Close Open Privacy Scan

bolt Snapshot: commit 71f5a52
science engine v3
schedule 2026-07-08T13:15:42.556299+00:00

verified_user Application data leak confirmed

High-confidence data exfiltration identified in application code.

Incomplete scan — only 104/200 dependencies were analyzed. Treat the score as provisional.

App Privacy Score

0 /100
High privacy risk — application leak confirmed

High risk · 1696 finding(s)

Dependency score: 0 (High risk)

bar_chart Score Breakdown

pii_flow −60
telemetry −25
egress −15
env_fs −3

list Scan Summary

111 high 169 medium 1416 low
First-party packages: 4
Dependency packages: 26
Ecosystem: npm

swap_horiz Confirmed data exfiltration in application code

External domains: ${process.env.VERCEL_URL}`a#бa@bapi.foursquare.comapi.github.comapi.linkedin.comapi.openai.comapi.todoist.comapi.trakt.tvbroken-redirect.example.comcircular.example.comdirect.example.comeu.posthog.comfinal.example.commasking.example.comredirector.example.comrelative-redirect.example.comstatus.langfuse.comwebhook-201.example.comwebhook-error.example.comwebhook-timeout.example.comwebhook.example.comтест

high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:54 repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:177
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:67 repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:207
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:74 repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:263
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:81 repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:303
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/features/auth-credentials/server/signupApiHandler.ts:95 repo/web/src/features/auth-credentials/server/signupApiHandler.ts:116
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/pages/api/auth/signup-verify.ts:12 repo/web/src/pages/api/auth/signup-verify.ts:96
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/pages/auth/enterprise-sso-required.tsx:84 repo/web/src/pages/auth/enterprise-sso-required.tsx:92
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/pages/auth/sign-in.tsx:663 repo/web/src/pages/auth/sign-in.tsx:677
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/pages/auth/sign-up.tsx:133 repo/web/src/pages/auth/sign-up.tsx:148
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/pages/auth/sign-up.tsx:354 repo/web/src/pages/auth/sign-up.tsx:349
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/server/adminAccessWebhook.ts:47 repo/web/src/server/adminAccessWebhook.ts:57
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/server/auth.ts:1099 repo/web/src/server/auth.ts:1095
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/worker/src/scripts/replayIngestionEventsV2/replay.ts:56 repo/worker/src/scripts/replayIngestionEventsV2/replay.ts:263
high first-party (npm): web User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:54 repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:177
high first-party (npm): web User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:67 repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:207
high first-party (npm): web User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:74 repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:263
high first-party (npm): web User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:81 repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:303
high first-party (npm): web User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/features/auth-credentials/server/signupApiHandler.ts:95 repo/web/src/features/auth-credentials/server/signupApiHandler.ts:116
high first-party (npm): web User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/pages/api/auth/signup-verify.ts:12 repo/web/src/pages/api/auth/signup-verify.ts:96
high first-party (npm): web User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/pages/auth/enterprise-sso-required.tsx:84 repo/web/src/pages/auth/enterprise-sso-required.tsx:92
high first-party (npm): web User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/pages/auth/sign-in.tsx:663 repo/web/src/pages/auth/sign-in.tsx:677
high first-party (npm): web User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/pages/auth/sign-up.tsx:133 repo/web/src/pages/auth/sign-up.tsx:148
high first-party (npm): web User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/pages/auth/sign-up.tsx:354 repo/web/src/pages/auth/sign-up.tsx:349
high first-party (npm): web User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/server/adminAccessWebhook.ts:47 repo/web/src/server/adminAccessWebhook.ts:57
high first-party (npm): web User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/server/auth.ts:1099 repo/web/src/server/auth.ts:1095
high first-party (npm): worker User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/worker/src/scripts/replayIngestionEventsV2/replay.ts:56 repo/worker/src/scripts/replayIngestionEventsV2/replay.ts:263
medium first-party (npm) Credentials parsed from the request URL are applied as authorization on the same outbound HTTP request. This is intentional URL authentication, not unexpected data exfiltration.
repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:180 repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:177
medium first-party (npm) Credentials parsed from the request URL are applied as authorization on the same outbound HTTP request. This is intentional URL authentication, not unexpected data exfiltration.
repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:273 repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:263
medium first-party (npm) Credentials parsed from the request URL are applied as authorization on the same outbound HTTP request. This is intentional URL authentication, not unexpected data exfiltration.
repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:313 repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:303
medium first-party (npm): web Credentials parsed from the request URL are applied as authorization on the same outbound HTTP request. This is intentional URL authentication, not unexpected data exfiltration.
repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:180 repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:177
medium first-party (npm): web Credentials parsed from the request URL are applied as authorization on the same outbound HTTP request. This is intentional URL authentication, not unexpected data exfiltration.
repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:273 repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:263
medium first-party (npm): web Credentials parsed from the request URL are applied as authorization on the same outbound HTTP request. This is intentional URL authentication, not unexpected data exfiltration.
repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:313 repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:303
hub Dependency data flows (97)
high next-auth dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/core/lib/oauth/callback.js:83 pkgs/npm/[email protected]/core/lib/oauth/callback.js:86
high next-auth dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/core/lib/oauth/callback.js:83 pkgs/npm/[email protected]/core/lib/oauth/callback.js:103
high next-auth dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/providers/hubspot.js:32 pkgs/npm/[email protected]/providers/hubspot.js:33
high next-auth dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/providers/trakt.js:23 pkgs/npm/[email protected]/providers/trakt.js:21
high next-auth dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/src/core/lib/oauth/callback.ts:87 pkgs/npm/[email protected]/src/core/lib/oauth/callback.ts:91
high next-auth dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/src/core/lib/oauth/callback.ts:87 pkgs/npm/[email protected]/src/core/lib/oauth/callback.ts:111
high next-auth dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/src/providers/hubspot.ts:44 pkgs/npm/[email protected]/src/providers/hubspot.ts:46
high next-auth dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/src/providers/trakt.ts:35 pkgs/npm/[email protected]/src/providers/trakt.ts:33
high next-auth dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/src/react/index.tsx:50 pkgs/npm/[email protected]/src/react/index.tsx:252
high next-auth dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/src/react/index.tsx:50 pkgs/npm/[email protected]/src/react/index.tsx:314
high @ai-sdk/amazon-bedrock dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/bedrock-sigv4-fetch.ts:76 pkgs/npm/@[email protected]/src/bedrock-sigv4-fetch.ts:87
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:160
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:173
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:187
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:201
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:217
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:235
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:254
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:273
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:294
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:313
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:329
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:344
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:361
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:379
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:395
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:416
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:432
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:447
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:460
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:473
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:489
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:505
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:523
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:541
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:558
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:575
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:589
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:604
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:618
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:634
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:650
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:666
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:682
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:698
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:712
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:728
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:744
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:760
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:776
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:793
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:810
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:822
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:836
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:849
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:862
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:875
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:888
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:901
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:915
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:932
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:946
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:956
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:970
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:985
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:999
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:1012
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:1025
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:1038
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:1051
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:1065
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:1080
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:1094
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:1107
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:1121
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:1135
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:1148
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:1161
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:1174
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:1187
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:1200
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:1213
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:1226
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:148 pkgs/npm/@[email protected]/src/client.ts:1239
high @team-plain/typescript-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/request.ts:31 pkgs/npm/@[email protected]/src/request.ts:39
medium @team-plain/typescript-sdk tooling PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]/src/examples/assignThread.ts:5 pkgs/npm/@[email protected]/src/examples/assignThread.ts:13
medium @team-plain/typescript-sdk tooling PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]/src/examples/assignThread.ts:5 pkgs/npm/@[email protected]/src/examples/assignThread.ts:16
medium @team-plain/typescript-sdk tooling PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]/src/examples/createAttachmentUploadUrl.ts:4 pkgs/npm/@[email protected]/src/examples/createAttachmentUploadUrl.ts:14
medium @team-plain/typescript-sdk tooling PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]/src/examples/createAttachmentUploadUrl.ts:4 pkgs/npm/@[email protected]/src/examples/createAttachmentUploadUrl.ts:16
medium @team-plain/typescript-sdk tooling PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]/src/examples/getThreadByRef.ts:4 pkgs/npm/@[email protected]/src/examples/getThreadByRef.ts:11
medium @team-plain/typescript-sdk tooling PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]/src/examples/getThreadByRef.ts:4 pkgs/npm/@[email protected]/src/examples/getThreadByRef.ts:15
medium @team-plain/typescript-sdk tooling PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]/src/examples/threadFields.ts:4 pkgs/npm/@[email protected]/src/examples/threadFields.ts:19
medium @team-plain/typescript-sdk tooling PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]/src/examples/threadFields.ts:4 pkgs/npm/@[email protected]/src/examples/threadFields.ts:22
medium @team-plain/typescript-sdk tooling PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]/src/examples/threadFields.ts:4 pkgs/npm/@[email protected]/src/examples/threadFields.ts:36
medium @team-plain/typescript-sdk tooling PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]/src/examples/threadFields.ts:4 pkgs/npm/@[email protected]/src/examples/threadFields.ts:39
medium @team-plain/typescript-sdk tooling PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]/src/examples/upsertCustomer.ts:4 pkgs/npm/@[email protected]/src/examples/upsertCustomer.ts:21
medium @team-plain/typescript-sdk tooling PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]/src/examples/upsertCustomer.ts:4 pkgs/npm/@[email protected]/src/examples/upsertCustomer.ts:23

