ts:299
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `team_plan_v1` in packages/backend/server/src/core/permission/__tests__/policy.spec.ts:274
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `team_plan_v1` in packages/backend/server/src/core/permission/policy.ts:82
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `team_plan_v1` in packages/backend/server/src/models/workspace-feature.ts:60
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `upsertLegacy` in packages/backend/server/src/models/workspace-runtime-state.ts:86
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `withLegacy` in packages/frontend/core/src/modules/workspace-property/stores/workspace-property.ts:38
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph cicd CI/CD security conf 1.00 3 occurrences package.json defines install-time lifecycle scripts
preinstall/install/postinstall/prepare scripts execute during dependency installation. Review them carefully for network calls, obfuscation, shell execution, or credential access.
3 files, 3 locations
package.json
packages/backend/server/package.json
packages/frontend/templates/package.json
CI/CD security · Supply chain · Npm
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — blocksuite/affine/blocks/embed/src/embed-iframe-block/components/embed-iframe-link-input-base.ts:83
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — blocksuite/affine/data-view/src/view-presets/table/pc-virtual/virtual/batch-task-manager.ts:92
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — blocksuite/affine/ext-loader/src/view-provider.ts:52
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — blocksuite/affine/gfx/turbo-renderer/src/renderer-utils.ts:174
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — blocksuite/affine/shared/src/commands/model-crud/get-selected-models.ts:21
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — blocksuite/affine/shared/src/test-utils/affine-template.ts:311
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — blocksuite/affine/widgets/linked-doc/src/transformers/notion-html.ts:67
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — blocksuite/framework/store/src/__tests__/test-utils-dom.ts:37
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — blocksuite/framework/store/src/extension/extension.ts:46
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — blocksuite/framework/store/src/model/store/store.ts:133
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — blocksuite/playground/apps/_common/components/pdf/worker.ts:122
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — blocksuite/playground/apps/_common/mock-services.ts:100
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/backend/server/scripts/genconfig.ts:64
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/backend/server/scripts/self-host-predeploy.js:35
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/backend/server/src/__tests__/mocks/factory.ts:34
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/backend/server/src/__tests__/nestjs/error-handler.spec.ts:172
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/backend/server/src/seed/index.ts:12
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/common/infra/src/livedata/livedata.ts:42
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/common/nbstore/src/sync/indexer/index.ts:270
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/common/nbstore/src/worker/consumer.ts:151
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/frontend/apps/electron/scripts/build-layers.ts:39
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/frontend/apps/electron/scripts/dev.ts:52
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/frontend/apps/electron/scripts/generate-assets.ts:25
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/frontend/apps/electron/scripts/macos-arm64-output-check.ts:15
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/frontend/apps/ios/codegen.ts:10
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/frontend/component/src/ui/avatar/avatar.stories.tsx:11
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/frontend/component/src/ui/icon-picker/picker/emoji/gen-data.ts:59
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/frontend/component/src/ui/menu/menu.stories.tsx:118
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/frontend/component/src/ui/modal/confirm-modal.stories.tsx:30
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/frontend/component/src/ui/notification/notification-center.stories.tsx:188
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/frontend/core/src/blocksuite/view-extensions/code-block-preview/mermaid-preview.ts:415
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/frontend/core/src/desktop/dialogs/setting/general-setting/meetings/index.tsx:162
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/frontend/core/src/desktop/pages/onboarding/index.tsx:28
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/frontend/core/src/desktop/pages/workspace/index.tsx:303
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/frontend/core/src/modules/collection-rules/services/collection-rules.ts:81
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/frontend/core/src/modules/peek-view/view/image-preview/index.tsx:65
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/frontend/core/src/modules/peek-view/view/peek-view-manager.tsx:116
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/frontend/core/src/modules/share-menu/view/share-menu/general-access/public-page-button.tsx:59
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/frontend/media-capture-playground/server/gemini.ts:104
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/frontend/media-capture-playground/server/main.ts:33
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/frontend/media-capture-playground/web/components/app-list.tsx:27
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — tests/affine-cloud-copilot/e2e/ai-action/check-code-error.spec.ts:17
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — tests/affine-cloud-copilot/e2e/ai-action/explain-code.spec.ts:14
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — tests/affine-local/e2e/blocksuite/clipboard/clipboard.spec.ts:422
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — tests/affine-local/e2e/blocksuite/edgeless/canvas-renderer.perf.spec.ts:72
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — tests/blocksuite/e2e/utils/actions/misc.ts:168
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — tests/kit/src/mobile.ts:23
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — tests/kit/src/utils/cloud.ts:139
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — tools/changelog/index.js:57
