Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
113 of your 217 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 1.48s · analysis 16.85s · 3.3 MB · GitHub API rate-limit (preflight)

miracodeai/mira

https://github.com/miracodeai/mira · scanned 2026-06-05 15:00 UTC (5 days, 1 hour ago) · 10 languages

502 raw signals (208 security + 294 graph) 61st percentile · Python · medium (20-100K LoC) System graph score 53 (higher by 18)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 5 days, 1 hour ago · v2 · 270 actionable findings from 2 signal sources. 60 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON
Combined
57.1
/100
Security checks
61
151 findings
System graph
53
100.0% cov · 119 findings
Critical
2
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 100.0 0.15 15.00
security_score 11.9 0.25 2.98
testing_score 100.0 0.20 20.00
documentation_score 100.0 0.15 15.00
practices_score 97.0 0.15 14.55
code_quality 39.0 0.10 3.90
Overall 1.00 71.4
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 2 High 99 Medium 30 Low 83 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 151 System graph 119 Crowd 0 Layer: Quality 88 Security 68 Software 46 Cicd 6 Frontend 8 Hardware 4 Api 50
Scan summary Quality grade B (71/100). Dimensions: security 12, maintainability 100. 208 findings (75 security). 43,192 lines analyzed.

Showing 213 of 270 actionable findings. 330 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

critical Security checks quality Quality conf 0.80 ✓ Repobility Admin endpoint without auth: PUT /api/admin/settings
Handler `set_global_settings` serves an /admin path (/api/admin/settings) and the function has no Depends/Security parameter and no auth marker in its body. Admin without auth = full takeover.
src/mira/dashboard/api.py:441
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: DELETE /api/repos/{owner}/{repo}/context/{context_id}.
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: DELETE /api/repos/{owner}/{repo}/context/{context_id}.
src/mira/dashboard/api.py:1380
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: DELETE /api/repos/{owner}/{repo}/rules/{rule_id}.
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: DELETE /api/repos/{owner}/{repo}/rules/{rule_id}.
src/mira/dashboard/api.py:1515
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: DELETE /api/rules/global/{rule_id}.
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: DELETE /api/rules/global/{rule_id}.
src/mira/dashboard/api.py:1570
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: DELETE /users/{user_id}.
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: DELETE /users/{user_id}.
src/mira/dashboard/auth.py:125
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: PATCH /api/rules/global/{rule_id}/toggle.
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: PATCH /api/rules/global/{rule_id}/toggle.
src/mira/dashboard/api.py:1576
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /api/uninstalls/{installation_id}/delete.
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /api/uninstalls/{installation_id}/delete.
src/mira/dashboard/api.py:562
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /api/uninstalls/{installation_id}/keep.
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /api/uninstalls/{installation_id}/keep.
src/mira/dashboard/api.py:555
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: PUT /api/repos/{owner}/{repo}/context/{context_id}.
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: PUT /api/repos/{owner}/{repo}/context/{context_id}.
src/mira/dashboard/api.py:1360
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: PUT /api/repos/{owner}/{repo}/rules/{rule_id}.
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: PUT /api/repos/{owner}/{repo}/rules/{rule_id}.
src/mira/dashboard/api.py:1498
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: PUT /api/rules/global/{rule_id}.
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: PUT /api/rules/global/{rule_id}.
src/mira/dashboard/api.py:1554
low Security checks security Injection conf 1.00 [SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.
Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders).