</> First-Party Code

first-party (npm)

npm first-party
high pii_flow production #4e6878fcca75e05e User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:177 · flow /tmp/closeopen-yihwgiie/repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:54 → /tmp/closeopen-yihwgiie/repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:177
      await this.post({
        url: this.config.userUrl,
        payload: { isLangfuse: true, ...parsed.data },
        context: { event: "upsertUser", userId: parsed.data.userId },
        expectJsonResponse: false,
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #7a931a61c73dbe28 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:207 · flow /tmp/closeopen-yihwgiie/repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:67 → /tmp/closeopen-yihwgiie/repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:207
      const response = await this.post({
        url: this.config.orgUrl,
        payload: {
          isLangfuse: true,
          type: "updateOrg" as const,
          langfuseDataRegion: this.config.dataRegion,
          // The Mulesoft updateOrg flow runs `numServices* > 0` comparisons
          // and 500s on null — always send 0
          numServicesAws: 0,
          numServicesGcp: 0,
          numServicesAzure: 0,
          ...parsed.data,
        },
        context: { event: "upsertOrg", orgId: parsed.data.orgId },
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #17218584575f0f04 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:263 · flow /tmp/closeopen-yihwgiie/repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:74 → /tmp/closeopen-yihwgiie/repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:263
        await this.post({
          url: this.config.orgUrl,
          payload: {
            isLangfuse: true,
            type: "setUserRole" as const,
            ...parsed.data,
          },
          context: {
            event: "setUserRole",
            orgId: parsed.data.orgId,
            userId: parsed.data.userId,
          },
          expectJsonResponse: false,
        });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #7a5ee2f1d5692720 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:303 · flow /tmp/closeopen-yihwgiie/repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:81 → /tmp/closeopen-yihwgiie/repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:303
        await this.post({
          url: this.config.orgUrl,
          payload: {
            isLangfuse: true,
            type: "removeUser" as const,
            ...parsed.data,
          },
          context: {
            event: "removeUser",
            orgId: parsed.data.orgId,
            userId: parsed.data.userId,
          },
          expectJsonResponse: false,
        });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #486aad08d37ab92e User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/features/auth-credentials/server/signupApiHandler.ts:116 · flow /tmp/closeopen-yihwgiie/repo/web/src/features/auth-credentials/server/signupApiHandler.ts:95 → /tmp/closeopen-yihwgiie/repo/web/src/features/auth-credentials/server/signupApiHandler.ts:116
    await fetch(env.LANGFUSE_NEW_USER_SIGNUP_WEBHOOK, {
      method: "POST",
      body: JSON.stringify({
        name: body.name,
        email: body.email,
        referralSource: body.referralSource,
        cloudRegion: env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION,
        userId: userId,
      }),
      headers: {
        "Content-Type": "application/json",
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #0ad9424cb23a0ea1 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/pages/api/auth/signup-verify.ts:96 · flow /tmp/closeopen-yihwgiie/repo/web/src/pages/api/auth/signup-verify.ts:12 → /tmp/closeopen-yihwgiie/repo/web/src/pages/api/auth/signup-verify.ts:96
      await fetch(env.LANGFUSE_NEW_USER_SIGNUP_WEBHOOK, {
        method: "POST",
        body: JSON.stringify({
          name,
          email: normalizedEmail,
          cloudRegion: env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION,
          userId: newUser.id,
        }),
        headers: {
          "Content-Type": "application/json",
        },
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #38330c57728b5445 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/pages/auth/enterprise-sso-required.tsx:92 · flow /tmp/closeopen-yihwgiie/repo/web/src/pages/auth/enterprise-sso-required.tsx:84 → /tmp/closeopen-yihwgiie/repo/web/src/pages/auth/enterprise-sso-required.tsx:92
      const response = await fetch(
        `${env.NEXT_PUBLIC_BASE_PATH ?? ""}/api/auth/check-sso`,
        {
          method: "POST",
          headers: { "Content-Type": "application/json" },
          body: JSON.stringify({ domain }),
        },
      );

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #3a368afbc7ee43c7 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/pages/auth/sign-in.tsx:677 · flow /tmp/closeopen-yihwgiie/repo/web/src/pages/auth/sign-in.tsx:663 → /tmp/closeopen-yihwgiie/repo/web/src/pages/auth/sign-in.tsx:677
      const res = await fetch(
        `${env.NEXT_PUBLIC_BASE_PATH ?? ""}/api/auth/check-sso`,
        {
          method: "POST",
          headers: { "Content-Type": "application/json" },
          body: JSON.stringify({ domain }),
        },
      );

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #d446931d673df1b3 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/pages/auth/sign-up.tsx:148 · flow /tmp/closeopen-yihwgiie/repo/web/src/pages/auth/sign-up.tsx:133 → /tmp/closeopen-yihwgiie/repo/web/src/pages/auth/sign-up.tsx:148
      const res = await fetch(
        `${env.NEXT_PUBLIC_BASE_PATH ?? ""}/api/auth/check-sso`,
        {
          method: "POST",
          headers: { "Content-Type": "application/json" },
          body: JSON.stringify({ domain }),
        },
      );

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #fc620bb0678d1965 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/pages/auth/sign-up.tsx:349 · flow /tmp/closeopen-yihwgiie/repo/web/src/pages/auth/sign-up.tsx:354 → /tmp/closeopen-yihwgiie/repo/web/src/pages/auth/sign-up.tsx:349
      const res = await fetch(
        `${env.NEXT_PUBLIC_BASE_PATH ?? ""}/api/auth/signup-verify`,
        {
          method: "POST",
          headers: { "Content-Type": "application/json" },
          body: JSON.stringify({ email: values.email, name: values.name }),
        },
      );

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #f08126cfd35d728f User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/server/adminAccessWebhook.ts:57 · flow /tmp/closeopen-yihwgiie/repo/web/src/server/adminAccessWebhook.ts:47 → /tmp/closeopen-yihwgiie/repo/web/src/server/adminAccessWebhook.ts:57
    const response = await fetch(env.LANGFUSE_ADMIN_ACCESS_WEBHOOK, {
      method: "POST",
      body: JSON.stringify(payload),
      headers: {
        "Content-Type": "application/json",
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #ccaf40b4417f5f0e User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/server/auth.ts:1095 · flow /tmp/closeopen-yihwgiie/repo/web/src/server/auth.ts:1099 → /tmp/closeopen-yihwgiie/repo/web/src/server/auth.ts:1095
          await fetch(env.LANGFUSE_NEW_USER_SIGNUP_WEBHOOK, {
            method: "POST",
            body: JSON.stringify({
              name: user.name,
              email: user.email,
              cloudRegion: env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION,
              userId: user.id,
              // referralSource: ...
            }),
            headers: {
              "Content-Type": "application/json",
            },
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #1b2558272a8fc42b User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/worker/src/scripts/replayIngestionEventsV2/replay.ts:263 · flow /tmp/closeopen-yihwgiie/repo/worker/src/scripts/replayIngestionEventsV2/replay.ts:56 → /tmp/closeopen-yihwgiie/repo/worker/src/scripts/replayIngestionEventsV2/replay.ts:263
    const resp = await fetch(API_URL, {
      method: "POST",
      headers: {
        "Content-Type": "application/json",
        Authorization: `Bearer ${ADMIN_API_KEY}`,
      },
      body: JSON.stringify({ keys }),
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium telemetry production #5d372edca2439eb1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/instrumentation-client.ts:1
import * as Sentry from "@sentry/nextjs";

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #3cf9eb5f120aeb0e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/next.config.mjs:6
import { withSentryConfig } from "@sentry/nextjs";

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #df6fbf8c5b511e74 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/components/error-page.tsx:7
import { captureException } from "@sentry/nextjs";

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #9fd00da7dddb992f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/components/layouts/app-layout/index.tsx:15
import posthog from "posthog-js";

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ab2e271ec294a0e0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/components/layouts/app-layout/index.tsx:133
      posthog.reset();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #642358c87857849d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/components/ui/resizable-image.tsx:9
import { captureException } from "@sentry/nextjs";

