npm - octocode-cli - Versions diffs - 1.2.8 → 1.2.9 - Mend

octocode-cli 1.2.8 → 1.2.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (282) hide show

package/skills/octocode-research/.octocode/scan/2026-03-22T10-40-10-469Z/graph.md ADDED Viewed

@@ -0,0 +1,190 @@
+# Dependency Graph
+## Module Dependency Map
+```mermaid
+graph LR
+  src_server_ts["⚠️ src/server.ts"]
+  src_routes_package_ts["⚠️ src/…/package.ts"]
+  src_routes_tools_ts["⚠️ src/…/tools.ts"]
+  src_routes_github_ts["⚠️ src/…/github.ts"]
+  src_routes_local_ts["⚠️ src/…/local.ts"]
+  src_routes_lsp_ts["⚠️ src/…/lsp.ts"]
+  src___tests___integration_routes_test_ts["src/…/routes.test.ts"]
+  src_middleware_errorHandler_ts["src/…/errorHandler.ts"]
+  src_routes_prompts_ts["src/…/prompts.ts"]
+  src_middleware_logger_ts["src/…/logger.ts"]
+  src_utils_circuitBreaker_ts["⚠️ src/…/circuitBreaker.ts"]
+  src_utils_resilience_ts["⚠️ src/…/resilience.ts"]
+  src___tests___unit_errorHandler_test_ts["src/…/errorHandler.test.ts"]
+  src_utils_logger_ts["⚠️ src/…/logger.ts"]
+  src_utils_responseFactory_ts["⚠️ src/…/responseFactory.ts"]
+  src_index_ts["src/index.ts"]
+  src_utils_asyncTimeout_ts["⚠️ src/…/asyncTimeout.ts"]
+  src_types_guards_ts["⚠️ src/…/guards.ts"]
+  src_utils_responseBuilder_ts["⚠️ src/…/responseBuilder.ts"]
+  src_mcpCache_ts["src/mcpCache.ts"]
+  src_utils_colors_ts["src/…/colors.ts"]
+  src_validation_index_ts["src/…/index.ts"]
+  src_utils_errorQueue_ts["src/…/errorQueue.ts"]
+  src_utils_responseParser_ts["⚠️ src/…/responseParser.ts"]
+  src_utils_routeFactory_ts["src/…/routeFactory.ts"]
+  src_validation_httpPreprocess_ts["⚠️ src/…/httpPreprocess.ts"]
+  src_utils_retry_ts["⚠️ src/…/retry.ts"]
+  src_server_init_ts["⚠️ src/server-init.ts"]
+  src_server_ts --> src_index_ts
+  src_server_ts --> src_mcpCache_ts
+  src_server_ts --> src_middleware_errorHandler_ts
+  src_server_ts --> src_middleware_logger_ts
+  src_server_ts --> src_routes_prompts_ts
+  src_server_ts --> src_routes_tools_ts
+  src_server_ts --> src_utils_asyncTimeout_ts
+  src_server_ts --> src_utils_circuitBreaker_ts
+  src_server_ts --> src_utils_colors_ts
+  src_server_ts --> src_utils_errorQueue_ts
+  src_server_ts --> src_utils_logger_ts
+  src_routes_package_ts --> src_index_ts
+  src_routes_package_ts --> src_types_guards_ts
+  src_routes_package_ts --> src_utils_resilience_ts
+  src_routes_package_ts --> src_utils_responseBuilder_ts
+  src_routes_package_ts --> src_utils_responseFactory_ts
+  src_routes_package_ts --> src_utils_responseParser_ts
+  src_routes_package_ts --> src_validation_index_ts
+  src_routes_tools_ts --> src_index_ts
+  src_routes_tools_ts --> src_mcpCache_ts
+  src_routes_tools_ts --> src_utils_asyncTimeout_ts
+  src_routes_tools_ts --> src_utils_resilience_ts
+  src_routes_tools_ts --> src_utils_responseParser_ts
+  src_routes_github_ts --> src_index_ts
+  src_routes_github_ts --> src_types_guards_ts
+  src_routes_github_ts --> src_utils_resilience_ts
+  src_routes_github_ts --> src_utils_responseBuilder_ts
+  src_routes_github_ts --> src_utils_responseFactory_ts
+  src_routes_github_ts --> src_utils_routeFactory_ts
+  src_routes_github_ts --> src_validation_index_ts
+  src_routes_local_ts --> src_index_ts
+  src_routes_local_ts --> src_types_guards_ts
+  src_routes_local_ts --> src_utils_resilience_ts
+  src_routes_local_ts --> src_utils_responseBuilder_ts
+  src_routes_local_ts --> src_utils_responseFactory_ts
+  src_routes_local_ts --> src_utils_routeFactory_ts
+  src_routes_local_ts --> src_validation_index_ts
+  src_routes_lsp_ts --> src_index_ts
+  src_routes_lsp_ts --> src_types_guards_ts
+  src_routes_lsp_ts --> src_utils_resilience_ts
+  src_routes_lsp_ts --> src_utils_responseBuilder_ts
+  src_routes_lsp_ts --> src_utils_responseFactory_ts
+  src_routes_lsp_ts --> src_utils_routeFactory_ts
+  src_routes_lsp_ts --> src_validation_index_ts
+  src___tests___integration_routes_test_ts --> src_routes_github_ts
+  src___tests___integration_routes_test_ts --> src_routes_local_ts
+  src___tests___integration_routes_test_ts --> src_routes_lsp_ts
+  src___tests___integration_routes_test_ts --> src_routes_package_ts
+  src_middleware_errorHandler_ts --> src_index_ts
+  src_middleware_errorHandler_ts --> src_utils_asyncTimeout_ts
+  src_middleware_errorHandler_ts --> src_utils_logger_ts
+  src_routes_prompts_ts --> src_index_ts
+  src_routes_prompts_ts --> src_mcpCache_ts
+  src_routes_prompts_ts --> src_utils_asyncTimeout_ts
+  src_middleware_logger_ts --> src_utils_colors_ts
+  src_middleware_logger_ts --> src_utils_logger_ts
+  src_utils_circuitBreaker_ts --> src_index_ts
+  src_utils_circuitBreaker_ts --> src_utils_asyncTimeout_ts
+  src_utils_circuitBreaker_ts --> src_utils_colors_ts
+  src_utils_resilience_ts --> src_utils_asyncTimeout_ts
+  src_utils_resilience_ts --> src_utils_circuitBreaker_ts
+  src_utils_resilience_ts --> src_utils_retry_ts
+  src___tests___unit_errorHandler_test_ts --> src_middleware_errorHandler_ts
+  src___tests___unit_errorHandler_test_ts --> src_utils_asyncTimeout_ts
+  src_utils_logger_ts --> src_utils_colors_ts
+  src_utils_logger_ts --> src_utils_errorQueue_ts
+  src_utils_responseFactory_ts --> src_types_guards_ts
+  src_index_ts --> src_utils_responseBuilder_ts
+  src_utils_asyncTimeout_ts --> src_utils_errorQueue_ts
+  src_validation_index_ts --> src_validation_httpPreprocess_ts
+  src_utils_routeFactory_ts --> src_utils_responseParser_ts
+```
+## Critical Dependency Chains
+```mermaid
+graph LR
+  src_server_ts["src/server.ts"] ==> src_routes_tools_ts["src/…/tools.ts"]
+  src_routes_tools_ts["src/…/tools.ts"] ==> src_utils_resilience_ts["src/…/resilience.ts"]
+  src_utils_resilience_ts["src/…/resilience.ts"] ==> src_utils_circuitBreaker_ts["src/…/circuitBreaker.ts"]
+  src_utils_circuitBreaker_ts["src/…/circuitBreaker.ts"] ==> src_index_ts["src/index.ts"]
+  src_index_ts["src/index.ts"] ==> src_utils_responseBuilder_ts["src/…/responseBuilder.ts"]
+  src_routes_tools_ts["src/…/tools.ts"] ==> src_utils_resilience_ts["src/…/resilience.ts"]
+  src_utils_resilience_ts["src/…/resilience.ts"] ==> src_utils_circuitBreaker_ts["src/…/circuitBreaker.ts"]
+  src_utils_circuitBreaker_ts["src/…/circuitBreaker.ts"] ==> src_index_ts["src/index.ts"]
+  src_index_ts["src/index.ts"] ==> src_utils_responseBuilder_ts["src/…/responseBuilder.ts"]
+  src___tests___integration_routes_test_ts["src/…/routes.test.ts"] ==> src_routes_lsp_ts["src/…/lsp.ts"]
+  src_routes_lsp_ts["src/…/lsp.ts"] ==> src_utils_resilience_ts["src/…/resilience.ts"]
+  src_utils_resilience_ts["src/…/resilience.ts"] ==> src_utils_circuitBreaker_ts["src/…/circuitBreaker.ts"]
+  src_utils_circuitBreaker_ts["src/…/circuitBreaker.ts"] ==> src_index_ts["src/index.ts"]
+  src_index_ts["src/index.ts"] ==> src_utils_responseBuilder_ts["src/…/responseBuilder.ts"]
+  src_routes_lsp_ts["src/…/lsp.ts"] ==> src_utils_resilience_ts["src/…/resilience.ts"]
+  src_utils_resilience_ts["src/…/resilience.ts"] ==> src_utils_circuitBreaker_ts["src/…/circuitBreaker.ts"]
+  src_utils_circuitBreaker_ts["src/…/circuitBreaker.ts"] ==> src_index_ts["src/index.ts"]
+  src_index_ts["src/index.ts"] ==> src_utils_responseBuilder_ts["src/…/responseBuilder.ts"]
+  src_routes_github_ts["src/…/github.ts"] ==> src_utils_resilience_ts["src/…/resilience.ts"]
+  src_utils_resilience_ts["src/…/resilience.ts"] ==> src_utils_circuitBreaker_ts["src/…/circuitBreaker.ts"]
+  src_utils_circuitBreaker_ts["src/…/circuitBreaker.ts"] ==> src_index_ts["src/index.ts"]
+  src_index_ts["src/index.ts"] ==> src_utils_responseBuilder_ts["src/…/responseBuilder.ts"]
+  src_routes_local_ts["src/…/local.ts"] ==> src_utils_resilience_ts["src/…/resilience.ts"]
+  src_utils_resilience_ts["src/…/resilience.ts"] ==> src_utils_circuitBreaker_ts["src/…/circuitBreaker.ts"]
+  src_utils_circuitBreaker_ts["src/…/circuitBreaker.ts"] ==> src_index_ts["src/index.ts"]
+  src_index_ts["src/index.ts"] ==> src_utils_responseBuilder_ts["src/…/responseBuilder.ts"]
+  src_routes_package_ts["src/…/package.ts"] ==> src_utils_resilience_ts["src/…/resilience.ts"]
+  src_utils_resilience_ts["src/…/resilience.ts"] ==> src_utils_circuitBreaker_ts["src/…/circuitBreaker.ts"]
+  src_utils_circuitBreaker_ts["src/…/circuitBreaker.ts"] ==> src_index_ts["src/index.ts"]
+  src_index_ts["src/index.ts"] ==> src_utils_responseBuilder_ts["src/…/responseBuilder.ts"]
+  src_utils_resilience_ts["src/…/resilience.ts"] ==> src_utils_circuitBreaker_ts["src/…/circuitBreaker.ts"]
+  src_utils_circuitBreaker_ts["src/…/circuitBreaker.ts"] ==> src_index_ts["src/index.ts"]
+  src_index_ts["src/index.ts"] ==> src_utils_responseBuilder_ts["src/…/responseBuilder.ts"]
+```
+## Summary
+| Metric | Value |
+|--------|-------|
+| Total modules | 53 |
+| Total edges | 93 |
+| Root modules | 21 |
+| Leaf modules | 22 |
+| Cycles | 0 |
+| Critical paths | 12 |
+| Test-only modules | 4 |
+| Unresolved imports | 0 |
+## Critical Modules (Hub Nodes)
+| Module | Score | Risk | Inbound | Outbound |
+|--------|-------|------|---------|----------|
+| `src/utils/logger.ts` | 112 | high | 4 | 2 |
+| `src/utils/responseBuilder.ts` | 109 | high | 6 | 0 |
+| `src/routes/tools.ts` | 79 | high | 1 | 8 |
+| `src/server.ts` | 71 | high | 0 | 11 |
+| `src/utils/circuitBreaker.ts` | 70 | high | 4 | 3 |
+| `src/routes/lsp.ts` | 65 | high | 1 | 7 |
+| `src/utils/retry.ts` | 66 | high | 2 | 1 |
+| `src/routes/github.ts` | 54 | medium | 1 | 7 |
+| `src/routes/local.ts` | 46 | medium | 1 | 7 |
+| `src/server-init.ts` | 48 | medium | 0 | 0 |
+| `src/types/errorGuards.ts` | 47 | medium | 1 | 0 |
+| `src/utils/responseParser.ts` | 43 | medium | 3 | 0 |
+| `src/types/guards.ts` | 40 | medium | 6 | 0 |
+| `src/routes/package.ts` | 40 | medium | 1 | 8 |
+| `src/utils/responseFactory.ts` | 38 | medium | 4 | 2 |
+| `src/validation/schemas.ts` | 37 | medium | 2 | 1 |
+| `src/types/responses.ts` | 34 | medium | 1 | 1 |
+| `src/validation/httpPreprocess.ts` | 31 | medium | 3 | 0 |
+| `src/utils/asyncTimeout.ts` | 26 | low | 7 | 1 |
+| `src/utils/resilience.ts` | 21 | low | 5 | 3 |
+## Test-Only Modules
+- `src/routes/github.ts`
+- `src/routes/local.ts`
+- `src/routes/lsp.ts`
+- `src/routes/package.ts`

package/skills/octocode-research/.octocode/scan/2026-03-22T10-40-10-469Z/security.json ADDED Viewed

@@ -0,0 +1 @@