src/mira/security/osv.py:113
high Security checks software dependencies conf 0.90 ✓ Repobility 2 occurrences Dockerfile FROM `node:20-slim` not pinned by digest
`FROM node:20-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
lines 2, 10
Dockerfile:2, 10 (2 hits)
high Security checks software dependencies conf 0.88 fast-uri: GHSA-q3j6-qgpj-74h6
fast-uri vulnerable to path traversal via percent-encoded dot segments
ui/mira/package-lock.json
high Security checks software dependencies conf 0.88 fast-uri: GHSA-v39h-62p7-jpjc
fast-uri vulnerable to host confusion via percent-encoded authority delimiters
ui/mira/package-lock.json
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI DELETE /api/relationships/custom/{edge_id} has no auth
Handler `delete_custom_edge` is registered with router/app.delete(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
src/mira/dashboard/api.py:1661
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI DELETE /api/relationships/overrides has no auth
Handler `delete_override` is registered with router/app.delete(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
src/mira/dashboard/api.py:1623
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI DELETE /api/repos/{owner}/{repo}/context/{context_id} has no auth
Handler `delete_context` is registered with router/app.delete(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
src/mira/dashboard/api.py:1381
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI DELETE /api/repos/{owner}/{repo}/rules/{rule_id} has no auth
Handler `delete_repo_rule` is registered with router/app.delete(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
src/mira/dashboard/api.py:1516
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI DELETE /api/rules/global/{rule_id} has no auth
Handler `delete_global_rule` is registered with router/app.delete(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
src/mira/dashboard/api.py:1571
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI DELETE /users/{user_id} has no auth
Handler `delete_user` is registered with router/app.delete(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
src/mira/dashboard/auth.py:126
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI PATCH /api/rules/global/{rule_id}/toggle has no auth
Handler `toggle_global_rule` is registered with router/app.patch(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
src/mira/dashboard/api.py:1577
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /api/relationships/custom has no auth
Handler `add_custom_edge` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
src/mira/dashboard/api.py:1648
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /api/relationships/overrides has no auth
Handler `set_override` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
src/mira/dashboard/api.py:1609
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /api/repos/sync has no auth
Handler `sync_repos` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
src/mira/dashboard/api.py:571
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /api/repos/{owner}/{repo}/context has no auth
Handler `create_context` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
src/mira/dashboard/api.py:1348
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /api/repos/{owner}/{repo}/index has no auth
Handler `trigger_index` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
src/mira/dashboard/api.py:1836
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /api/repos/{owner}/{repo}/rules has no auth
Handler `create_repo_rule` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
src/mira/dashboard/api.py:1485
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /api/rules/global has no auth
Handler `create_global_rule` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
src/mira/dashboard/api.py:1542
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /api/setup/complete has no auth
Handler `complete_setup` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
src/mira/dashboard/api.py:680
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /api/uninstalls/{installation_id}/delete has no auth
Handler `delete_uninstall_data` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
src/mira/dashboard/api.py:563
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /api/uninstalls/{installation_id}/keep has no auth
Handler `keep_uninstall_data` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
src/mira/dashboard/api.py:556
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /github/webhook has no auth
Handler `webhook` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
src/mira/github_app/webhooks.py:99
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /logout has no auth
Handler `logout` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
src/mira/dashboard/auth.py:72
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /users has no auth
Handler `create_user` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
src/mira/dashboard/auth.py:115
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI PUT /api/repos/{owner}/{repo}/context/{context_id} has no auth
Handler `update_context` is registered with router/app.put(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
src/mira/dashboard/api.py:1361
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI PUT /api/repos/{owner}/{repo}/rules/{rule_id} has no auth
Handler `update_repo_rule` is registered with router/app.put(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
src/mira/dashboard/api.py:1499
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI PUT /api/rules/global/{rule_id} has no auth
Handler `update_global_rule` is registered with router/app.put(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
src/mira/dashboard/api.py:1555
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI PUT /api/settings/models has no auth
Handler `set_models` is registered with router/app.put(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
src/mira/dashboard/api.py:487
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI PUT /theme has no auth
Handler `set_theme` is registered with router/app.put(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
src/mira/dashboard/auth.py:92
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 6 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `actions/checkout` pinned to mutable ref `@v6` uses a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
3 files, 6 locations
.github/workflows/ci.yml:24, 56, 57, 79 (4 hits)
.github/workflows/docker-publish.yml:19
.github/workflows/evals.yml:27
CI/CD securitySupply chainGitHub Actions
medium Security checks cicd CI/CD security conf 0.90 ✓ Repobility 7 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `astral-sh/setup-uv` pinned to mutable ref `@v7` uses a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
3 files, 7 locations
.github/workflows/docker-publish.yml:22, 30, 38 (3 hits)
.github/workflows/ci.yml:27 (2 hits)
.github/workflows/evals.yml:30 (2 hits)
CI/CD securitySupply chainGitHub Actions
high Security checks software dependencies conf 0.90 ✓ Repobility 2 occurrences pre-commit hook `https://github.com/pre-commit/pre-commit-hooks` pinned to mutable rev `v4.6.0`
`.pre-commit-config.yaml` references `https://github.com/pre-commit/pre-commit-hooks` at `rev: v4.6.0`. If `{rev}` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine.