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium pii_flow production #555bfedc11426849 Credentials parsed from the request URL are applied as authorization on the same outbound HTTP request. This is intentional URL authentication, not unexpected data exfiltration.
repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:177 · flow /tmp/closeopen-yihwgiie/repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:180 → /tmp/closeopen-yihwgiie/repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:177
      await this.post({
        url: this.config.userUrl,
        payload: { isLangfuse: true, ...parsed.data },
        context: { event: "upsertUser", userId: parsed.data.userId },
        expectJsonResponse: false,
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow production #6bd7b2a0e2b8cd60 Credentials parsed from the request URL are applied as authorization on the same outbound HTTP request. This is intentional URL authentication, not unexpected data exfiltration.
repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:263 · flow /tmp/closeopen-yihwgiie/repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:273 → /tmp/closeopen-yihwgiie/repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:263
        await this.post({
          url: this.config.orgUrl,
          payload: {
            isLangfuse: true,
            type: "setUserRole" as const,
            ...parsed.data,
          },
          context: {
            event: "setUserRole",
            orgId: parsed.data.orgId,
            userId: parsed.data.userId,
          },
          expectJsonResponse: false,
        });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow production #352a4b3e5bf56a8e Credentials parsed from the request URL are applied as authorization on the same outbound HTTP request. This is intentional URL authentication, not unexpected data exfiltration.
repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:303 · flow /tmp/closeopen-yihwgiie/repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:313 → /tmp/closeopen-yihwgiie/repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:303
        await this.post({
          url: this.config.orgUrl,
          payload: {
            isLangfuse: true,
            type: "removeUser" as const,
            ...parsed.data,
          },
          context: {
            event: "removeUser",
            orgId: parsed.data.orgId,
            userId: parsed.data.userId,
          },
          expectJsonResponse: false,
        });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium telemetry production #a1d56f21c5048caf Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/features/auth/lib/createProjectMembershipsOnSignup.ts:269
        posthog.capture({
          distinctId: user.id,
          event: "cloud_signup_complete",
          properties: {
            cloudRegion: env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION,
            hasDemoAccess: demoProject !== undefined,
            hasDefaultOrg: defaultOrgs.length > 0,
            hasDefaultProject: defaultProjects.length > 0,
          },
        });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #2b24289103419e31 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/features/auth/lib/createProjectMembershipsOnSignup.ts:279
        await posthog.shutdown();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #82cec99874dd9da9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/features/events/hooks/useV4Beta.ts:4
import posthog from "posthog-js";

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #2fc97c0adf8cd5c6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/features/events/hooks/useV4Beta.ts:35
            posthog.setPersonProperties({
              [V4_BETA_ENABLED_POSTHOG_PROPERTY]: v4BetaEnabled,
            });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #9786e0ddd3e4292f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/features/events/hooks/useV4Beta.ts:38
            posthog.register({
              [V4_BETA_ENABLED_POSTHOG_PROPERTY]: v4BetaEnabled,
            });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #35d6371115eae7c3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/features/posthog-analytics/ServerPosthog.ts:2
import { PostHog } from "posthog-node";

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d52d86711e470817 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/features/posthog-analytics/usePostHogClientCapture.ts:1
import { type CaptureResult, type CaptureOptions } from "posthog-js";

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #41455ade6b3b9859 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/features/posthog-analytics/usePostHogClientCapture.ts:244
    return posthog.capture(eventName, properties, options);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #35ac8b0ad9cde5ab Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/features/telemetry/index.ts:252
    posthog.capture({
      distinctId: "docker:" + clientId,
      event: "telemetry",
      properties: {
        langfuseVersion: VERSION,
        userDomains: domains,
        totalProjects: totalProjects,
        traces: countTraces,
        scores: countScores,
        observations: countObservations,
        datasets: countDatasets,
        datasetItems: countDatasetItems,
        datasetRuns: countDatasetRuns,
        datasetRunItems: countDatasetRunItems,
        startTimeframe: startTimeframe?.toISOString(),
        endTimeframe: endTimeframe.toISOString(),
        eeLicenseKey: env.LANGFUSE_EE_LICENSE_KEY,
        langfuseCloudRegion: env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION,
        $set: {
          environment: process.env.NODE_ENV,
          userDomains: domains,
          docker: true,
          langfuseVersion: VERSION,
        },
      },
    });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b02d687c59e8d6d1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/features/telemetry/index.ts:279
    await posthog.shutdown();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #584073552188bedf Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/pages/_app.tsx:4
import { setUser } from "@sentry/nextjs";

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a90b395628fb2fd3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/pages/_app.tsx:19
import posthog from "posthog-js";

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #52ac7659d900984f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/pages/_app.tsx:90
  posthog.init(process.env.NEXT_PUBLIC_POSTHOG_KEY, {
    api_host: process.env.NEXT_PUBLIC_POSTHOG_HOST || "https://eu.posthog.com",
    ui_host: "https://eu.posthog.com",
    // Enable debug mode in development
    loaded: (posthog) => {
      if (process.env.NODE_ENV === "development") posthog.debug();
    },
    session_recording: {
      maskCapturedNetworkRequestFn(request) {
        request.requestBody = request.requestBody ? "REDACTED" : undefined;
        request.responseBody = request.responseBody ? "REDACTED" : undefined;
        return request;
      },
    },
    autocapture: false,
    enable_heatmaps: false,
    persistence: "cookie",
  });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e036594ac730e847 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/pages/_app.tsx:95
      if (process.env.NODE_ENV === "development") posthog.debug();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #61a6685335526154 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/pages/_app.tsx:120
        posthog.capture("$pageview");

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b8e11bda4b9f039f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/pages/_app.tsx:193
        posthog.identify(sessionUser.id ?? undefined, {
          environment: process.env.NODE_ENV,
          email: sessionUser.email ?? undefined,
          name: sessionUser.name ?? undefined,
          featureFlags: sessionUser.featureFlags ?? undefined,
          projects:
            sessionUser.organizations.flatMap((org) =>
              org.projects.map((project) => ({
                ...project,
                organization: org,
              })),
            ) ?? undefined,
          LANGFUSE_CLOUD_REGION: region,
          [V4_BETA_ENABLED_POSTHOG_PROPERTY]:
            sessionUser.v4BetaEnabled ?? false,
        });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e11baa07dde2272d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/pages/_app.tsx:209
        posthog.register({
          [V4_BETA_ENABLED_POSTHOG_PROPERTY]:
            sessionUser.v4BetaEnabled ?? false,
        });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #3007cf481ff80554 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/pages/_app.tsx:222
      posthog.unregister(V4_BETA_ENABLED_POSTHOG_PROPERTY);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #5d28ab901d4a09a6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/pages/auth/enterprise-sso-required.tsx:21
import { captureException } from "@sentry/nextjs";

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #5099c7b0e3666abe Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/pages/auth/sign-in.tsx:41
import { captureException } from "@sentry/nextjs";

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d873f3f3f8552b79 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/utils/api.ts:8
import { captureException } from "@sentry/nextjs";

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a4654708b5467ef4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/mixpanel/handleMixpanelIntegrationProjectJob.ts:35
  const hadEvents = mixpanel.getBatchSize() > 0;

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #1ac34ad097cdf46d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/mixpanel/handleMixpanelIntegrationProjectJob.ts:36
  await mixpanel.flush();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #895bc96e0601c75e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/mixpanel/handleMixpanelIntegrationProjectJob.ts:75
    mixpanel.addEvent(event);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d4812cbf4ac0e214 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/mixpanel/handleMixpanelIntegrationProjectJob.ts:110
    mixpanel.addEvent(event);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #001a4cc52259a610 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/mixpanel/handleMixpanelIntegrationProjectJob.ts:145
    mixpanel.addEvent(event);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e6039f6f094d9cbe Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/mixpanel/handleMixpanelIntegrationProjectJob.ts:179
    mixpanel.addEvent(event);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #967e462aadf5afcc Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/mixpanel/handleMixpanelIntegrationProjectJob.ts:291
      bytes: mixpanel.getSerializedBytes(),

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #0dc67c34907e3848 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/posthog/handlePostHogIntegrationProjectJob.ts:21
import { PostHog } from "posthog-node";

