Aggregate Scores
Operational Health
  Verify rate (% sessions passing verify on first try): 75%
  Rework cycles (average review-fix iterations per session): 0.2
  Severity score (weighted severity of review findings; 1.0 = no findings): 0.39
  Cost / session (average LLM cost per session in USD): $10.93
  Knowledge miss rate (fraction of rework caused by missing retrieval context): 1.00
Retrieval Quality
Retrieval metrics require LLM judge — run without --no-llm to enable.
Recurring Failures
No recurring failures detected across sessions.
Worst 0 Sessions
No session ranking available (requires retrieval metrics).
Per-Session Drill-Down
f47ac10b-58cc-4372-a567-0e02b2c3d479
Phases
  session (gen 1) — completed
WEB-44
Phases
  triage (gen 1) — completed
  implement (gen 1) — completed
  verify (gen 1) — completed
Findings
  [critical] src/reports/query-builder.ts:45
    Column names are interpolated directly into SQL without allowlist validation, enabling SQL injection via crafted filter column names.
    Recommendation: Validate column names against an explicit allowlist derived from the table schema before interpolation.
  [critical] src/reports/query-builder.ts:78
    The ORDER BY clause accepts arbitrary expressions, allowing blind SQL injection through sort parameters.
    Recommendation: Restrict ORDER BY to allowlisted column names and directions (ASC/DESC) only.
  [major] src/reports/controller.ts:112
    There is no cap on the pagination limit, so clients can request unbounded result sets, risking OOM on large tables.
    Recommendation: Enforce a maximum page size (e.g. 1000 rows) regardless of the client request.
  [minor] tests/reports/query-builder.test.ts:89
    The test does not cover SQL injection vectors in column names.
    Recommendation: Add test cases with column names containing SQL metacharacters (semicolons, quotes, comments).
WEB-46
Phases
  triage (gen 1) — completed
  implement (gen 1) — completed
  verify (gen 1) — completed
Findings
  [minor] src/ws/server.ts:52
    A heartbeat interval of 60s is too long for mobile clients that may lose connectivity.
    Recommendation: Reduce the heartbeat interval to 30s and add a configurable timeout.
  [major] src/ws/channels.ts:18
    In-memory channel subscriptions will not survive process restarts in multi-instance deployments.
    Recommendation: Consider using Redis pub/sub as the backing store for channel subscriptions.
  [minor] src/ws/server.ts:95
    The absence of a per-IP connection limit could allow resource exhaustion.
    Recommendation: Add a per-IP connection limit with a configurable threshold.
WEB-45
Phases
  triage (gen 1) — completed
  implement (gen 1) — failed
WEB-42
Phases
  triage (gen 1) — completed
  implement (gen 1) — completed
  verify (gen 1) — completed
Findings
  [minor] src/middleware/auth.ts:28
    The token expiry error message could leak clock skew information.
    Recommendation: Use a generic 'Token expired' message without including the expiry timestamp.
WEB-43
Phases
  triage (gen 1) — completed
  implement (gen 2) — completed
  implement (gen 1) — completed
  verify (gen 2) — completed
Findings
  [critical] src/middleware/rate-limit.ts:67
    Race condition in the sliding window: the read and decrement are not atomic, allowing burst requests to bypass the limit under concurrent load.
    Recommendation: Use a Redis MULTI/EXEC transaction or a Lua script to make the check-and-decrement atomic.
  [major] src/config/defaults.ts:15
    The default rate limit of 10000 requests/minute is too permissive for public endpoints.
    Recommendation: Set the default to 100 requests/minute with per-endpoint override capability.
  [minor] tests/middleware/rate-limit.test.ts:34
    The test uses real timers, which makes the sliding window test flaky.
    Recommendation: Use Jest fake timers to control time advancement deterministically.