+ {"schemaVersion":"1.1.0","generatedAt":"2026-03-22T10:40:13.784Z","findings":[{"id":"AST-ISSUE-0055","severity":"high","category":"hardcoded-secret","file":"src/routes/tools.ts","lineStart":206,"lineEnd":206,"title":"Potential hardcoded secret","reason":"String literal matches a secret pattern (password, API key, token, high-entropy string). Secrets in source code risk credential leaks. Validate: use localSearchCode to find the variable, then lspFindReferences to check if it is used in auth or network calls.","files":["src/routes/tools.ts"],"suggestedFix":{"strategy":"Move secret to environment variable or secrets manager.","steps":["Replace the hardcoded value with process.env.YOUR_SECRET.","Add the variable to your .env file (excluded from git).","Verify the secret is not committed in git history."]},"impact":"Credential leak in source code exposes API access, database credentials, or authentication tokens to anyone with repo access.","tags":["security","secrets"],"lspHints":[{"tool":"lspFindReferences","symbolName":"secret","lineHint":206,"file":"src/routes/tools.ts","expectedResult":"find all usages of this secret value — if used only in tests or as a regex pattern, it is a false positive"}],"ruleId":"security.hardcoded-secret","confidence":"high","evidence":{"category":"hardcoded-secret","location":"src/routes/tools.ts:206-206","source":"","sink":"runtime usage","context":"literal","sanitizerStatus":"missing","propagationSteps":["src/routes/tools.ts:206"]},"analysisLens":"hybrid","correlatedSignals":["hot-file","critical-path-context","paired:prototype-pollution-risk","paired:untested-critical-code","paired:unvalidated-input-sink","paired:listener-leak-risk","paired:over-abstraction","paired:type-assertion-escape"],"recommendedValidation":{"summary":"find all usages of this secret value — if used only in tests or as a regex pattern, it is a false positive","tools":["localSearchCode","lspFindReferences"]},"flowTrace":[{"file":"src/routes/tools.ts","lineStart":206,"lineEnd":206,"label":"propagation step"}]},{"id":"AST-ISSUE-0056","severity":"high","category":"prototype-pollution-risk","file":"src/routes/tools.ts","lineStart":352,"lineEnd":352,"title":"Prototype pollution risk: computed-property-write","reason":"Dynamic bracket assignment: schemas[toolName]","files":["src/routes/tools.ts"],"suggestedFix":{"strategy":"Guard against __proto__, constructor, and prototype keys before merging.","steps":["Validate keys: reject \"__proto__\", \"constructor\", \"prototype\" before assignment.","Use Object.create(null) as the target for merges when possible.","Replace custom deep-merge with a hardened library (e.g. lodash.merge with prototype guard).","For Object.assign, ensure the source is sanitized or use structuredClone()."]},"impact":"Prototype pollution can override built-in methods, bypass security checks, or achieve remote code execution.","tags":["security","prototype-pollution","injection"],"lspHints":[{"tool":"lspCallHierarchy","symbolName":"bracket-assignment","lineHint":352,"file":"src/routes/tools.ts","expectedResult":"trace callers to determine if user-controlled data reaches this site — if key comes from Object.keys() on internal object, dismiss as false positive"}],"ruleId":"security.prototype-pollution-risk","confidence":"medium","evidence":{"category":"prototype-pollution-risk","location":"src/routes/tools.ts:352-352","source":"computed-property-write","sink":"Dynamic bracket assignment: schemas[toolName]","guarded":false,"sanitizerStatus":"missing","propagationSteps":["src/routes/tools.ts:352"]},"analysisLens":"hybrid","correlatedSignals":["hot-file","critical-path-context","paired:hardcoded-secret","paired:untested-critical-code","paired:unvalidated-input-sink","paired:listener-leak-risk","paired:over-abstraction","paired:type-assertion-escape"],"recommendedValidation":{"summary":"trace callers to determine if user-controlled data reaches this site — if key comes from Object.keys() on internal object, dismiss as false positive","tools":["localSearchCode","lspCallHierarchy"]},"flowTrace":[{"file":"src/routes/tools.ts","lineStart":352,"lineEnd":352,"label":"propagation step"}]},{"id":"AST-ISSUE-0057","severity":"high","category":"prototype-pollution-risk","file":"src/utils/circuitBreaker.ts","lineStart":288,"lineEnd":288,"title":"Prototype pollution risk: computed-property-write","reason":"Dynamic bracket assignment: states[name]","files":["src/utils/circuitBreaker.ts"],"suggestedFix":{"strategy":"Guard against __proto__, constructor, and prototype keys before merging.","steps":["Validate keys: reject \"__proto__\", \"constructor\", \"prototype\" before assignment.","Use Object.create(null) as the target for merges when possible.","Replace custom deep-merge with a hardened library (e.g. lodash.merge with prototype guard).","For Object.assign, ensure the source is sanitized or use structuredClone()."]},"impact":"Prototype pollution can override built-in methods, bypass security checks, or achieve remote code execution.","tags":["security","prototype-pollution","injection"],"lspHints":[{"tool":"lspCallHierarchy","symbolName":"bracket-assignment","lineHint":288,"file":"src/utils/circuitBreaker.ts","expectedResult":"trace callers to determine if user-controlled data reaches this site — if key comes from Object.keys() on internal object, dismiss as false positive"}],"ruleId":"security.prototype-pollution-risk","confidence":"medium","evidence":{"category":"prototype-pollution-risk","location":"src/utils/circuitBreaker.ts:288-288","source":"computed-property-write","sink":"Dynamic bracket assignment: states[name]","guarded":false,"sanitizerStatus":"missing","propagationSteps":["src/utils/circuitBreaker.ts:288"]},"analysisLens":"hybrid","correlatedSignals":["hot-file","critical-path-context","paired:dead-export","paired:semantic-dead-export","paired:over-abstraction","paired:type-assertion-escape","paired:uncleared-timer","paired:move-to-caller"],"recommendedValidation":{"summary":"trace callers to determine if user-controlled data reaches this site — if key comes from Object.keys() on internal object, dismiss as false positive","tools":["localSearchCode","lspCallHierarchy"]},"flowTrace":[{"file":"src/utils/circuitBreaker.ts","lineStart":288,"lineEnd":288,"label":"propagation step"}]},{"id":"AST-ISSUE-0103","severity":"high","category":"sql-injection-risk","file":"src/utils/logger.ts","lineStart":57,"lineEnd":57,"title":"SQL query built with template literal interpolation","reason":"Template literals with SQL keywords and interpolated expressions risk SQL injection if user input flows into the query.","files":["src/utils/logger.ts"],"suggestedFix":{"strategy":"Use parameterized queries or a query builder.","steps":["Replace template literal with parameterized query (e.g. db.query(sql, [param])).","Use an ORM or query builder that handles escaping.","If raw SQL is necessary, validate and sanitize all interpolated values."]},"impact":"SQL injection can expose, modify, or destroy database contents and potentially escalate to full server compromise.","tags":["security","injection","sql"],"ruleId":"security.sql-injection-risk","confidence":"high","evidence":{"category":"sql-injection-risk","location":"src/utils/logger.ts:57-57","sink":"sql template literal","sanitizerStatus":"missing","propagationSteps":["src/utils/logger.ts:57-57"]},"analysisLens":"hybrid","correlatedSignals":["hot-file","critical-path-context","paired:dead-export","paired:semantic-dead-export","paired:empty-catch","paired:excessive-parameters","paired:input-passthrough-risk","paired:listener-leak-risk"],"recommendedValidation":{"summary":"Validate both the structural location and the behavioral path before presenting the claim as fact.","tools":["localSearchCode","lspCallHierarchy"]},"flowTrace":[{"file":"src/utils/logger.ts","lineStart":57,"lineEnd":57,"label":"propagation step"}]},{"id":"AST-ISSUE-0104","severity":"high","category":"sql-injection-risk","file":"src/utils/logger.ts","lineStart":83,"lineEnd":83,"title":"SQL query built with template literal interpolation","reason":"Template literals with SQL keywords and interpolated expressions risk SQL injection if user input flows into the query.","files":["src/utils/logger.ts"],"suggestedFix":{"strategy":"Use parameterized queries or a query builder.","steps":["Replace template literal with parameterized query (e.g. db.query(sql, [param])).","Use an ORM or query builder that handles escaping.","If raw SQL is necessary, validate and sanitize all interpolated values."]},"impact":"SQL injection can expose, modify, or destroy database contents and potentially escalate to full server compromise.","tags":["security","injection","sql"],"ruleId":"security.sql-injection-risk","confidence":"high","evidence":{"category":"sql-injection-risk","location":"src/utils/logger.ts:83-83","sink":"sql template literal","sanitizerStatus":"missing","propagationSteps":["src/utils/logger.ts:83-83"]},"analysisLens":"hybrid","correlatedSignals":["hot-file","critical-path-context","paired:dead-export","paired:semantic-dead-export","paired:empty-catch","paired:excessive-parameters","paired:input-passthrough-risk","paired:listener-leak-risk"],"recommendedValidation":{"summary":"Validate both the structural location and the behavioral path before presenting the claim as fact.","tools":["localSearchCode","lspCallHierarchy"]},"flowTrace":[{"file":"src/utils/logger.ts","lineStart":83,"lineEnd":83,"label":"propagation step"}]},{"id":"AST-ISSUE-0127","severity":"high","category":"unvalidated-input-sink","file":"src/middleware/errorHandler.ts","lineStart":15,"lineEnd":65,"title":"Unvalidated input reaches response sink in errorHandler(req)","reason":"Parameter 'req' (external input) flows into response without validation (no type guard, schema call, or conditional check).","files":["src/middleware/errorHandler.ts"],"suggestedFix":{"strategy":"Add input validation before the sink operation.","steps":["Add schema validation (e.g. zod, joi) for input parameters.","Use parameterized APIs instead of template interpolation for SQL/exec.","Trace data flow: lspCallHierarchy(outgoing) on errorHandler."]