octocode-cli 1.2.7 → 1.2.9

package/skills/octocode-research/.octocode/scan/2026-03-22T10-32-27-073Z/graph.md

@@ -0,0 +1,189 @@
+# Dependency Graph
+
+## Module Dependency Map
+
+```mermaid
+graph LR
+  src_server_ts["⚠️ src/server.ts"]
+  src_routes_package_ts["⚠️ src/…/package.ts"]
+  src_routes_tools_ts["⚠️ src/…/tools.ts"]
+  src_routes_github_ts["⚠️ src/…/github.ts"]
+  src_routes_local_ts["⚠️ src/…/local.ts"]
+  src_routes_lsp_ts["⚠️ src/…/lsp.ts"]
+  src___tests___integration_routes_test_ts["src/…/routes.test.ts"]
+  src_middleware_errorHandler_ts["src/…/errorHandler.ts"]
+  src_routes_prompts_ts["src/…/prompts.ts"]
+  src_middleware_logger_ts["src/…/logger.ts"]
+  src_utils_circuitBreaker_ts["⚠️ src/…/circuitBreaker.ts"]
+  src_utils_resilience_ts["src/…/resilience.ts"]
+  src___tests___unit_errorHandler_test_ts["src/…/errorHandler.test.ts"]
+  src_utils_logger_ts["⚠️ src/…/logger.ts"]
+  src_utils_responseFactory_ts["⚠️ src/…/responseFactory.ts"]
+  src_index_ts["src/index.ts"]
+  src_utils_asyncTimeout_ts["⚠️ src/…/asyncTimeout.ts"]
+  src_types_guards_ts["⚠️ src/…/guards.ts"]
+  src_utils_responseBuilder_ts["⚠️ src/…/responseBuilder.ts"]
+  src_mcpCache_ts["src/mcpCache.ts"]
+  src_utils_colors_ts["src/…/colors.ts"]
+  src_validation_index_ts["src/…/index.ts"]
+  src_utils_errorQueue_ts["src/…/errorQueue.ts"]
+  src_utils_responseParser_ts["⚠️ src/…/responseParser.ts"]
+  src_utils_routeFactory_ts["src/…/routeFactory.ts"]
+  src_validation_httpPreprocess_ts["⚠️ src/…/httpPreprocess.ts"]
+  src_utils_retry_ts["⚠️ src/…/retry.ts"]
+  src_server_ts --> src_index_ts
+  src_server_ts --> src_mcpCache_ts
+  src_server_ts --> src_middleware_errorHandler_ts
+  src_server_ts --> src_middleware_logger_ts
+  src_server_ts --> src_routes_prompts_ts
+  src_server_ts --> src_routes_tools_ts
+  src_server_ts --> src_utils_asyncTimeout_ts
+  src_server_ts --> src_utils_circuitBreaker_ts
+  src_server_ts --> src_utils_colors_ts
+  src_server_ts --> src_utils_errorQueue_ts
+  src_server_ts --> src_utils_logger_ts
+  src_routes_package_ts --> src_index_ts
+  src_routes_package_ts --> src_types_guards_ts
+  src_routes_package_ts --> src_utils_resilience_ts
+  src_routes_package_ts --> src_utils_responseBuilder_ts
+  src_routes_package_ts --> src_utils_responseFactory_ts
+  src_routes_package_ts --> src_utils_responseParser_ts
+  src_routes_package_ts --> src_validation_index_ts
+  src_routes_tools_ts --> src_index_ts
+  src_routes_tools_ts --> src_mcpCache_ts
+  src_routes_tools_ts --> src_utils_asyncTimeout_ts
+  src_routes_tools_ts --> src_utils_resilience_ts
+  src_routes_tools_ts --> src_utils_responseParser_ts
+  src_routes_github_ts --> src_index_ts
+  src_routes_github_ts --> src_types_guards_ts
+  src_routes_github_ts --> src_utils_resilience_ts
+  src_routes_github_ts --> src_utils_responseBuilder_ts
+  src_routes_github_ts --> src_utils_responseFactory_ts
+  src_routes_github_ts --> src_utils_routeFactory_ts
+  src_routes_github_ts --> src_validation_index_ts
+  src_routes_local_ts --> src_index_ts
+  src_routes_local_ts --> src_types_guards_ts
+  src_routes_local_ts --> src_utils_resilience_ts
+  src_routes_local_ts --> src_utils_responseBuilder_ts
+  src_routes_local_ts --> src_utils_responseFactory_ts
+  src_routes_local_ts --> src_utils_routeFactory_ts
+  src_routes_local_ts --> src_validation_index_ts
+  src_routes_lsp_ts --> src_index_ts
+  src_routes_lsp_ts --> src_types_guards_ts
+  src_routes_lsp_ts --> src_utils_resilience_ts
+  src_routes_lsp_ts --> src_utils_responseBuilder_ts
+  src_routes_lsp_ts --> src_utils_responseFactory_ts
+  src_routes_lsp_ts --> src_utils_routeFactory_ts
+  src_routes_lsp_ts --> src_validation_index_ts
+  src___tests___integration_routes_test_ts --> src_routes_github_ts
+  src___tests___integration_routes_test_ts --> src_routes_local_ts
+  src___tests___integration_routes_test_ts --> src_routes_lsp_ts
+  src___tests___integration_routes_test_ts --> src_routes_package_ts
+  src_middleware_errorHandler_ts --> src_index_ts
+  src_middleware_errorHandler_ts --> src_utils_asyncTimeout_ts
+  src_middleware_errorHandler_ts --> src_utils_logger_ts
+  src_routes_prompts_ts --> src_index_ts
+  src_routes_prompts_ts --> src_mcpCache_ts
+  src_routes_prompts_ts --> src_utils_asyncTimeout_ts
+  src_middleware_logger_ts --> src_utils_colors_ts
+  src_middleware_logger_ts --> src_utils_logger_ts
+  src_utils_circuitBreaker_ts --> src_index_ts
+  src_utils_circuitBreaker_ts --> src_utils_asyncTimeout_ts
+  src_utils_circuitBreaker_ts --> src_utils_colors_ts
+  src_utils_resilience_ts --> src_utils_asyncTimeout_ts
+  src_utils_resilience_ts --> src_utils_circuitBreaker_ts
+  src_utils_resilience_ts --> src_utils_retry_ts
+  src___tests___unit_errorHandler_test_ts --> src_middleware_errorHandler_ts
+  src___tests___unit_errorHandler_test_ts --> src_utils_asyncTimeout_ts
+  src_utils_logger_ts --> src_utils_colors_ts
+  src_utils_logger_ts --> src_utils_errorQueue_ts
+  src_utils_responseFactory_ts --> src_types_guards_ts
+  src_index_ts --> src_utils_responseBuilder_ts
+  src_utils_asyncTimeout_ts --> src_utils_errorQueue_ts
+  src_validation_index_ts --> src_validation_httpPreprocess_ts
+  src_utils_routeFactory_ts --> src_utils_responseParser_ts
+```
+
+## Critical Dependency Chains
+
+```mermaid
+graph LR
+  src_server_ts["src/server.ts"] ==> src_routes_tools_ts["src/…/tools.ts"]
+  src_routes_tools_ts["src/…/tools.ts"] ==> src_utils_resilience_ts["src/…/resilience.ts"]
+  src_utils_resilience_ts["src/…/resilience.ts"] ==> src_utils_circuitBreaker_ts["src/…/circuitBreaker.ts"]
+  src_utils_circuitBreaker_ts["src/…/circuitBreaker.ts"] ==> src_index_ts["src/index.ts"]
+  src_index_ts["src/index.ts"] ==> src_utils_responseBuilder_ts["src/…/responseBuilder.ts"]
+  src_routes_tools_ts["src/…/tools.ts"] ==> src_utils_resilience_ts["src/…/resilience.ts"]
+  src_utils_resilience_ts["src/…/resilience.ts"] ==> src_utils_circuitBreaker_ts["src/…/circuitBreaker.ts"]
+  src_utils_circuitBreaker_ts["src/…/circuitBreaker.ts"] ==> src_index_ts["src/index.ts"]
+  src_index_ts["src/index.ts"] ==> src_utils_responseBuilder_ts["src/…/responseBuilder.ts"]
+  src___tests___integration_routes_test_ts["src/…/routes.test.ts"] ==> src_routes_lsp_ts["src/…/lsp.ts"]
+  src_routes_lsp_ts["src/…/lsp.ts"] ==> src_utils_resilience_ts["src/…/resilience.ts"]
+  src_utils_resilience_ts["src/…/resilience.ts"] ==> src_utils_circuitBreaker_ts["src/…/circuitBreaker.ts"]
+  src_utils_circuitBreaker_ts["src/…/circuitBreaker.ts"] ==> src_index_ts["src/index.ts"]
+  src_index_ts["src/index.ts"] ==> src_utils_responseBuilder_ts["src/…/responseBuilder.ts"]
+  src_routes_lsp_ts["src/…/lsp.ts"] ==> src_utils_resilience_ts["src/…/resilience.ts"]
+  src_utils_resilience_ts["src/…/resilience.ts"] ==> src_utils_circuitBreaker_ts["src/…/circuitBreaker.ts"]
+  src_utils_circuitBreaker_ts["src/…/circuitBreaker.ts"] ==> src_index_ts["src/index.ts"]
+  src_index_ts["src/index.ts"] ==> src_utils_responseBuilder_ts["src/…/responseBuilder.ts"]
+  src_routes_package_ts["src/…/package.ts"] ==> src_utils_resilience_ts["src/…/resilience.ts"]
+  src_utils_resilience_ts["src/…/resilience.ts"] ==> src_utils_circuitBreaker_ts["src/…/circuitBreaker.ts"]
+  src_utils_circuitBreaker_ts["src/…/circuitBreaker.ts"] ==> src_index_ts["src/index.ts"]
+  src_index_ts["src/index.ts"] ==> src_utils_responseBuilder_ts["src/…/responseBuilder.ts"]
+  src_routes_github_ts["src/…/github.ts"] ==> src_utils_resilience_ts["src/…/resilience.ts"]
+  src_utils_resilience_ts["src/…/resilience.ts"] ==> src_utils_circuitBreaker_ts["src/…/circuitBreaker.ts"]
+  src_utils_circuitBreaker_ts["src/…/circuitBreaker.ts"] ==> src_index_ts["src/index.ts"]
+  src_index_ts["src/index.ts"] ==> src_utils_responseBuilder_ts["src/…/responseBuilder.ts"]
+  src_routes_local_ts["src/…/local.ts"] ==> src_utils_resilience_ts["src/…/resilience.ts"]
+  src_utils_resilience_ts["src/…/resilience.ts"] ==> src_utils_circuitBreaker_ts["src/…/circuitBreaker.ts"]
+  src_utils_circuitBreaker_ts["src/…/circuitBreaker.ts"] ==> src_index_ts["src/index.ts"]
+  src_index_ts["src/index.ts"] ==> src_utils_responseBuilder_ts["src/…/responseBuilder.ts"]
+  src_utils_resilience_ts["src/…/resilience.ts"] ==> src_utils_circuitBreaker_ts["src/…/circuitBreaker.ts"]
+  src_utils_circuitBreaker_ts["src/…/circuitBreaker.ts"] ==> src_index_ts["src/index.ts"]
+  src_index_ts["src/index.ts"] ==> src_utils_responseBuilder_ts["src/…/responseBuilder.ts"]
+```
+
+## Summary
+
+| Metric | Value |
+|--------|-------|
+| Total modules | 52 |
+| Total edges | 92 |
+| Root modules | 20 |
+| Leaf modules | 22 |
+| Cycles | 0 |
+| Critical paths | 12 |
+| Test-only modules | 4 |
+| Unresolved imports | 0 |
+
+## Critical Modules (Hub Nodes)
+
+| Module | Score | Risk | Inbound | Outbound |
+|--------|-------|------|---------|----------|
+| `src/utils/logger.ts` | 112 | high | 4 | 2 |
+| `src/utils/responseBuilder.ts` | 109 | high | 6 | 0 |
+| `src/routes/tools.ts` | 79 | high | 1 | 8 |
+| `src/server.ts` | 71 | high | 0 | 11 |
+| `src/utils/circuitBreaker.ts` | 70 | high | 4 | 3 |
+| `src/routes/lsp.ts` | 66 | high | 1 | 7 |
+| `src/utils/retry.ts` | 66 | high | 2 | 1 |
+| `src/routes/package.ts` | 57 | medium | 1 | 8 |
+| `src/routes/github.ts` | 54 | medium | 1 | 7 |
+| `src/routes/local.ts` | 46 | medium | 1 | 7 |
+| `src/server-init.ts` | 48 | medium | 0 | 0 |
+| `src/types/errorGuards.ts` | 47 | medium | 1 | 0 |
+| `src/utils/responseParser.ts` | 43 | medium | 3 | 0 |
+| `src/types/guards.ts` | 40 | medium | 6 | 0 |
+| `src/utils/responseFactory.ts` | 38 | medium | 4 | 2 |
+| `src/validation/schemas.ts` | 37 | medium | 1 | 1 |
+| `src/types/responses.ts` | 34 | medium | 1 | 1 |
+| `src/validation/httpPreprocess.ts` | 31 | medium | 3 | 0 |
+| `src/middleware/queryParser.ts` | 31 | medium | 2 | 0 |
+| `src/utils/asyncTimeout.ts` | 26 | low | 7 | 1 |
+
+## Test-Only Modules
+
+- `src/routes/github.ts`
+- `src/routes/local.ts`
+- `src/routes/lsp.ts`
+- `src/routes/package.ts`

package/skills/octocode-research/.octocode/scan/2026-03-22T10-32-27-073Z/security.json

@@ -0,0 +1 @@
