Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
49 of your 181 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 1.7s · analysis 29.73s · 6.5 MB · GitHub API rate-limit (preflight)

grandamenium/cortextos

https://github.com/grandamenium/cortextos · scanned 2026-06-05 16:41 UTC (4 days, 23 hours ago) · 10 languages

552 raw signals (170 security + 382 graph) 12th percentile · Typescript · large (100-500K LoC) System graph score 86 (lower by 22)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 4 days, 23 hours ago · v2 · 293 actionable findings from 2 signal sources. 68 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON
Combined
67.5
/100
Security checks
50
102 findings
System graph
86
88.9% cov · 191 findings
Critical
1
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 85.0 0.15 12.75
security_score 0.2 0.25 0.05
testing_score 100.0 0.20 20.00
documentation_score 100.0 0.15 15.00
practices_score 75.0 0.15 11.25
code_quality 44.0 0.10 4.40
Overall 1.00 63.4
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 1 High 38 Medium 39 Low 110 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 102 System graph 191 Crowd 0 Layer: Quality 105 Security 29 Software 93 Cicd 3 Api 1 Frontend 62
Corpus Intelligence Cross-corpus context (cohort percentile, top patterns, fix plan) is shown only on repositories you own. Sign up and connect your repo to view it.
Scan summary Strongest dependencies (90), code quality (66); weakest documentation (48), practices (52).

Showing 187 of 293 actionable findings. 361 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

high Security checks security auth conf 0.88 Token handoff appears to use a callback URL or fragment
A frontend flow appears to combine a caller-controlled callback/redirect parameter with a token-bearing URL or fragment. This can exfiltrate sessions when callback validation is incomplete.
dashboard/src/middleware.ts:79
low Security checks cicd CI/CD security conf 0.35 ✓ Repobility 2 occurrences Workflow references repository secrets in a pull_request workflow
Fork pull_request runs do not receive normal repository secrets on GitHub Actions. Review this as a reliability/intent signal, not as direct fork-secret exfiltration. Raise severity only for pull_request_target or another trusted-context path that runs untrusted PR code with secrets.
lines 73, 76
.github/workflows/ci.yml:73, 76 (2 hits)
CI/CD securityworkflow secretsGitHub Actions
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: DELETE /tasks/:id/route.
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: DELETE /tasks/:id/route.
dashboard/src/app/api/tasks/[id]/route.ts:78
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /approvals/:id/route.
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /approvals/:id/route.
dashboard/src/app/api/approvals/[id]/route.ts:21
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /tasks/:id/route.
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /tasks/:id/route.
dashboard/src/app/api/tasks/[id]/route.ts:41
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: PATCH /approvals/:id/route.
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: PATCH /approvals/:id/route.
dashboard/src/app/api/approvals/[id]/route.ts:52
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: PATCH /tasks/:id/route.
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: PATCH /tasks/:id/route.
dashboard/src/app/api/tasks/[id]/route.ts:213
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: PUT /tasks/:id/route.
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: PUT /tasks/:id/route.
dashboard/src/app/api/tasks/[id]/route.ts:116
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState — React skips re-render on mutated reference.
Review and fix per the pattern semantics. See CWE-682 / for context.
