← Legacy view v2 (rp.*)

toylala03-star/learnhskforme12.github.io

https://github.com/toylala03-star/learnhskforme12.github.io.git · lang: typescript · LOC: · source: user_submitted

Quality

55.8

Grade C

Security

94.1

Findings

0 critical · 5 high

Status

completed

May 29, 2026 07:57

medium: 7 low: 6 high: 5 info: 5

Top rules by occurrence

Rule	Severity	Count
`MINED113` Express POST/PUT/DELETE/PATCH route without auth	high	3
`MINED047` Emoji In Source	info	2
`CORE_NO_LICENSE` No LICENSE file	low	1
`AUC009` [AUC009] Sensitive function route lacks elevated authorizat…	medium	1
`AUC005` [AUC005] No authorization-focused tests detected: No test f…	low	1
`AUC001` [AUC001] No Repobility access matrix policy found: The repo…	medium	1
`CFG006` [CFG006] Missing .gitignore: No .gitignore file. Risk of co…	medium	1
`MINED045` Ts Non Null Assertion	info	1
`CORE_NO_CI` No CI/CD configuration found	medium	1
`MINED044` Js Console Log Prod	info	1

First 23 findings (severity-sorted)

high CORE_NO_TESTS No test files found

No test files found

high MINED113 Express POST/PUT/DELETE/PATCH route without auth CWE-306CWE-862

server.ts:53 · conf 0.80

[MINED113] Express POST /api/gemini/explain has no auth: Express route POST /api/gemini/explain declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) o…

high MINED113 Express POST/PUT/DELETE/PATCH route without auth CWE-306CWE-862

server.ts:123 · conf 0.80

[MINED113] Express POST /api/gemini/story has no auth: Express route POST /api/gemini/story declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on un…

high MINED113 Express POST/PUT/DELETE/PATCH route without auth CWE-306CWE-862

server.ts:183 · conf 0.80

[MINED113] Express POST /api/gemini/tutor has no auth: Express route POST /api/gemini/tutor declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on un…

high SEC135 Auth/permission check missing on AI-generated endpoint

server.ts:53 · conf 1.00

[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we…

medium AUC001 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.

· conf 0.92

[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.

medium AUC002 [AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.

· conf 0.74

[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.

medium AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.

server.ts:183 · conf 0.68

[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…

medium CFG006 [CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.

· conf 1.00

[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.

medium CORE_NO_CI No CI/CD configuration found

No CI/CD configuration found

medium WEB003 Public web service has no security.txt

.well-known/security.txt · conf 0.78

Public web service has no security.txt

medium WEB015 Public web app has no Content Security Policy

index.html · conf 0.70

Public web app has no Content Security Policy

low AUC005 [AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found.

· conf 0.76

[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found.

low CORE_NO_LICENSE No LICENSE file

No LICENSE file

low WEB001 Public web app has no robots.txt

robots.txt · conf 0.74

Public web app has no robots.txt

low WEB002 Public web app has no sitemap

sitemap.xml · conf 0.72

Public web app has no sitemap

low WEB008 Public docs site has no llms.txt

llms.txt · conf 0.64

Public docs site has no llms.txt

low WEB011 Public web app has no humans.txt

humans.txt · conf 0.50

Public web app has no humans.txt

info MINED044 Js Console Log Prod CWE-532

server.ts:112 · conf 1.00

[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.

info MINED045 Ts Non Null Assertion CWE-476

src/components/StrokePractice.tsx:49 · conf 1.00

[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.

info MINED047 Emoji In Source

server.ts:61 · conf 1.00

[MINED047] Emoji In Source: Emoji ✅ ❌ 🚀 in code/comments — common AI output unless explicitly requested.

info MINED047 Emoji In Source

src/components/StrokePractice.tsx:134 · conf 1.00

[MINED047] Emoji In Source: Emoji ✅ ❌ 🚀 in code/comments — common AI output unless explicitly requested.

info MINED052 Ts Any Typed CWE-704

server.ts:47 · conf 1.00

[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.

Reading from rp.scan + rp.finding + rp.rule (unified schema, R78 series). Legacy data path unchanged. Compare with /scan/8bd8b392-5a86-49d2-bbae-ce13836146fb/.