+{"schemaVersion":"1.1.0","generatedAt":"2026-03-22T10:32:30.560Z","findings":[{"id":"AST-ISSUE-0062","severity":"high","category":"hardcoded-secret","file":"src/routes/tools.ts","lineStart":206,"lineEnd":206,"title":"Potential hardcoded secret","reason":"String literal matches a secret pattern (password, API key, token, high-entropy string). Secrets in source code risk credential leaks. Validate: use localSearchCode to find the variable, then lspFindReferences to check if it is used in auth or network calls.","files":["src/routes/tools.ts"],"suggestedFix":{"strategy":"Move secret to environment variable or secrets manager.","steps":["Replace the hardcoded value with process.env.YOUR_SECRET.","Add the variable to your .env file (excluded from git).","Verify the secret is not committed in git history."]},"impact":"Credential leak in source code exposes API access, database credentials, or authentication tokens to anyone with repo access.","tags":["security","secrets"],"lspHints":[{"tool":"lspFindReferences","symbolName":"secret","lineHint":206,"file":"src/routes/tools.ts","expectedResult":"find all usages of this secret value — if used only in tests or as a regex pattern, it is a false positive"}],"ruleId":"security.hardcoded-secret","confidence":"high","evidence":{"category":"hardcoded-secret","location":"src/routes/tools.ts:206-206","source":"","sink":"runtime usage","context":"literal","sanitizerStatus":"missing","propagationSteps":["src/routes/tools.ts:206"]},"analysisLens":"hybrid","correlatedSignals":["hot-file","critical-path-context","paired:prototype-pollution-risk","paired:untested-critical-code","paired:unvalidated-input-sink","paired:listener-leak-risk","paired:over-abstraction","paired:type-assertion-escape"],"recommendedValidation":{"summary":"find all usages of this secret value — if used only in tests or as a regex pattern, it is a false positive","tools":["localSearchCode","lspFindReferences"]},"flowTrace":[{"file":"src/routes/tools.ts","lineStart":206,"lineEnd":206,"label":"propagation step"}]},{"id":"AST-ISSUE-0063","severity":"high","category":"prototype-pollution-risk","file":"src/routes/tools.ts","lineStart":352,"lineEnd":352,"title":"Prototype pollution risk: computed-property-write","reason":"Dynamic bracket assignment: schemas[toolName]","files":["src/routes/tools.ts"],"suggestedFix":{"strategy":"Guard against __proto__, constructor, and prototype keys before merging.","steps":["Validate keys: reject \"__proto__\", \"constructor\", \"prototype\" before assignment.","Use Object.create(null) as the target for merges when possible.","Replace custom deep-merge with a hardened library (e.g. lodash.merge with prototype guard).","For Object.assign, ensure the source is sanitized or use structuredClone()."]},"impact":"Prototype pollution can override built-in methods, bypass security checks, or achieve remote code execution.","tags":["security","prototype-pollution","injection"],"lspHints":[{"tool":"lspCallHierarchy","symbolName":"bracket-assignment","lineHint":352,"file":"src/routes/tools.ts","expectedResult":"trace callers to determine if user-controlled data reaches this site — if key comes from Object.keys() on internal object, dismiss as false positive"}],"ruleId":"security.prototype-pollution-risk","confidence":"medium","evidence":{"category":"prototype-pollution-risk","location":"src/routes/tools.ts:352-352","source":"computed-property-write","sink":"Dynamic bracket assignment: schemas[toolName]","guarded":false,"sanitizerStatus":"missing","propagationSteps":["src/routes/tools.ts:352"]},"analysisLens":"hybrid","correlatedSignals":["hot-file","critical-path-context","paired:hardcoded-secret","paired:untested-critical-code","paired:unvalidated-input-sink","paired:listener-leak-risk","paired:over-abstraction","paired:type-assertion-escape"],"recommendedValidation":{"summary":"trace callers to determine if user-controlled data reaches this site — if key comes from Object.keys() on internal object, dismiss as false positive","tools":["localSearchCode","lspCallHierarchy"]},"flowTrace":[{"file":"src/routes/tools.ts","lineStart":352,"lineEnd":352,"label":"propagation step"}]},{"id":"AST-ISSUE-0064","severity":"high","category":"prototype-pollution-risk","file":"src/utils/circuitBreaker.ts","lineStart":288,"lineEnd":288,"title":"Prototype pollution risk: computed-property-write","reason":"Dynamic bracket assignment: states[name]","files":["src/utils/circuitBreaker.ts"],"suggestedFix":{"strategy":"Guard against __proto__, constructor, and prototype keys before merging.","steps":["Validate keys: reject \"__proto__\", \"constructor\", \"prototype\" before assignment.","Use Object.create(null) as the target for merges when possible.","Replace custom deep-merge with a hardened library (e.g. lodash.merge with prototype guard).","For Object.assign, ensure the source is sanitized or use structuredClone()."]},"impact":"Prototype pollution can override built-in methods, bypass security checks, or achieve remote code execution.","tags":["security","prototype-pollution","injection"],"lspHints":[{"tool":"lspCallHierarchy","symbolName":"bracket-assignment","lineHint":288,"file":"src/utils/circuitBreaker.ts","expectedResult":"trace callers to determine if user-controlled data reaches this site — if key comes from Object.keys() on internal object, dismiss as false positive"}],"ruleId":"security.prototype-pollution-risk","confidence":"medium","evidence":{"category":"prototype-pollution-risk","location":"src/utils/circuitBreaker.ts:288-288","source":"computed-property-write","sink":"Dynamic bracket assignment: states[name]","guarded":false,"sanitizerStatus":"missing","propagationSteps":["src/utils/circuitBreaker.ts:288"]},"analysisLens":"hybrid","correlatedSignals":["hot-file","critical-path-context","paired:dead-export","paired:semantic-dead-export","paired:over-abstraction","paired:type-assertion-escape","paired:uncleared-timer","paired:move-to-caller"],"recommendedValidation":{"summary":"trace callers to determine if user-controlled data reaches this site — if key comes from Object.keys() on internal object, dismiss as false positive","tools":["localSearchCode","lspCallHierarchy"]},"flowTrace":[{"file":"src/utils/circuitBreaker.ts","lineStart":288,"lineEnd":288,"label":"propagation step"}]},{"id":"AST-ISSUE-0111","severity":"high","category":"sql-injection-risk","file":"src/utils/logger.ts","lineStart":57,"lineEnd":57,"title":"SQL query built with template literal interpolation","reason":"Template literals with SQL keywords and interpolated expressions risk SQL injection if user input flows into the query.","files":["src/utils/logger.ts"],"suggestedFix":{"strategy":"Use parameterized queries or a query builder.","steps":["Replace template literal with parameterized query (e.g. db.query(sql, [param])).","Use an ORM or query builder that handles escaping.","If raw SQL is necessary, validate and sanitize all interpolated values."]},"impact":"SQL injection can expose, modify, or destroy database contents and potentially escalate to full server compromise.","tags":["security","injection","sql"],"ruleId":"security.sql-injection-risk","confidence":"high","evidence":{"category":"sql-injection-risk","location":"src/utils/logger.ts:57-57","sink":"sql template literal","sanitizerStatus":"missing","propagationSteps":["src/utils/logger.ts:57-57"]},"analysisLens":"hybrid","correlatedSignals":["hot-file","critical-path-context","paired:dead-export","paired:semantic-dead-export","paired:empty-catch","paired:excessive-parameters","paired:input-passthrough-risk","paired:listener-leak-risk"],"recommendedValidation":{"summary":"Validate both the structural location and the behavioral path before presenting the claim as fact.","tools":["localSearchCode","lspCallHierarchy"]},"flowTrace":[{"file":"src/utils/logger.ts","lineStart":57,"lineEnd":57,"label":"propagation step"}]},{"id":"AST-ISSUE-0112","severity":"high","category":"sql-injection-risk","file":"src/utils/logger.ts","lineStart":83,"lineEnd":83,"title":"SQL query built with template literal interpolation","reason":"Template literals with SQL keywords and interpolated expressions risk SQL injection if user input flows into the query.","files":["src/utils/logger.ts"],"suggestedFix":{"strategy":"Use parameterized queries or a query builder.","steps":["Replace template literal with parameterized query (e.g. db.query(sql, [param])).","Use an ORM or query builder that handles escaping.","If raw SQL is necessary, validate and sanitize all interpolated values."]},"impact":"SQL injection can expose, modify, or destroy database contents and potentially escalate to full server compromise.","tags":["security","injection","sql"],"ruleId":"security.sql-injection-risk","confidence":"high","evidence":{"category":"sql-injection-risk","location":"src/utils/logger.ts:83-83","sink":"sql template literal","sanitizerStatus":"missing","propagationSteps":["src/utils/logger.ts:83-83"]},"analysisLens":"hybrid","correlatedSignals":["hot-file","critical-path-context","paired:dead-export","paired:semantic-dead-export","paired:empty-catch","paired:excessive-parameters","paired:input-passthrough-risk","paired:listener-leak-risk"],"recommendedValidation":{"summary":"Validate both the structural location and the behavioral path before presenting the claim as fact.","tools":["localSearchCode","lspCallHierarchy"]},"flowTrace":[{"file":"src/utils/logger.ts","lineStart":83,"lineEnd":83,"label":"propagation step"}]},{"id":"AST-ISSUE-0135","severity":"high","category":"unvalidated-input-sink","file":"src/middleware/errorHandler.ts","lineStart":15,"lineEnd":65,"title":"Unvalidated input reaches response sink in errorHandler(req)","reason":"Parameter 'req' (external input) flows into response without validation (no type guard, schema call, or conditional check).","files":["src/middleware/errorHandler.ts"],"suggestedFix":{"strategy":"Add input validation before the sink operation.","steps":["Add schema validation (e.g. zod, joi) for input parameters.","Use parameterized APIs instead of template interpolation for SQL/exec.","Trace data flow: lspCallHierarchy(outgoing) on errorHandler."]