lines 2, 23
.pre-commit-config.yaml:2, 23 (2 hits)
high Security checks software dependencies conf 0.88 pyjwt: PYSEC-2026-175
PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient passes its uri argument directly to urllib.request.urlopen() which uses Python stdlib's default OpenerDirector registering HTTPHandler, HTTPSHandler, FTPHandler, FileHandler, and DataHandler. There is currently no docu…
uv.lock
high Security checks software dependencies conf 0.88 pyjwt: PYSEC-2026-177
PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.get_signing_key() forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited out…
uv.lock
high Security checks software dependencies conf 0.88 pyjwt: PYSEC-2026-178
PyJWT is a JSON Web Token implementation in Python. From 2.8.0 to 2.12.1, when verifying detached JWS tokens using the unencoded-payload option ("b64": false, RFC 7797), PyJWT performs Base64URL decoding of the compact-serialization payload segment before enforcing the detached-payload rules. For b…
uv.lock
high Security checks software dependencies conf 0.88 pyjwt: PYSEC-2026-179
PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate use of JSON Web Keys in HMAC algorithm, allowing attacker to use the issuer public key as the secre…
uv.lock
high Security checks security auth conf 0.83 Secret-like setting is echoed into a password input value
Settings screens sometimes render API keys, tokens, or passwords back into HTML/JSX password fields. That still exposes the secret to page source, browser extensions, screenshots, and DOM scraping.
ui/mira/src/pages/users.tsx:86
high Security checks security auth conf 0.83 Secret-like setting is echoed into a password input value
Settings screens sometimes render API keys, tokens, or passwords back into HTML/JSX password fields. That still exposes the secret to page source, browser extensions, screenshots, and DOM scraping.
ui/mira/src/pages/login.tsx:65
high Security checks software dependencies conf 0.88 starlette: PYSEC-2026-161
BadHost: Missing Host header validation poisons request.url.path, bypassing path-based security checks
uv.lock
high Security checks software dependencies conf 0.88 urllib3: PYSEC-2026-141
urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.
uv.lock
high Security checks software dependencies conf 0.88 urllib3: PYSEC-2026-142
urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) when HTTPResponse.dr…
uv.lock
high System graph security auth conf 1.00 FastAPI DELETE `cancel_index` without auth dependency — src/mira/dashboard/api.py:1937
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/mira/dashboard/api.py:1937 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI DELETE `delete_context` without auth dependency — src/mira/dashboard/api.py:1380
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/mira/dashboard/api.py:1380 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI DELETE `delete_custom_edge` without auth dependency — src/mira/dashboard/api.py:1660
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/mira/dashboard/api.py:1660 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI DELETE `delete_global_rule` without auth dependency — src/mira/dashboard/api.py:1570
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/mira/dashboard/api.py:1570 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI DELETE `delete_override` without auth dependency — src/mira/dashboard/api.py:1622
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/mira/dashboard/api.py:1622 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI DELETE `delete_repo_rule` without auth dependency — src/mira/dashboard/api.py:1515
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/mira/dashboard/api.py:1515 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI DELETE `delete_user` without auth dependency — src/mira/dashboard/auth.py:125
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/mira/dashboard/auth.py:125 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI PATCH `toggle_global_rule` without auth dependency — src/mira/dashboard/api.py:1576
`@router.patch` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/mira/dashboard/api.py:1576 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `add_custom_edge` without auth dependency — src/mira/dashboard/api.py:1647
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/mira/dashboard/api.py:1647 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `complete_setup` without auth dependency — src/mira/dashboard/api.py:679
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/mira/dashboard/api.py:679 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `create_context` without auth dependency — src/mira/dashboard/api.py:1347
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/mira/dashboard/api.py:1347 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `create_global_rule` without auth dependency — src/mira/dashboard/api.py:1541
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/mira/dashboard/api.py:1541 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `create_repo_rule` without auth dependency — src/mira/dashboard/api.py:1484
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/mira/dashboard/api.py:1484 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `create_user` without auth dependency — src/mira/dashboard/auth.py:114
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/mira/dashboard/auth.py:114 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `delete_uninstall_data` without auth dependency — src/mira/dashboard/api.py:562
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/mira/dashboard/api.py:562 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `keep_uninstall_data` without auth dependency — src/mira/dashboard/api.py:555
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/mira/dashboard/api.py:555 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `set_override` without auth dependency — src/mira/dashboard/api.py:1608
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/mira/dashboard/api.py:1608 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `sync_repos` without auth dependency — src/mira/dashboard/api.py:570