src/bus/cron-state.ts:70
high Security checks quality Quality conf 1.00 ✓ Repobility 2 occurrences `self.cost` used but never assigned in __init__
Method `persist` of class `UsageTracker` reads `self.cost`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
lines 124, 151
knowledge-base/scripts/mmrag.py:124, 151 (2 hits)
high Security checks software dependencies conf 0.88 fast-uri: GHSA-q3j6-qgpj-74h6
fast-uri vulnerable to path traversal via percent-encoded dot segments
dashboard/package-lock.json
high Security checks software dependencies conf 0.88 fast-uri: GHSA-v39h-62p7-jpjc
fast-uri vulnerable to host confusion via percent-encoded authority delimiters
dashboard/package-lock.json
high Security checks software dependencies conf 0.88 marked: GHSA-6v9c-7cg6-27q7
Marked Vulnerable to OOM Denial of Service via Infinite Recursion in marked Tokenizer
dashboard/package-lock.json
high Security checks software dependencies conf 0.88 next: GHSA-267c-6grr-h53f
Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes
dashboard/package-lock.json
high Security checks software dependencies conf 0.88 next: GHSA-26hh-7cqf-hhc6
Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
dashboard/package-lock.json
high Security checks software dependencies conf 0.88 next: GHSA-36qx-fr4f-26g5
Next.js has a Middleware / Proxy bypass in Pages Router applications using i18n
dashboard/package-lock.json
high Security checks software dependencies conf 0.88 next: GHSA-492v-c6pp-mqqv
Next.js has a Middleware / Proxy bypass through dynamic route parameter injection
dashboard/package-lock.json
high Security checks software dependencies conf 0.88 next: GHSA-8h8q-6873-q5fj
Next.js Vulnerable to Denial of Service with Server Components
dashboard/package-lock.json
high Security checks software dependencies conf 0.88 next: GHSA-c4j6-fc7j-m34r
Next.js vulnerable to server-side request forgery in applications using WebSocket upgrades
dashboard/package-lock.json
high Security checks software dependencies conf 0.88 next: GHSA-mg66-mrh9-m8jx
Next.js vulnerable to Denial of Service via connection exhaustion in applications using Cache Components
dashboard/package-lock.json
high Security checks security auth conf 0.83 Secret-like setting is echoed into a password input value
Settings screens sometimes render API keys, tokens, or passwords back into HTML/JSX password fields. That still exposes the secret to page source, browser extensions, screenshots, and DOM scraping.
dashboard/src/components/settings/users-tab.tsx:117
high Security checks security prompt injection conf 0.80 User-editable role instructions are inserted into the system prompt
Fleet or role instructions that users can edit should be treated as untrusted configuration. Prepending them to every system prompt lets stored text override runtime behavior.
src/types/index.ts:640
medium Security checks security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
high Security checks security auth conf 0.74 [AUC002] Low visible authorization coverage in route inventory: Only 7.2% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
Only 7.2% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: DELETE /settings/users/route.
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: DELETE /settings/users/route.
dashboard/src/app/api/settings/users/route.ts:42
high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /settings/system/route.
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /settings/system/route.
dashboard/src/app/api/settings/system/route.ts:31
high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /settings/telegram/route.
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /settings/telegram/route.
dashboard/src/app/api/settings/telegram/route.ts:13
high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /settings/users/route.
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /settings/users/route.
dashboard/src/app/api/settings/users/route.ts:23
high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: PUT /settings/system/route.
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: PUT /settings/system/route.
dashboard/src/app/api/settings/system/route.ts:40
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /skills/route.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /skills/route.
dashboard/src/app/api/skills/route.ts:114
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /agents/route.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /agents/route.
dashboard/src/app/api/agents/route.ts:22
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /approvals/route.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /approvals/route.
dashboard/src/app/api/approvals/route.ts:20
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /events/route.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /events/route.
dashboard/src/app/api/events/route.ts:18
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /experiments/route.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /experiments/route.
dashboard/src/app/api/experiments/route.ts:168
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /quota/route.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /quota/route.
dashboard/src/app/api/quota/route.ts:5
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /tasks/route.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /tasks/route.
dashboard/src/app/api/tasks/route.ts:24
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /agents/route.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /agents/route.
dashboard/src/app/api/agents/route.ts:51
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /skills/route.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /skills/route.
dashboard/src/app/api/skills/route.ts:87
medium Security checks quality Error handling conf 1.00 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
dashboard/src/app/(auth)/login/page.tsx:32
medium Security checks cicd CI/CD security conf 0.68 Agent auto-approve or skip-permissions mode is easy to enable
Codex/agent auto-approve, YOLO, or skip-permissions modes can be useful in isolated automation, but they remove the human checkpoint before command execution, network access, and file edits.