},"impact":"Unvalidated external input reaching a dangerous sink (eval, SQL, exec, innerHTML, file write) enables injection attacks.","tags":["security","input-validation","injection"],"lspHints":[{"tool":"lspCallHierarchy","symbolName":"errorHandler","lineHint":15,"file":"src/middleware/errorHandler.ts","expectedResult":"trace outgoing calls to see where req data flows"},{"tool":"lspFindReferences","symbolName":"req","lineHint":15,"file":"src/middleware/errorHandler.ts","expectedResult":"check all usages of req parameter within function"}],"ruleId":"security.unvalidated-input-sink","confidence":"high","evidence":{"category":"unvalidated-input-sink","location":"src/middleware/errorHandler.ts:15-65","sourceParameters":["req"],"sink":"response","sanitizerStatus":"missing","propagationSteps":["sanitizeQueryParams:28","extractToolName:36"]},"analysisLens":"hybrid","correlatedSignals":["paired:move-to-caller"],"recommendedValidation":{"summary":"trace outgoing calls to see where req data flows","tools":["localSearchCode","lspCallHierarchy"]},"flowTrace":[{"file":"sanitizeQueryParams","lineStart":28,"lineEnd":28,"label":"propagation step"},{"file":"extractToolName","lineStart":36,"lineEnd":36,"label":"propagation step"}]},{"id":"AST-ISSUE-0136","severity":"high","category":"unvalidated-input-sink","file":"src/routes/package.ts","lineStart":17,"lineEnd":47,"title":"Unvalidated input reaches response sink in <anonymous>(req)","reason":"Parameter 'req' (external input) flows into response without validation (no type guard, schema call, or conditional check).","files":["src/routes/package.ts"],"suggestedFix":{"strategy":"Add input validation before the sink operation.","steps":["Add schema validation (e.g. zod, joi) for input parameters.","Use parameterized APIs instead of template interpolation for SQL/exec.","Trace data flow: lspCallHierarchy(outgoing) on <anonymous>."]},"impact":"Unvalidated external input reaching a dangerous sink (eval, SQL, exec, innerHTML, file write) enables injection attacks.","tags":["security","input-validation","injection"],"lspHints":[{"tool":"lspCallHierarchy","symbolName":"<anonymous>","lineHint":17,"file":"src/routes/package.ts","expectedResult":"trace outgoing calls to see where req data flows"},{"tool":"lspFindReferences","symbolName":"req","lineHint":17,"file":"src/routes/package.ts","expectedResult":"check all usages of req parameter within function"}],"ruleId":"security.unvalidated-input-sink","confidence":"high","evidence":{"category":"unvalidated-input-sink","location":"src/routes/package.ts:17-47","sourceParameters":["req"],"sink":"response","sanitizerStatus":"missing","propagationSteps":["parseAndValidate:19"]},"analysisLens":"hybrid","correlatedSignals":["hot-file","critical-path-context","paired:dependency-critical-path","paired:cognitive-complexity","paired:unreachable-module","paired:dependency-test-only","paired:move-to-caller"],"recommendedValidation":{"summary":"trace outgoing calls to see where req data flows","tools":["localSearchCode","lspCallHierarchy"]},"flowTrace":[{"file":"parseAndValidate","lineStart":19,"lineEnd":19,"label":"propagation step"}]},{"id":"AST-ISSUE-0137","severity":"high","category":"unvalidated-input-sink","file":"src/routes/prompts.ts","lineStart":88,"lineEnd":138,"title":"Unvalidated input reaches response sink in <anonymous>(req)","reason":"Parameter 'req' (external input) flows into response without validation (no type guard, schema call, or conditional check).","files":["src/routes/prompts.ts"],"suggestedFix":{"strategy":"Add input validation before the sink operation.","steps":["Add schema validation (e.g. zod, joi) for input parameters.","Use parameterized APIs instead of template interpolation for SQL/exec.","Trace data flow: lspCallHierarchy(outgoing) on <anonymous>."]},"impact":"Unvalidated external input reaching a dangerous sink (eval, SQL, exec, innerHTML, file write) enables injection attacks.","tags":["security","input-validation","injection"],"lspHints":[{"tool":"lspCallHierarchy","symbolName":"<anonymous>","lineHint":88,"file":"src/routes/prompts.ts","expectedResult":"trace outgoing calls to see where req data flows"},{"tool":"lspFindReferences","symbolName":"req","lineHint":88,"file":"src/routes/prompts.ts","expectedResult":"check all usages of req parameter within function"}],"ruleId":"security.unvalidated-input-sink","confidence":"high","evidence":{"category":"unvalidated-input-sink","location":"src/routes/prompts.ts:88-138","sourceParameters":["req"],"sink":"response","sanitizerStatus":"missing","propagationSteps":[]},"analysisLens":"hybrid","correlatedSignals":[],"recommendedValidation":{"summary":"trace outgoing calls to see where req data flows","tools":["localSearchCode","lspCallHierarchy"]}},{"id":"AST-ISSUE-0138","severity":"high","category":"unvalidated-input-sink","file":"src/routes/tools.ts","lineStart":158,"lineEnd":211,"title":"Unvalidated input reaches response sink in <anonymous>(req)","reason":"Parameter 'req' (external input) flows into response without validation (no type guard, schema call, or conditional check).","files":["src/routes/tools.ts"],"suggestedFix":{"strategy":"Add input validation before the sink operation.","steps":["Add schema validation (e.g. zod, joi) for input parameters.","Use parameterized APIs instead of template interpolation for SQL/exec.","Trace data flow: lspCallHierarchy(outgoing) on <anonymous>."]},"impact":"Unvalidated external input reaching a dangerous sink (eval, SQL, exec, innerHTML, file write) enables injection attacks.","tags":["security","input-validation","injection"],"lspHints":[{"tool":"lspCallHierarchy","symbolName":"<anonymous>","lineHint":158,"file":"src/routes/tools.ts","expectedResult":"trace outgoing calls to see where req data flows"},{"tool":"lspFindReferences","symbolName":"req","lineHint":158,"file":"src/routes/tools.ts","expectedResult":"check all usages of req parameter within function"}],"ruleId":"security.unvalidated-input-sink","confidence":"high","evidence":{"category":"unvalidated-input-sink","location":"src/routes/tools.ts:158-211","sourceParameters":["req"],"sink":"response","sanitizerStatus":"missing","propagationSteps":[]},"analysisLens":"hybrid","correlatedSignals":["hot-file","critical-path-context","paired:hardcoded-secret","paired:prototype-pollution-risk","paired:untested-critical-code","paired:listener-leak-risk","paired:over-abstraction","paired:type-assertion-escape"],"recommendedValidation":{"summary":"trace outgoing calls to see where req data flows","tools":["localSearchCode","lspCallHierarchy"]}},{"id":"AST-ISSUE-0139","severity":"high","category":"unvalidated-input-sink","file":"src/routes/tools.ts","lineStart":228,"lineEnd":290,"title":"Unvalidated input reaches response sink in <anonymous>(req)","reason":"Parameter 'req' (external input) flows into response without validation (no type guard, schema call, or conditional check).","files":["src/routes/tools.ts"],"suggestedFix":{"strategy":"Add input validation before the sink operation.","steps":["Add schema validation (e.g. zod, joi) for input parameters.","Use parameterized APIs instead of template interpolation for SQL/exec.","Trace data flow: lspCallHierarchy(outgoing) on <anonymous>."]},"impact":"Unvalidated external input reaching a dangerous sink (eval, SQL, exec, innerHTML, file write) enables injection attacks.","tags":["security","input-validation","injection"],"lspHints":[{"tool":"lspCallHierarchy","symbolName":"<anonymous>","lineHint":228,"file":"src/routes/tools.ts","expectedResult":"trace outgoing calls to see where req data flows"},{"tool":"lspFindReferences","symbolName":"req","lineHint":228,"file":"src/routes/tools.ts","expectedResult":"check all usages of req parameter within function"}],"ruleId":"security.unvalidated-input-sink","confidence":"high","evidence":{"category":"unvalidated-input-sink","location":"src/routes/tools.ts:228-290","sourceParameters":["req"],"sink":"response","sanitizerStatus":"missing","propagationSteps":[]},"analysisLens":"hybrid","correlatedSignals":["hot-file","critical-path-context","paired:hardcoded-secret","paired:prototype-pollution-risk","paired:untested-critical-code","paired:listener-leak-risk","paired:over-abstraction","paired:type-assertion-escape"],"recommendedValidation":{"summary":"trace outgoing calls to see where req data flows","tools":["localSearchCode","lspCallHierarchy"]}},{"id":"AST-ISSUE-0140","severity":"high","category":"unvalidated-input-sink","file":"src/routes/tools.ts","lineStart":564,"lineEnd":677,"title":"Unvalidated input reaches response sink in <anonymous>(req)","reason":"Parameter 'req' (external input) flows into response without validation (no type guard, schema call, or conditional check).","files":["src/routes/tools.ts"],"suggestedFix":{"strategy":"Add input validation before the sink operation.","steps":["Add schema validation (e.g. zod, joi) for input parameters.","Use parameterized APIs instead of template interpolation for SQL/exec.","Trace data flow: lspCallHierarchy(outgoing) on <anonymous>."]},"impact":"Unvalidated external input reaching a dangerous sink (eval, SQL, exec, innerHTML, file write) enables injection attacks.","tags":["security","input-validation","injection"],"lspHints":[{"tool":"lspCallHierarchy","symbolName":"<anonymous>","lineHint":564,"file":"src/routes/tools.ts","expectedResult":"trace outgoing calls to see where req data flows"},{"tool":"lspFindReferences","symbolName":"req","lineHint":564,"file":"src/routes/tools.ts","expectedResult":"check all usages of req parameter within function"}],"ruleId":"security.unvalidated-input-sink","confidence":"high","evidence":{"category":"unvalidated-input-sink","location":"src/routes/tools.ts:564-677","sourceParameters":["req"],"sink":"response","sanitizerStatus":"missing","propagationSteps":["validateToolCallBody:604"]},"analysisLens":"hybrid","correlatedSignals":["hot-file","critical-path-context","paired:hardcoded-secret","paired:prototype-pollution-risk","paired:untested-critical-code","paired:listener-leak-risk","paired:over-abstraction","paired:type-assertion-escape"],"recommendedValidation":{"summary":"trace outgoing calls to see where req data flows","tools":["localSearchCode","lspCallHierarchy"]},"flowTrace":[{"file":"validateToolCallBody","lineStart":604,"lineEnd":604,"label":"propagation step"}]},{"id":"AST-ISSUE-0141","severity":"high","category":"unvalidated-input-sink","file":"src/utils/routeFactory.ts","lineStart":91,"lineEnd":116,"title":"Unvalidated input reaches response sink in <anonymous>(req)","reason":"Parameter 'req' (external input) flows into response without validation (no type guard, schema call, or conditional check).","files":["src/utils/routeFactory.ts"],"suggestedFix":{"strategy":"Add input validation before the sink operation.","steps":["Add schema validation (e.g. zod, joi) for input parameters.","Use parameterized APIs instead of template interpolation for SQL/exec.","Trace data flow: lspCallHierarchy(outgoing) on <anonymous>."]