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/mira/dashboard/api.py:570 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `trigger_index` without auth dependency — src/mira/dashboard/api.py:1835
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/mira/dashboard/api.py:1835 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI PUT `set_global_settings` without auth dependency — src/mira/dashboard/api.py:440
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/mira/dashboard/api.py:440 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI PUT `set_models` without auth dependency — src/mira/dashboard/api.py:486
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/mira/dashboard/api.py:486 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI PUT `set_theme` without auth dependency — src/mira/dashboard/auth.py:91
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/mira/dashboard/auth.py:91 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI PUT `update_context` without auth dependency — src/mira/dashboard/api.py:1360
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/mira/dashboard/api.py:1360 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI PUT `update_global_rule` without auth dependency — src/mira/dashboard/api.py:1554
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/mira/dashboard/api.py:1554 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI PUT `update_repo_rule` without auth dependency — src/mira/dashboard/api.py:1498
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/mira/dashboard/api.py:1498 securityAuth fastapi unauth mutation
high System graph security security conf 1.00 Insecure pattern 'eval_used' in src/mira/analysis/severity.py:21
Found a known-risky pattern (eval_used). Review and replace if possible.
src/mira/analysis/severity.py:21 Eval used
high System graph security security conf 1.00 Insecure pattern 'exec_used' in src/mira/analysis/severity.py:22
Found a known-risky pattern (exec_used). Review and replace if possible.
src/mira/analysis/severity.py:22 Exec used
medium Security checks security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
high Security checks security auth conf 0.74 [AUC002] Low visible authorization coverage in route inventory: Only 12.7% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
Only 12.7% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: DELETE /users/{user_id}.
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: DELETE /users/{user_id}.
src/mira/dashboard/auth.py:125
high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /api/admin/settings.
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /api/admin/settings.
src/mira/dashboard/api.py:426
high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /api/settings/models.
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /api/settings/models.
src/mira/dashboard/api.py:368
high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /users.
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /users.
src/mira/dashboard/auth.py:105
high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /login.
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /login.
src/mira/dashboard/auth.py:48
high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /logout.
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /logout.
src/mira/dashboard/auth.py:71
high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /users.
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /users.
src/mira/dashboard/auth.py:114
high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: PUT /api/admin/settings.
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: PUT /api/admin/settings.
src/mira/dashboard/api.py:440
high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: PUT /api/settings/models.
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: PUT /api/settings/models.
src/mira/dashboard/api.py:486
high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: PUT /theme.
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: PUT /theme.
src/mira/dashboard/auth.py:91
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /api/relationships/custom/{edge_id}.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /api/relationships/custom/{edge_id}.
src/mira/dashboard/api.py:1660
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /api/relationships/overrides.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /api/relationships/overrides.
src/mira/dashboard/api.py:1622
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /api/repos/{owner}/{repo}/context/{context_id}.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /api/repos/{owner}/{repo}/context/{context_id}.
src/mira/dashboard/api.py:1380
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /api/repos/{owner}/{repo}/rules/{rule_id}.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /api/repos/{owner}/{repo}/rules/{rule_id}.
src/mira/dashboard/api.py:1515
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /api/rules/global/{rule_id}.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /api/rules/global/{rule_id}.
src/mira/dashboard/api.py:1570
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /api/indexing/estimate.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /api/indexing/estimate.
src/mira/dashboard/api.py:325
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /me.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /me.
src/mira/dashboard/auth.py:79
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: PATCH /api/rules/global/{rule_id}/toggle.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: PATCH /api/rules/global/{rule_id}/toggle.
src/mira/dashboard/api.py:1576
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /api/repos/sync.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /api/repos/sync.
src/mira/dashboard/api.py:570
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /api/uninstalls/{installation_id}/delete.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /api/uninstalls/{installation_id}/delete.
src/mira/dashboard/api.py:562
medium Security checks security auth conf 0.72 [AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements.
FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements.
low Security checks quality Error handling conf 1.00 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.
src/mira/index/context.py:82
medium Security checks quality Error handling conf 1.00 3 occurrences [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
3 files, 3 locations
ui/mira/src/App.tsx:55
ui/mira/src/components/dashboard/layout.tsx:124
ui/mira/src/pages/rules.tsx:41
high Security checks quality Quality conf 0.72 Agent control bridge may listen on a network interface without visible auth
Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN.
scripts/start_local.sh:7
medium Security checks software dependencies conf 0.88 brace-expansion: GHSA-jxxr-4gwj-5jf2
brace-expansion: Large numeric range defeats documented `max` DoS protection
ui/mira/package-lock.json
low Security checks quality Error handling conf 0.55 ✓ Repobility 7 occurrences Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
5 files, 7 locations
src/mira/core/passes.py:98, 118 (2 hits)
src/mira/github_app/index_handlers.py:314, 333 (2 hits)
src/mira/dashboard/auth.py:122
src/mira/dashboard/events.py:59
src/mira/dashboard/models_config.py:93
Error handlingquality
high Security checks cicd CI/CD security conf 0.82 Docker final stage has no non-root USER
Docker images run as root unless the image or Dockerfile switches to a non-root user.
Dockerfile:10 CI/CD securitycontainers
medium Security checks cicd CI/CD security conf 0.76 Dockerfile copies broad context with incomplete .dockerignore
COPY . or ADD . is safer when .dockerignore excludes secrets, git history, keys, and generated artifacts.
Dockerfile:16 CI/CD securitycontainers
high Security checks quality Quality conf 0.74 2 occurrences Frontend API reference is not matched by discovered backend routes
A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys.
lines 397, 409
ui/mira/src/lib/api.ts:397, 409 (2 hits)
medium Security checks software dependencies conf 0.88 hono: GHSA-2gcr-mfcq-wcc3
Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths
ui/mira/package-lock.json
medium Security checks software dependencies conf 0.88 hono: GHSA-3hrh-pfw6-9m5x
Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection
ui/mira/package-lock.json
medium Security checks software dependencies conf 0.88 hono: GHSA-458j-xx4x-4375
hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SSR
ui/mira/package-lock.json
medium Security checks software dependencies conf 0.88 hono: GHSA-69xw-7hcm-h432
hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection
ui/mira/package-lock.json
medium Security checks software dependencies conf 0.88 hono: GHSA-9vqf-7f2p-gf9v
Hono: bodyLimit() can be bypassed for chunked / unknown-length requests
ui/mira/package-lock.json
medium Security checks software dependencies conf 0.88 hono: GHSA-f577-qrjj-4474
Hono: JWT middleware accepts any Authorization scheme, not only Bearer
ui/mira/package-lock.json
medium Security checks software dependencies conf 0.88 hono: GHSA-p77w-8qqv-26rm
Hono's Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage
ui/mira/package-lock.json
medium Security checks software dependencies conf 0.88 hono: GHSA-qp7p-654g-cw7p
Hono has CSS Declaration Injection via Style Object Values in JSX SSR
ui/mira/package-lock.json
medium Security checks software dependencies conf 0.88 hono: GHSA-xrhx-7g5j-rcj5
Hono: IP Restriction bypasses static deny rules for non-canonical IPv6
ui/mira/package-lock.json
medium Security checks software dependencies conf 0.88 idna: GHSA-65pc-fj4g-8rjx
Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix
uv.lock
medium Security checks software dependencies conf 0.88 ip-address: GHSA-v2v4-37r5-5v8g
ip-address has XSS in Address6 HTML-emitting methods
ui/mira/package-lock.json
medium Security checks software dependencies conf 0.90 npm package `@eslint/js` is 1 major version(s) behind (9.39.4 -> 10.0.1)
`@eslint/js` is pinned/resolved at 9.39.4 but the latest stable release on the npm registry is 10.0.1 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
ui/mira/package.json
medium Security checks software dependencies conf 0.90 npm package `@vitejs/plugin-react` is 1 major version(s) behind (5.2.0 -> 6.0.2)
`@vitejs/plugin-react` is pinned/resolved at 5.2.0 but the latest stable release on the npm registry is 6.0.2 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs rais…
ui/mira/package.json
medium Security checks software dependencies conf 0.90 npm package `globals` is 3 major version(s) behind (14.0.0 -> 17.6.0)
`globals` is pinned/resolved at 14.0.0 but the latest stable release on the npm registry is 17.6.0 (3 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
ui/mira/package.json
medium Security checks software dependencies conf 0.88 postcss: GHSA-qx2v-qp2m-jg93
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output
ui/mira/package-lock.json
medium Security checks quality Quality conf 0.78 Public web service has no security.txt
security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt.