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #cc38b2683d3bd49c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/posthog/handlePostHogIntegrationProjectJob.ts:93
  posthog.on("error", (error) => {
    logger.error(
      `[POSTHOG] Error sending traces to PostHog for project ${config.projectId}: ${error}`,
    );
    sendError = error instanceof Error ? error : new Error(String(error));
  });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #55085842ba9586d1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/posthog/handlePostHogIntegrationProjectJob.ts:105
    posthog.capture(event);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #0de76015c2b9a98c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/posthog/handlePostHogIntegrationProjectJob.ts:107
      await posthog.flush();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a82fc9d0c0f5ff92 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/posthog/handlePostHogIntegrationProjectJob.ts:114
  await posthog.flush();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #59bcd6794891c0ca Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/posthog/handlePostHogIntegrationProjectJob.ts:142
  posthog.on("error", (error) => {
    logger.error(
      `[POSTHOG] Error sending generations to PostHog for project ${config.projectId}: ${error}`,
    );
    sendError = error instanceof Error ? error : new Error(String(error));
  });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #0a3eae7d7c3e59cc Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/posthog/handlePostHogIntegrationProjectJob.ts:154
    posthog.capture(event);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #0506c7772007d44c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/posthog/handlePostHogIntegrationProjectJob.ts:156
      await posthog.flush();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #5c97b2bad19fc655 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/posthog/handlePostHogIntegrationProjectJob.ts:163
  await posthog.flush();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #c8d4de50ec0cf8c7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/posthog/handlePostHogIntegrationProjectJob.ts:191
  posthog.on("error", (error) => {
    logger.error(
      `[POSTHOG] Error sending scores to PostHog for project ${config.projectId}: ${error}`,
    );
    sendError = error instanceof Error ? error : new Error(String(error));
  });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e0352961d3dbab3c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/posthog/handlePostHogIntegrationProjectJob.ts:203
    posthog.capture(event);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #db0809f3b22a732c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/posthog/handlePostHogIntegrationProjectJob.ts:205
      await posthog.flush();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #10170d3aaa9bdcd0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/posthog/handlePostHogIntegrationProjectJob.ts:212
  await posthog.flush();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #3732fe3e20a8d512 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/posthog/handlePostHogIntegrationProjectJob.ts:239
  posthog.on("error", (error) => {
    logger.error(
      `[POSTHOG] Error sending events to PostHog for project ${config.projectId}: ${error}`,
    );
    sendError = error instanceof Error ? error : new Error(String(error));
  });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #bb07953229111fc5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/posthog/handlePostHogIntegrationProjectJob.ts:251
    posthog.capture(event);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #78cbbbf33f30cb41 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/posthog/handlePostHogIntegrationProjectJob.ts:253
      await posthog.flush();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #f1d1864c4ce995f7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/posthog/handlePostHogIntegrationProjectJob.ts:259
  await posthog.flush();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 602 low-confidence finding(s)
low env_fs production #666b3786d0cf9bfa Filesystem access.
repo/.agents/skills/add-model-price/scripts/test-match-pattern.mjs:67
  const models = JSON.parse(await fs.readFile(defaultFile, "utf8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fd7a9660eb96b446 Filesystem access.
repo/.agents/skills/add-model-price/scripts/validate-pricing-file.mjs:33
const raw = await fs.readFile(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7a073a7237128a59 Filesystem access.
repo/.agents/skills/pnpm-upgrade-package/scripts/lib/workspace-utils.mjs:23
  return JSON.parse(readFileSync(path, "utf8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #81cadb2d2eb21f5a Filesystem access.
repo/.agents/skills/pnpm-upgrade-package/scripts/lib/workspace-utils.mjs:68
  const raw = readFileSync(path, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d56794c851ee0886 Environment-variable access.
repo/packages/shared/scripts/seeder/cli-main.ts:62
const baseUrl = (process.env.NEXTAUTH_URL ?? "http://localhost:3000").replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cb69ec83fccf3eb0 Environment-variable access.
repo/packages/shared/scripts/seeder/cli.ts:26
  (name) => process.env[name] === undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d84420211e758daa Environment-variable access.
repo/packages/shared/scripts/seeder/cli.ts:43
    process.env.LANGFUSE_LOG_LEVEL = "error";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e18ee87f00fc0aa5 Environment-variable access.
repo/packages/shared/scripts/seeder/doctor.ts:52
  ].filter((name) => process.env[name] === undefined);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ff80118010e7d4f1 Environment-variable access.
repo/packages/shared/scripts/seeder/doctor.ts:315
  const endpoint = process.env.LANGFUSE_S3_EVENT_UPLOAD_ENDPOINT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #32c981e1cbdd59e6 Filesystem access.
repo/packages/shared/scripts/seeder/scenarios/many-traces.ts:1
import { readFileSync } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2bfba43e3ff5a2e9 Filesystem access.
repo/packages/shared/scripts/seeder/scenarios/many-traces.ts:25
    readFileSync(path.join(utilsDir, "nested_json.json"), "utf-8"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #35d2537df51c24b0 Filesystem access.
repo/packages/shared/scripts/seeder/scenarios/many-traces.ts:28
    readFileSync(path.join(utilsDir, "chat_ml_json.json"), "utf-8"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3663ee1b8fb5fdd9 Filesystem access.
repo/packages/shared/scripts/seeder/scenarios/many-traces.ts:31
    heavyMarkdown: readFileSync(path.join(utilsDir, "markdown.txt"), "utf-8"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ec2f1a12c0a7e987 Filesystem access.
repo/packages/shared/scripts/seeder/seed-media.ts:11
import fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #734c7884d6a61490 Filesystem access.
repo/packages/shared/scripts/seeder/seed-media.ts:89
  const fileBytes = fs.readFileSync(mediaFile.filePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b756917a4ef283e1 Filesystem access.
repo/packages/shared/scripts/seeder/seed-media.ts:161
  const fileBytes = fs.readFileSync(mediaFile.filePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #64e3155dcbf48ccf Filesystem access.
repo/packages/shared/scripts/seeder/seed-postgres.ts:52
const inAppAgentSystemPrompt = readFileSync(
  IN_APP_AGENT_SYSTEM_PROMPT_PATH,
  "utf-8",
);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9e82bb75e8cb6766 Environment-variable access.
repo/packages/shared/scripts/seeder/seed-postgres.ts:209
    secret: process.env.SEED_SECRET_KEY ?? "sk-lf-1234567890", // eslint-disable-line turbo/no-undeclared-env-vars

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7a4590443ae8d3bc Environment-variable access.
repo/packages/shared/scripts/seeder/seed-postgres.ts:273
      secret: process.env.SEED_SECRET_KEY ?? "sk-lf-asdfghjkl", // eslint-disable-line turbo/no-undeclared-env-vars

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #02828372a0eee56c Environment-variable access.
repo/packages/shared/scripts/seeder/seed-postgres.ts:306
    const OPENAI_API_KEY = process.env.OPENAI_API_KEY; // eslint-disable-line turbo/no-undeclared-env-vars

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #efaf9b012c574c8d Filesystem access.
repo/packages/shared/scripts/seeder/utils/framework-traces/framework-trace-loader.ts:1
import { readFileSync, readdirSync } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a6e1753bd7170fe6 Filesystem access.
repo/packages/shared/scripts/seeder/utils/framework-traces/framework-trace-loader.ts:45
      const content = readFileSync(filePath, "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b42cb74070cdb05d Filesystem access.
repo/packages/shared/scripts/seeder/utils/framework-traces/merge-observations.ts:1
import { readFileSync, writeFileSync } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a23641bb1fd397b2 Filesystem access.
repo/packages/shared/scripts/seeder/utils/framework-traces/merge-observations.ts:23
const baseData = JSON.parse(readFileSync(baseFile, "utf-8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4cedc6d57fb78abc Filesystem access.
repo/packages/shared/scripts/seeder/utils/framework-traces/merge-observations.ts:24
const detailedObs = JSON.parse(readFileSync(detailedFile, "utf-8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aecfd17469a8e0b5 Filesystem access.
repo/packages/shared/scripts/seeder/utils/framework-traces/merge-observations.ts:64
writeFileSync(outputFile, JSON.stringify(output, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #13cd25ab52f0a78c Filesystem access.
repo/packages/shared/scripts/seeder/utils/seeder-orchestrator.ts:25
import { readFileSync } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f47c617fbdf62581 Filesystem access.
repo/packages/shared/scripts/seeder/utils/seeder-orchestrator.ts:61
        readFileSync(nestedJsonPath, "utf-8"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d20b7d61b4f4343f Filesystem access.
repo/packages/shared/scripts/seeder/utils/seeder-orchestrator.ts:63
      const heavyMarkdownContent = readFileSync(heavyMarkdownPath, "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6c9a0a159b189a58 Filesystem access.
repo/packages/shared/scripts/seeder/utils/seeder-orchestrator.ts:65
        readFileSync(chatMlJsonPath, "utf-8"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7554c06f06c4b693 Environment-variable access.
repo/packages/shared/src/db.ts:34
  if (env.NODE_ENV === "development") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a435a7392caf4f0a Environment-variable access.
repo/packages/shared/src/db.ts:55
if (process.env.NODE_ENV === "development") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1ea228aab9bd21a0 Environment-variable access.
repo/packages/shared/src/env.ts:522
  process.env.DOCKER_BUILD === "1" // eslint-disable-line turbo/no-undeclared-env-vars

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #babee49f42975467 Environment-variable access.
repo/packages/shared/src/features/analytics-integrations/blob-export-gate.ts:12
const _override = process.env.NEXT_PUBLIC_LANGFUSE_BLOB_EXPORT_CUTOFF

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #06c8cd6ec1fd80a9 Environment-variable access.
repo/packages/shared/src/features/analytics-integrations/blob-export-gate.ts:13
  ? new Date(process.env.NEXT_PUBLIC_LANGFUSE_BLOB_EXPORT_CUTOFF)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #242e799c89e19bb3 Environment-variable access.
repo/packages/shared/src/features/analytics-integrations/blob-export-gate.ts:25
const _exporterOverride = process.env.NEXT_PUBLIC_LANGFUSE_BLOB_EXPORTER_CUTOFF