},"impact":"Unvalidated external input reaching a dangerous sink (eval, SQL, exec, innerHTML, file write) enables injection attacks.","tags":["security","input-validation","injection"],"lspHints":[{"tool":"lspCallHierarchy","symbolName":"<anonymous>","lineHint":91,"file":"src/utils/routeFactory.ts","expectedResult":"trace outgoing calls to see where req data flows"},{"tool":"lspFindReferences","symbolName":"req","lineHint":91,"file":"src/utils/routeFactory.ts","expectedResult":"check all usages of req parameter within function"}],"ruleId":"security.unvalidated-input-sink","confidence":"high","evidence":{"category":"unvalidated-input-sink","location":"src/utils/routeFactory.ts:91-116","sourceParameters":["req"],"sink":"response","sanitizerStatus":"missing","propagationSteps":["parseAndValidate:94"]},"analysisLens":"hybrid","correlatedSignals":["paired:unreachable-module","paired:dead-export","paired:move-to-caller"],"recommendedValidation":{"summary":"trace outgoing calls to see where req data flows","tools":["localSearchCode","lspCallHierarchy"]},"flowTrace":[{"file":"parseAndValidate","lineStart":94,"lineEnd":94,"label":"propagation step"}]},{"id":"AST-ISSUE-0245","severity":"medium","category":"input-passthrough-risk","file":"src/middleware/logger.ts","lineStart":19,"lineEnd":60,"title":"Input passthrough without validation in requestLogger(req)","reason":"Parameter 'req' (external input) is passed to getRequestId without validation. Downstream callees may not validate either.","files":["src/middleware/logger.ts"],"suggestedFix":{"strategy":"Validate input before passing to downstream functions.","steps":["Add schema validation (e.g. zod, joi) at the entry point.","Trace downstream: lspCallHierarchy(outgoing) on requestLogger to verify callees validate.","Search for validation middleware: localSearchCode for guard/validate/sanitize patterns."]},"impact":"Unchecked input passed downstream can reach sinks in callees — validation gaps compound across the call chain.","tags":["security","input-validation","passthrough"],"lspHints":[{"tool":"lspCallHierarchy","symbolName":"requestLogger","lineHint":19,"file":"src/middleware/logger.ts","expectedResult":"trace outgoing calls to verify downstream validation of req"},{"tool":"lspFindReferences","symbolName":"req","lineHint":19,"file":"src/middleware/logger.ts","expectedResult":"find all usages of req to check if validation occurs upstream"}],"ruleId":"security.input-passthrough-risk","confidence":"medium","evidence":{"category":"input-passthrough-risk","location":"src/middleware/logger.ts:19-60","sourceParameters":["req"],"sink":"getRequestId","sanitizerStatus":"missing","propagationSteps":["getRequestId:25"]},"analysisLens":"hybrid","correlatedSignals":["critical-path-context","paired:listener-leak-risk","paired:similar-function-body","paired:move-to-caller"],"recommendedValidation":{"summary":"trace outgoing calls to verify downstream validation of req","tools":["localSearchCode","lspCallHierarchy"]},"flowTrace":[{"file":"getRequestId","lineStart":25,"lineEnd":25,"label":"propagation step"}]},{"id":"AST-ISSUE-0246","severity":"medium","category":"input-passthrough-risk","file":"src/utils/logger.ts","lineStart":404,"lineEnd":413,"title":"Input passthrough without validation in sanitizeQueryParams(query)","reason":"Parameter 'query' (external input) is passed to Object.entries without validation. Downstream callees may not validate either.","files":["src/utils/logger.ts"],"suggestedFix":{"strategy":"Validate input before passing to downstream functions.","steps":["Add schema validation (e.g. zod, joi) at the entry point.","Trace downstream: lspCallHierarchy(outgoing) on sanitizeQueryParams to verify callees validate.","Search for validation middleware: localSearchCode for guard/validate/sanitize patterns."]},"impact":"Unchecked input passed downstream can reach sinks in callees — validation gaps compound across the call chain.","tags":["security","input-validation","passthrough"],"lspHints":[{"tool":"lspCallHierarchy","symbolName":"sanitizeQueryParams","lineHint":404,"file":"src/utils/logger.ts","expectedResult":"trace outgoing calls to verify downstream validation of query"},{"tool":"lspFindReferences","symbolName":"query","lineHint":404,"file":"src/utils/logger.ts","expectedResult":"find all usages of query to check if validation occurs upstream"}],"ruleId":"security.input-passthrough-risk","confidence":"medium","evidence":{"category":"input-passthrough-risk","location":"src/utils/logger.ts:404-413","sourceParameters":["query"],"sink":"Object.entries","sanitizerStatus":"missing","propagationSteps":["Object.entries:407"]},"analysisLens":"hybrid","correlatedSignals":["hot-file","critical-path-context","paired:dead-export","paired:semantic-dead-export","paired:sql-injection-risk","paired:empty-catch","paired:excessive-parameters","paired:listener-leak-risk"],"recommendedValidation":{"summary":"trace outgoing calls to verify downstream validation of query","tools":["localSearchCode","lspCallHierarchy"]},"flowTrace":[{"file":"Object.entries","lineStart":407,"lineEnd":407,"label":"propagation step"}]},{"id":"AST-ISSUE-0247","severity":"medium","category":"input-passthrough-risk","file":"src/validation/toolCallSchema.ts","lineStart":85,"lineEnd":105,"title":"Input passthrough without validation in validateToolCallBody(body)","reason":"Parameter 'body' (external input) is passed to toolCallBodySchema.safeParse without validation. Downstream callees may not validate either.","files":["src/validation/toolCallSchema.ts"],"suggestedFix":{"strategy":"Validate input before passing to downstream functions.","steps":["Add schema validation (e.g. zod, joi) at the entry point.","Trace downstream: lspCallHierarchy(outgoing) on validateToolCallBody to verify callees validate.","Search for validation middleware: localSearchCode for guard/validate/sanitize patterns."]},"impact":"Unchecked input passed downstream can reach sinks in callees — validation gaps compound across the call chain.","tags":["security","input-validation","passthrough"],"lspHints":[{"tool":"lspCallHierarchy","symbolName":"validateToolCallBody","lineHint":85,"file":"src/validation/toolCallSchema.ts","expectedResult":"trace outgoing calls to verify downstream validation of body"},{"tool":"lspFindReferences","symbolName":"body","lineHint":85,"file":"src/validation/toolCallSchema.ts","expectedResult":"find all usages of body to check if validation occurs upstream"}],"ruleId":"security.input-passthrough-risk","confidence":"medium","evidence":{"category":"input-passthrough-risk","location":"src/validation/toolCallSchema.ts:85-105","sourceParameters":["body"],"sink":"toolCallBodySchema.safeParse","sanitizerStatus":"missing","propagationSteps":["toolCallBodySchema.safeParse:86"]},"analysisLens":"hybrid","correlatedSignals":["paired:dead-export","paired:over-abstraction","paired:move-to-caller"],"recommendedValidation":{"summary":"trace outgoing calls to verify downstream validation of body","tools":["localSearchCode","lspCallHierarchy"]},"flowTrace":[{"file":"toolCallBodySchema.safeParse","lineStart":86,"lineEnd":86,"label":"propagation step"}]},{"id":"AST-ISSUE-0290","severity":"low","category":"input-passthrough-risk","file":"src/middleware/queryParser.ts","lineStart":13,"lineEnd":19,"title":"Input passthrough without validation in <anonymous>(message)","reason":"Parameter 'message' (external input) is passed to super without validation. Downstream callees may not validate either.","files":["src/middleware/queryParser.ts"],"suggestedFix":{"strategy":"Validate input before passing to downstream functions.","steps":["Add schema validation (e.g. zod, joi) at the entry point.","Trace downstream: lspCallHierarchy(outgoing) on <anonymous> to verify callees validate.","Search for validation middleware: localSearchCode for guard/validate/sanitize patterns."]},"impact":"Unchecked input passed downstream can reach sinks in callees — validation gaps compound across the call chain.","tags":["security","input-validation","passthrough"],"lspHints":[{"tool":"lspCallHierarchy","symbolName":"<anonymous>","lineHint":13,"file":"src/middleware/queryParser.ts","expectedResult":"trace outgoing calls to verify downstream validation of message"},{"tool":"lspFindReferences","symbolName":"message","lineHint":13,"file":"src/middleware/queryParser.ts","expectedResult":"find all usages of message to check if validation occurs upstream"}],"ruleId":"security.input-passthrough-risk","confidence":"low","evidence":{"category":"input-passthrough-risk","location":"src/middleware/queryParser.ts:13-19","sourceParameters":["message"],"sink":"super","sanitizerStatus":"missing","propagationSteps":["super:14"]},"analysisLens":"hybrid","correlatedSignals":["paired:dead-export","paired:semantic-dead-export","paired:unreachable-module","paired:cognitive-complexity","paired:prototype-pollution-risk"],"recommendedValidation":{"summary":"trace outgoing calls to verify downstream validation of message","tools":["localSearchCode","lspCallHierarchy"]},"flowTrace":[{"file":"super","lineStart":14,"lineEnd":14,"label":"propagation step"}]},{"id":"AST-ISSUE-0291","severity":"low","category":"input-passthrough-risk","file":"src/utils/logger.ts","lineStart":231,"lineEnd":246,"title":"Input passthrough without validation in logError(message)","reason":"Parameter 'message' (external input) is passed to formatLogEntry without validation. Downstream callees may not validate either.","files":["src/utils/logger.ts"],"suggestedFix":{"strategy":"Validate input before passing to downstream functions.","steps":["Add schema validation (e.g. zod, joi) at the entry point.","Trace downstream: lspCallHierarchy(outgoing) on logError to verify callees validate.","Search for validation middleware: localSearchCode for guard/validate/sanitize patterns."]},"impact":"Unchecked input passed downstream can reach sinks in callees — validation gaps compound across the call chain.","tags":["security","input-validation","passthrough"],"lspHints":[{"tool":"lspCallHierarchy","symbolName":"logError","lineHint":231,"file":"src/utils/logger.ts","expectedResult":"trace outgoing calls to verify downstream validation of message"},{"tool":"lspFindReferences","symbolName":"message","lineHint":231,"file":"src/utils/logger.ts","expectedResult":"find all usages of message to check if validation occurs upstream"}],"ruleId":"security.input-passthrough-risk","confidence":"low","evidence":{"category":"input-passthrough-risk","location":"src/utils/logger.ts:231-246","sourceParameters":["message"],"sink":"formatLogEntry","sanitizerStatus":"missing","propagationSteps":["formatLogEntry:237"]},"analysisLens":"hybrid","correlatedSignals":["hot-file","critical-path-context","paired:dead-export","paired:semantic-dead-export","paired:sql-injection-risk","paired:empty-catch","paired:excessive-parameters","paired:listener-leak-risk"],"recommendedValidation":{"summary":"trace outgoing calls to verify downstream validation of message","tools":["localSearchCode","lspCallHierarchy"]},"flowTrace":[{"file":"formatLogEntry","lineStart":237,"lineEnd":237,"label":"propagation step"}]},{"id":"AST-ISSUE-0292","severity":"low","category":"input-passthrough-risk","file":"src/utils/logger.ts","lineStart":251,"lineEnd":256,"title":"Input passthrough without validation in logWarn(message, data)","reason":"Parameters 'message', 'data' (external input) are passed to formatLogEntry without validation. Downstream callees may not validate either.","files":["src/utils/logger.ts"],"suggestedFix":{"strategy":"Validate input before passing to downstream functions.","steps":["Add schema validation (e.g. zod, joi) at the entry point.","Trace downstream: lspCallHierarchy(outgoing) on logWarn to verify callees validate.","Search for validation middleware: localSearchCode for guard/validate/sanitize patterns."]