src/types/index.ts:168 CI/CD securityagent runtimepermissions
medium Security checks cicd CI/CD security conf 0.68 Agent auto-approve or skip-permissions mode is easy to enable
Codex/agent auto-approve, YOLO, or skip-permissions modes can be useful in isolated automation, but they remove the human checkpoint before command execution, network access, and file edits.
src/pty/agent-pty.ts:247 CI/CD securityagent runtimepermissions
medium Security checks quality Quality conf 0.74 Audit export may include unredacted sensitive metadata
Audit logs can be useful live state, but exported debug bundles should redact user messages, transcripts, connector payloads, and large metadata values before sharing.
src/cli/bus.ts:7
medium Security checks quality Quality conf 0.74 Audit export may include unredacted sensitive metadata
Audit logs can be useful live state, but exported debug bundles should redact user messages, transcripts, connector payloads, and large metadata values before sharing.
src/bus/task.ts:7
medium Security checks software dependencies conf 0.88 brace-expansion: GHSA-jxxr-4gwj-5jf2
brace-expansion: Large numeric range defeats documented `max` DoS protection
dashboard/package-lock.json
low Security checks quality Error handling conf 0.55 ✓ Repobility 14 occurrences Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
lines 100, 562, 641, 660, 674, 723, 756, 765, +6 more
knowledge-base/scripts/mmrag.py:100, 562, 641, 660, 674, 723, 756, 765, +6 more (14 hits)
Error handlingquality
medium Security checks quality Quality conf 0.73 4 occurrences Codex session log reader may expose prompts or tool-call content
Codex session JSONL files can contain prompts, tool events, paths, and operational metadata, not only token counts. Token dashboards and exporters should avoid retaining or sharing raw session text.
4 files, 4 locations
dashboard/src/lib/cost-parser.ts:2
src/cli/bus.ts:210
src/daemon/agent-manager.ts:374
src/pty/codex-app-server-pty.ts:80
high Security checks quality Quality conf 0.74 15 occurrences Frontend API reference is not matched by discovered backend routes
A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys.
9 files, 15 locations
dashboard/src/app/(dashboard)/approvals/page.tsx:37, 77, 173 (3 hits)
dashboard/src/app/(dashboard)/comms/page.tsx:61, 82, 83 (3 hits)
dashboard/src/app/(dashboard)/tasks/page.tsx:103, 121 (2 hits)
dashboard/src/app/(dashboard)/workflows/page.tsx:179, 197 (2 hits)
dashboard/src/app/(auth)/login/page.tsx:25
dashboard/src/app/(dashboard)/experiments/page.tsx:167
dashboard/src/app/(dashboard)/workflows/[agent]/[name]/page.tsx:98
dashboard/src/app/(dashboard)/workflows/health/page.tsx:142
medium Security checks software dependencies conf 0.88 hono: GHSA-2gcr-mfcq-wcc3
Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths
dashboard/package-lock.json
medium Security checks software dependencies conf 0.88 hono: GHSA-3hrh-pfw6-9m5x
Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection
dashboard/package-lock.json
medium Security checks software dependencies conf 0.88 hono: GHSA-69xw-7hcm-h432
hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection
dashboard/package-lock.json
medium Security checks software dependencies conf 0.88 hono: GHSA-9vqf-7f2p-gf9v
Hono: bodyLimit() can be bypassed for chunked / unknown-length requests
dashboard/package-lock.json
medium Security checks software dependencies conf 0.88 hono: GHSA-f577-qrjj-4474
Hono: JWT middleware accepts any Authorization scheme, not only Bearer
dashboard/package-lock.json
medium Security checks software dependencies conf 0.88 hono: GHSA-p77w-8qqv-26rm
Hono's Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage
dashboard/package-lock.json
medium Security checks software dependencies conf 0.88 hono: GHSA-qp7p-654g-cw7p
Hono has CSS Declaration Injection via Style Object Values in JSX SSR
dashboard/package-lock.json
medium Security checks software dependencies conf 0.88 hono: GHSA-xrhx-7g5j-rcj5
Hono: IP Restriction bypasses static deny rules for non-canonical IPv6
dashboard/package-lock.json
medium Security checks software dependencies conf 0.88 ip-address: GHSA-v2v4-37r5-5v8g
ip-address has XSS in Address6 HTML-emitting methods
dashboard/package-lock.json
high Security checks quality Quality conf 0.80 localStorage write failures are swallowed silently
localStorage quotas are small and writes can fail. Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota.