.well-known/security.txt
medium Security checks software dependencies conf 0.88 qs: GHSA-q8mj-m7cp-5q26
qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set
ui/mira/package-lock.json
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — ui/mira/src/components/ui/chart.tsx:93
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — ui/mira/src/lib/api.ts:6
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — ui/mira/src/lib/auth.tsx:34
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph hardware Security conf 1.00 Dockerfile runs as root: Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph quality Integrity conf 1.00 9 occurrences Frontend route `repos` has no Link/navigate to it — ui/mira/src/App.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
9 occurrences
repo-level (9 hits)
Orphan pageWiring
medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/docker-publish.yml CI/CD securitySupply chainGithub actions
medium System graph security security conf 1.00 Insecure pattern 'dangerous_innerhtml' in ui/mira/src/components/ui/chart.tsx:93
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
ui/mira/src/components/ui/chart.tsx:93 Dangerous innerhtml
low Security checks cicd CI/CD security conf 0.72 .dockerignore misses sensitive defaults
.dockerignore exists but does not cover common secret or VCS patterns.
.dockerignore CI/CD securitycontainers
low Security checks quality Quality conf 0.60 6 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
6 files, 6 locations
src/mira/index/indexer.py:61
src/mira/llm/provider.py:416
ui/mira/src/components/dashboard/dependencies-graph.tsx:1
ui/mira/src/components/dashboard/relationship-graph.tsx:1
ui/mira/src/pages/settings.tsx:3
ui/mira/src/pages/setup.tsx:75
duplicationquality
low Security checks software dependencies conf 0.88 hono: GHSA-hm8q-7f3q-5f36
Hono has improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()
ui/mira/package-lock.json
low Security checks software dependencies conf 0.90 npm package `@xyflow/react` is minor version(s) behind (12.10.2 -> 12.11.0)
`@xyflow/react` is pinned/resolved at 12.10.2 but the latest stable release on the npm registry is 12.11.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
ui/mira/package.json
low Security checks software dependencies conf 0.90 npm package `shadcn` is minor version(s) behind (4.7.0 -> 4.10.0)
`shadcn` is pinned/resolved at 4.7.0 but the latest stable release on the npm registry is 4.10.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
ui/mira/package.json
low System graph hardware Coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
Deployment
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: node:20-slim
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
Dockerfile:2 containersPinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: python:3.12-slim
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
Dockerfile:10 containersPinned dependencies
low System graph software Dead code candidate conf 1.00 File has no detected symbols: ui/mira/eslint.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: ui/mira/src/main.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: ui/mira/vite.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph quality Integrity conf 1.00 16 occurrences Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/mira/dashboard/db.py:delete_repos_by_installation, src/mira/dashboard/db.py:delete_repo This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separat…
16 occurrences
repo-level (16 hits)
duplicatesduplication
low System graph quality Integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: src/mira/llm/provider.py:complete, src/mira/llm/bedrock.py:complete, src/mira/llm/base.py:complete This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're …
duplicatesduplication
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `mira_salt_v1` in src/mira/dashboard/db.py:233
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `model_copy` in src/mira/dashboard/models_config.py:102
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph software Dead code conf 1.00 Possibly dead Python function: fix
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/mira/llm/response_parser.py:298
low System graph software Dead code conf 1.00 Possibly dead Python function: handle_installation_deleted
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/mira/github_app/index_handlers.py:106
low System graph software Dead code conf 1.00 Possibly dead Python function: handle_repos_removed
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/mira/github_app/index_handlers.py:132
low System graph software Dead code conf 1.00 Possibly dead Python function: list_packages_org_wide_sqlite
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/mira/index/store.py:1145
low System graph software Dead code conf 1.00 Possibly dead Python function: parse_poetry_lock
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/mira/index/manifests.py:330
low System graph software Dead code conf 1.00 Possibly dead Python function: poll_repo