},"impact":"Unchecked input passed downstream can reach sinks in callees — validation gaps compound across the call chain.","tags":["security","input-validation","passthrough"],"lspHints":[{"tool":"lspCallHierarchy","symbolName":"logWarn","lineHint":251,"file":"src/utils/logger.ts","expectedResult":"trace outgoing calls to verify downstream validation of message, data"},{"tool":"lspFindReferences","symbolName":"message","lineHint":251,"file":"src/utils/logger.ts","expectedResult":"find all usages of message to check if validation occurs upstream"}],"ruleId":"security.input-passthrough-risk","confidence":"low","evidence":{"category":"input-passthrough-risk","location":"src/utils/logger.ts:251-256","sourceParameters":["message","data"],"sink":"formatLogEntry","sanitizerStatus":"missing","propagationSteps":["formatLogEntry:252","formatLogEntry:252"]},"analysisLens":"hybrid","correlatedSignals":["hot-file","critical-path-context","paired:dead-export","paired:semantic-dead-export","paired:sql-injection-risk","paired:empty-catch","paired:excessive-parameters","paired:listener-leak-risk"],"recommendedValidation":{"summary":"trace outgoing calls to verify downstream validation of message, data","tools":["localSearchCode","lspCallHierarchy"]},"flowTrace":[{"file":"formatLogEntry","lineStart":252,"lineEnd":252,"label":"propagation step"},{"file":"formatLogEntry","lineStart":252,"lineEnd":252,"label":"propagation step"}]},{"id":"AST-ISSUE-0372","severity":"low","category":"prototype-pollution-risk","file":"src/middleware/queryParser.ts","lineStart":64,"lineEnd":64,"title":"Prototype pollution risk: computed-property-write (guarded)","reason":"Dynamic bracket assignment: cleanedQuery[key] — guards detected (internal iteration or key check), likely false positive. Verify the key variable does not trace to external input.","files":["src/middleware/queryParser.ts"],"suggestedFix":{"strategy":"Guard against __proto__, constructor, and prototype keys before merging.","steps":["Validate keys: reject \"__proto__\", \"constructor\", \"prototype\" before assignment.","Use Object.create(null) as the target for merges when possible.","Replace custom deep-merge with a hardened library (e.g. lodash.merge with prototype guard).","For Object.assign, ensure the source is sanitized or use structuredClone()."]},"impact":"Prototype pollution can override built-in methods, bypass security checks, or achieve remote code execution.","tags":["security","prototype-pollution","injection"],"lspHints":[{"tool":"lspCallHierarchy","symbolName":"bracket-assignment","lineHint":64,"file":"src/middleware/queryParser.ts","expectedResult":"trace callers to determine if user-controlled data reaches this site — if key comes from Object.keys() on internal object, dismiss as false positive"}],"ruleId":"security.prototype-pollution-risk","confidence":"low","evidence":{"category":"prototype-pollution-risk","location":"src/middleware/queryParser.ts:64-64","source":"computed-property-write","sink":"Dynamic bracket assignment: cleanedQuery[key]","guarded":true,"sanitizerStatus":"present","propagationSteps":["src/middleware/queryParser.ts:64"]},"analysisLens":"hybrid","correlatedSignals":["paired:dead-export","paired:semantic-dead-export","paired:unreachable-module","paired:cognitive-complexity","paired:input-passthrough-risk"],"recommendedValidation":{"summary":"trace callers to determine if user-controlled data reaches this site — if key comes from Object.keys() on internal object, dismiss as false positive","tools":["localSearchCode","lspCallHierarchy"]},"flowTrace":[{"file":"src/middleware/queryParser.ts","lineStart":64,"lineEnd":64,"label":"propagation step"}]},{"id":"AST-ISSUE-0373","severity":"low","category":"prototype-pollution-risk","file":"src/routes/tools.ts","lineStart":437,"lineEnd":437,"title":"Prototype pollution risk: computed-property-write (guarded)","reason":"Dynamic bracket assignment: schemas[toolName] — guards detected (internal iteration or key check), likely false positive. Verify the key variable does not trace to external input.","files":["src/routes/tools.ts"],"suggestedFix":{"strategy":"Guard against __proto__, constructor, and prototype keys before merging.","steps":["Validate keys: reject \"__proto__\", \"constructor\", \"prototype\" before assignment.","Use Object.create(null) as the target for merges when possible.","Replace custom deep-merge with a hardened library (e.g. lodash.merge with prototype guard).","For Object.assign, ensure the source is sanitized or use structuredClone()."]},"impact":"Prototype pollution can override built-in methods, bypass security checks, or achieve remote code execution.","tags":["security","prototype-pollution","injection"],"lspHints":[{"tool":"lspCallHierarchy","symbolName":"bracket-assignment","lineHint":437,"file":"src/routes/tools.ts","expectedResult":"trace callers to determine if user-controlled data reaches this site — if key comes from Object.keys() on internal object, dismiss as false positive"}],"ruleId":"security.prototype-pollution-risk","confidence":"low","evidence":{"category":"prototype-pollution-risk","location":"src/routes/tools.ts:437-437","source":"computed-property-write","sink":"Dynamic bracket assignment: schemas[toolName]","guarded":true,"sanitizerStatus":"present","propagationSteps":["src/routes/tools.ts:437"]},"analysisLens":"hybrid","correlatedSignals":["hot-file","critical-path-context","paired:hardcoded-secret","paired:untested-critical-code","paired:unvalidated-input-sink","paired:listener-leak-risk","paired:over-abstraction","paired:type-assertion-escape"],"recommendedValidation":{"summary":"trace callers to determine if user-controlled data reaches this site — if key comes from Object.keys() on internal object, dismiss as false positive","tools":["localSearchCode","lspCallHierarchy"]},"flowTrace":[{"file":"src/routes/tools.ts","lineStart":437,"lineEnd":437,"label":"propagation step"}]},{"id":"AST-ISSUE-0374","severity":"low","category":"prototype-pollution-risk","file":"src/types/mcp.ts","lineStart":94,"lineEnd":94,"title":"Prototype pollution risk: computed-property-write (guarded)","reason":"Dynamic bracket assignment: properties[key] — guards detected (internal iteration or key check), likely false positive. Verify the key variable does not trace to external input.","files":["src/types/mcp.ts"],"suggestedFix":{"strategy":"Guard against __proto__, constructor, and prototype keys before merging.","steps":["Validate keys: reject \"__proto__\", \"constructor\", \"prototype\" before assignment.","Use Object.create(null) as the target for merges when possible.","Replace custom deep-merge with a hardened library (e.g. lodash.merge with prototype guard).","For Object.assign, ensure the source is sanitized or use structuredClone()."]},"impact":"Prototype pollution can override built-in methods, bypass security checks, or achieve remote code execution.","tags":["security","prototype-pollution","injection"],"lspHints":[{"tool":"lspCallHierarchy","symbolName":"bracket-assignment","lineHint":94,"file":"src/types/mcp.ts","expectedResult":"trace callers to determine if user-controlled data reaches this site — if key comes from Object.keys() on internal object, dismiss as false positive"}],"ruleId":"security.prototype-pollution-risk","confidence":"low","evidence":{"category":"prototype-pollution-risk","location":"src/types/mcp.ts:94-94","source":"computed-property-write","sink":"Dynamic bracket assignment: properties[key]","guarded":true,"sanitizerStatus":"present","propagationSteps":["src/types/mcp.ts:94"]},"analysisLens":"hybrid","correlatedSignals":["paired:semantic-dead-export","paired:dead-export","paired:over-abstraction","paired:move-to-caller"],"recommendedValidation":{"summary":"trace callers to determine if user-controlled data reaches this site — if key comes from Object.keys() on internal object, dismiss as false positive","tools":["localSearchCode","lspCallHierarchy"]},"flowTrace":[{"file":"src/types/mcp.ts","lineStart":94,"lineEnd":94,"label":"propagation step"}]},{"id":"AST-ISSUE-0375","severity":"low","category":"prototype-pollution-risk","file":"src/utils/logger.ts","lineStart":409,"lineEnd":409,"title":"Prototype pollution risk: computed-property-write (guarded)","reason":"Dynamic bracket assignment: sanitized[key] — guards detected (internal iteration or key check), likely false positive. Verify the key variable does not trace to external input.","files":["src/utils/logger.ts"],"suggestedFix":{"strategy":"Guard against __proto__, constructor, and prototype keys before merging.","steps":["Validate keys: reject \"__proto__\", \"constructor\", \"prototype\" before assignment.","Use Object.create(null) as the target for merges when possible.","Replace custom deep-merge with a hardened library (e.g. lodash.merge with prototype guard).","For Object.assign, ensure the source is sanitized or use structuredClone()."]},"impact":"Prototype pollution can override built-in methods, bypass security checks, or achieve remote code execution.","tags":["security","prototype-pollution","injection"],"lspHints":[{"tool":"lspCallHierarchy","symbolName":"bracket-assignment","lineHint":409,"file":"src/utils/logger.ts","expectedResult":"trace callers to determine if user-controlled data reaches this site — if key comes from Object.keys() on internal object, dismiss as false positive"}],"ruleId":"security.prototype-pollution-risk","confidence":"low","evidence":{"category":"prototype-pollution-risk","location":"src/utils/logger.ts:409-409","source":"computed-property-write","sink":"Dynamic bracket assignment: sanitized[key]","guarded":true,"sanitizerStatus":"present","propagationSteps":["src/utils/logger.ts:409"]},"analysisLens":"hybrid","correlatedSignals":["hot-file","critical-path-context","paired:dead-export","paired:semantic-dead-export","paired:sql-injection-risk","paired:empty-catch","paired:excessive-parameters","paired:input-passthrough-risk"],"recommendedValidation":{"summary":"trace callers to determine if user-controlled data reaches this site — if key comes from Object.keys() on internal object, dismiss as false positive","tools":["localSearchCode","lspCallHierarchy"]},"flowTrace":[{"file":"src/utils/logger.ts","lineStart":409,"lineEnd":409,"label":"propagation step"}]}],"findingsCount":22,"severityBreakdown":{"critical":0,"high":12,"medium":3,"low":7,"info":0},"categoryBreakdown":{"hardcoded-secret":1,"prototype-pollution-risk":6,"sql-injection-risk":2,"unvalidated-input-sink":7,"input-passthrough-risk":6}}