},"impact":"Unvalidated external input reaching a dangerous sink (eval, SQL, exec, innerHTML, file write) enables injection attacks.","tags":["security","input-validation","injection"],"lspHints":[{"tool":"lspCallHierarchy","symbolName":"errorHandler","lineHint":15,"file":"src/middleware/errorHandler.ts","expectedResult":"trace outgoing calls to see where req data flows"},{"tool":"lspFindReferences","symbolName":"req","lineHint":15,"file":"src/middleware/errorHandler.ts","expectedResult":"check all usages of req parameter within function"}],"ruleId":"security.unvalidated-input-sink","confidence":"high","evidence":{"category":"unvalidated-input-sink","location":"src/middleware/errorHandler.ts:15-65","sourceParameters":["req"],"sink":"response","sanitizerStatus":"missing","propagationSteps":["sanitizeQueryParams:28","extractToolName:36"]},"analysisLens":"hybrid","correlatedSignals":["paired:move-to-caller"],"recommendedValidation":{"summary":"trace outgoing calls to see where req data flows","tools":["localSearchCode","lspCallHierarchy"]},"flowTrace":[{"file":"sanitizeQueryParams","lineStart":28,"lineEnd":28,"label":"propagation step"},{"file":"extractToolName","lineStart":36,"lineEnd":36,"label":"propagation step"}]},{"id":"AST-ISSUE-0128","severity":"high","category":"unvalidated-input-sink","file":"src/routes/package.ts","lineStart":17,"lineEnd":47,"title":"Unvalidated input reaches response sink in <anonymous>(req)","reason":"Parameter 'req' (external input) flows into response without validation (no type guard, schema call, or conditional check).","files":["src/routes/package.ts"],"suggestedFix":{"strategy":"Add input validation before the sink operation.","steps":["Add schema validation (e.g. zod, joi) for input parameters.","Use parameterized APIs instead of template interpolation for SQL/exec.","Trace data flow: lspCallHierarchy(outgoing) on <anonymous>."]},"impact":"Unvalidated external input reaching a dangerous sink (eval, SQL, exec, innerHTML, file write) enables injection attacks.","tags":["security","input-validation","injection"],"lspHints":[{"tool":"lspCallHierarchy","symbolName":"<anonymous>","lineHint":17,"file":"src/routes/package.ts","expectedResult":"trace outgoing calls to see where req data flows"},{"tool":"lspFindReferences","symbolName":"req","lineHint":17,"file":"src/routes/package.ts","expectedResult":"check all usages of req parameter within function"}],"ruleId":"security.unvalidated-input-sink","confidence":"high","evidence":{"category":"unvalidated-input-sink","location":"src/routes/package.ts:17-47","sourceParameters":["req"],"sink":"response","sanitizerStatus":"missing","propagationSteps":["parseAndValidate:19"]},"analysisLens":"hybrid","correlatedSignals":["hot-file","critical-path-context","paired:dependency-critical-path","paired:unreachable-module","paired:dependency-test-only","paired:over-abstraction","paired:move-to-caller"],"recommendedValidation":{"summary":"trace outgoing calls to see where req data flows","tools":["localSearchCode","lspCallHierarchy"]},"flowTrace":[{"file":"parseAndValidate","lineStart":19,"lineEnd":19,"label":"propagation step"}]},{"id":"AST-ISSUE-0129","severity":"high","category":"unvalidated-input-sink","file":"src/routes/prompts.ts","lineStart":88,"lineEnd":138,"title":"Unvalidated input reaches response sink in <anonymous>(req)","reason":"Parameter 'req' (external input) flows into response without validation (no type guard, schema call, or conditional check).","files":["src/routes/prompts.ts"],"suggestedFix":{"strategy":"Add input validation before the sink operation.","steps":["Add schema validation (e.g. zod, joi) for input parameters.","Use parameterized APIs instead of template interpolation for SQL/exec.","Trace data flow: lspCallHierarchy(outgoing) on <anonymous>."]},"impact":"Unvalidated external input reaching a dangerous sink (eval, SQL, exec, innerHTML, file write) enables injection attacks.","tags":["security","input-validation","injection"],"lspHints":[{"tool":"lspCallHierarchy","symbolName":"<anonymous>","lineHint":88,"file":"src/routes/prompts.ts","expectedResult":"trace outgoing calls to see where req data flows"},{"tool":"lspFindReferences","symbolName":"req","lineHint":88,"file":"src/routes/prompts.ts","expectedResult":"check all usages of req parameter within function"}],"ruleId":"security.unvalidated-input-sink","confidence":"high","evidence":{"category":"unvalidated-input-sink","location":"src/routes/prompts.ts:88-138","sourceParameters":["req"],"sink":"response","sanitizerStatus":"missing","propagationSteps":[]},"analysisLens":"hybrid","correlatedSignals":[],"recommendedValidation":{"summary":"trace outgoing calls to see where req data flows","tools":["localSearchCode","lspCallHierarchy"]}},{"id":"AST-ISSUE-0130","severity":"high","category":"unvalidated-input-sink","file":"src/routes/tools.ts","lineStart":158,"lineEnd":211,"title":"Unvalidated input reaches response sink in <anonymous>(req)","reason":"Parameter 'req' (external input) flows into response without validation (no type guard, schema call, or conditional check).","files":["src/routes/tools.ts"],"suggestedFix":{"strategy":"Add input validation before the sink operation.","steps":["Add schema validation (e.g. zod, joi) for input parameters.","Use parameterized APIs instead of template interpolation for SQL/exec.","Trace data flow: lspCallHierarchy(outgoing) on <anonymous>."]},"impact":"Unvalidated external input reaching a dangerous sink (eval, SQL, exec, innerHTML, file write) enables injection attacks.","tags":["security","input-validation","injection"],"lspHints":[{"tool":"lspCallHierarchy","symbolName":"<anonymous>","lineHint":158,"file":"src/routes/tools.ts","expectedResult":"trace outgoing calls to see where req data flows"},{"tool":"lspFindReferences","symbolName":"req","lineHint":158,"file":"src/routes/tools.ts","expectedResult":"check all usages of req parameter within function"}],"ruleId":"security.unvalidated-input-sink","confidence":"high","evidence":{"category":"unvalidated-input-sink","location":"src/routes/tools.ts:158-211","sourceParameters":["req"],"sink":"response","sanitizerStatus":"missing","propagationSteps":[]},"analysisLens":"hybrid","correlatedSignals":["hot-file","critical-path-context","paired:hardcoded-secret","paired:prototype-pollution-risk","paired:untested-critical-code","paired:listener-leak-risk","paired:over-abstraction","paired:type-assertion-escape"],"recommendedValidation":{"summary":"trace outgoing calls to see where req data flows","tools":["localSearchCode","lspCallHierarchy"]}},{"id":"AST-ISSUE-0131","severity":"high","category":"unvalidated-input-sink","file":"src/routes/tools.ts","lineStart":228,"lineEnd":290,"title":"Unvalidated input reaches response sink in <anonymous>(req)","reason":"Parameter 'req' (external input) flows into response without validation (no type guard, schema call, or conditional check).","files":["src/routes/tools.ts"],"suggestedFix":{"strategy":"Add input validation before the sink operation.","steps":["Add schema validation (e.g. zod, joi) for input parameters.","Use parameterized APIs instead of template interpolation for SQL/exec.","Trace data flow: lspCallHierarchy(outgoing) on <anonymous>."]},"impact":"Unvalidated external input reaching a dangerous sink (eval, SQL, exec, innerHTML, file write) enables injection attacks.","tags":["security","input-validation","injection"],"lspHints":[{"tool":"lspCallHierarchy","symbolName":"<anonymous>","lineHint":228,"file":"src/routes/tools.ts","expectedResult":"trace outgoing calls to see where req data flows"},{"tool":"lspFindReferences","symbolName":"req","lineHint":228,"file":"src/routes/tools.ts","expectedResult":"check all usages of req parameter within function"}],"ruleId":"security.unvalidated-input-sink","confidence":"high","evidence":{"category":"unvalidated-input-sink","location":"src/routes/tools.ts:228-290","sourceParameters":["req"],"sink":"response","sanitizerStatus":"missing","propagationSteps":[]},"analysisLens":"hybrid","correlatedSignals":["hot-file","critical-path-context","paired:hardcoded-secret","paired:prototype-pollution-risk","paired:untested-critical-code","paired:listener-leak-risk","paired:over-abstraction","paired:type-assertion-escape"],"recommendedValidation":{"summary":"trace outgoing calls to see where req data flows","tools":["localSearchCode","lspCallHierarchy"]}},{"id":"AST-ISSUE-0132","severity":"high","category":"unvalidated-input-sink","file":"src/routes/tools.ts","lineStart":564,"lineEnd":677,"title":"Unvalidated input reaches response sink in <anonymous>(req)","reason":"Parameter 'req' (external input) flows into response without validation (no type guard, schema call, or conditional check).","files":["src/routes/tools.ts"],"suggestedFix":{"strategy":"Add input validation before the sink operation.","steps":["Add schema validation (e.g. zod, joi) for input parameters.","Use parameterized APIs instead of template interpolation for SQL/exec.","Trace data flow: lspCallHierarchy(outgoing) on <anonymous>."]},"impact":"Unvalidated external input reaching a dangerous sink (eval, SQL, exec, innerHTML, file write) enables injection attacks.","tags":["security","input-validation","injection"],"lspHints":[{"tool":"lspCallHierarchy","symbolName":"<anonymous>","lineHint":564,"file":"src/routes/tools.ts","expectedResult":"trace outgoing calls to see where req data flows"},{"tool":"lspFindReferences","symbolName":"req","lineHint":564,"file":"src/routes/tools.ts","expectedResult":"check all usages of req parameter within function"}],"ruleId":"security.unvalidated-input-sink","confidence":"high","evidence":{"category":"unvalidated-input-sink","location":"src/routes/tools.ts:564-677","sourceParameters":["req"],"sink":"response","sanitizerStatus":"missing","propagationSteps":["validateToolCallBody:604"]},"analysisLens":"hybrid","correlatedSignals":["hot-file","critical-path-context","paired:hardcoded-secret","paired:prototype-pollution-risk","paired:untested-critical-code","paired:listener-leak-risk","paired:over-abstraction","paired:type-assertion-escape"],"recommendedValidation":{"summary":"trace outgoing calls to see where req data flows","tools":["localSearchCode","lspCallHierarchy"]},"flowTrace":[{"file":"validateToolCallBody","lineStart":604,"lineEnd":604,"label":"propagation step"}]},{"id":"AST-ISSUE-0133","severity":"high","category":"unvalidated-input-sink","file":"src/utils/routeFactory.ts","lineStart":91,"lineEnd":116,"title":"Unvalidated input reaches response sink in <anonymous>(req)","reason":"Parameter 'req' (external input) flows into response without validation (no type guard, schema call, or conditional check).","files":["src/utils/routeFactory.ts"],"suggestedFix":{"strategy":"Add input validation before the sink operation.","steps":["Add schema validation (e.g. zod, joi) for input parameters.","Use parameterized APIs instead of template interpolation for SQL/exec.","Trace data flow: lspCallHierarchy(outgoing) on <anonymous>."]