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — tools/cli/src/bundle.ts:300
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — tools/cli/src/rspack/index.ts:118
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — tools/doc-diff/src/index.ts:59
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — tools/doc-diff/src/rootdoc.ts:86
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — tools/doc-diff/src/table.ts:99
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — tools/revert-update/index.ts:88
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — tools/utils/src/workspace.ts:74
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — tools/utils/src/yarn.ts:13
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph api Wiring conf 1.00 Unused endpoint: DELETE /api/workspaces/:workspaceId/mcp/
`packages/backend/server/src/plugins/copilot/mcp/controller.ts` declares `DELETE /api/workspaces/:workspaceId/mcp/` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider rem…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/avatars/:id
`packages/backend/server/src/core/user/controller.ts` declares `GET /api/avatars/:id` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consu…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/calendar/oauth/callback
`packages/backend/server/src/plugins/calendar/controller.ts` declares `GET /api/calendar/oauth/callback` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or do…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/copilot/blob/:userId/:workspaceId/:key
`packages/backend/server/src/plugins/copilot/controller.ts` declares `GET /api/copilot/blob/:userId/:workspaceId/:key` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider …
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/copilot/unsplash/photos
`packages/backend/server/src/plugins/copilot/controller.ts` declares `GET /api/copilot/unsplash/photos` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or doc…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/team/licenses/:license/health
`packages/backend/server/src/plugins/payment/license/controller.ts` declares `GET /api/team/licenses/:license/health` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider r…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/worker/image-proxy
`packages/backend/server/src/plugins/worker/controller.ts` declares `GET /api/worker/image-proxy` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenti…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/workspaces/:id/blobs/:name
`packages/backend/server/src/core/workspaces/controller.ts` declares `GET /api/workspaces/:id/blobs/:name` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or …
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/workspaces/:id/docs/:docId/comment-attachments/:key
`packages/backend/server/src/core/workspaces/controller.ts` declares `GET /api/workspaces/:id/docs/:docId/comment-attachments/:key` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead cod…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/workspaces/:id/docs/:guid
`packages/backend/server/src/core/workspaces/controller.ts` declares `GET /api/workspaces/:id/docs/:guid` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or d…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/workspaces/:id/docs/:guid/histories/:timestamp
`packages/backend/server/src/core/workspaces/controller.ts` declares `GET /api/workspaces/:id/docs/:guid/histories/:timestamp` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — c…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/workspaces/:id/public-docs/:docId
`packages/backend/server/src/core/workspaces/controller.ts` declares `GET /api/workspaces/:id/public-docs/:docId` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider remov…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/workspaces/:id/public-docs/:docId/root-doc
`packages/backend/server/src/core/workspaces/controller.ts` declares `GET /api/workspaces/:id/public-docs/:docId/root-doc` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consi…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/workspaces/:workspaceId/mcp/
`packages/backend/server/src/plugins/copilot/mcp/controller.ts` declares `GET /api/workspaces/:workspaceId/mcp/` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removi…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /apps/:process_id/icon
`packages/frontend/media-capture-playground/server/main.ts` declares `GET /apps/:process_id/icon` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenti…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /rpc/workspaces/:workspaceId/content
`packages/backend/server/src/core/doc-service/controller.ts` declares `GET /rpc/workspaces/:workspaceId/content` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removi…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /rpc/workspaces/:workspaceId/docs/:docId
`packages/backend/server/src/core/doc-service/controller.ts` declares `GET /rpc/workspaces/:workspaceId/docs/:docId` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider re…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /rpc/workspaces/:workspaceId/docs/:docId/content
`packages/backend/server/src/core/doc-service/controller.ts` declares `GET /rpc/workspaces/:workspaceId/docs/:docId/content` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — con…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /rpc/workspaces/:workspaceId/docs/:docId/markdown
`packages/backend/server/src/core/doc-service/controller.ts` declares `GET /rpc/workspaces/:workspaceId/docs/:docId/markdown` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — co…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /session
`packages/backend/server/src/core/auth/session.ts` declares `GET /session` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /user
`packages/backend/server/src/core/auth/session.ts` declares `GET /user` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /workspace/*path
`packages/backend/server/src/core/doc-renderer/controller.ts` declares `GET /workspace/*path` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting w…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: HEAD /api/workspaces/:id/public-docs/:docId
`packages/backend/server/src/core/workspaces/controller.ts` declares `HEAD /api/workspaces/:id/public-docs/:docId` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider remo…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: OPTIONS /api/telemetry/collect
`packages/backend/server/src/core/telemetry/controller.ts` declares `OPTIONS /api/telemetry/collect` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or docume…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: OPTIONS /api/worker/image-proxy