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #018a2d425e2fe74b Environment-variable access.
repo/packages/shared/src/features/analytics-integrations/blob-export-gate.ts:26
  ? new Date(process.env.NEXT_PUBLIC_LANGFUSE_BLOB_EXPORTER_CUTOFF)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ef8c694aacedf7ba Environment-variable access.
repo/packages/shared/src/server/clickhouse/client.ts:118
      (key) => process.env[key] === "true",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3730f718f9cc5b69 Filesystem access.
repo/packages/shared/src/server/redis/redis.ts:3
import fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b7d5a08c595ee7bf Filesystem access.
repo/packages/shared/src/server/redis/redis.ts:76
        ? fs.readFileSync(env.REDIS_TLS_CA_PATH)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1fe3bf61d81ebe53 Filesystem access.
repo/packages/shared/src/server/redis/redis.ts:79
        ? fs.readFileSync(env.REDIS_TLS_CERT_PATH)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b0ec75b98824ce94 Filesystem access.
repo/packages/shared/src/server/redis/redis.ts:82
        ? fs.readFileSync(env.REDIS_TLS_KEY_PATH)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4c73f7cc0265305b Filesystem access.
repo/scripts/agents/sync-agent-shims.mjs:17
const config = JSON.parse(readFileSync(sourcePath, "utf8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #adb12d3a858a68d2 Filesystem access.
repo/scripts/agents/sync-agent-shims.mjs:244
      const current = readFileSync(output.path, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #308b16f14930d5d9 Filesystem access.
repo/scripts/agents/sync-agent-shims.mjs:270
    writeFileSync(output.path, output.content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #07d8aadd86e8eb0e Environment-variable access.
repo/scripts/in-app-agent/sync-raw-skills.mjs:30
  Authorization: process.env.GITHUB_TOKEN

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c1f093638261f0dc Environment-variable access.
repo/scripts/in-app-agent/sync-raw-skills.mjs:31
    ? `Bearer ${process.env.GITHUB_TOKEN}`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #50ab006af4f67e8c Environment-variable access.
repo/scripts/in-app-agent/sync-raw-skills.mjs:44
        !process.env.GITHUB_TOKEN &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #ac559ce2f217ba78 Hardcoded external endpoint. Review what data is sent to this destination.
repo/scripts/in-app-agent/sync-raw-skills.mjs:97
  const response = await fetch(sourceApiUrl, {
    headers: getGitHubHeaders(),
  });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #2051ff4aee1491b2 Environment-variable access.
repo/scripts/in-app-agent/sync-raw-skills.mjs:104
        !process.env.GITHUB_TOKEN &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #77880e79b3413ef1 Filesystem access.
repo/scripts/in-app-agent/sync-raw-skills.mjs:212
        if (readFileSync(localPath, "utf8") !== content) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #85346b619501e80a Filesystem access.
repo/scripts/in-app-agent/sync-raw-skills.mjs:227
        readFileSync(resolve(generatedDir, generatedModuleName), "utf8") !==

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #31108c5a0a35a800 Filesystem access.
repo/scripts/in-app-agent/sync-raw-skills.mjs:263
    writeFileSync(resolve(rawTargetDir, basename(name)), content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8cd2a6f20c7aa3b7 Filesystem access.
repo/scripts/in-app-agent/sync-raw-skills.mjs:266
  writeFileSync(
    resolve(generatedDir, generatedModuleName),
    generatedModuleContent,
  );

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1c9e1039121d4e6f Filesystem access.
repo/scripts/scan-client-bundle.mjs:242
  const code = fs.readFileSync(file, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5b358a043ce446e0 Environment-variable access.
repo/web/instrumentation-client.ts:4
  process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION !== undefined