},"impact":"Unvalidated external input reaching a dangerous sink (eval, SQL, exec, innerHTML, file write) enables injection attacks.","tags":["security","input-validation","injection"],"lspHints":[{"tool":"lspCallHierarchy","symbolName":"<anonymous>","lineHint":91,"file":"src/utils/routeFactory.ts","expectedResult":"trace outgoing calls to see where req data flows"},{"tool":"lspFindReferences","symbolName":"req","lineHint":91,"file":"src/utils/routeFactory.ts","expectedResult":"check all usages of req parameter within function"}],"ruleId":"security.unvalidated-input-sink","confidence":"high","evidence":{"category":"unvalidated-input-sink","location":"src/utils/routeFactory.ts:91-116","sourceParameters":["req"],"sink":"response","sanitizerStatus":"missing","propagationSteps":["parseAndValidate:94"]},"analysisLens":"hybrid","correlatedSignals":["paired:unreachable-module","paired:dead-export","paired:move-to-caller"],"recommendedValidation":{"summary":"trace outgoing calls to see where req data flows","tools":["localSearchCode","lspCallHierarchy"]},"flowTrace":[{"file":"parseAndValidate","lineStart":94,"lineEnd":94,"label":"propagation step"}]},{"id":"AST-ISSUE-0179","severity":"medium","category":"input-passthrough-risk","file":"src/middleware/logger.ts","lineStart":19,"lineEnd":60,"title":"Input passthrough without validation in requestLogger(req)","reason":"Parameter 'req' (external input) is passed to getRequestId without validation. Downstream callees may not validate either.","files":["src/middleware/logger.ts"],"suggestedFix":{"strategy":"Validate input before passing to downstream functions.","steps":["Add schema validation (e.g. zod, joi) at the entry point.","Trace downstream: lspCallHierarchy(outgoing) on requestLogger to verify callees validate.","Search for validation middleware: localSearchCode for guard/validate/sanitize patterns."]},"impact":"Unchecked input passed downstream can reach sinks in callees — validation gaps compound across the call chain.","tags":["security","input-validation","passthrough"],"lspHints":[{"tool":"lspCallHierarchy","symbolName":"requestLogger","lineHint":19,"file":"src/middleware/logger.ts","expectedResult":"trace outgoing calls to verify downstream validation of req"},{"tool":"lspFindReferences","symbolName":"req","lineHint":19,"file":"src/middleware/logger.ts","expectedResult":"find all usages of req to check if validation occurs upstream"}],"ruleId":"security.input-passthrough-risk","confidence":"medium","evidence":{"category":"input-passthrough-risk","location":"src/middleware/logger.ts:19-60","sourceParameters":["req"],"sink":"getRequestId","sanitizerStatus":"missing","propagationSteps":["getRequestId:25"]},"analysisLens":"hybrid","correlatedSignals":["critical-path-context","paired:listener-leak-risk","paired:similar-function-body","paired:move-to-caller"],"recommendedValidation":{"summary":"trace outgoing calls to verify downstream validation of req","tools":["localSearchCode","lspCallHierarchy"]},"flowTrace":[{"file":"getRequestId","lineStart":25,"lineEnd":25,"label":"propagation step"}]},{"id":"AST-ISSUE-0180","severity":"medium","category":"input-passthrough-risk","file":"src/utils/logger.ts","lineStart":404,"lineEnd":413,"title":"Input passthrough without validation in sanitizeQueryParams(query)","reason":"Parameter 'query' (external input) is passed to Object.entries without validation. Downstream callees may not validate either.","files":["src/utils/logger.ts"],"suggestedFix":{"strategy":"Validate input before passing to downstream functions.","steps":["Add schema validation (e.g. zod, joi) at the entry point.","Trace downstream: lspCallHierarchy(outgoing) on sanitizeQueryParams to verify callees validate.","Search for validation middleware: localSearchCode for guard/validate/sanitize patterns."]},"impact":"Unchecked input passed downstream can reach sinks in callees — validation gaps compound across the call chain.","tags":["security","input-validation","passthrough"],"lspHints":[{"tool":"lspCallHierarchy","symbolName":"sanitizeQueryParams","lineHint":404,"file":"src/utils/logger.ts","expectedResult":"trace outgoing calls to verify downstream validation of query"},{"tool":"lspFindReferences","symbolName":"query","lineHint":404,"file":"src/utils/logger.ts","expectedResult":"find all usages of query to check if validation occurs upstream"}],"ruleId":"security.input-passthrough-risk","confidence":"medium","evidence":{"category":"input-passthrough-risk","location":"src/utils/logger.ts:404-413","sourceParameters":["query"],"sink":"Object.entries","sanitizerStatus":"missing","propagationSteps":["Object.entries:407"]},"analysisLens":"hybrid","correlatedSignals":["hot-file","critical-path-context","paired:dead-export","paired:semantic-dead-export","paired:sql-injection-risk","paired:empty-catch","paired:excessive-parameters","paired:listener-leak-risk"],"recommendedValidation":{"summary":"trace outgoing calls to verify downstream validation of query","tools":["localSearchCode","lspCallHierarchy"]},"flowTrace":[{"file":"Object.entries","lineStart":407,"lineEnd":407,"label":"propagation step"}]},{"id":"AST-ISSUE-0181","severity":"medium","category":"input-passthrough-risk","file":"src/validation/toolCallSchema.ts","lineStart":85,"lineEnd":105,"title":"Input passthrough without validation in validateToolCallBody(body)","reason":"Parameter 'body' (external input) is passed to toolCallBodySchema.safeParse without validation. Downstream callees may not validate either.","files":["src/validation/toolCallSchema.ts"],"suggestedFix":{"strategy":"Validate input before passing to downstream functions.","steps":["Add schema validation (e.g. zod, joi) at the entry point.","Trace downstream: lspCallHierarchy(outgoing) on validateToolCallBody to verify callees validate.","Search for validation middleware: localSearchCode for guard/validate/sanitize patterns."]},"impact":"Unchecked input passed downstream can reach sinks in callees — validation gaps compound across the call chain.","tags":["security","input-validation","passthrough"],"lspHints":[{"tool":"lspCallHierarchy","symbolName":"validateToolCallBody","lineHint":85,"file":"src/validation/toolCallSchema.ts","expectedResult":"trace outgoing calls to verify downstream validation of body"},{"tool":"lspFindReferences","symbolName":"body","lineHint":85,"file":"src/validation/toolCallSchema.ts","expectedResult":"find all usages of body to check if validation occurs upstream"}],"ruleId":"security.input-passthrough-risk","confidence":"medium","evidence":{"category":"input-passthrough-risk","location":"src/validation/toolCallSchema.ts:85-105","sourceParameters":["body"],"sink":"toolCallBodySchema.safeParse","sanitizerStatus":"missing","propagationSteps":["toolCallBodySchema.safeParse:86"]},"analysisLens":"hybrid","correlatedSignals":["paired:dead-export","paired:over-abstraction","paired:move-to-caller"],"recommendedValidation":{"summary":"trace outgoing calls to verify downstream validation of body","tools":["localSearchCode","lspCallHierarchy"]},"flowTrace":[{"file":"toolCallBodySchema.safeParse","lineStart":86,"lineEnd":86,"label":"propagation step"}]},{"id":"AST-ISSUE-0224","severity":"low","category":"input-passthrough-risk","file":"src/middleware/queryParser.ts","lineStart":12,"lineEnd":18,"title":"Input passthrough without validation in <anonymous>(message)","reason":"Parameter 'message' (external input) is passed to super without validation. Downstream callees may not validate either.","files":["src/middleware/queryParser.ts"],"suggestedFix":{"strategy":"Validate input before passing to downstream functions.","steps":["Add schema validation (e.g. zod, joi) at the entry point.","Trace downstream: lspCallHierarchy(outgoing) on <anonymous> to verify callees validate.","Search for validation middleware: localSearchCode for guard/validate/sanitize patterns."]},"impact":"Unchecked input passed downstream can reach sinks in callees — validation gaps compound across the call chain.","tags":["security","input-validation","passthrough"],"lspHints":[{"tool":"lspCallHierarchy","symbolName":"<anonymous>","lineHint":12,"file":"src/middleware/queryParser.ts","expectedResult":"trace outgoing calls to verify downstream validation of message"},{"tool":"lspFindReferences","symbolName":"message","lineHint":12,"file":"src/middleware/queryParser.ts","expectedResult":"find all usages of message to check if validation occurs upstream"}],"ruleId":"security.input-passthrough-risk","confidence":"low","evidence":{"category":"input-passthrough-risk","location":"src/middleware/queryParser.ts:12-18","sourceParameters":["message"],"sink":"super","sanitizerStatus":"missing","propagationSteps":["super:13"]},"analysisLens":"hybrid","correlatedSignals":["paired:unreachable-module","paired:cognitive-complexity","paired:prototype-pollution-risk"],"recommendedValidation":{"summary":"trace outgoing calls to verify downstream validation of message","tools":["localSearchCode","lspCallHierarchy"]},"flowTrace":[{"file":"super","lineStart":13,"lineEnd":13,"label":"propagation step"}]},{"id":"AST-ISSUE-0225","severity":"low","category":"input-passthrough-risk","file":"src/utils/logger.ts","lineStart":231,"lineEnd":246,"title":"Input passthrough without validation in logError(message)","reason":"Parameter 'message' (external input) is passed to formatLogEntry without validation. Downstream callees may not validate either.","files":["src/utils/logger.ts"],"suggestedFix":{"strategy":"Validate input before passing to downstream functions.","steps":["Add schema validation (e.g. zod, joi) at the entry point.","Trace downstream: lspCallHierarchy(outgoing) on logError to verify callees validate.","Search for validation middleware: localSearchCode for guard/validate/sanitize patterns."]