dashboard/src/app/(dashboard)/comms/page.tsx:57
medium Security checks software dependencies conf 0.88 next: GHSA-ffhc-5mcf-pf4q
Next.js vulnerable to cross-site scripting in App Router applications using CSP nonces
dashboard/package-lock.json
medium Security checks software dependencies conf 0.88 next: GHSA-gx5p-jg67-6x7h
Next.js has cross-site scripting in beforeInteractive scripts with untrusted input
dashboard/package-lock.json
medium Security checks software dependencies conf 0.88 next: GHSA-h64f-5h5j-jqjh
Next.js has a Denial of Service in the Image Optimization API
dashboard/package-lock.json
medium Security checks software dependencies conf 0.88 next: GHSA-wfc6-r584-vfw7
Next.js vulnerable to cache poisoning in React Server Component responses
dashboard/package-lock.json
medium Security checks software dependencies conf 0.90 npm package `@types/bcryptjs` is 1 major version(s) behind (2.4.6 -> 3.0.0)
`@types/bcryptjs` is pinned/resolved at 2.4.6 but the latest stable release on the npm registry is 3.0.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
dashboard/package.json
medium Security checks software dependencies conf 0.90 npm package `commander` is 1 major version(s) behind (14.0.3 -> 15.0.0)
`commander` is pinned/resolved at 14.0.3 but the latest stable release on the npm registry is 15.0.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.88 2 occurrences postcss: GHSA-qx2v-qp2m-jg93
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output
2 files, 2 locations
dashboard/package-lock.json
package-lock.json
medium Security checks software dependencies conf 0.88 qs: GHSA-q8mj-m7cp-5q26
qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set
dashboard/package-lock.json
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — dashboard/src/app/api/media/[...filepath]/route.ts:172
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — dashboard/src/components/tasks/deliverable-preview.tsx:248
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — dashboard/src/app/(dashboard)/approvals/page.tsx:45
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — dashboard/src/app/(dashboard)/comms/page.tsx:83
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — dashboard/src/app/(dashboard)/tasks/page.tsx:59
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — dashboard/src/components/agents/goals-tab.tsx:39
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — dashboard/src/components/comms/channel-view.tsx:299
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — dashboard/src/components/knowledge-base/kb-client.tsx:90
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — dashboard/src/lib/quota.ts:82
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/bus/metrics.ts:514
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/bus/oauth.ts:208
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/telegram/api.ts:2
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph security security conf 1.00 Insecure pattern 'dangerous_innerhtml' in dashboard/src/components/tasks/deliverable-preview.tsx:248
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
dashboard/src/components/tasks/deliverable-preview.tsx:248 Dangerous innerhtml
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — knowledge-base/scripts/mmrag.py:423
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
low Security checks quality Quality conf 0.60 21 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
12 files, 13 locations
src/utils/cron-health.ts:5, 9 (2 hits)
dashboard/src/app/api/comms/channels/route.ts:1
dashboard/src/app/api/comms/feed/route.ts:97
dashboard/src/app/api/experiments/route.ts:36
dashboard/src/app/api/kb/search/route.ts:36
dashboard/src/app/api/messages/stream/[agent]/route.ts:80
dashboard/src/app/api/workflows/crons/[agent]/[name]/route.ts:7
dashboard/src/app/api/workflows/health/route.ts:65
duplicationquality
low Security checks software dependencies conf 0.88 hono: GHSA-hm8q-7f3q-5f36
Hono has improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()
dashboard/package-lock.json
low Security checks software dependencies conf 0.88 next: GHSA-3g8h-86w9-wvmq
Next.js's Middleware / Proxy redirects can be cache-poisoned
dashboard/package-lock.json
low Security checks software dependencies conf 0.88 next: GHSA-vfv6-92ff-j949
Next.js vulnerable to cache poisoning via collisions in React Server Component cache-busting
dashboard/package-lock.json
low Security checks software dependencies conf 0.90 npm package `@base-ui/react` is minor version(s) behind (1.3.0 -> 1.5.0)
`@base-ui/react` is pinned/resolved at 1.3.0 but the latest stable release on the npm registry is 1.5.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
dashboard/package.json
low Security checks software dependencies conf 0.90 npm package `@inquirer/prompts` is minor version(s) behind (8.4.0 -> 8.5.2)
`@inquirer/prompts` is pinned/resolved at 8.4.0 but the latest stable release on the npm registry is 8.5.2 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `@tabler/icons-react` is minor version(s) behind (3.41.1 -> 3.44.0)
`@tabler/icons-react` is pinned/resolved at 3.41.1 but the latest stable release on the npm registry is 3.44.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
dashboard/package.json
low Security checks software dependencies conf 0.90 npm package `better-sqlite3` is minor version(s) behind (12.8.0 -> 12.10.0)