`packages/backend/server/src/plugins/worker/controller.ts` declares `OPTIONS /api/worker/image-proxy` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or docum…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: OPTIONS /api/worker/link-preview
`packages/backend/server/src/plugins/worker/controller.ts` declares `OPTIONS /api/worker/link-preview` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or docu…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /api/auth/native/exchange
`packages/backend/server/src/core/auth/controller.ts` declares `POST /api/auth/native/exchange` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /api/calendar/oauth/callback
`packages/backend/server/src/plugins/calendar/controller.ts` declares `POST /api/calendar/oauth/callback` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or d…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /api/calendar/oauth/preflight
`packages/backend/server/src/plugins/calendar/controller.ts` declares `POST /api/calendar/oauth/preflight` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or …
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /api/calendar/webhook/google
`packages/backend/server/src/plugins/calendar/controller.ts` declares `POST /api/calendar/webhook/google` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or d…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /api/revenuecat/webhook
`packages/backend/server/src/plugins/payment/revenuecat/controller.ts` declares `POST /api/revenuecat/webhook` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /api/setup/create-admin-user
`packages/backend/server/src/core/selfhost/controller.ts` declares `POST /api/setup/create-admin-user` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or docu…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /api/stripe/webhook
`packages/backend/server/src/plugins/payment/controller.ts` declares `POST /api/stripe/webhook` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /api/team/licenses/:license/activate
`packages/backend/server/src/plugins/payment/license/controller.ts` declares `POST /api/team/licenses/:license/activate` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — conside…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /api/team/licenses/:license/create-customer-portal
`packages/backend/server/src/plugins/payment/license/controller.ts` declares `POST /api/team/licenses/:license/create-customer-portal` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead …
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /api/team/licenses/:license/deactivate
`packages/backend/server/src/plugins/payment/license/controller.ts` declares `POST /api/team/licenses/:license/deactivate` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consi…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /api/team/licenses/:license/recurring
`packages/backend/server/src/plugins/payment/license/controller.ts` declares `POST /api/team/licenses/:license/recurring` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consid…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /api/team/licenses/:license/seats
`packages/backend/server/src/plugins/payment/license/controller.ts` declares `POST /api/team/licenses/:license/seats` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider r…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /api/telemetry/collect
`packages/backend/server/src/core/telemetry/controller.ts` declares `POST /api/telemetry/collect` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenti…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /api/worker/link-preview
`packages/backend/server/src/plugins/worker/controller.ts` declares `POST /api/worker/link-preview` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documen…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /api/workspaces/:workspaceId/mcp/
`packages/backend/server/src/plugins/copilot/mcp/controller.ts` declares `POST /api/workspaces/:workspaceId/mcp/` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider remov…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /global/record
`packages/frontend/media-capture-playground/server/main.ts` declares `POST /global/record` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who …
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /global/stop
`packages/frontend/media-capture-playground/server/main.ts` declares `POST /global/stop` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who co…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /rpc/workspaces/:workspaceId/docs/:docId/diff
`packages/backend/server/src/core/doc-service/controller.ts` declares `POST /rpc/workspaces/:workspaceId/docs/:docId/diff` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consi…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /transcribe
`packages/frontend/media-capture-playground/server/main.ts` declares `POST /transcribe` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who con…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: PUT /multipart
`packages/backend/server/src/core/storage/r2-proxy.ts` declares `PUT /multipart` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes i…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: PUT /upload
`packages/backend/server/src/core/storage/r2-proxy.ts` declares `PUT /upload` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: USE /recordings
`packages/frontend/media-capture-playground/server/main.ts` declares `USE /recordings` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who cons…
Unused endpoint
low System graph quality Complexity conf 1.00 Very large file: blocksuite/affine/all/src/__tests__/adapters/html.unit.spec.ts (3182 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: blocksuite/affine/all/src/__tests__/adapters/markdown.unit.spec.ts (4944 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: blocksuite/affine/all/src/__tests__/adapters/notion-html.unit.spec.ts (2093 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: blocksuite/affine/blocks/embed-doc/src/embed-linked-doc-block/styles.ts (2232 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: blocksuite/affine/gfx/template/src/toolbar/cards.ts (1411 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: blocksuite/affine/widgets/drag-handle/src/watchers/drag-event-watcher.ts (1742 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.

Showing first 300 of 313. Refine filters or use the findings page for deep search.

API access

This page is publicly accessible at: https://repobility.com/scan/afab7b39-e811-445c-b495-24ac5273d6de/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/afab7b39-e811-445c-b495-24ac5273d6de/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.