package/skills/octocode-research/.octocode/scan/2026-03-22T10-32-27-073Z/summary.json

@@ -0,0 +1 @@
+{"schemaVersion":"1.1.0","generatedAt":"2026-03-22T10:32:30.560Z","repoRoot":"/Users/guybary/Documents/octocode-mcp/skills/octocode-research","options":{"minFunctionStatements":6,"minFlowStatements":6,"root":"/Users/guybary/Documents/octocode-mcp/skills/octocode-research","includeTests":false,"emitTree":true,"json":false,"graph":true,"out":null,"treeDepth":4,"findingsLimit":null,"parser":"auto","criticalComplexityThreshold":30,"deepLinkTopN":12,"packageRoot":"/Users/guybary/Documents/octocode-mcp/skills/octocode-research/packages","ignoreDirs":[".git",".next",".yarn",".cache",".octocode","node_modules","dist","coverage","out"],"couplingThreshold":15,"fanInThreshold":20,"fanOutThreshold":15,"godModuleStatements":500,"godModuleExports":20,"godFunctionStatements":100,"godFunctionMiThreshold":10,"cognitiveComplexityThreshold":15,"barrelSymbolThreshold":30,"layerOrder":[],"parameterThreshold":5,"halsteadEffortThreshold":500000,"maintainabilityIndexThreshold":20,"anyThreshold":5,"flowDupThreshold":3,"maxRecsPerCategory":2,"features":null,"scope":["/Users/guybary/Documents/octocode-mcp/skills/octocode-research/src"],"scopeSymbols":null,"noCache":false,"clearCache":false,"semantic":true,"overrideChainThreshold":3,"shotgunThreshold":8,"sdpMinDelta":0.15,"sdpMaxSourceInstability":0.6,"secretEntropyThreshold":4.5,"secretMinLength":20,"similarityThreshold":0.85,"mockThreshold":10,"noDiversify":false,"graphAdvanced":false,"flow":true},"parser":{"requested":"auto","effective":"typescript (primary) + tree-sitter (node count)","treeSitterAvailable":true,"treeSitterError":null},"summary":{"totalPackages":1,"totalFiles":36,"totalNodes":22378,"totalFunctions":283,"totalFlows":372,"totalDependencyFiles":52,"byPackage":{"octocode-skill":{"files":36,"nodes":22414,"functions":283,"flows":372,"topKinds":[["Identifier",7734],["PropertyAccessExpression",1442],["CallExpression",1221],["PropertyAssignment",1027],["StringLiteral",968],["BinaryExpression",550],["Block",439],["VariableDeclaration",431]],"rootPath":"octocode-research"}}},"agentOutput":{"totalFindings":375,"totalBeforeTruncation":375,"droppedCategories":[],"findingStats":{"overall":{"totalFindings":375,"severityBreakdown":{"critical":8,"high":133,"medium":148,"low":86,"info":0}},"pillars":{"architecture":{"totalFindings":68,"severityBreakdown":{"critical":8,"high":32,"medium":28,"low":0,"info":0}},"code-quality":{"totalFindings":45,"severityBreakdown":{"critical":0,"high":10,"medium":31,"low":4,"info":0}},"dead-code":{"totalFindings":240,"severityBreakdown":{"critical":0,"high":79,"medium":86,"low":75,"info":0}},"security":{"totalFindings":22,"severityBreakdown":{"critical":0,"high":12,"medium":3,"low":7,"info":0}},"test-quality":{"totalFindings":0,"severityBreakdown":{"critical":0,"high":0,"medium":0,"low":0,"info":0}}}},"analysisSummary":{"strongestGraphSignal":{"kind":"structural-chokepoint","lens":"graph","title":"Structural chokepoint","summary":"src/utils/responseBuilder.ts concentrates dependency pressure (articulation point, 1 bridge edge(s), on critical path, high complexity risk (109)).","confidence":"high","score":53,"files":["src/utils/responseBuilder.ts"],"categories":["broker-module","bridge-module"],"evidence":{"score":53,"reasons":["articulation point","1 bridge edge(s)","on critical path","high complexity risk (109)"]}},"strongestAstSignal":{"kind":"hidden-initialization","lens":"ast","title":"Hidden initialization logic","summary":"src/server-init.ts performs import-time work that matches the reported side-effect risk.","confidence":"medium","score":75,"files":["src/server-init.ts"],"categories":["import-side-effect-risk"],"evidence":{"totalEffects":2,"highestRisk":"process-handler"}},"combinedSignals":[{"kind":"combined-interpretation","lens":"hybrid","title":"Combined interpretation","summary":"Structural chokepoint and Hidden initialization logic both appear in this scan, so use a hybrid investigation instead of a single-lens conclusion.","confidence":"medium","score":64,"files":["src/utils/responseBuilder.ts","src/server-init.ts"],"categories":["broker-module","bridge-module","import-side-effect-risk"],"evidence":{"graphKind":"structural-chokepoint","astKind":"hidden-initialization","sharedFile":null}}],"recommendedValidation":{"summary":"navigate to the awaited call to check if parallelization is safe","tools":["localSearchCode","lspGotoDefinition"]}},"highPriority":141,"mediumPriority":148,"lowPriority":86,"topRecommendations":[{"id":"AST-ISSUE-0001","file":"src/server.ts","severity":"critical","category":"dependency-critical-path","title":"Critical dependency chain risk: 6 files (2 entry points)","reason":"Potentially high-change surface: src/server.ts -> src/routes/tools.ts -> src/utils/resilience.ts -> src/utils/circuitBreaker.ts -> src/index.ts -> src/utils/responseBuilder.ts (351 weight). Also reached from: src/routes/tools.ts.","suggestedFix":{"strategy":"Break chain at `src/server.ts` (fan-out: 11, fan-in: 0).","steps":["Extract interface from `src/server.ts` — it has 11 outbound dependencies.","Downstream modules depend on the interface, not the implementation.","This splits the chain into two independent segments."]}},{"id":"AST-ISSUE-0002","file":"src/__tests__/integration/routes.test.ts","severity":"critical","category":"dependency-critical-path","title":"Critical dependency chain risk: 6 files (2 entry points)","reason":"Potentially high-change surface: src/__tests__/integration/routes.test.ts -> src/routes/lsp.ts -> src/utils/resilience.ts -> src/utils/circuitBreaker.ts -> src/index.ts -> src/utils/responseBuilder.ts (268 weight). Also reached from: src/routes/lsp.ts.","suggestedFix":{"strategy":"Break chain at `src/routes/lsp.ts` (fan-out: 7, fan-in: 1).","steps":["Extract interface from `src/routes/lsp.ts` — it has 7 outbound dependencies.","Downstream modules depend on the interface, not the implementation.","This splits the chain into two independent segments."]}},{"id":"AST-ISSUE-0008","file":"src/validation/schemas.ts","severity":"critical","category":"untested-critical-code","title":"Untested critical code: src/validation/schemas.ts","reason":"High-risk file has no test imports. fan-in=1, fan-out=1, complexity=37 (risk score: 81).","suggestedFix":{"strategy":"Add test coverage for this critical module.","steps":["Create a test file that imports and exercises the public API of this module.","Focus on the highest-complexity functions and exported behaviors first.","Add integration tests if this module sits on a critical dependency path.","Consider property-based tests for complex data transformations."]}},{"id":"AST-ISSUE-0009","file":"src/server-init.ts","severity":"high","category":"await-in-loop","title":"await inside loop — sequential async execution","reason":"Each await runs serially. For N iterations this takes N * latency instead of max(latency). Use Promise.all() or Promise.allSettled() for parallel execution.","suggestedFix":{"strategy":"Collect promises and await them in parallel with Promise.all().","steps":["Collect all async operations into an array of promises.","Use await Promise.all(promises) or Promise.allSettled(promises).","If order matters or rate limiting is needed, use a batching utility."]}},{"id":"AST-ISSUE-0010","file":"src/server-init.ts","severity":"high","category":"await-in-loop","title":"await inside loop — sequential async execution","reason":"Each await runs serially. For N iterations this takes N * latency instead of max(latency). Use Promise.all() or Promise.allSettled() for parallel execution.","suggestedFix":{"strategy":"Collect promises and await them in parallel with Promise.all().","steps":["Collect all async operations into an array of promises.","Use await Promise.all(promises) or Promise.allSettled(promises).","If order matters or rate limiting is needed, use a batching utility."]}},{"id":"AST-ISSUE-0013","file":"src/index.ts","severity":"high","category":"barrel-explosion","title":"Barrel explosion: src/index.ts","reason":"Barrel re-exports 77 symbols (threshold: 30). Large barrels hurt bundling.","suggestedFix":{"strategy":"Split barrel or use direct imports to reduce bundler cost.","steps":["Group re-exports by domain into sub-barrels.","Let consumers import directly from source modules.","Remove unused re-exports (check dead-re-export findings)."]}},{"id":"AST-ISSUE-0014","file":"src/routes/lsp.ts","severity":"high","category":"cognitive-complexity","title":"High cognitive complexity: extractLocations (36)","reason":"Function cognitive complexity is 36 (threshold: 15). Nested branches compound reading difficulty.","suggestedFix":{"strategy":"Reduce nesting and simplify control flow.","steps":["Convert nested branches into early returns / guard clauses.","Extract deeply nested blocks into named helper functions.","Replace complex boolean chains with named predicates."]}},{"id":"AST-ISSUE-0015","file":"src/routes/package.ts","severity":"high","category":"cognitive-complexity","title":"High cognitive complexity: extractPackages (33)","reason":"Function cognitive complexity is 33 (threshold: 15). Nested branches compound reading difficulty.","suggestedFix":{"strategy":"Reduce nesting and simplify control flow.","steps":["Convert nested branches into early returns / guard clauses.","Extract deeply nested blocks into named helper functions.","Replace complex boolean chains with named predicates."]