},"impact":"Unchecked input passed downstream can reach sinks in callees — validation gaps compound across the call chain.","tags":["security","input-validation","passthrough"],"lspHints":[{"tool":"lspCallHierarchy","symbolName":"logError","lineHint":231,"file":"src/utils/logger.ts","expectedResult":"trace outgoing calls to verify downstream validation of message"},{"tool":"lspFindReferences","symbolName":"message","lineHint":231,"file":"src/utils/logger.ts","expectedResult":"find all usages of message to check if validation occurs upstream"}],"ruleId":"security.input-passthrough-risk","confidence":"low","evidence":{"category":"input-passthrough-risk","location":"src/utils/logger.ts:231-246","sourceParameters":["message"],"sink":"formatLogEntry","sanitizerStatus":"missing","propagationSteps":["formatLogEntry:237"]},"analysisLens":"hybrid","correlatedSignals":["hot-file","critical-path-context","paired:dead-export","paired:semantic-dead-export","paired:sql-injection-risk","paired:empty-catch","paired:excessive-parameters","paired:listener-leak-risk"],"recommendedValidation":{"summary":"trace outgoing calls to verify downstream validation of message","tools":["localSearchCode","lspCallHierarchy"]},"flowTrace":[{"file":"formatLogEntry","lineStart":237,"lineEnd":237,"label":"propagation step"}]},{"id":"AST-ISSUE-0226","severity":"low","category":"input-passthrough-risk","file":"src/utils/logger.ts","lineStart":251,"lineEnd":256,"title":"Input passthrough without validation in logWarn(message, data)","reason":"Parameters 'message', 'data' (external input) are passed to formatLogEntry without validation. Downstream callees may not validate either.","files":["src/utils/logger.ts"],"suggestedFix":{"strategy":"Validate input before passing to downstream functions.","steps":["Add schema validation (e.g. zod, joi) at the entry point.","Trace downstream: lspCallHierarchy(outgoing) on logWarn to verify callees validate.","Search for validation middleware: localSearchCode for guard/validate/sanitize patterns."]},"impact":"Unchecked input passed downstream can reach sinks in callees — validation gaps compound across the call chain.","tags":["security","input-validation","passthrough"],"lspHints":[{"tool":"lspCallHierarchy","symbolName":"logWarn","lineHint":251,"file":"src/utils/logger.ts","expectedResult":"trace outgoing calls to verify downstream validation of message, data"},{"tool":"lspFindReferences","symbolName":"message","lineHint":251,"file":"src/utils/logger.ts","expectedResult":"find all usages of message to check if validation occurs upstream"}],"ruleId":"security.input-passthrough-risk","confidence":"low","evidence":{"category":"input-passthrough-risk","location":"src/utils/logger.ts:251-256","sourceParameters":["message","data"],"sink":"formatLogEntry","sanitizerStatus":"missing","propagationSteps":["formatLogEntry:252","formatLogEntry:252"]},"analysisLens":"hybrid","correlatedSignals":["hot-file","critical-path-context","paired:dead-export","paired:semantic-dead-export","paired:sql-injection-risk","paired:empty-catch","paired:excessive-parameters","paired:listener-leak-risk"],"recommendedValidation":{"summary":"trace outgoing calls to verify downstream validation of message, data","tools":["localSearchCode","lspCallHierarchy"]},"flowTrace":[{"file":"formatLogEntry","lineStart":252,"lineEnd":252,"label":"propagation step"},{"file":"formatLogEntry","lineStart":252,"lineEnd":252,"label":"propagation step"}]},{"id":"AST-ISSUE-0304","severity":"low","category":"prototype-pollution-risk","file":"src/middleware/queryParser.ts","lineStart":63,"lineEnd":63,"title":"Prototype pollution risk: computed-property-write (guarded)","reason":"Dynamic bracket assignment: cleanedQuery[key] — guards detected (internal iteration or key check), likely false positive. Verify the key variable does not trace to external input.","files":["src/middleware/queryParser.ts"],"suggestedFix":{"strategy":"Guard against __proto__, constructor, and prototype keys before merging.","steps":["Validate keys: reject \"__proto__\", \"constructor\", \"prototype\" before assignment.","Use Object.create(null) as the target for merges when possible.","Replace custom deep-merge with a hardened library (e.g. lodash.merge with prototype guard).","For Object.assign, ensure the source is sanitized or use structuredClone()."]},"impact":"Prototype pollution can override built-in methods, bypass security checks, or achieve remote code execution.","tags":["security","prototype-pollution","injection"],"lspHints":[{"tool":"lspCallHierarchy","symbolName":"bracket-assignment","lineHint":63,"file":"src/middleware/queryParser.ts","expectedResult":"trace callers to determine if user-controlled data reaches this site — if key comes from Object.keys() on internal object, dismiss as false positive"}],"ruleId":"security.prototype-pollution-risk","confidence":"low","evidence":{"category":"prototype-pollution-risk","location":"src/middleware/queryParser.ts:63-63","source":"computed-property-write","sink":"Dynamic bracket assignment: cleanedQuery[key]","guarded":true,"sanitizerStatus":"present","propagationSteps":["src/middleware/queryParser.ts:63"]},"analysisLens":"hybrid","correlatedSignals":["paired:unreachable-module","paired:cognitive-complexity","paired:input-passthrough-risk"],"recommendedValidation":{"summary":"trace callers to determine if user-controlled data reaches this site — if key comes from Object.keys() on internal object, dismiss as false positive","tools":["localSearchCode","lspCallHierarchy"]},"flowTrace":[{"file":"src/middleware/queryParser.ts","lineStart":63,"lineEnd":63,"label":"propagation step"}]},{"id":"AST-ISSUE-0305","severity":"low","category":"prototype-pollution-risk","file":"src/routes/tools.ts","lineStart":437,"lineEnd":437,"title":"Prototype pollution risk: computed-property-write (guarded)","reason":"Dynamic bracket assignment: schemas[toolName] — guards detected (internal iteration or key check), likely false positive. Verify the key variable does not trace to external input.","files":["src/routes/tools.ts"],"suggestedFix":{"strategy":"Guard against __proto__, constructor, and prototype keys before merging.","steps":["Validate keys: reject \"__proto__\", \"constructor\", \"prototype\" before assignment.","Use Object.create(null) as the target for merges when possible.","Replace custom deep-merge with a hardened library (e.g. lodash.merge with prototype guard).","For Object.assign, ensure the source is sanitized or use structuredClone()."]},"impact":"Prototype pollution can override built-in methods, bypass security checks, or achieve remote code execution.","tags":["security","prototype-pollution","injection"],"lspHints":[{"tool":"lspCallHierarchy","symbolName":"bracket-assignment","lineHint":437,"file":"src/routes/tools.ts","expectedResult":"trace callers to determine if user-controlled data reaches this site — if key comes from Object.keys() on internal object, dismiss as false positive"}],"ruleId":"security.prototype-pollution-risk","confidence":"low","evidence":{"category":"prototype-pollution-risk","location":"src/routes/tools.ts:437-437","source":"computed-property-write","sink":"Dynamic bracket assignment: schemas[toolName]","guarded":true,"sanitizerStatus":"present","propagationSteps":["src/routes/tools.ts:437"]},"analysisLens":"hybrid","correlatedSignals":["hot-file","critical-path-context","paired:hardcoded-secret","paired:untested-critical-code","paired:unvalidated-input-sink","paired:listener-leak-risk","paired:over-abstraction","paired:type-assertion-escape"],"recommendedValidation":{"summary":"trace callers to determine if user-controlled data reaches this site — if key comes from Object.keys() on internal object, dismiss as false positive","tools":["localSearchCode","lspCallHierarchy"]},"flowTrace":[{"file":"src/routes/tools.ts","lineStart":437,"lineEnd":437,"label":"propagation step"}]},{"id":"AST-ISSUE-0306","severity":"low","category":"prototype-pollution-risk","file":"src/types/mcp.ts","lineStart":94,"lineEnd":94,"title":"Prototype pollution risk: computed-property-write (guarded)","reason":"Dynamic bracket assignment: properties[key] — guards detected (internal iteration or key check), likely false positive. Verify the key variable does not trace to external input.","files":["src/types/mcp.ts"],"suggestedFix":{"strategy":"Guard against __proto__, constructor, and prototype keys before merging.","steps":["Validate keys: reject \"__proto__\", \"constructor\", \"prototype\" before assignment.","Use Object.create(null) as the target for merges when possible.","Replace custom deep-merge with a hardened library (e.g. lodash.merge with prototype guard).","For Object.assign, ensure the source is sanitized or use structuredClone()."]},"impact":"Prototype pollution can override built-in methods, bypass security checks, or achieve remote code execution.","tags":["security","prototype-pollution","injection"],"lspHints":[{"tool":"lspCallHierarchy","symbolName":"bracket-assignment","lineHint":94,"file":"src/types/mcp.ts","expectedResult":"trace callers to determine if user-controlled data reaches this site — if key comes from Object.keys() on internal object, dismiss as false positive"}],"ruleId":"security.prototype-pollution-risk","confidence":"low","evidence":{"category":"prototype-pollution-risk","location":"src/types/mcp.ts:94-94","source":"computed-property-write","sink":"Dynamic bracket assignment: properties[key]","guarded":true,"sanitizerStatus":"present","propagationSteps":["src/types/mcp.ts:94"]},"analysisLens":"hybrid","correlatedSignals":["paired:semantic-dead-export","paired:dead-export","paired:over-abstraction","paired:move-to-caller"],"recommendedValidation":{"summary":"trace callers to determine if user-controlled data reaches this site — if key comes from Object.keys() on internal object, dismiss as false positive","tools":["localSearchCode","lspCallHierarchy"]},"flowTrace":[{"file":"src/types/mcp.ts","lineStart":94,"lineEnd":94,"label":"propagation step"}]},{"id":"AST-ISSUE-0307","severity":"low","category":"prototype-pollution-risk","file":"src/utils/logger.ts","lineStart":409,"lineEnd":409,"title":"Prototype pollution risk: computed-property-write (guarded)","reason":"Dynamic bracket assignment: sanitized[key] — guards detected (internal iteration or key check), likely false positive. Verify the key variable does not trace to external input.","files":["src/utils/logger.ts"],"suggestedFix":{"strategy":"Guard against __proto__, constructor, and prototype keys before merging.","steps":["Validate keys: reject \"__proto__\", \"constructor\", \"prototype\" before assignment.","Use Object.create(null) as the target for merges when possible.","Replace custom deep-merge with a hardened library (e.g. lodash.merge with prototype guard).","For Object.assign, ensure the source is sanitized or use structuredClone()."]},"impact":"Prototype pollution can override built-in methods, bypass security checks, or achieve remote code execution.","tags":["security","prototype-pollution","injection"],"lspHints":[{"tool":"lspCallHierarchy","symbolName":"bracket-assignment","lineHint":409,"file":"src/utils/logger.ts","expectedResult":"trace callers to determine if user-controlled data reaches this site — if key comes from Object.keys() on internal object, dismiss as false positive"}],"ruleId":"security.prototype-pollution-risk","confidence":"low","evidence":{"category":"prototype-pollution-risk","location":"src/utils/logger.ts:409-409","source":"computed-property-write","sink":"Dynamic bracket assignment: sanitized[key]","guarded":true,"sanitizerStatus":"present","propagationSteps":["src/utils/logger.ts:409"]},"analysisLens":"hybrid","correlatedSignals":["hot-file","critical-path-context","paired:dead-export","paired:semantic-dead-export","paired:sql-injection-risk","paired:empty-catch","paired:excessive-parameters","paired:input-passthrough-risk"],"recommendedValidation":{"summary":"trace callers to determine if user-controlled data reaches this site — if key comes from Object.keys() on internal object, dismiss as false positive","tools":["localSearchCode","lspCallHierarchy"]},"flowTrace":[{"file":"src/utils/logger.ts","lineStart":409,"lineEnd":409,"label":"propagation step"}]}],"findingsCount":22,"severityBreakdown":{"critical":0,"high":12,"medium":3,"low":7,"info":0},"categoryBreakdown":{"hardcoded-secret":1,"prototype-pollution-risk":6,"sql-injection-risk":2,"unvalidated-input-sink":7,"input-passthrough-risk":6}}