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/mira/security/poller.py:166
low System graph software Dead code conf 1.00 Possibly dead Python function: progress
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/mira/index/status.py:38
low System graph software Dead code conf 1.00 Possibly dead Python function: render_by_language
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/render_benchmark_charts.py:300
low System graph software Dead code conf 1.00 Possibly dead Python function: run_forever
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/mira/security/poller.py:248
low System graph frontend Frontend quality conf 1.00 React Flow <Controls> without dark theming — ui/mira/src/components/dashboard/blast-graph.tsx:214
`<Controls>` ships with white buttons. Override `.react-flow__controls` and `.react-flow__controls-button` in your stylesheet or pass a styled wrapper. Why: P1 in CHECKLIST.md — vendor defaults bleed light through. Rule id: fq.controls.no-bg
Fq controls no bg
low System graph frontend Frontend quality conf 1.00 React Flow <Controls> without dark theming — ui/mira/src/components/dashboard/dependencies-graph.tsx:269
`<Controls>` ships with white buttons. Override `.react-flow__controls` and `.react-flow__controls-button` in your stylesheet or pass a styled wrapper. Why: P1 in CHECKLIST.md — vendor defaults bleed light through. Rule id: fq.controls.no-bg
Fq controls no bg
low System graph frontend Frontend quality conf 1.00 React Flow <Controls> without dark theming — ui/mira/src/components/dashboard/relationship-graph.tsx:467
`<Controls>` ships with white buttons. Override `.react-flow__controls` and `.react-flow__controls-button` in your stylesheet or pass a styled wrapper. Why: P1 in CHECKLIST.md — vendor defaults bleed light through. Rule id: fq.controls.no-bg
Fq controls no bg
low System graph api Wiring conf 1.00 Unused endpoint: DELETE /api/repos/{owner}/{repo}/context/{context_id}
`src/mira/dashboard/api.py` declares `DELETE /api/repos/{owner}/{repo}/context/{context_id}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting wh…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: DELETE /api/repos/{owner}/{repo}/rules/{rule_id}
`src/mira/dashboard/api.py` declares `DELETE /api/repos/{owner}/{repo}/rules/{rule_id}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who con…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: DELETE /api/rules/global/{rule_id}
`src/mira/dashboard/api.py` declares `DELETE /api/rules/global/{rule_id}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: DELETE /users/{user_id}
`src/mira/dashboard/auth.py` declares `DELETE /users/{user_id}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/admin/settings
`src/mira/dashboard/api.py` declares `GET /api/admin/settings` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/events
`src/mira/dashboard/api.py` declares `GET /api/events` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/indexing/estimate
`src/mira/dashboard/api.py` declares `GET /api/indexing/estimate` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/indexing/status
`src/mira/dashboard/api.py` declares `GET /api/indexing/status` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/learned-rules
`src/mira/dashboard/api.py` declares `GET /api/learned-rules` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/packages/search
`src/mira/dashboard/api.py` declares `GET /api/packages/search` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/relationships
`src/mira/dashboard/api.py` declares `GET /api/relationships` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/relationships/{owner}/{repo}
`src/mira/dashboard/api.py` declares `GET /api/relationships/{owner}/{repo}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/repos
`src/mira/dashboard/api.py` declares `GET /api/repos` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/repos/{owner}/{repo}
`src/mira/dashboard/api.py` declares `GET /api/repos/{owner}/{repo}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/repos/{owner}/{repo}/blast-radius
`src/mira/dashboard/api.py` declares `GET /api/repos/{owner}/{repo}/blast-radius` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes …
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/repos/{owner}/{repo}/blast-radius.svg
`src/mira/dashboard/api.py` declares `GET /api/repos/{owner}/{repo}/blast-radius.svg` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consu…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/repos/{owner}/{repo}/context
`src/mira/dashboard/api.py` declares `GET /api/repos/{owner}/{repo}/context` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/repos/{owner}/{repo}/dependencies
`src/mira/dashboard/api.py` declares `GET /api/repos/{owner}/{repo}/dependencies` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes …
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/repos/{owner}/{repo}/external-refs
`src/mira/dashboard/api.py` declares `GET /api/repos/{owner}/{repo}/external-refs` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/repos/{owner}/{repo}/files