}},{"id":"AST-ISSUE-0018","file":"src/middleware/queryParser.ts","severity":"high","category":"dead-export","title":"Unused export: sendToolResult","reason":"Exported symbol \"sendToolResult\" has no observed import or re-export usage in production or test files.","suggestedFix":{"strategy":"Remove or internalize unused exports.","steps":["Confirm symbol is not part of intentional public API surface.","Remove export modifier or delete symbol if truly unused.","Re-run scan and tests to ensure no hidden runtime usage."]}},{"id":"AST-ISSUE-0019","file":"src/types/errorGuards.ts","severity":"high","category":"dead-export","title":"Unused export: isErrorWithStatus","reason":"Exported symbol \"isErrorWithStatus\" has no observed import or re-export usage in production or test files.","suggestedFix":{"strategy":"Remove or internalize unused exports.","steps":["Confirm symbol is not part of intentional public API surface.","Remove export modifier or delete symbol if truly unused.","Re-run scan and tests to ensure no hidden runtime usage."]}},{"id":"AST-ISSUE-0051","file":"src/mcpCache.ts","severity":"high","category":"distance-from-main-sequence","title":"Distance from Main Sequence: src/mcpCache.ts (D=1.00)","reason":"Zone of Pain (concrete + stable): hard to extend, painful to change. A=0.00, I=0.00, D=1.00 (threshold: 0.7).","suggestedFix":{"strategy":"Add abstractions (interfaces/types) or reduce inbound coupling.","steps":["Extract interfaces for key behaviors to increase abstractness.","Consider splitting into abstract contracts + concrete implementations.","Reduce inbound coupling by narrowing the public API surface."]}},{"id":"AST-ISSUE-0052","file":"src/types/guards.ts","severity":"high","category":"distance-from-main-sequence","title":"Distance from Main Sequence: src/types/guards.ts (D=1.00)","reason":"Zone of Pain (concrete + stable): hard to extend, painful to change. A=0.00, I=0.00, D=1.00 (threshold: 0.7).","suggestedFix":{"strategy":"Add abstractions (interfaces/types) or reduce inbound coupling.","steps":["Extract interfaces for key behaviors to increase abstractness.","Consider splitting into abstract contracts + concrete implementations.","Reduce inbound coupling by narrowing the public API surface."]}},{"id":"AST-ISSUE-0058","file":"src/validation/index.ts","severity":"high","category":"export-star-leak","title":"export * leaks entire module surface: ./schemas.js","reason":"`export * from './schemas.js'` re-exports every symbol from the source, defeating granular tree-shaking. Target exports 39 symbols.","suggestedFix":{"strategy":"Replace export * with explicit named re-exports.","steps":["List the symbols actually consumed from `./schemas.js` by downstream modules.","Replace `export * from './schemas.js'` with `export { A, B, C } from './schemas.js'`.","This lets bundlers eliminate unused re-exports during tree-shaking."]}},{"id":"AST-ISSUE-0059","file":"src/utils/retry.ts","severity":"high","category":"feature-envy","title":"Feature envy: src/utils/retry.ts → src/types/errorGuards.ts","reason":"Module imports 5/5 symbols (100%) from \"src/types/errorGuards.ts\". This suggests the logic may belong in or closer to the target module.","suggestedFix":{"strategy":"Move dependent logic to the target module or extract a shared module.","steps":["Identify which functions/logic in this file use the imported symbols.","Move that logic to the target module if it belongs there.","If shared, extract a dedicated module that both can import from.","Reduce the import surface by passing data instead of importing behaviors."]}},{"id":"AST-ISSUE-0060","file":"src/validation/schemas.ts","severity":"high","category":"feature-envy","title":"Feature envy: src/validation/schemas.ts → src/validation/httpPreprocess.ts","reason":"Module imports 7/7 symbols (100%) from \"src/validation/httpPreprocess.ts\". This suggests the logic may belong in or closer to the target module.","suggestedFix":{"strategy":"Move dependent logic to the target module or extract a shared module.","steps":["Identify which functions/logic in this file use the imported symbols.","Move that logic to the target module if it belongs there.","If shared, extract a dedicated module that both can import from.","Reduce the import surface by passing data instead of importing behaviors."]}},{"id":"AST-ISSUE-0061","file":"src/validation/schemas.ts","severity":"high","category":"god-module","title":"God module: src/validation/schemas.ts","reason":"Module is excessively large: 39 exports (threshold: 20).","suggestedFix":{"strategy":"Split module into focused sub-modules with single responsibilities.","steps":["Identify distinct functional groups within the module.","Extract each group into a dedicated module.","Create a barrel if backward compatibility is needed.","Update imports incrementally."]}},{"id":"AST-ISSUE-0062","file":"src/routes/tools.ts","severity":"high","category":"hardcoded-secret","title":"Potential hardcoded secret","reason":"String literal matches a secret pattern (password, API key, token, high-entropy string). Secrets in source code risk credential leaks. Validate: use localSearchCode to find the variable, then lspFindReferences to check if it is used in auth or network calls.","suggestedFix":{"strategy":"Move secret to environment variable or secrets manager.","steps":["Replace the hardcoded value with process.env.YOUR_SECRET.","Add the variable to your .env file (excluded from git).","Verify the secret is not committed in git history."]}},{"id":"AST-ISSUE-0063","file":"src/routes/tools.ts","severity":"high","category":"prototype-pollution-risk","title":"Prototype pollution risk: computed-property-write","reason":"Dynamic bracket assignment: schemas[toolName]","suggestedFix":{"strategy":"Guard against __proto__, constructor, and prototype keys before merging.","steps":["Validate keys: reject \"__proto__\", \"constructor\", \"prototype\" before assignment.","Use Object.create(null) as the target for merges when possible.","Replace custom deep-merge with a hardened library (e.g. lodash.merge with prototype guard).","For Object.assign, ensure the source is sanitized or use structuredClone()."]}},{"id":"AST-ISSUE-0064","file":"src/utils/circuitBreaker.ts","severity":"high","category":"prototype-pollution-risk","title":"Prototype pollution risk: computed-property-write","reason":"Dynamic bracket assignment: states[name]","suggestedFix":{"strategy":"Guard against __proto__, constructor, and prototype keys before merging.","steps":["Validate keys: reject \"__proto__\", \"constructor\", \"prototype\" before assignment.","Use Object.create(null) as the target for merges when possible.","Replace custom deep-merge with a hardened library (e.g. lodash.merge with prototype guard).","For Object.assign, ensure the source is sanitized or use structuredClone()."]}},{"id":"AST-ISSUE-0065","file":"src/middleware/queryParser.ts","severity":"high","category":"semantic-dead-export","title":"Semantically dead export: sendToolResult","reason":"Exported symbol \"sendToolResult\" has zero semantic references across the entire program (confirmed via TypeChecker, not just import matching).","suggestedFix":{"strategy":"Remove the export or delete the symbol if unused internally.","steps":["Verify the symbol is not used via dynamic imports or runtime reflection.","Remove the export keyword, or delete the symbol entirely if also unused locally.","Re-run scan to confirm finding is resolved."]}}],"filesWithIssues":[{"file":"src/server.ts","issueCount":8,"issueIds":["AST-ISSUE-0001","AST-ISSUE-0127","AST-ISSUE-0244","AST-ISSUE-0251","AST-ISSUE-0258","AST-ISSUE-0288","AST-ISSUE-0301","AST-ISSUE-0302"]},{"file":"src/__tests__/integration/routes.test.ts","issueCount":1,"issueIds":["AST-ISSUE-0002"]},{"file":"src/routes/package.ts","issueCount":6,"issueIds":["AST-ISSUE-0003","AST-ISSUE-0015","AST-ISSUE-0117","AST-ISSUE-0136","AST-ISSUE-0235","AST-ISSUE-0300"]},{"file":"src/routes/github.ts","issueCount":4,"issueIds":["AST-ISSUE-0004","AST-ISSUE-0114","AST-ISSUE-0232","AST-ISSUE-0297"]},{"file":"src/routes/local.ts","issueCount":5,"issueIds":["AST-ISSUE-0005","AST-ISSUE-0115","AST-ISSUE-0233","AST-ISSUE-0279","AST-ISSUE-0298"]},{"file":"src/__tests__/integration/circuitBreaker.test.ts","issueCount":1,"issueIds":["AST-ISSUE-0006"]},{"file":"src/__tests__/unit/circuitBreaker.test.ts","issueCount":1,"issueIds":["AST-ISSUE-0007"]},{"file":"src/validation/schemas.ts","issueCount":16,"issueIds":["AST-ISSUE-0008","AST-ISSUE-0060","AST-ISSUE-0061","AST-ISSUE-0097","AST-ISSUE-0098","AST-ISSUE-0099","AST-ISSUE-0100","AST-ISSUE-0101","AST-ISSUE-0102","AST-ISSUE-0103","AST-ISSUE-0104","AST-ISSUE-0105","AST-ISSUE-0106","AST-ISSUE-0107","AST-ISSUE-0108","AST-ISSUE-0109"]},{"file":"src/server-init.ts","issueCount":10,"issueIds":["AST-ISSUE-0009","AST-ISSUE-0010","AST-ISSUE-0118","AST-ISSUE-0134","AST-ISSUE-0172","AST-ISSUE-0236","AST-ISSUE-0243","AST-ISSUE-0250","AST-ISSUE-0257","AST-ISSUE-0259"]},{"file":"src/utils/retry.ts","issueCount":11,"issueIds":["AST-ISSUE-0011","AST-ISSUE-0012","AST-ISSUE-0046","AST-ISSUE-0047","AST-ISSUE-0048","AST-ISSUE-0049","AST-ISSUE-0059","AST-ISSUE-0092","AST-ISSUE-0093","AST-ISSUE-0094","AST-ISSUE-0095"]},{"file":"src/index.ts","issueCount":59,"issueIds":["AST-ISSUE-0013","AST-ISSUE-0133","AST-ISSUE-0175","AST-ISSUE-0176","AST-ISSUE-0177","AST-ISSUE-0178","AST-ISSUE-0179","AST-ISSUE-0180","AST-ISSUE-0181","AST-ISSUE-0182","AST-ISSUE-0183","AST-ISSUE-0184","AST-ISSUE-0185","AST-ISSUE-0186","AST-ISSUE-0187","AST-ISSUE-0188","AST-ISSUE-0189","AST-ISSUE-0190","AST-ISSUE-0191","AST-ISSUE-0192","AST-ISSUE-0193","AST-ISSUE-0194","AST-ISSUE-0195","AST-ISSUE-0196","AST-ISSUE-0197","AST-ISSUE-0198","AST-ISSUE-0199","AST-ISSUE-0200","AST-ISSUE-0201","AST-ISSUE-0202","AST-ISSUE-0203","AST-ISSUE-0204","AST-ISSUE-0205","AST-ISSUE-0206","AST-ISSUE-0207","AST-ISSUE-0208","AST-ISSUE-0209","AST-ISSUE-0210","AST-ISSUE-0211","AST-ISSUE-0212","AST-ISSUE-0213","AST-ISSUE-0214","AST-ISSUE-0215","AST-ISSUE-0216","AST-ISSUE-0217","AST-ISSUE-0218","AST-ISSUE-0219","AST-ISSUE-0220","AST-ISSUE-0221","AST-ISSUE-0222","AST-ISSUE-0223","AST-ISSUE-0224","AST-ISSUE-0225","AST-ISSUE-0226","AST-ISSUE-0227","AST-ISSUE-0228","AST-ISSUE-0229","AST-ISSUE-0230","AST-ISSUE-0231"]},{"file":"src/routes/lsp.ts","issueCount":5,"issueIds":["AST-ISSUE-0014","AST-ISSUE-0116","AST-ISSUE-0145","AST-ISSUE-0234","AST-ISSUE-0299"]},{"file":"src/utils/responseParser.ts","issueCount":15,"issueIds":["AST-ISSUE-0016","AST-ISSUE-0017","AST-ISSUE-0045","AST-ISSUE-0091","AST-ISSUE-0131","AST-ISSUE-0166","AST-ISSUE-0167","AST-ISSUE-0168","AST-ISSUE-0271","AST-ISSUE-0272","AST-ISSUE-0273","AST-ISSUE-0349","AST-ISSUE-0350","AST-ISSUE-0351","AST-ISSUE-0352"]},{"file":"src/middleware/queryParser.ts","issueCount":6,"issueIds":["AST-ISSUE-0018","AST-ISSUE-0065","AST-ISSUE-0113","AST-ISSUE-0144","AST-ISSUE-0290","AST-ISSUE-0372"]},{"file":"src/types/errorGuards.ts","issueCount":23,"issueIds":["AST-ISSUE-0019","AST-ISSUE-0020","AST-ISSUE-0021","AST-ISSUE-0022","AST-ISSUE-0023","AST-ISSUE-0024","AST-ISSUE-0128","AST-ISSUE-0147","AST-ISSUE-0148","AST-ISSUE-0149","AST-ISSUE-0303","AST-ISSUE-0304","AST-ISSUE-0305","AST-ISSUE-0306","AST-ISSUE-0307","AST-ISSUE-0308","AST-ISSUE-0309","AST-ISSUE-0310","AST-ISSUE-0311","AST-ISSUE-0312","AST-ISSUE-0313","AST-ISSUE-0314","AST-ISSUE-0315"]},{"file":"src/types/guards.ts","issueCount":14,"issueIds":["AST-ISSUE-0025","AST-ISSUE-0026","AST-ISSUE-0027","AST-ISSUE-0028","AST-ISSUE-0052","AST-ISSUE-0066","AST-ISSUE-0067","AST-ISSUE-0068","AST-ISSUE-0119","AST-ISSUE-0126","AST-ISSUE-0316","AST-ISSUE-0317","AST-ISSUE-0318","AST-ISSUE-0368"]},{"file":"src/types/responses.ts","issueCount":18,"issueIds":["AST-ISSUE-0029","AST-ISSUE-0030","AST-ISSUE-0071","AST-ISSUE-0072","AST-ISSUE-0073","AST-ISSUE-0074","AST-ISSUE-0075","AST-ISSUE-0120","AST-ISSUE-0157","AST-ISSUE-0158","AST-ISSUE-0159","AST-ISSUE-0160","AST-ISSUE-0265","AST-ISSUE-0266","AST-ISSUE-0325","AST-ISSUE-0326","AST-ISSUE-0327","AST-ISSUE-0328"]},{"file":"src/types/toolTypes.ts","issueCount":10,"issueIds":["AST-ISSUE-0031","AST-ISSUE-0076","AST-ISSUE-0121","AST-ISSUE-0161","AST-ISSUE-0162","AST-ISSUE-0173","AST-ISSUE-0260","AST-ISSUE-0267","AST-ISSUE-0329","AST-ISSUE-0330"]},{"file":"src/utils/circuitBreaker.ts","issueCount":16,"issueIds":["AST-ISSUE-0032","AST-ISSUE-0033","AST-ISSUE-0064","AST-ISSUE-0077","AST-ISSUE-0078","AST-ISSUE-0079","AST-ISSUE-0080","AST-ISSUE-0268","AST-ISSUE-0287","AST-ISSUE-0289","AST-ISSUE-0332","AST-ISSUE-0333","AST-ISSUE-0334","AST-ISSUE-0335","AST-ISSUE-0336","AST-ISSUE-0337"]},{"file":"src/utils/logEmoji.ts","issueCount":11,"issueIds":["AST-ISSUE-0034","AST-ISSUE-0035","AST-ISSUE-0036","AST-ISSUE-0081","AST-ISSUE-0122","AST-ISSUE-0163","AST-ISSUE-0174","AST-ISSUE-0261","AST-ISSUE-0340","AST-ISSUE-0341","AST-ISSUE-0342"]},{"file":"src/utils/logger.ts","issueCount":33,"issueIds":["AST-ISSUE-0037","AST-ISSUE-0038","AST-ISSUE-0039","AST-ISSUE-0040","AST-ISSUE-0041","AST-ISSUE-0082","AST-ISSUE-0083","AST-ISSUE-0084","AST-ISSUE-0085","AST-ISSUE-0086","AST-ISSUE-0111","AST-ISSUE-0112","AST-ISSUE-0164","AST-ISSUE-0237","AST-ISSUE-0238","AST-ISSUE-0239","AST-ISSUE-0240","AST-ISSUE-0246","AST-ISSUE-0253","AST-ISSUE-0255","AST-ISSUE-0276","AST-ISSUE-0282","AST-ISSUE-0283","AST-ISSUE-0284","AST-ISSUE-0285","AST-ISSUE-0291","AST-ISSUE-0292","AST-ISSUE-0343","AST-ISSUE-0344","AST-ISSUE-0345","AST-ISSUE-0346","AST-ISSUE-0347","AST-ISSUE-0375"]},{"file":"src/utils/responseFactory.ts","issueCount":14,"issueIds":["AST-ISSUE-0042","AST-ISSUE-0043","AST-ISSUE-0044","AST-ISSUE-0088","AST-ISSUE-0089","AST-ISSUE-0090","AST-ISSUE-0123","AST-ISSUE-0130","AST-ISSUE-0142","AST-ISSUE-0242","AST-ISSUE-0348","AST-ISSUE-0369","AST-ISSUE-0370","AST-ISSUE-0371"]},{"file":"src/validation/toolCallSchema.ts","issueCount":11,"issueIds":["AST-ISSUE-0050","AST-ISSUE-0170","AST-ISSUE-0171","AST-ISSUE-0247","AST-ISSUE-0274","AST-ISSUE-0362","AST-ISSUE-0363","AST-ISSUE-0364","AST-ISSUE-0365","AST-ISSUE-0366","AST-ISSUE-0367"]},{"file":"src/mcpCache.ts","issueCount":5,"issueIds":["AST-ISSUE-0051","AST-ISSUE-0254","AST-ISSUE-0256","AST-ISSUE-0275","AST-ISSUE-0293"]},{"file":"src/utils/asyncTimeout.ts","issueCount":3,"issueIds":["AST-ISSUE-0053","AST-ISSUE-0252","AST-ISSUE-0331"]},{"file":"src/utils/colors.ts","issueCount":4,"issueIds":["AST-ISSUE-0054","AST-ISSUE-0132","AST-ISSUE-0338","AST-ISSUE-0339"]},{"file":"src/utils/errorQueue.ts","issueCount":2,"issueIds":["AST-ISSUE-0055","AST-ISSUE-0269"]},{"file":"src/utils/responseBuilder.ts","issueCount":6,"issueIds":["AST-ISSUE-0056","AST-ISSUE-0110","AST-ISSUE-0146","AST-ISSUE-0270","AST-ISSUE-0280","AST-ISSUE-0281"]},{"file":"src/validation/httpPreprocess.ts","issueCount":10,"issueIds":["AST-ISSUE-0057","AST-ISSUE-0096","AST-ISSUE-0354","AST-ISSUE-0355","AST-ISSUE-0356","AST-ISSUE-0357","AST-ISSUE-0358","AST-ISSUE-0359","AST-ISSUE-0360","AST-ISSUE-0361"]},{"file":"src/validation/index.ts","issueCount":4,"issueIds":["AST-ISSUE-0058","AST-ISSUE-0143","AST-ISSUE-0241","AST-ISSUE-0277"]},{"file":"src/routes/tools.ts","issueCount":10,"issueIds":["AST-ISSUE-0062","AST-ISSUE-0063","AST-ISSUE-0125","AST-ISSUE-0138","AST-ISSUE-0139","AST-ISSUE-0140","AST-ISSUE-0249","AST-ISSUE-0262","AST-ISSUE-0286","AST-ISSUE-0373"]},{"file":"src/types/mcp.ts","issueCount":18,"issueIds":["AST-ISSUE-0069","AST-ISSUE-0070","AST-ISSUE-0150","AST-ISSUE-0151","AST-ISSUE-0152","AST-ISSUE-0153","AST-ISSUE-0154","AST-ISSUE-0155","AST-ISSUE-0156","AST-ISSUE-0263","AST-ISSUE-0264","AST-ISSUE-0319","AST-ISSUE-0320","AST-ISSUE-0321","AST-ISSUE-0322","AST-ISSUE-0323","AST-ISSUE-0324","AST-ISSUE-0374"]},{"file":"src/utils/resilience.ts","issueCount":3,"issueIds":["AST-ISSUE-0087","AST-ISSUE-0129","AST-ISSUE-0165"]},{"file":"src/utils/routeFactory.ts","issueCount":4,"issueIds":["AST-ISSUE-0124","AST-ISSUE-0141","AST-ISSUE-0169","AST-ISSUE-0353"]},{"file":"src/middleware/errorHandler.ts","issueCount":3,"issueIds":["AST-ISSUE-0135","AST-ISSUE-0294","AST-ISSUE-0295"]},{"file":"src/routes/prompts.ts","issueCount":1,"issueIds":["AST-ISSUE-0137"]},{"file":"src/middleware/logger.ts","issueCount":4,"issueIds":["AST-ISSUE-0245","AST-ISSUE-0248","AST-ISSUE-0278","AST-ISSUE-0296"]}]},"analysisSummary":{"graphSignals":[{"kind":"structural-chokepoint","lens":"graph","title":"Structural chokepoint","summary":"src/utils/responseBuilder.ts concentrates dependency pressure (articulation point, 1 bridge edge(s), on critical path, high complexity risk (109)).","confidence":"high","score":53,"files":["src/utils/responseBuilder.ts"],"categories":["broker-module","bridge-module"],"evidence":{"score":53,"reasons":["articulation point","1 bridge edge(s)","on critical path","high complexity risk (109)"]}}],"astSignals":[{"kind":"hidden-initialization","lens":"ast","title":"Hidden initialization logic","summary":"src/server-init.ts performs import-time work that matches the reported side-effect risk.","confidence":"medium","score":75,"files":["src/server-init.ts"],"categories":["import-side-effect-risk"],"evidence":{"totalEffects":2,"highestRisk":"process-handler"}},{"kind":"hidden-initialization","lens":"ast","title":"Hidden initialization logic","summary":"src/server.ts performs import-time work that matches the reported side-effect risk.","confidence":"medium","score":75,"files":["src/server.ts"],"categories":["import-side-effect-risk"],"evidence":{"totalEffects":2,"highestRisk":"process-handler"}}],"strongestGraphSignal":{"kind":"structural-chokepoint","lens":"graph","title":"Structural chokepoint","summary":"src/utils/responseBuilder.ts concentrates dependency pressure (articulation point, 1 bridge edge(s), on critical path, high complexity risk (109)).","confidence":"high","score":53,"files":["src/utils/responseBuilder.ts"],"categories":["broker-module","bridge-module"],"evidence":{"score":53,"reasons":["articulation point","1 bridge edge(s)","on critical path","high complexity risk (109)"]}},"strongestAstSignal":{"kind":"hidden-initialization","lens":"ast","title":"Hidden initialization logic","summary":"src/server-init.ts performs import-time work that matches the reported side-effect risk.","confidence":"medium","score":75,"files":["src/server-init.ts"],"categories":["import-side-effect-risk"],"evidence":{"totalEffects":2,"highestRisk":"process-handler"}},"combinedSignals":[{"kind":"combined-interpretation","lens":"hybrid","title":"Combined interpretation","summary":"Structural chokepoint and Hidden initialization logic both appear in this scan, so use a hybrid investigation instead of a single-lens conclusion.","confidence":"medium","score":64,"files":["src/utils/responseBuilder.ts","src/server-init.ts"],"categories":["broker-module","bridge-module","import-side-effect-risk"],"evidence":{"graphKind":"structural-chokepoint","astKind":"hidden-initialization","sharedFile":null}}],"recommendedValidation":{"summary":"navigate to the awaited call to check if parallelization is safe","tools":["localSearchCode","lspGotoDefinition"]}},"strongestGraphSignal":{"kind":"structural-chokepoint","lens":"graph","title":"Structural chokepoint","summary":"src/utils/responseBuilder.ts concentrates dependency pressure (articulation point, 1 bridge edge(s), on critical path, high complexity risk (109)).","confidence":"high","score":53,"files":["src/utils/responseBuilder.ts"],"categories":["broker-module","bridge-module"],"evidence":{"score":53,"reasons":["articulation point","1 bridge edge(s)","on critical path","high complexity risk (109)"]}},"strongestAstSignal":{"kind":"hidden-initialization","lens":"ast","title":"Hidden initialization logic","summary":"src/server-init.ts performs import-time work that matches the reported side-effect risk.","confidence":"medium","score":75,"files":["src/server-init.ts"],"categories":["import-side-effect-risk"],"evidence":{"totalEffects":2,"highestRisk":"process-handler"}},"combinedSignals":[{"kind":"combined-interpretation","lens":"hybrid","title":"Combined interpretation","summary":"Structural chokepoint and Hidden initialization logic both appear in this scan, so use a hybrid investigation instead of a single-lens conclusion.","confidence":"medium","score":64,"files":["src/utils/responseBuilder.ts","src/server-init.ts"],"categories":["broker-module","bridge-module","import-side-effect-risk"],"evidence":{"graphKind":"structural-chokepoint","astKind":"hidden-initialization","sharedFile":null}}],"recommendedValidation":{"summary":"navigate to the awaited call to check if parallelization is safe","tools":["localSearchCode","lspGotoDefinition"]},"investigationPrompts":["Inspect src/utils/responseBuilder.ts first and validate the graph claim with localSearchCode plus LSP navigation.","Use file-inventory.json for src/server-init.ts to explain why the code shape matches the finding.","Use a hybrid investigation before proposing a refactor because the signals do not fully align yet.","Cross-check the top hotspot src/utils/logger.ts with the strongest architecture finding before editing code."],"parseErrors":[],"outputFiles":{"summary":"summary.json","architecture":"architecture.json","codeQuality":"code-quality.json","deadCode":"dead-code.json","fileInventory":"file-inventory.json","findings":"findings.json","security":"security.json","graph":"graph.md","astTrees":"ast-trees.txt","summaryMd":"summary.md"}}