package/skills/octocode-research/.octocode/scan/2026-03-22T10-40-10-469Z/summary.json ADDED Viewed

@@ -0,0 +1 @@

+ {"schemaVersion":"1.1.0","generatedAt":"2026-03-22T10:40:13.784Z","repoRoot":"/Users/guybary/Documents/octocode-mcp/skills/octocode-research","options":{"minFunctionStatements":6,"minFlowStatements":6,"root":"/Users/guybary/Documents/octocode-mcp/skills/octocode-research","includeTests":false,"emitTree":true,"json":false,"graph":true,"out":null,"treeDepth":4,"findingsLimit":null,"parser":"auto","criticalComplexityThreshold":30,"deepLinkTopN":12,"packageRoot":"/Users/guybary/Documents/octocode-mcp/skills/octocode-research/packages","ignoreDirs":[".git",".next",".yarn",".cache",".octocode","node_modules","dist","coverage","out"],"couplingThreshold":15,"fanInThreshold":20,"fanOutThreshold":15,"godModuleStatements":500,"godModuleExports":20,"godFunctionStatements":100,"godFunctionMiThreshold":10,"cognitiveComplexityThreshold":15,"barrelSymbolThreshold":30,"layerOrder":[],"parameterThreshold":5,"halsteadEffortThreshold":500000,"maintainabilityIndexThreshold":20,"anyThreshold":5,"flowDupThreshold":3,"maxRecsPerCategory":2,"features":null,"scope":["/Users/guybary/Documents/octocode-mcp/skills/octocode-research/src"],"scopeSymbols":null,"noCache":false,"clearCache":false,"semantic":true,"overrideChainThreshold":3,"shotgunThreshold":8,"sdpMinDelta":0.15,"sdpMaxSourceInstability":0.6,"secretEntropyThreshold":4.5,"secretMinLength":20,"similarityThreshold":0.85,"mockThreshold":10,"noDiversify":false,"graphAdvanced":false,"flow":true},"parser":{"requested":"auto","effective":"typescript (primary) + tree-sitter (node count)","treeSitterAvailable":true,"treeSitterError":null},"summary":{"totalPackages":1,"totalFiles":36,"totalNodes":21976,"totalFunctions":286,"totalFlows":357,"totalDependencyFiles":53,"byPackage":{"octocode-skill":{"files":36,"nodes":21981,"functions":286,"flows":357,"topKinds":[["Identifier",7581],["PropertyAccessExpression",1403],["CallExpression",1200],["PropertyAssignment",1018],["StringLiteral",948],["BinaryExpression",539],["Block",432],["VariableDeclaration",424]],"rootPath":"octocode-research"}}},"agentOutput":{"totalFindings":307,"totalBeforeTruncation":307,"droppedCategories":[],"findingStats":{"overall":{"totalFindings":307,"severityBreakdown":{"critical":7,"high":126,"medium":90,"low":84,"info":0}},"pillars":{"architecture":{"totalFindings":67,"severityBreakdown":{"critical":7,"high":32,"medium":28,"low":0,"info":0}},"code-quality":{"totalFindings":41,"severityBreakdown":{"critical":0,"high":8,"medium":29,"low":4,"info":0}},"dead-code":{"totalFindings":177,"severityBreakdown":{"critical":0,"high":74,"medium":30,"low":73,"info":0}},"security":{"totalFindings":22,"severityBreakdown":{"critical":0,"high":12,"medium":3,"low":7,"info":0}},"test-quality":{"totalFindings":0,"severityBreakdown":{"critical":0,"high":0,"medium":0,"low":0,"info":0}}}},"analysisSummary":{"strongestGraphSignal":{"kind":"structural-chokepoint","lens":"graph","title":"Structural chokepoint","summary":"src/utils/responseBuilder.ts concentrates dependency pressure (articulation point, 1 bridge edge(s), on critical path, high complexity risk (109)).","confidence":"high","score":53,"files":["src/utils/responseBuilder.ts"],"categories":["broker-module","bridge-module"],"evidence":{"score":53,"reasons":["articulation point","1 bridge edge(s)","on critical path","high complexity risk (109)"]}},"strongestAstSignal":{"kind":"hidden-initialization","lens":"ast","title":"Hidden initialization logic","summary":"src/server-init.ts performs import-time work that matches the reported side-effect risk.","confidence":"medium","score":75,"files":["src/server-init.ts"],"categories":["import-side-effect-risk"],"evidence":{"totalEffects":2,"highestRisk":"process-handler"}},"combinedSignals":[{"kind":"combined-interpretation","lens":"hybrid","title":"Combined interpretation","summary":"Structural chokepoint and Hidden initialization logic both appear in this scan, so use a hybrid investigation instead of a single-lens conclusion.","confidence":"medium","score":64,"files":["src/utils/responseBuilder.ts","src/server-init.ts"],"categories":["broker-module","bridge-module","import-side-effect-risk"],"evidence":{"graphKind":"structural-chokepoint","astKind":"hidden-initialization","sharedFile":null}}],"recommendedValidation":{"summary":"navigate to the awaited call to check if parallelization is safe","tools":["localSearchCode","lspGotoDefinition"]}},"highPriority":133,"mediumPriority":90,"lowPriority":84,"topRecommendations":[{"id":"AST-ISSUE-0001","file":"src/server.ts","severity":"critical","category":"dependency-critical-path","title":"Critical dependency chain risk: 6 files (2 entry points)","reason":"Potentially high-change surface: src/server.ts -> src/routes/tools.ts -> src/utils/resilience.ts -> src/utils/circuitBreaker.ts -> src/index.ts -> src/utils/responseBuilder.ts (351 weight). Also reached from: src/routes/tools.ts.","suggestedFix":{"strategy":"Break chain at `src/server.ts` (fan-out: 11, fan-in: 0).","steps":["Extract interface from `src/server.ts` — it has 11 outbound dependencies.","Downstream modules depend on the interface, not the implementation.","This splits the chain into two independent segments."]}},{"id":"AST-ISSUE-0002","file":"src/__tests__/integration/routes.test.ts","severity":"critical","category":"dependency-critical-path","title":"Critical dependency chain risk: 6 files (2 entry points)","reason":"Potentially high-change surface: src/__tests__/integration/routes.test.ts -> src/routes/lsp.ts -> src/utils/resilience.ts -> src/utils/circuitBreaker.ts -> src/index.ts -> src/utils/responseBuilder.ts (267 weight). Also reached from: src/routes/lsp.ts.","suggestedFix":{"strategy":"Break chain at `src/routes/lsp.ts` (fan-out: 7, fan-in: 1).","steps":["Extract interface from `src/routes/lsp.ts` — it has 7 outbound dependencies.","Downstream modules depend on the interface, not the implementation.","This splits the chain into two independent segments."]}},{"id":"AST-ISSUE-0008","file":"src/server-init.ts","severity":"high","category":"await-in-loop","title":"await inside loop — sequential async execution","reason":"Each await runs serially. For N iterations this takes N * latency instead of max(latency). Use Promise.all() or Promise.allSettled() for parallel execution.","suggestedFix":{"strategy":"Collect promises and await them in parallel with Promise.all().","steps":["Collect all async operations into an array of promises.","Use await Promise.all(promises) or Promise.allSettled(promises).","If order matters or rate limiting is needed, use a batching utility."]}},{"id":"AST-ISSUE-0009","file":"src/server-init.ts","severity":"high","category":"await-in-loop","title":"await inside loop — sequential async execution","reason":"Each await runs serially. For N iterations this takes N * latency instead of max(latency). Use Promise.all() or Promise.allSettled() for parallel execution.","suggestedFix":{"strategy":"Collect promises and await them in parallel with Promise.all().","steps":["Collect all async operations into an array of promises.","Use await Promise.all(promises) or Promise.allSettled(promises).","If order matters or rate limiting is needed, use a batching utility."]}},{"id":"AST-ISSUE-0012","file":"src/utils/responseParser.ts","severity":"high","category":"cognitive-complexity","title":"High cognitive complexity: parseToolResponse (29)","reason":"Function cognitive complexity is 29 (threshold: 15). Nested branches compound reading difficulty.","suggestedFix":{"strategy":"Reduce nesting and simplify control flow.","steps":["Convert nested branches into early returns / guard clauses.","Extract deeply nested blocks into named helper functions.","Replace complex boolean chains with named predicates."]}},{"id":"AST-ISSUE-0013","file":"src/utils/responseParser.ts","severity":"high","category":"cognitive-complexity","title":"High cognitive complexity: parseToolResponseBulk (30)","reason":"Function cognitive complexity is 30 (threshold: 15). Nested branches compound reading difficulty.","suggestedFix":{"strategy":"Reduce nesting and simplify control flow.","steps":["Convert nested branches into early returns / guard clauses.","Extract deeply nested blocks into named helper functions.","Replace complex boolean chains with named predicates."]}},{"id":"AST-ISSUE-0014","file":"src/types/errorGuards.ts","severity":"high","category":"dead-export","title":"Unused export: hasMessage","reason":"Exported symbol \"hasMessage\" has no observed import or re-export usage in production or test files.","suggestedFix":{"strategy":"Remove or internalize unused exports.","steps":["Confirm symbol is not part of intentional public API surface.","Remove export modifier or delete symbol if truly unused.","Re-run scan and tests to ensure no hidden runtime usage."]