`src/mira/dashboard/api.py` declares `GET /api/repos/{owner}/{repo}/files` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/repos/{owner}/{repo}/learned-rules
`src/mira/dashboard/api.py` declares `GET /api/repos/{owner}/{repo}/learned-rules` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/repos/{owner}/{repo}/packages
`src/mira/dashboard/api.py` declares `GET /api/repos/{owner}/{repo}/packages` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/repos/{owner}/{repo}/rules
`src/mira/dashboard/api.py` declares `GET /api/repos/{owner}/{repo}/rules` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/repos/{owner}/{repo}/vulnerabilities
`src/mira/dashboard/api.py` declares `GET /api/repos/{owner}/{repo}/vulnerabilities` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consum…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/rules/global
`src/mira/dashboard/api.py` declares `GET /api/rules/global` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/settings/models
`src/mira/dashboard/api.py` declares `GET /api/settings/models` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/setup/status
`src/mira/dashboard/api.py` declares `GET /api/setup/status` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/uninstalls/pending
`src/mira/dashboard/api.py` declares `GET /api/uninstalls/pending` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/version
`src/mira/dashboard/api.py` declares `GET /api/version` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/vulnerabilities
`src/mira/dashboard/api.py` declares `GET /api/vulnerabilities` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/vulnerabilities/summary
`src/mira/dashboard/api.py` declares `GET /api/vulnerabilities/summary` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /me
`src/mira/dashboard/auth.py` declares `GET /me` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /users
`src/mira/dashboard/auth.py` declares `GET /users` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: PATCH /api/rules/global/{rule_id}/toggle
`src/mira/dashboard/api.py` declares `PATCH /api/rules/global/{rule_id}/toggle` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /api/repos/sync
`src/mira/dashboard/api.py` declares `POST /api/repos/sync` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /api/repos/{owner}/{repo}/context
`src/mira/dashboard/api.py` declares `POST /api/repos/{owner}/{repo}/context` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /api/repos/{owner}/{repo}/rules
`src/mira/dashboard/api.py` declares `POST /api/repos/{owner}/{repo}/rules` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /api/rules/global
`src/mira/dashboard/api.py` declares `POST /api/rules/global` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /api/setup/complete
`src/mira/dashboard/api.py` declares `POST /api/setup/complete` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /api/uninstalls/{installation_id}/delete
`src/mira/dashboard/api.py` declares `POST /api/uninstalls/{installation_id}/delete` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consum…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /api/uninstalls/{installation_id}/keep
`src/mira/dashboard/api.py` declares `POST /api/uninstalls/{installation_id}/keep` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /login
`src/mira/dashboard/auth.py` declares `POST /login` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /logout
`src/mira/dashboard/auth.py` declares `POST /logout` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /users
`src/mira/dashboard/auth.py` declares `POST /users` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: PUT /api/admin/settings
`src/mira/dashboard/api.py` declares `PUT /api/admin/settings` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: PUT /api/repos/{owner}/{repo}/context/{context_id}
`src/mira/dashboard/api.py` declares `PUT /api/repos/{owner}/{repo}/context/{context_id}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who c…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: PUT /api/repos/{owner}/{repo}/rules/{rule_id}
`src/mira/dashboard/api.py` declares `PUT /api/repos/{owner}/{repo}/rules/{rule_id}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consum…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: PUT /api/rules/global/{rule_id}
`src/mira/dashboard/api.py` declares `PUT /api/rules/global/{rule_id}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: PUT /api/settings/models
`src/mira/dashboard/api.py` declares `PUT /api/settings/models` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: PUT /theme
`src/mira/dashboard/auth.py` declares `PUT /theme` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph quality Complexity conf 1.00 Very large file: src/mira/dashboard/api.py (1982 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: tests/test_engine.py (1629 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/ceef786b-85b1-4201-8535-6d88dc0ad55d/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/ceef786b-85b1-4201-8535-6d88dc0ad55d/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.