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #38f4c884680c98af Environment-variable access.
repo/web/instrumentation-client.ts:5
    ? ["EU", "US"].includes(process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a628a099515b5efd Environment-variable access.
repo/web/instrumentation-client.ts:9
  dsn: process.env.NEXT_PUBLIC_SENTRY_DSN,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #306c4db8d4db55cd Environment-variable access.
repo/web/instrumentation-client.ts:10
  environment: process.env.NEXT_PUBLIC_SENTRY_ENVIRONMENT,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c4acdbce4a17c1be Environment-variable access.
repo/web/instrumentation-client.ts:11
  release: process.env.NEXT_PUBLIC_BUILD_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a54104f713d3fec7 Environment-variable access.
repo/web/instrumentation-client.ts:53
  tracesSampleRate: process.env.NEXT_PUBLIC_LANGFUSE_TRACING_SAMPLE_RATE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ff0d55518952ddab Environment-variable access.
repo/web/instrumentation-client.ts:54
    ? Number(process.env.NEXT_PUBLIC_LANGFUSE_TRACING_SAMPLE_RATE)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a873cca3121e15f4 Environment-variable access.
repo/web/instrumentation-client.ts:59
  replaysSessionSampleRate: process.env.NEXT_PUBLIC_LANGFUSE_TRACING_SAMPLE_RATE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b6784e7dec82b421 Environment-variable access.
repo/web/instrumentation-client.ts:60
    ? Number(process.env.NEXT_PUBLIC_LANGFUSE_TRACING_SAMPLE_RATE)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eacc390f45241759 Environment-variable access.
repo/web/next.config.mjs:66
  distDir: process.env.NEXT_DIST_DIR || ".next",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6ffedab8ca70506b Environment-variable access.
repo/web/next.config.mjs:71
    ignoreBuildErrors: process.env.NEXT_IGNORE_BUILD_ERRORS === "true",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2bc2b7f75f0c2a4d Environment-variable access.
repo/web/next.config.mjs:257
  org: process.env.SENTRY_ORG,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5c5b72dc5c962640 Environment-variable access.
repo/web/next.config.mjs:258
  project: process.env.SENTRY_PROJECT,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b405e2c3301475d3 Environment-variable access.
repo/web/next.config.mjs:263
  silent: !process.env.CI,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3397e606862f9f1e Environment-variable access.
repo/web/playwright.config.ts:16
    command: process.env.CI ? "npm run start" : "npm run dev",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9f1ec6c42d9b8390 Environment-variable access.
repo/web/playwright.config.ts:18
    reuseExistingServer: !process.env.CI,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #33568217abf4e8af Environment-variable access.
repo/web/src/__tests__/after-teardown.ts:9
  if (process.env.VITEST_SHARED_CONTEXT === "1") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f0dd99412e9bc103 Environment-variable access.
repo/web/src/__tests__/server/code-eval-test-run-trpc.servertest.ts:6
  process.env.LANGFUSE_CODE_EVAL_DISPATCHER = "insecure-local";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #40fe2b9d22007e87 Environment-variable access.
repo/web/src/__tests__/server/dataset-item-media-references.servertest.ts:242
    process.env.LANGFUSE_USE_AZURE_BLOB === "true" ? it : it.skip;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1359b0184c3ee6a6 Environment-variable access.
repo/web/src/__tests__/server/dataset-service.servertest.ts:34
process.env.LANGFUSE_DATASET_SERVICE_READ_FROM_VERSIONED_IMPLEMENTATION =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6db7a16c1975a5ab Environment-variable access.
repo/web/src/__tests__/server/dataset-service.servertest.ts:36
process.env.LANGFUSE_DATASET_SERVICE_WRITE_TO_VERSIONED_IMPLEMENTATION = "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1225c0e0c0252454 Environment-variable access.
repo/web/src/__tests__/server/datasets-api.servertest.ts:2
process.env.LANGFUSE_DATASET_SERVICE_READ_FROM_VERSIONED_IMPLEMENTATION =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4ae5b536562d30e9 Environment-variable access.
repo/web/src/__tests__/server/datasets-api.servertest.ts:4
process.env.LANGFUSE_DATASET_SERVICE_WRITE_TO_VERSIONED_IMPLEMENTATION = "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #37853d92a7920c16 Environment-variable access.
repo/web/src/__tests__/server/datasets-schema-validation.servertest.ts:20
process.env.LANGFUSE_DATASET_SERVICE_READ_FROM_VERSIONED_IMPLEMENTATION =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ea81ee86666286ec Environment-variable access.
repo/web/src/__tests__/server/datasets-schema-validation.servertest.ts:22
process.env.LANGFUSE_DATASET_SERVICE_WRITE_TO_VERSIONED_IMPLEMENTATION = "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5730482f3fc8b212 Environment-variable access.
repo/web/src/__tests__/server/datasets-ui-table.servertest.ts:12
process.env.LANGFUSE_DATASET_SERVICE_READ_FROM_VERSIONED_IMPLEMENTATION =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2639462416363aa8 Environment-variable access.
repo/web/src/__tests__/server/datasets-ui-table.servertest.ts:14
process.env.LANGFUSE_DATASET_SERVICE_WRITE_TO_VERSIONED_IMPLEMENTATION = "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f314e0c0e92a1e4c Environment-variable access.
repo/web/src/__tests__/server/evals-trpc.servertest.ts:5
  process.env.LANGFUSE_CODE_EVAL_DISPATCHER = "insecure-local";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #720681cfd29b48d5 Environment-variable access.
repo/web/src/__tests__/server/evals-trpc.servertest.ts:6
  process.env.LANGFUSE_MIGRATION_V4_ALLOW_PREVIEW_OPT_IN = "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9c6f560738bcf861 Environment-variable access.
repo/web/src/__tests__/server/experiments-versioning.servertest.ts:2
process.env.LANGFUSE_DATASET_SERVICE_READ_FROM_VERSIONED_IMPLEMENTATION =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f7d3414256f2a45b Environment-variable access.
repo/web/src/__tests__/server/experiments-versioning.servertest.ts:4
process.env.LANGFUSE_DATASET_SERVICE_WRITE_TO_VERSIONED_IMPLEMENTATION = "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #57000f957ee0db68 Environment-variable access.
repo/web/src/__tests__/server/mcp-public-api-tools.servertest.ts:1
process.env.LANGFUSE_DATASET_SERVICE_READ_FROM_VERSIONED_IMPLEMENTATION =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #de97f781a420d2b0 Environment-variable access.
repo/web/src/__tests__/server/mcp-public-api-tools.servertest.ts:3
process.env.LANGFUSE_DATASET_SERVICE_WRITE_TO_VERSIONED_IMPLEMENTATION = "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8fff36e52908f5b2 Filesystem access.
repo/web/src/__tests__/server/media.servertest.ts:2
import fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3991c714e259356b Environment-variable access.
repo/web/src/__tests__/server/media.servertest.ts:29
    process.env.LANGFUSE_USE_AZURE_BLOB === "true" ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #319a72a96d570d3e Filesystem access.
repo/web/src/__tests__/server/media.servertest.ts:72
  const fileBytesPNG = fs.readFileSync(imagePathPNG);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #855fa168bf41d5e9 Filesystem access.
repo/web/src/__tests__/server/media.servertest.ts:89
  const fileBytesPDF = fs.readFileSync(imagePathPDF);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ef3f07c1d35432c2 Environment-variable access.
repo/web/src/__tests__/server/mixpanel-integration.servertest.ts:49
  const originalEncryptionKey = process.env.ENCRYPTION_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bdfe655b60ed64aa Environment-variable access.
repo/web/src/__tests__/server/mixpanel-integration.servertest.ts:52
    process.env.ENCRYPTION_KEY =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #28200f0a84579256 Environment-variable access.
repo/web/src/__tests__/server/mixpanel-integration.servertest.ts:57
    process.env.ENCRYPTION_KEY = originalEncryptionKey;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #83fcdf3543d4b1d5 Environment-variable access.
repo/web/src/__tests__/server/organizations-api.servertest.ts:67
  const ADMIN_API_KEY = process.env.ADMIN_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #767213a247382923 Environment-variable access.
repo/web/src/__tests__/server/posthog-integration.servertest.ts:49
  const originalEncryptionKey = process.env.ENCRYPTION_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2da6c088c05d75ba Environment-variable access.
repo/web/src/__tests__/server/posthog-integration.servertest.ts:56