}},{"id":"AST-ISSUE-0015","file":"src/types/errorGuards.ts","severity":"high","category":"dead-export","title":"Unused export: hasHeaders","reason":"Exported symbol \"hasHeaders\" has no observed import or re-export usage in production or test files.","suggestedFix":{"strategy":"Remove or internalize unused exports.","steps":["Confirm symbol is not part of intentional public API surface.","Remove export modifier or delete symbol if truly unused.","Re-run scan and tests to ensure no hidden runtime usage."]}},{"id":"AST-ISSUE-0044","file":"src/mcpCache.ts","severity":"high","category":"distance-from-main-sequence","title":"Distance from Main Sequence: src/mcpCache.ts (D=1.00)","reason":"Zone of Pain (concrete + stable): hard to extend, painful to change. A=0.00, I=0.00, D=1.00 (threshold: 0.7).","suggestedFix":{"strategy":"Add abstractions (interfaces/types) or reduce inbound coupling.","steps":["Extract interfaces for key behaviors to increase abstractness.","Consider splitting into abstract contracts + concrete implementations.","Reduce inbound coupling by narrowing the public API surface."]}},{"id":"AST-ISSUE-0045","file":"src/types/guards.ts","severity":"high","category":"distance-from-main-sequence","title":"Distance from Main Sequence: src/types/guards.ts (D=1.00)","reason":"Zone of Pain (concrete + stable): hard to extend, painful to change. A=0.00, I=0.00, D=1.00 (threshold: 0.7).","suggestedFix":{"strategy":"Add abstractions (interfaces/types) or reduce inbound coupling.","steps":["Extract interfaces for key behaviors to increase abstractness.","Consider splitting into abstract contracts + concrete implementations.","Reduce inbound coupling by narrowing the public API surface."]}},{"id":"AST-ISSUE-0051","file":"src/validation/index.ts","severity":"high","category":"export-star-leak","title":"export * leaks entire module surface: ./schemas.js","reason":"`export * from './schemas.js'` re-exports every symbol from the source, defeating granular tree-shaking. Target exports 39 symbols.","suggestedFix":{"strategy":"Replace export * with explicit named re-exports.","steps":["List the symbols actually consumed from `./schemas.js` by downstream modules.","Replace `export * from './schemas.js'` with `export { A, B, C } from './schemas.js'`.","This lets bundlers eliminate unused re-exports during tree-shaking."]}},{"id":"AST-ISSUE-0052","file":"src/utils/retry.ts","severity":"high","category":"feature-envy","title":"Feature envy: src/utils/retry.ts → src/types/errorGuards.ts","reason":"Module imports 5/5 symbols (100%) from \"src/types/errorGuards.ts\". This suggests the logic may belong in or closer to the target module.","suggestedFix":{"strategy":"Move dependent logic to the target module or extract a shared module.","steps":["Identify which functions/logic in this file use the imported symbols.","Move that logic to the target module if it belongs there.","If shared, extract a dedicated module that both can import from.","Reduce the import surface by passing data instead of importing behaviors."]}},{"id":"AST-ISSUE-0053","file":"src/validation/schemas.ts","severity":"high","category":"feature-envy","title":"Feature envy: src/validation/schemas.ts → src/validation/httpPreprocess.ts","reason":"Module imports 7/7 symbols (100%) from \"src/validation/httpPreprocess.ts\". This suggests the logic may belong in or closer to the target module.","suggestedFix":{"strategy":"Move dependent logic to the target module or extract a shared module.","steps":["Identify which functions/logic in this file use the imported symbols.","Move that logic to the target module if it belongs there.","If shared, extract a dedicated module that both can import from.","Reduce the import surface by passing data instead of importing behaviors."]}},{"id":"AST-ISSUE-0054","file":"src/validation/schemas.ts","severity":"high","category":"god-module","title":"God module: src/validation/schemas.ts","reason":"Module is excessively large: 39 exports (threshold: 20).","suggestedFix":{"strategy":"Split module into focused sub-modules with single responsibilities.","steps":["Identify distinct functional groups within the module.","Extract each group into a dedicated module.","Create a barrel if backward compatibility is needed.","Update imports incrementally."]}},{"id":"AST-ISSUE-0055","file":"src/routes/tools.ts","severity":"high","category":"hardcoded-secret","title":"Potential hardcoded secret","reason":"String literal matches a secret pattern (password, API key, token, high-entropy string). Secrets in source code risk credential leaks. Validate: use localSearchCode to find the variable, then lspFindReferences to check if it is used in auth or network calls.","suggestedFix":{"strategy":"Move secret to environment variable or secrets manager.","steps":["Replace the hardcoded value with process.env.YOUR_SECRET.","Add the variable to your .env file (excluded from git).","Verify the secret is not committed in git history."]}},{"id":"AST-ISSUE-0056","file":"src/routes/tools.ts","severity":"high","category":"prototype-pollution-risk","title":"Prototype pollution risk: computed-property-write","reason":"Dynamic bracket assignment: schemas[toolName]","suggestedFix":{"strategy":"Guard against __proto__, constructor, and prototype keys before merging.","steps":["Validate keys: reject \"__proto__\", \"constructor\", \"prototype\" before assignment.","Use Object.create(null) as the target for merges when possible.","Replace custom deep-merge with a hardened library (e.g. lodash.merge with prototype guard).","For Object.assign, ensure the source is sanitized or use structuredClone()."]}},{"id":"AST-ISSUE-0057","file":"src/utils/circuitBreaker.ts","severity":"high","category":"prototype-pollution-risk","title":"Prototype pollution risk: computed-property-write","reason":"Dynamic bracket assignment: states[name]","suggestedFix":{"strategy":"Guard against __proto__, constructor, and prototype keys before merging.","steps":["Validate keys: reject \"__proto__\", \"constructor\", \"prototype\" before assignment.","Use Object.create(null) as the target for merges when possible.","Replace custom deep-merge with a hardened library (e.g. lodash.merge with prototype guard).","For Object.assign, ensure the source is sanitized or use structuredClone()."]}},{"id":"AST-ISSUE-0058","file":"src/types/guards.ts","severity":"high","category":"semantic-dead-export","title":"Semantically dead export: isPositiveNumber","reason":"Exported symbol \"isPositiveNumber\" has zero semantic references across the entire program (confirmed via TypeChecker, not just import matching).","suggestedFix":{"strategy":"Remove the export or delete the symbol if unused internally.","steps":["Verify the symbol is not used via dynamic imports or runtime reflection.","Remove the export keyword, or delete the symbol entirely if also unused locally.","Re-run scan to confirm finding is resolved."]}},{"id":"AST-ISSUE-0059","file":"src/types/guards.ts","severity":"high","category":"semantic-dead-export","title":"Semantically dead export: isNonNegativeNumber","reason":"Exported symbol \"isNonNegativeNumber\" has zero semantic references across the entire program (confirmed via TypeChecker, not just import matching).","suggestedFix":{"strategy":"Remove the export or delete the symbol if unused internally.","steps":["Verify the symbol is not used via dynamic imports or runtime reflection.","Remove the export keyword, or delete the symbol entirely if also unused locally.","Re-run scan to confirm finding is resolved."]}},{"id":"AST-ISSUE-0102","file":"src/utils/responseBuilder.ts","severity":"high","category":"similar-function-body","title":"Similar function: fileContent (97% similar to bulkResult in src/utils/responseBuilder.ts)","reason":"\"fileContent\" and \"bulkResult\" have 97% structural similarity. Near-duplicates diverge over time and should be consolidated.","suggestedFix":{"strategy":"Extract shared logic into a parameterized helper.","steps":["Compare src/utils/responseBuilder.ts:133 with src/utils/responseBuilder.ts:410.","Identify the varying parts and extract them as parameters.","Create a shared function and call it from both locations."]}}],"filesWithIssues":[{"file":"src/server.ts","issueCount":8,"issueIds":["AST-ISSUE-0001","AST-ISSUE-0119","AST-ISSUE-0178","AST-ISSUE-0185","AST-ISSUE-0192","AST-ISSUE-0222","AST-ISSUE-0235","AST-ISSUE-0236"]},{"file":"src/__tests__/integration/routes.test.ts","issueCount":1,"issueIds":["AST-ISSUE-0002"]},{"file":"src/routes/github.ts","issueCount":4,"issueIds":["AST-ISSUE-0003","AST-ISSUE-0106","AST-ISSUE-0166","AST-ISSUE-0231"]},{"file":"src/routes/local.ts","issueCount":4,"issueIds":["AST-ISSUE-0004","AST-ISSUE-0107","AST-ISSUE-0167","AST-ISSUE-0232"]},{"file":"src/routes/package.ts","issueCount":6,"issueIds":["AST-ISSUE-0005","AST-ISSUE-0109","AST-ISSUE-0128","AST-ISSUE-0169","AST-ISSUE-0196","AST-ISSUE-0234"]},{"file":"src/__tests__/integration/circuitBreaker.test.ts","issueCount":1,"issueIds":["AST-ISSUE-0006"]},{"file":"src/__tests__/unit/circuitBreaker.test.ts","issueCount":1,"issueIds":["AST-ISSUE-0007"]},{"file":"src/server-init.ts","issueCount":10,"issueIds":["AST-ISSUE-0008","AST-ISSUE-0009","AST-ISSUE-0110","AST-ISSUE-0126","AST-ISSUE-0162","AST-ISSUE-0170","AST-ISSUE-0177","AST-ISSUE-0184","AST-ISSUE-0191","AST-ISSUE-0193"]},{"file":"src/utils/retry.ts","issueCount":11,"issueIds":["AST-ISSUE-0010","AST-ISSUE-0011","AST-ISSUE-0039","AST-ISSUE-0040","AST-ISSUE-0041","AST-ISSUE-0042","AST-ISSUE-0052","AST-ISSUE-0084","AST-ISSUE-0085","AST-ISSUE-0086","AST-ISSUE-0087"]},{"file":"src/utils/responseParser.ts","issueCount":15,"issueIds":["AST-ISSUE-0012","AST-ISSUE-0013","AST-ISSUE-0038","AST-ISSUE-0083","AST-ISSUE-0123","AST-ISSUE-0156","AST-ISSUE-0157","AST-ISSUE-0158","AST-ISSUE-0206","AST-ISSUE-0207","AST-ISSUE-0208","AST-ISSUE-0281","AST-ISSUE-0282","AST-ISSUE-0283","AST-ISSUE-0284"]},{"file":"src/types/errorGuards.ts","issueCount":19,"issueIds":["AST-ISSUE-0014","AST-ISSUE-0015","AST-ISSUE-0016","AST-ISSUE-0017","AST-ISSUE-0120","AST-ISSUE-0137","AST-ISSUE-0138","AST-ISSUE-0139","AST-ISSUE-0237","AST-ISSUE-0238","AST-ISSUE-0239","AST-ISSUE-0240","AST-ISSUE-0241","AST-ISSUE-0242","AST-ISSUE-0243","AST-ISSUE-0244","AST-ISSUE-0245","AST-ISSUE-0246","AST-ISSUE-0247"]},{"file":"src/types/guards.ts","issueCount":14,"issueIds":["AST-ISSUE-0018","AST-ISSUE-0019","AST-ISSUE-0020","AST-ISSUE-0021","AST-ISSUE-0045","AST-ISSUE-0058","AST-ISSUE-