`better-sqlite3` is pinned/resolved at 12.8.0 but the latest stable release on the npm registry is 12.10.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
dashboard/package.json
low Security checks software dependencies conf 0.90 npm package `isomorphic-dompurify` is minor version(s) behind (3.9.0 -> 3.16.0)
`isomorphic-dompurify` is pinned/resolved at 3.9.0 but the latest stable release on the npm registry is 3.16.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
dashboard/package.json
low Security checks software dependencies conf 0.90 npm package `ora` is minor version(s) behind (9.3.0 -> 9.4.0)
`ora` is pinned/resolved at 9.3.0 but the latest stable release on the npm registry is 9.4.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `shadcn` is minor version(s) behind (4.1.2 -> 4.10.0)
`shadcn` is pinned/resolved at 4.1.2 but the latest stable release on the npm registry is 4.10.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
dashboard/package.json
low Security checks software dependencies conf 0.90 npm package `tailwind-merge` is minor version(s) behind (3.5.0 -> 3.6.0)
`tailwind-merge` is pinned/resolved at 3.5.0 but the latest stable release on the npm registry is 3.6.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
dashboard/package.json
low Security checks software dependencies conf 0.90 npm package `tsx` is minor version(s) behind (4.21.0 -> 4.22.4)
`tsx` is pinned/resolved at 4.21.0 but the latest stable release on the npm registry is 4.22.4 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low System graph quality Integrity conf 1.00 36 env vars used in code but missing from .env.example
Drift between code and config docs. The first few: `BOT_TOKEN`, `CHAT_ID`, `CLAUDE_CODE_OAUTH_TOKEN`, `CORTEXTOS_CONFIRM_UPSTREAM_MERGE`, `CORTEXTOS_DIR`, `CTX_AGENT_DIR`, `CTX_AGENT_NAME`, `CTX_DEBUG_ALLOW_CRASH_TRIGGER` + 28 more. Add them (with a placeholder/comment) to .env.example so onboardin…
config drift
low System graph software Dead code candidate conf 1.00 File has no detected symbols: dashboard/src/app/api/auth/[...nextauth]/route.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: dashboard/src/app/api/knowledge/search/route.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: dashboard/src/lib/__tests__/markdown-parser.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: dashboard/src/lib/types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: ecosystem.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playwright.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/cli/doctor.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/cli/ecosystem.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/cli/get-config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/cli/goals.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/cli/notify-agent.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/cli/restart.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/cli/uninstall.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/cli/workers.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/e2e/mock-claude.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/integration/migration-guide-references-upgrade-cmd.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/playwright/dashboard-auth.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/sprint2-lifecycle.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/sprint3-experiments.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/sprint5-metrics.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/sprint8-dashboard.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/unit/bus/agents.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/unit/bus/crons-schema.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/unit/bus/event.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/unit/bus/message.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/unit/bus/save-output.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/unit/cli/add-agent-codex.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/unit/cli/add-agent-validation.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/unit/cli/init-validation.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/unit/cli/lifecycle-markers.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/unit/cli/send-telegram-normalize.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/unit/daemon/agent-manager.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/unit/dashboard/cron-utils-validation.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/unit/hooks/extract-facts.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/unit/hooks/hook-crash-alert.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/unit/telegram/transcribe.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/unit/utils/allowed-roots.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/unit/utils/lock.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/unit/utils/org.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tsup.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: vitest.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph quality Integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: knowledge-base/scripts/mmrag.py:cmd_status, knowledge-base/scripts/mmrag.py:cmd_list This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