    process.env.ENCRYPTION_KEY =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #aea7ec9c55cda51d Environment-variable access.
repo/web/src/__tests__/server/posthog-integration.servertest.ts:62
    process.env.ENCRYPTION_KEY = originalEncryptionKey;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fb3ecca049d7777f Environment-variable access.
repo/web/src/__tests__/server/posthog-integration.servertest.ts:90
  const originalEncryptionKey = process.env.ENCRYPTION_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #eef93f0a76ab02aa Environment-variable access.
repo/web/src/__tests__/server/posthog-integration.servertest.ts:93
    process.env.ENCRYPTION_KEY =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fc7026d30d9405f9 Environment-variable access.
repo/web/src/__tests__/server/posthog-integration.servertest.ts:98
    process.env.ENCRYPTION_KEY = originalEncryptionKey;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c064b9f633b9ec38 Environment-variable access.
repo/web/src/__tests__/server/repositories/dataset-item-media-stateful-delete.servertest.ts:2
  process.env.LANGFUSE_DATASET_SERVICE_READ_FROM_VERSIONED_IMPLEMENTATION =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2ec4a9dc5d6b677a Environment-variable access.
repo/web/src/__tests__/server/repositories/dataset-item-media-stateful-delete.servertest.ts:4
  process.env.LANGFUSE_DATASET_SERVICE_WRITE_TO_VERSIONED_IMPLEMENTATION =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #348efa5d12dbb5ef Environment-variable access.
repo/web/src/__tests__/server/repositories/dataset-items-repository.servertest.ts:2
process.env.LANGFUSE_DATASET_SERVICE_READ_FROM_VERSIONED_IMPLEMENTATION =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4cb22609b7807a19 Environment-variable access.
repo/web/src/__tests__/server/repositories/dataset-items-repository.servertest.ts:4
process.env.LANGFUSE_DATASET_SERVICE_WRITE_TO_VERSIONED_IMPLEMENTATION = "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6fde318c1ac3bf3e Environment-variable access.
repo/web/src/__tests__/server/repositories/dataset-items-stateful-upsert.servertest.ts:2
  process.env.LANGFUSE_DATASET_SERVICE_READ_FROM_VERSIONED_IMPLEMENTATION =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #841ee4b75d7217d5 Environment-variable access.
repo/web/src/__tests__/server/repositories/dataset-items-stateful-upsert.servertest.ts:4
  process.env.LANGFUSE_DATASET_SERVICE_WRITE_TO_VERSIONED_IMPLEMENTATION =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c62cfb72980ce9af Environment-variable access.
repo/web/src/__tests__/server/scores-trpc-events-only.servertest.ts:26
    process.env.LANGFUSE_MIGRATION_V4_ALLOW_PREVIEW_OPT_IN === "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #44a74be1241b16b2 Environment-variable access.
repo/web/src/__tests__/server/scores-trpc-events-only.servertest.ts:27
  process.env.LANGFUSE_MIGRATION_V4_WRITE_MODE = "events_only";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8c4d0166b808b7e5 Environment-variable access.
repo/web/src/__tests__/server/scores-trpc-events-only.servertest.ts:30
  process.env.LANGFUSE_MIGRATION_V4_ALLOW_PREVIEW_OPT_IN = "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9fd883c6463a07c8 Environment-variable access.
repo/web/src/__tests__/server/sessions-trpc-events-only.servertest.ts:24
    process.env.LANGFUSE_MIGRATION_V4_ALLOW_PREVIEW_OPT_IN === "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f03fd5a5b6f796db Environment-variable access.
repo/web/src/__tests__/server/sessions-trpc-events-only.servertest.ts:25
  process.env.LANGFUSE_MIGRATION_V4_WRITE_MODE = "events_only";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #99ab3abf86a1cf1d Environment-variable access.
repo/web/src/__tests__/server/sessions-trpc-events-only.servertest.ts:28
  process.env.LANGFUSE_MIGRATION_V4_ALLOW_PREVIEW_OPT_IN = "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c2966e36f231ffb3 Environment-variable access.
repo/web/src/__tests__/server/traces-trpc-events-only.servertest.ts:25
    process.env.LANGFUSE_MIGRATION_V4_ALLOW_PREVIEW_OPT_IN === "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #30c01fdf1a2ad164 Environment-variable access.
repo/web/src/__tests__/server/traces-trpc-events-only.servertest.ts:26
  process.env.LANGFUSE_MIGRATION_V4_WRITE_MODE = "events_only";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #70b32f81f64dd1a5 Environment-variable access.
repo/web/src/__tests__/server/traces-trpc-events-only.servertest.ts:29
  process.env.LANGFUSE_MIGRATION_V4_ALLOW_PREVIEW_OPT_IN = "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c1858e899709cbd8 Environment-variable access.
repo/web/src/__tests__/server/unit/blobStorageKey.servertest.ts:170
  const envPrefix = process.env.LANGFUSE_S3_EVENT_UPLOAD_PREFIX ?? "";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9d0551995bcc391d Environment-variable access.
repo/web/src/__tests__/server/unit/blobStorageKey.servertest.ts:252
  const envPrefix = process.env.LANGFUSE_S3_EVENT_UPLOAD_PREFIX ?? "";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cc1073ac8ec9e175 Environment-variable access.
repo/web/src/__tests__/server/unit/code-eval-capabilities.servertest.ts:11
  delete process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b0ce73ed629e9e46 Environment-variable access.
repo/web/src/__tests__/server/unit/code-eval-capabilities.servertest.ts:12
  delete process.env.LANGFUSE_CODE_EVAL_DISPATCHER;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3044a2733b1e631b Environment-variable access.
repo/web/src/__tests__/server/unit/code-eval-capabilities.servertest.ts:16
      delete process.env[key];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #77de3c60c57ac89f Environment-variable access.
repo/web/src/__tests__/server/unit/code-eval-capabilities.servertest.ts:18
      process.env[key] = value;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d3220cffb2230fe4 Environment-variable access.
repo/web/src/__tests__/server/unit/evaluator-preflight.servertest.ts:34
    process.env.LANGFUSE_SKIP_EVALUATOR_MODEL_CALL_VALIDATION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2d485b91a584cc7f Environment-variable access.
repo/web/src/__tests__/server/unit/evaluator-preflight.servertest.ts:38
    delete process.env.LANGFUSE_SKIP_EVALUATOR_MODEL_CALL_VALIDATION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9ebd5b86eb4b4b49 Environment-variable access.
repo/web/src/__tests__/server/unit/evaluator-preflight.servertest.ts:58
      delete process.env.LANGFUSE_SKIP_EVALUATOR_MODEL_CALL_VALIDATION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #79e37ccbcc350e4f Environment-variable access.
repo/web/src/__tests__/server/unit/evaluator-preflight.servertest.ts:62
    process.env.LANGFUSE_SKIP_EVALUATOR_MODEL_CALL_VALIDATION =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #56f3dc3203e27af1 Environment-variable access.
repo/web/src/__tests__/server/unit/evaluator-preflight.servertest.ts:86
    process.env.LANGFUSE_SKIP_EVALUATOR_MODEL_CALL_VALIDATION = "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c54aeb785f00c01e Environment-variable access.
repo/web/src/__tests__/vitest-test-db-setup.ts:26
  const databaseUrl = process.env.DATABASE_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fe635fa8d3e27822 Environment-variable access.
repo/web/src/__tests__/vitest-test-db-setup.ts:30
    process.env.NODE_ENV !== "test"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #03b10e8dab9ef644 Environment-variable access.
repo/web/src/components/table/peek/hooks/usePeekNavigation.ts:187
        const pathnameWithBasePath = `${process.env.NEXT_PUBLIC_BASE_PATH ?? ""}${pathnameWithQuery}`;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bfe83b7a67f6bbeb Environment-variable access.
repo/web/src/components/ui/AdvancedJsonViewer/utils/debug.ts:8
const DEBUG = process.env.NODE_ENV === "development";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1a4d79989a7093a9 Environment-variable access.
repo/web/src/ee/features/in-app-agent/server/agent.ts:154
    process.env.AWS_PROFILE ?? params.options.awsBedrock.profile;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #808942dafbd326f8 Hardcoded external endpoint. Review what data is sent to this destination.
repo/web/src/ee/features/in-app-agent/server/agent.ts:731
        url: new URL(LANGFUSE_DOCS_MCP_URL),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #0d898d68e48cad21 Filesystem access.
repo/web/src/ee/features/in-app-agent/server/agent.ts:1114
    const promptTemplate = await readFile(
      path.join(
        LOCAL_IN_APP_AGENT_SYSTEM_PROMPT_DIR,
        `${IN_APP_AGENT_SYSTEM_PROMPT_NAME}.txt`,
      ),
      "utf8",
    );