0059","AST-ISSUE-0060","AST-ISSUE-0111","AST-ISSUE-0118","AST-ISSUE-0248","AST-ISSUE-0249","AST-ISSUE-0250","AST-ISSUE-0300"]},{"file":"src/types/responses.ts","issueCount":18,"issueIds":["AST-ISSUE-0022","AST-ISSUE-0023","AST-ISSUE-0063","AST-ISSUE-0064","AST-ISSUE-0065","AST-ISSUE-0066","AST-ISSUE-0067","AST-ISSUE-0112","AST-ISSUE-0147","AST-ISSUE-0148","AST-ISSUE-0149","AST-ISSUE-0150","AST-ISSUE-0200","AST-ISSUE-0201","AST-ISSUE-0257","AST-ISSUE-0258","AST-ISSUE-0259","AST-ISSUE-0260"]},{"file":"src/types/toolTypes.ts","issueCount":10,"issueIds":["AST-ISSUE-0024","AST-ISSUE-0068","AST-ISSUE-0113","AST-ISSUE-0151","AST-ISSUE-0152","AST-ISSUE-0163","AST-ISSUE-0194","AST-ISSUE-0202","AST-ISSUE-0261","AST-ISSUE-0262"]},{"file":"src/utils/circuitBreaker.ts","issueCount":16,"issueIds":["AST-ISSUE-0025","AST-ISSUE-0026","AST-ISSUE-0057","AST-ISSUE-0069","AST-ISSUE-0070","AST-ISSUE-0071","AST-ISSUE-0072","AST-ISSUE-0203","AST-ISSUE-0221","AST-ISSUE-0223","AST-ISSUE-0264","AST-ISSUE-0265","AST-ISSUE-0266","AST-ISSUE-0267","AST-ISSUE-0268","AST-ISSUE-0269"]},{"file":"src/utils/logEmoji.ts","issueCount":11,"issueIds":["AST-ISSUE-0027","AST-ISSUE-0028","AST-ISSUE-0029","AST-ISSUE-0073","AST-ISSUE-0114","AST-ISSUE-0153","AST-ISSUE-0164","AST-ISSUE-0195","AST-ISSUE-0272","AST-ISSUE-0273","AST-ISSUE-0274"]},{"file":"src/utils/logger.ts","issueCount":33,"issueIds":["AST-ISSUE-0030","AST-ISSUE-0031","AST-ISSUE-0032","AST-ISSUE-0033","AST-ISSUE-0034","AST-ISSUE-0074","AST-ISSUE-0075","AST-ISSUE-0076","AST-ISSUE-0077","AST-ISSUE-0078","AST-ISSUE-0103","AST-ISSUE-0104","AST-ISSUE-0154","AST-ISSUE-0171","AST-ISSUE-0172","AST-ISSUE-0173","AST-ISSUE-0174","AST-ISSUE-0180","AST-ISSUE-0187","AST-ISSUE-0189","AST-ISSUE-0211","AST-ISSUE-0216","AST-ISSUE-0217","AST-ISSUE-0218","AST-ISSUE-0219","AST-ISSUE-0225","AST-ISSUE-0226","AST-ISSUE-0275","AST-ISSUE-0276","AST-ISSUE-0277","AST-ISSUE-0278","AST-ISSUE-0279","AST-ISSUE-0307"]},{"file":"src/utils/responseFactory.ts","issueCount":14,"issueIds":["AST-ISSUE-0035","AST-ISSUE-0036","AST-ISSUE-0037","AST-ISSUE-0080","AST-ISSUE-0081","AST-ISSUE-0082","AST-ISSUE-0115","AST-ISSUE-0122","AST-ISSUE-0134","AST-ISSUE-0176","AST-ISSUE-0280","AST-ISSUE-0301","AST-ISSUE-0302","AST-ISSUE-0303"]},{"file":"src/validation/toolCallSchema.ts","issueCount":11,"issueIds":["AST-ISSUE-0043","AST-ISSUE-0160","AST-ISSUE-0161","AST-ISSUE-0181","AST-ISSUE-0209","AST-ISSUE-0294","AST-ISSUE-0295","AST-ISSUE-0296","AST-ISSUE-0297","AST-ISSUE-0298","AST-ISSUE-0299"]},{"file":"src/mcpCache.ts","issueCount":5,"issueIds":["AST-ISSUE-0044","AST-ISSUE-0188","AST-ISSUE-0190","AST-ISSUE-0210","AST-ISSUE-0227"]},{"file":"src/utils/asyncTimeout.ts","issueCount":3,"issueIds":["AST-ISSUE-0046","AST-ISSUE-0186","AST-ISSUE-0263"]},{"file":"src/utils/colors.ts","issueCount":4,"issueIds":["AST-ISSUE-0047","AST-ISSUE-0124","AST-ISSUE-0270","AST-ISSUE-0271"]},{"file":"src/utils/errorQueue.ts","issueCount":2,"issueIds":["AST-ISSUE-0048","AST-ISSUE-0204"]},{"file":"src/utils/responseBuilder.ts","issueCount":6,"issueIds":["AST-ISSUE-0049","AST-ISSUE-0102","AST-ISSUE-0136","AST-ISSUE-0205","AST-ISSUE-0214","AST-ISSUE-0215"]},{"file":"src/validation/httpPreprocess.ts","issueCount":10,"issueIds":["AST-ISSUE-0050","AST-ISSUE-0088","AST-ISSUE-0286","AST-ISSUE-0287","AST-ISSUE-0288","AST-ISSUE-0289","AST-ISSUE-0290","AST-ISSUE-0291","AST-ISSUE-0292","AST-ISSUE-0293"]},{"file":"src/validation/index.ts","issueCount":3,"issueIds":["AST-ISSUE-0051","AST-ISSUE-0175","AST-ISSUE-0212"]},{"file":"src/validation/schemas.ts","issueCount":15,"issueIds":["AST-ISSUE-0053","AST-ISSUE-0054","AST-ISSUE-0089","AST-ISSUE-0090","AST-ISSUE-0091","AST-ISSUE-0092","AST-ISSUE-0093","AST-ISSUE-0094","AST-ISSUE-0095","AST-ISSUE-0096","AST-ISSUE-0097","AST-ISSUE-0098","AST-ISSUE-0099","AST-ISSUE-0100","AST-ISSUE-0101"]},{"file":"src/routes/tools.ts","issueCount":10,"issueIds":["AST-ISSUE-0055","AST-ISSUE-0056","AST-ISSUE-0117","AST-ISSUE-0130","AST-ISSUE-0131","AST-ISSUE-0132","AST-ISSUE-0183","AST-ISSUE-0197","AST-ISSUE-0220","AST-ISSUE-0305"]},{"file":"src/types/mcp.ts","issueCount":18,"issueIds":["AST-ISSUE-0061","AST-ISSUE-0062","AST-ISSUE-0140","AST-ISSUE-0141","AST-ISSUE-0142","AST-ISSUE-0143","AST-ISSUE-0144","AST-ISSUE-0145","AST-ISSUE-0146","AST-ISSUE-0198","AST-ISSUE-0199","AST-ISSUE-0251","AST-ISSUE-0252","AST-ISSUE-0253","AST-ISSUE-0254","AST-ISSUE-0255","AST-ISSUE-0256","AST-ISSUE-0306"]},{"file":"src/utils/resilience.ts","issueCount":3,"issueIds":["AST-ISSUE-0079","AST-ISSUE-0121","AST-ISSUE-0155"]},{"file":"src/middleware/queryParser.ts","issueCount":4,"issueIds":["AST-ISSUE-0105","AST-ISSUE-0135","AST-ISSUE-0224","AST-ISSUE-0304"]},{"file":"src/routes/lsp.ts","issueCount":3,"issueIds":["AST-ISSUE-0108","AST-ISSUE-0168","AST-ISSUE-0233"]},{"file":"src/utils/routeFactory.ts","issueCount":4,"issueIds":["AST-ISSUE-0116","AST-ISSUE-0133","AST-ISSUE-0159","AST-ISSUE-0285"]},{"file":"src/index.ts","issueCount":2,"issueIds":["AST-ISSUE-0125","AST-ISSUE-0165"]},{"file":"src/middleware/errorHandler.ts","issueCount":3,"issueIds":["AST-ISSUE-0127","AST-ISSUE-0228","AST-ISSUE-0229"]},{"file":"src/routes/prompts.ts","issueCount":1,"issueIds":["AST-ISSUE-0129"]},{"file":"src/middleware/logger.ts","issueCount":4,"issueIds":["AST-ISSUE-0179","AST-ISSUE-0182","AST-ISSUE-0213","AST-ISSUE-0230"]}]},"analysisSummary":{"graphSignals":[{"kind":"structural-chokepoint","lens":"graph","title":"Structural chokepoint","summary":"src/utils/responseBuilder.ts concentrates dependency pressure (articulation point, 1 bridge edge(s), on critical path, high complexity risk (109)).","confidence":"high","score":53,"files":["src/utils/responseBuilder.ts"],"categories":["broker-module","bridge-module"],"evidence":{"score":53,"reasons":["articulation point","1 bridge edge(s)","on critical path","high complexity risk (109)"]}}],"astSignals":[{"kind":"hidden-initialization","lens":"ast","title":"Hidden initialization logic","summary":"src/server-init.ts performs import-time work that matches the reported side-effect risk.","confidence":"medium","score":75,"files":["src/server-init.ts"],"categories":["import-side-effect-risk"],"evidence":{"totalEffects":2,"highestRisk":"process-handler"}},{"kind":"hidden-initialization","lens":"ast","title":"Hidden initialization logic","summary":"src/server.ts performs import-time work that matches the reported side-effect risk.","confidence":"medium","score":75,"files":["src/server.ts"],"categories":["import-side-effect-risk"],"evidence":{"totalEffects":2,"highestRisk":"process-handler"}}],"strongestGraphSignal":{"kind":"structural-chokepoint","lens":"graph","title":"Structural chokepoint","summary":"src/utils/responseBuilder.ts concentrates dependency pressure (articulation point, 1 bridge edge(s), on critical path, high complexity risk (109)).","confidence":"high","score":53,"files":["src/utils/responseBuilder.ts"],"categories":["broker-module","bridge-module"],"evidence":{"score":53,"reasons":["articulation point","1 bridge edge(s)","on critical path","high complexity risk (109)"]}},"strongestAstSignal":{"kind":"hidden-initialization","lens":"ast","title":"Hidden initialization logic","summary":"src/server-init.ts performs import-time work that matches the reported side-effect risk.","confidence":"medium","score":75,"files":["src/server-init.ts"],"categories":["import-side-effect-risk"],"evidence":{"totalEffects":2,"highestRisk":"process-handler"}},"combinedSignals":[{"kind":"combined-interpretation","lens":"hybrid","title":"Combined interpretation","summary":"Structural chokepoint and Hidden initialization logic both appear in this scan, so use a hybrid investigation instead of a single-lens conclusion.","confidence":"medium","score":64,"files":["src/utils/responseBuilder.ts","src/server-init.ts"],"categories":["broker-module","bridge-module","import-side-effect-risk"],"evidence":{"graphKind":"structural-chokepoint","astKind":"hidden-initialization","sharedFile":null}}],"recommendedValidation":{"summary":"navigate to the awaited call to check if parallelization is safe","tools":["localSearchCode","lspGotoDefinition"]}},"strongestGraphSignal":{"kind":"structural-chokepoint","lens":"graph","title":"Structural chokepoint","summary":"src/utils/responseBuilder.ts concentrates dependency pressure (articulation point, 1 bridge edge(s), on critical path, high complexity risk (109)).","confidence":"high","score":53,"files":["src/utils/responseBuilder.ts"],"categories":["broker-module","bridge-module"],"evidence":{"score":53,"reasons":["articulation point","1 bridge edge(s)","on critical path","high complexity risk (109)"]}},"strongestAstSignal":{"kind":"hidden-initialization","lens":"ast","title":"Hidden initialization logic","summary":"src/server-init.ts performs import-time work that matches the reported side-effect risk.","confidence":"medium","score":75,"files":["src/server-init.ts"],"categories":["import-side-effect-risk"],"evidence":{"totalEffects":2,"highestRisk":"process-handler"}},"combinedSignals":[{"kind":"combined-interpretation","lens":"hybrid","title":"Combined interpretation","summary":"Structural chokepoint and Hidden initialization logic both appear in this scan, so use a hybrid investigation instead of a single-lens conclusion.","confidence":"medium","score":64,"files":["src/utils/responseBuilder.ts","src/server-init.ts"],"categories":["broker-module","bridge-module","import-side-effect-risk"],"evidence":{"graphKind":"structural-chokepoint","astKind":"hidden-initialization","sharedFile":null}}],"recommendedValidation":{"summary":"navigate to the awaited call to check if parallelization is safe","tools":["localSearchCode","lspGotoDefinition"]},"investigationPrompts":["Inspect src/utils/responseBuilder.ts first and validate the graph claim with localSearchCode plus LSP navigation.","Use file-inventory.json for src/server-init.ts to explain why the code shape matches the finding.","Use a hybrid investigation before proposing a refactor because the signals do not fully align yet.","Cross-check the top hotspot src/utils/logger.ts with the strongest architecture finding before editing code."],"parseErrors":[],"outputFiles":{"summary":"summary.json","architecture":"architecture.json","codeQuality":"code-quality.json","deadCode":"dead-code.json","fileInventory":"file-inventory.json","findings":"findings.json","security":"security.json","graph":"graph.md","astTrees":"ast-trees.txt","summaryMd":"summary.md"}}