duplicatesduplication
low System graph software Dead code conf 1.00 Possibly dead Python function: cmd_collections
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
knowledge-base/scripts/mmrag.py:1450
low System graph software Dead code conf 1.00 Possibly dead Python function: cmd_delete
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
knowledge-base/scripts/mmrag.py:1464
low System graph software Dead code conf 1.00 Possibly dead Python function: cmd_ingest
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
knowledge-base/scripts/mmrag.py:1070
low System graph software Dead code conf 1.00 Possibly dead Python function: cmd_list
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
knowledge-base/scripts/mmrag.py:1418
low System graph software Dead code conf 1.00 Possibly dead Python function: cmd_query
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
knowledge-base/scripts/mmrag.py:1153
low System graph software Dead code conf 1.00 Possibly dead Python function: cmd_reset
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
knowledge-base/scripts/mmrag.py:1485
low System graph software Dead code conf 1.00 Possibly dead Python function: cmd_status
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
knowledge-base/scripts/mmrag.py:1380
low System graph software Dead code conf 1.00 Possibly dead Python function: cmd_usage
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
knowledge-base/scripts/mmrag.py:1319
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — dashboard/src/lib/actions/skills.ts:121
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — dashboard/src/lib/auth.ts:156
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — dashboard/src/lib/sync.ts:47
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — dashboard/src/lib/watcher.ts:66
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — scripts/migrate-runtime-field.ts:191
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/bus/knowledge-base.ts:296
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/cli/add-agent.ts:97
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/cli/bus.ts:122
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/cli/dashboard.ts:58
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/cli/doctor.ts:18
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/cli/ecosystem.ts:44
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/cli/enable-agent.ts:202
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/cli/get-config.ts:72
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/cli/goals.ts:77
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/cli/import-agent.ts:47
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/cli/init.ts:37
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/cli/install.ts:89
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/cli/list-agents.ts:17
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/cli/list-skills.ts:122
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/cli/notify-agent.ts:18
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/cli/restart.ts:18
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/cli/setup.ts:36
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/cli/start.ts:60
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/cli/status.ts:25
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/cli/stop.ts:49
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/cli/tunnel.ts:310
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/cli/uninstall.ts:17
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/cli/update.ts:77
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/cli/workers.ts:24
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/daemon/agent-manager.ts:54
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/daemon/agent-process.ts:85
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/daemon/cron-migration.ts:278
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/daemon/fast-checker.ts:72
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/daemon/index.ts:239
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/daemon/ipc-server.ts:526
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/daemon/worker-process.ts:40
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — tests/e2e/mock-claude.js:11
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — tests/integration/phase4-performance.test.ts:209
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — tests/integration/phase5-performance.test.ts:243
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph quality Complexity conf 1.00 Very large file: knowledge-base/scripts/mmrag.py (1580 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: src/cli/bus.ts (2780 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: src/daemon/agent-manager.ts (1293 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: tests/integration/phase5-e2e-simulation.test.ts (1357 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: tests/integration/phase5-failure-modes.test.ts (1339 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/fe92d101-9133-494a-88fb-6b9c0f3458e0/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/fe92d101-9133-494a-88fb-6b9c0f3458e0/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.