Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
28 of your 172 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.
Upstream (GitHub) caused delay on this scan — not Repobility.
  • GitHub API rate-limited (HTTP 403) — preflight skipped, fell back to direct git clone.
  • Clone from GitHub took 105.51s for a 128.8 MB repo slow.
  • Repobility's analysis ran in 12.66s after the clone landed.

editor

https://github.com/pascalorg/editor.git · scanned 2026-06-05 04:11 UTC (11 hours, 44 minutes ago) · 10 languages

2837 findings (86 legacy + 2751 scanner) 11/13 scanners ran 42nd percentile · Typescript · large (100-500K LoC) Scanner says 79 (lower by 6)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 11 hours, 44 minutes ago · v12 · 395 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

JSON
Combined
78.4
/100
Repobility
78
86 legacy
9-layer
79
100.0% cov · 309 gaps
Critical
0
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 60.0 0.15 9.00
security_score 100.0 0.25 25.00
testing_score 40.0 0.20 8.00
documentation_score 89.0 0.15 13.35
practices_score 73.0 0.15 10.95
code_quality 70.0 0.10 7.00
Overall 1.00 73.3
security_score may be inflated — optional security scanners were skipped on this fast scan
Severity distribution — click a segment to filter
Active filters: severity: low × excluding tests × Reset all
Severity: Critical 0 High 54 Medium 8 Low 91 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Legacy 86 9-layer 309 Crowd 0 Layer: Quality 279 Security 13 Software 61 Api 1 Frontend 39 Cicd 2
Corpus Intelligence Cross-corpus context (cohort percentile, top patterns, fix plan) is shown only on repositories you own. Sign up and connect your repo to view it.
Scan summary Repository scanned at 79.0/100 with 100.0% coverage. It contains 5409 nodes across 5 cross-layer flows, written primarily in mixed languages. Engine surfaced 309 findings — concentrated in quality (215), software (50), frontend (39). Risk profile is high: 0 critical, 2 high, 6 medium. Recommended next step: open the quality layer findings first — that's where the highest-impact wins live.

Showing 91 of 395 findings. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

low Legacy software xss conf 1.00 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.
For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.
packages/editor/src/components/editor-2d/renderers/floorplan-geometry-renderer.tsx:157 xsslegacy
low Legacy software xss conf 1.00 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.
For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.
packages/mcp/src/resources/scene-summary.ts:159 xsslegacy
low Legacy software xss conf 1.00 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.
For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.
packages/editor/src/components/editor-2d/svg-paths.ts:103 xsslegacy
low Legacy quality quality conf 1.00 [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
Use execFile / spawn with separate args array; never pass shell strings.
packages/mcp/src/storage/sqlite-driver.ts:15 qualitylegacy
low Legacy quality quality conf 1.00 [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
Use execFile / spawn with separate args array; never pass shell strings.
packages/mcp/src/prompts/renovation-from-photos.ts:42 qualitylegacy
low Legacy quality quality conf 0.68 Multiple AI-agent scaffold marker files are present
Keep one current agent instruction file if it helps contributors, remove stale progress/completion markers, and make sure the README, tests, and CI describe the real supported behavior.
.github/copilot-instructions.md:1 qualitylegacy
low 9-layer frontend frontend-quality conf 1.00 "active" state uses light bg in a dark theme — apps/ifc-converter/components/PreviewToolbar.tsx:53
A ternary like `active ? 'bg-white' : '...'` (or bg-gray-100/200) on a dark theme produces jarring white pills. Use a dark-emphasized active state instead — border + ring or slightly brighter dark bg. Example: `active ? 'bg-gray-800 border-gray-500 ring-1 ring-blue-500/30' : '…'`. Why: P-E in CHEC…
frontend-qualityfq.active-light-bg
low 9-layer frontend frontend-quality conf 1.00 "active" state uses light bg in a dark theme — packages/editor/src/components/editor/snapshot-capture-overlay.tsx:525
A ternary like `active ? 'bg-white' : '...'` (or bg-gray-100/200) on a dark theme produces jarring white pills. Use a dark-emphasized active state instead — border + ring or slightly brighter dark bg. Example: `active ? 'bg-gray-800 border-gray-500 ring-1 ring-blue-500/30' : '…'`. Why: P-E in CHEC…
frontend-qualityfq.active-light-bg
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/editor/lib/graph-schema.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/editor/lib/scene-store-server.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/editor/next.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/ifc-converter/next-env.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/ifc-converter/next.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/eslint-config/base.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/eslint-config/next.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/eslint-config/react-internal.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/mcp/src/bridge/node-shims.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/mcp/src/index.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/mcp/src/lib/safe-fetch.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/mcp/src/prompts/scene-guidance.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/mcp/src/storage/store.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/mcp/src/tools/apply-patch.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/mcp/src/tools/construction-tools.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/mcp/src/tools/create-level.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/mcp/src/tools/create-wall.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/mcp/src/tools/cut-opening.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/mcp/src/tools/delete-node.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/mcp/src/tools/describe-node.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/mcp/src/tools/duplicate-level.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/mcp/src/tools/export-glb.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/mcp/src/tools/export-json.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/mcp/src/tools/find-nodes.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/mcp/src/tools/get-node.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/mcp/src/tools/measure.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/mcp/src/tools/place-item.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/mcp/src/tools/redo.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/mcp/src/tools/room-tools.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/mcp/src/tools/scene-lifecycle/delete-scene.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/mcp/src/tools/scene-lifecycle/list-scenes.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/mcp/src/tools/scene-lifecycle/load-scene.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/mcp/src/tools/scene-lifecycle/project-status.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/mcp/src/tools/scene-lifecycle/rename-scene.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/mcp/src/tools/scene-lifecycle/save-scene.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/mcp/src/tools/scene-query.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/mcp/src/tools/schemas.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/mcp/src/tools/set-zone.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/mcp/src/tools/undo.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/mcp/src/tools/validate-scene.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/mcp/src/transports/http.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/mcp/src/transports/stdio.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/nodes/src/slab/boundary-editor.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/nodes/src/slab/schema.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/viewer/src/lib/layers.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/viewer/src/r3f.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/viewer/src/store/use-item-light-pool.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/viewer/src/store/use-viewer.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/viewer/src/store/use-viewer.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/viewer/src/systems/level/level-system.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer quality integrity conf 1.00 Legacy-named symbol `bvent_v1` in packages/core/src/store/actions/reparent.test.ts:20
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `cosOld` in packages/editor/src/components/ui/sidebar/panels/site-panel/tree-node-drag.tsx:64
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `level_old` in packages/core/src/registry/subtree.test.ts:119
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality tests conf 1.00 Low test-to-source ratio
89 tests / 855 src (ratio 0.10).
tests
low 9-layer cicd supply-chain conf 1.00 package.json defines install-time lifecycle scripts
preinstall/install/postinstall/prepare scripts execute during dependency installation. Review them carefully for network calls, obfuscation, shell execution, or credential access.
apps/ifc-converter/package.json supply-chainnpminstall-scripts
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/registry/__bench__/relations-resolver.bench.ts:140
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/ifc-converter/src/index.ts:669
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/mcp/examples/embed-in-agent.ts:32
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/mcp/scripts/smoke.ts:39
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/mcp/scripts/spike.ts:24
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/viewer/src/components/viewer/index.tsx:82
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/viewer/src/components/viewer/post-processing.tsx:277
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer quality complexity conf 1.00 Very large file: packages/core/src/material-library.ts (2441 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: packages/core/src/registry/types.ts (1449 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: packages/editor/src/components/editor-2d/renderers/floorplan-registry-layer.tsx (1893 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: packages/editor/src/components/editor/floorplan-panel.tsx (9351 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: packages/editor/src/components/editor/node-arrow-handles.tsx (2199 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: packages/editor/src/components/editor/selection-manager.tsx (1897 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: packages/editor/src/components/tools/item/use-placement-coordinator.tsx (1921 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: packages/editor/src/components/ui/item-catalog/catalog-items.tsx (2909 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: packages/editor/src/components/ui/sidebar/panels/site-panel/index.tsx (1640 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: packages/ifc-converter/src/index.ts (2079 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: packages/nodes/src/column/renderer.tsx (2259 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: packages/viewer/src/systems/door/door-system.tsx (2327 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: packages/viewer/src/systems/window/window-system.tsx (3426 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low Legacy quality quality conf 1.00 ✓ Repobility [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context.
packages/mcp/src/transports/http.ts:198 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context.
packages/mcp/src/prompts/renovation-from-photos.ts:23 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
Review and fix per the pattern semantics. See CWE-476 / for context.
packages/core/src/hooks/spatial-grid/spatial-grid-sync.ts:115 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
Review and fix per the pattern semantics. See CWE-476 / for context.
packages/core/src/hooks/scene-registry/scene-registry.ts:69 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
Review and fix per the pattern semantics. See CWE-476 / for context.
apps/editor/app/api/scenes/[id]/route.ts:176 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
Review and fix per the pattern semantics. See CWE-704 / for context.
packages/editor/src/components/editor/first-person/build-collider-world.ts:309 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
Review and fix per the pattern semantics. See CWE-704 / for context.
packages/core/src/utils/clone-scene-graph.ts:63 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
Review and fix per the pattern semantics. See CWE-704 / for context.
packages/core/src/registry/__bench__/relations-resolver.bench.ts:27 qualitylegacy
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/b7e4675c-21fa-456f-b3cf-29ebcf0dc441/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/b7e4675c-21fa-456f-b3cf-29ebcf0dc441/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.