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ace21507da0e40d0 Environment-variable access.
repo/web/src/env.mjs:50
      process.env.NODE_ENV === "production"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ddaf1cc5fe4446aa Environment-variable access.
repo/web/src/env.mjs:58
        process.env.VERCEL_URL && process.env.VERCEL_URL !== ""

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6b319f64d051facc Environment-variable access.
repo/web/src/env.mjs:59
          ? process.env.VERCEL_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ceb32ecd5e922c5e Environment-variable access.
repo/web/src/env.mjs:62
      process.env.VERCEL ? z.string().min(1) : z.url(),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c544d961441b97f9 Environment-variable access.
repo/web/src/env.mjs:522
    SEED_SECRET_KEY: process.env.SEED_SECRET_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #239d5d600f45153e Environment-variable access.
repo/web/src/env.mjs:523
    NEXT_PUBLIC_DEMO_PROJECT_ID: process.env.NEXT_PUBLIC_DEMO_PROJECT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #94bcbff74e34eba8 Environment-variable access.
repo/web/src/env.mjs:524
    NEXT_PUBLIC_DEMO_ORG_ID: process.env.NEXT_PUBLIC_DEMO_ORG_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #207ec3b2e03ce232 Environment-variable access.
repo/web/src/env.mjs:525
    DATABASE_URL: process.env.DATABASE_URL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f5a3afbc7b609286 Environment-variable access.
repo/web/src/env.mjs:526
    NODE_ENV: process.env.NODE_ENV,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0d0c5dcb02cfa049 Environment-variable access.
repo/web/src/env.mjs:527
    BUILD_ID: process.env.BUILD_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ecbbc721582b831e Environment-variable access.
repo/web/src/env.mjs:528
    NEXT_PUBLIC_BUILD_ID: process.env.NEXT_PUBLIC_BUILD_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e2dcac41ffb232ea Environment-variable access.
repo/web/src/env.mjs:529
    NEXTAUTH_SECRET: process.env.NEXTAUTH_SECRET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #930aa957ece6ed7b Environment-variable access.
repo/web/src/env.mjs:530
    NEXTAUTH_COOKIE_DOMAIN: process.env.NEXTAUTH_COOKIE_DOMAIN,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #141ad6fcf7b96298 Environment-variable access.
repo/web/src/env.mjs:531
    NEXTAUTH_URL: process.env.NEXTAUTH_URL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #17d11c1ceb153594 Environment-variable access.
repo/web/src/env.mjs:532
    LANGFUSE_MCP_ALLOWED_HOSTS: process.env.LANGFUSE_MCP_ALLOWED_HOSTS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f39ea11e3f37d107 Environment-variable access.
repo/web/src/env.mjs:534
      process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #67e5de11a422566d Environment-variable access.
repo/web/src/env.mjs:536
      process.env.NEXT_PUBLIC_LANGFUSE_BLOB_EXPORT_CUTOFF,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #96bcf731a0a29b82 Environment-variable access.
repo/web/src/env.mjs:538
      process.env.NEXT_PUBLIC_LANGFUSE_BLOB_EXPORTER_CUTOFF,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b5002aec22be7309 Environment-variable access.
repo/web/src/env.mjs:539
    NEXT_PUBLIC_SIGN_UP_DISABLED: process.env.NEXT_PUBLIC_SIGN_UP_DISABLED,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #40690973b9aba101 Environment-variable access.
repo/web/src/env.mjs:541
      process.env.LANGFUSE_ENABLE_EXPERIMENTAL_FEATURES,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a2b91cda6c048d2a Environment-variable access.
repo/web/src/env.mjs:542
    AWS_ACCESS_KEY_ID: process.env.AWS_ACCESS_KEY_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2e77f7f5aed3e8cd Environment-variable access.
repo/web/src/env.mjs:543
    AWS_SECRET_ACCESS_KEY: process.env.AWS_SECRET_ACCESS_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #052398afad846564 Environment-variable access.
repo/web/src/env.mjs:544
    LANGFUSE_AWS_BEDROCK_REGION: process.env.LANGFUSE_AWS_BEDROCK_REGION,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c59b1a30759eceab Environment-variable access.
repo/web/src/env.mjs:546
      process.env.LANGFUSE_IN_APP_AGENT_AWS_PROFILE,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #550cb5882cda0b0f Environment-variable access.
repo/web/src/env.mjs:547
    LANGFUSE_TEAM_SLACK_WEBHOOK: process.env.LANGFUSE_TEAM_SLACK_WEBHOOK,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5b36b83c8519e013 Environment-variable access.
repo/web/src/env.mjs:549
      process.env.LANGFUSE_NEW_USER_SIGNUP_WEBHOOK,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4991c9d1f92fa0b9 Environment-variable access.
repo/web/src/env.mjs:550
    LANGFUSE_ADMIN_ACCESS_WEBHOOK: process.env.LANGFUSE_ADMIN_ACCESS_WEBHOOK,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a5e60d114ab7bfd7 Environment-variable access.
repo/web/src/env.mjs:551
    MULESOFT_SFDC_USER_URL: process.env.MULESOFT_SFDC_USER_URL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #93d2cb1c03f2abe0 Environment-variable access.
repo/web/src/env.mjs:552
    MULESOFT_SFDC_ORG_URL: process.env.MULESOFT_SFDC_ORG_URL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dfc80723bb3738c3 Environment-variable access.
repo/web/src/env.mjs:553
    MULESOFT_SFDC_BASIC_AUTH_USER: process.env.MULESOFT_SFDC_BASIC_AUTH_USER,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #776ab408f5672344 Environment-variable access.
repo/web/src/env.mjs:555
      process.env.MULESOFT_SFDC_BASIC_AUTH_PASSWORD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #02e011a190bb65d2 Environment-variable access.
repo/web/src/env.mjs:557
      process.env.MULESOFT_SFDC_DEFAULT_COMPANY_NAME,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5ef0e60aa7e4b486 Environment-variable access.
repo/web/src/env.mjs:559
      process.env.MULESOFT_SFDC_REQUEST_TIMEOUT_MS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #98322351a725cf5a Environment-variable access.
repo/web/src/env.mjs:560
    SALT: process.env.SALT,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5a26a32b1ab37a85 Environment-variable access.
repo/web/src/env.mjs:561
    LANGFUSE_CSP_ENFORCE_HTTPS: process.env.LANGFUSE_CSP_ENFORCE_HTTPS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5c6e40cee66d51cd Environment-variable access.
repo/web/src/env.mjs:562
    TELEMETRY_ENABLED: process.env.TELEMETRY_ENABLED,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9d6c4ede6fcb0a53 Environment-variable access.
repo/web/src/env.mjs:564
    LANGFUSE_DEFAULT_ORG_ID: process.env.LANGFUSE_DEFAULT_ORG_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2c472fe882c17d34 Environment-variable access.
repo/web/src/env.mjs:565
    LANGFUSE_DEFAULT_ORG_ROLE: process.env.LANGFUSE_DEFAULT_ORG_ROLE,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #85f6081c57d52af5 Environment-variable access.
repo/web/src/env.mjs:566
    LANGFUSE_DEFAULT_PROJECT_ID: process.env.LANGFUSE_DEFAULT_PROJECT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #14b7ff974bf0cbab Environment-variable access.
repo/web/src/env.mjs:567
    LANGFUSE_DEFAULT_PROJECT_ROLE: process.env.LANGFUSE_DEFAULT_PROJECT_ROLE,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1172db3504051a9d Environment-variable access.
repo/web/src/env.mjs:569
    AUTH_GOOGLE_CLIENT_ID: process.env.AUTH_GOOGLE_CLIENT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c02346ded2ce6946 Environment-variable access.
repo/web/src/env.mjs:570
    AUTH_GOOGLE_CLIENT_SECRET: process.env.AUTH_GOOGLE_CLIENT_SECRET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #41a5001fc1169b61 Environment-variable access.
repo/web/src/env.mjs:571
    AUTH_GOOGLE_ALLOWED_DOMAINS: process.env.AUTH_GOOGLE_ALLOWED_DOMAINS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #57f1d3cbd024b010 Environment-variable access.
repo/web/src/env.mjs:573
      process.env.AUTH_GOOGLE_ALLOW_ACCOUNT_LINKING,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7b7e308428b59729 Environment-variable access.
repo/web/src/env.mjs:574
    AUTH_GOOGLE_CLIENT_AUTH_METHOD: process.env.AUTH_GOOGLE_CLIENT_AUTH_METHOD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0f0335ce1c5f64df Environment-variable access.
repo/web/src/env.mjs:575
    AUTH_GOOGLE_CHECKS: process.env.AUTH_GOOGLE_CHECKS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6edaa79402399cf7 Environment-variable access.
repo/web/src/env.mjs:577
      process.env.AUTH_GOOGLE_ID_TOKEN_SIGNED_RESPONSE_ALG,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #83519476cf605d53 Environment-variable access.
repo/web/src/env.mjs:578
    AUTH_GITHUB_CLIENT_ID: process.env.AUTH_GITHUB_CLIENT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #50f2b4f8e1bfe369 Environment-variable access.
repo/web/src/env.mjs:579
    AUTH_GITHUB_CLIENT_SECRET: process.env.AUTH_GITHUB_CLIENT_SECRET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0d7ae4f0e16ba34d Environment-variable access.
repo/web/src/env.mjs:581
      process.env.AUTH_GITHUB_ALLOW_ACCOUNT_LINKING,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3760b563135b2552 Environment-variable access.
repo/web/src/env.mjs:582
    AUTH_GITHUB_CLIENT_AUTH_METHOD: process.env.AUTH_GITHUB_CLIENT_AUTH_METHOD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c015d478162f6e3c Environment-variable access.
repo/web/src/env.mjs:583
    AUTH_GITHUB_CHECKS: process.env.AUTH_GITHUB_CHECKS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f7cb9e680585ee54 Environment-variable access.
repo/web/src/env.mjs:585
      process.env.AUTH_GITHUB_ENTERPRISE_CLIENT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #57aa24a8947f54c7 Environment-variable access.
repo/web/src/env.mjs:587
      process.env.AUTH_GITHUB_ENTERPRISE_CLIENT_SECRET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #96e3399826c15626 Environment-variable access.
repo/web/src/env.mjs:589
      process.env.AUTH_GITHUB_ENTERPRISE_BASE_URL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0821a6a28a10bc9d Environment-variable access.
repo/web/src/env.mjs:591
      process.env.AUTH_GITHUB_ENTERPRISE_ALLOW_ACCOUNT_LINKING,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5040db5dc18f16c3 Environment-variable access.
repo/web/src/env.mjs:593
      process.env.AUTH_GITHUB_ENTERPRISE_CLIENT_AUTH_METHOD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bcbed8677049f154 Environment-variable access.
repo/web/src/env.mjs:594
    AUTH_GITHUB_ENTERPRISE_CHECKS: process.env.AUTH_GITHUB_ENTERPRISE_CHECKS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2afa5334eff49b25 Environment-variable access.
repo/web/src/env.mjs:595
    AUTH_GITLAB_ISSUER: process.env.AUTH_GITLAB_ISSUER,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3e59a3e80b5960b9 Environment-variable access.
repo/web/src/env.mjs:596
    AUTH_GITLAB_CLIENT_ID: process.env.AUTH_GITLAB_CLIENT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eec1270f046e5ecd Environment-variable access.
repo/web/src/env.mjs:597
    AUTH_GITLAB_CLIENT_SECRET: process.env.AUTH_GITLAB_CLIENT_SECRET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #280ebfff8268c706 Environment-variable access.
repo/web/src/env.mjs:599
      process.env.AUTH_GITLAB_ALLOW_ACCOUNT_LINKING,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dc3cab43cfeb3b9b Environment-variable access.
repo/web/src/env.mjs:600
    AUTH_GITLAB_CLIENT_AUTH_METHOD: process.env.AUTH_GITLAB_CLIENT_AUTH_METHOD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #021d54ec57208dc6 Environment-variable access.
repo/web/src/env.mjs:601
    AUTH_GITLAB_CHECKS: process.env.AUTH_GITLAB_CHECKS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2c92660419735f48 Environment-variable access.
repo/web/src/env.mjs:603
      process.env.AUTH_GITLAB_ID_TOKEN_SIGNED_RESPONSE_ALG,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c14fca08fa8ef9ef Environment-variable access.
repo/web/src/env.mjs:604
    AUTH_GITLAB_URL: process.env.AUTH_GITLAB_URL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #47533041cd597355 Environment-variable access.
repo/web/src/env.mjs:605
    AUTH_AZURE_AD_CLIENT_ID: process.env.AUTH_AZURE_AD_CLIENT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #670b563dbd36d5c3 Environment-variable access.
repo/web/src/env.mjs:606
    AUTH_AZURE_AD_CLIENT_SECRET: process.env.AUTH_AZURE_AD_CLIENT_SECRET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c7425acd5c4eb99a Environment-variable access.
repo/web/src/env.mjs:607
    AUTH_AZURE_AD_TENANT_ID: process.env.AUTH_AZURE_AD_TENANT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4927d07e42712e64 Environment-variable access.
repo/web/src/env.mjs:609
      process.env.AUTH_AZURE_AD_ALLOW_ACCOUNT_LINKING ??

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d0c787762c8b32a8 Environment-variable access.
repo/web/src/env.mjs:610
      process.env.AUTH_AZURE_ALLOW_ACCOUNT_LINKING, // fallback on old env var

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #934e1cda49040e18 Environment-variable access.
repo/web/src/env.mjs:612
      process.env.AUTH_AZURE_AD_CLIENT_AUTH_METHOD ??

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #42d37ce8349009d7 Environment-variable access.
repo/web/src/env.mjs:613
      process.env.AUTH_AZURE_CLIENT_AUTH_METHOD, // fallback on old env var

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #342a9af4e2ae76af Environment-variable access.
repo/web/src/env.mjs:615
      process.env.AUTH_AZURE_AD_CHECKS ?? process.env.AUTH_AZURE_CHECKS, // fallback on old env var

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6baa487490176c17 Environment-variable access.
repo/web/src/env.mjs:617
      process.env.AUTH_AZURE_AD_ID_TOKEN_SIGNED_RESPONSE_ALG,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2c45f57e2eb73133 Environment-variable access.
repo/web/src/env.mjs:618
    AUTH_OKTA_CLIENT_ID: process.env.AUTH_OKTA_CLIENT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #af404be58c9bc23f Environment-variable access.
repo/web/src/env.mjs:619
    AUTH_OKTA_CLIENT_SECRET: process.env.AUTH_OKTA_CLIENT_SECRET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #074a320d9bdd3098 Environment-variable access.
repo/web/src/env.mjs:620
    AUTH_OKTA_ISSUER: process.env.AUTH_OKTA_ISSUER,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fc1e6681ad7e7333 Environment-variable access.
repo/web/src/env.mjs:622
      process.env.AUTH_OKTA_ALLOW_ACCOUNT_LINKING,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eb1e652c18805993 Environment-variable access.
repo/web/src/env.mjs:623
    AUTH_OKTA_CLIENT_AUTH_METHOD: process.env.AUTH_OKTA_CLIENT_AUTH_METHOD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6324226bed0cc0f6 Environment-variable access.
repo/web/src/env.mjs:624
    AUTH_OKTA_CHECKS: process.env.AUTH_OKTA_CHECKS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e30d67982ea7d95b Environment-variable access.
repo/web/src/env.mjs:626
      process.env.AUTH_OKTA_ID_TOKEN_SIGNED_RESPONSE_ALG,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b0d99d2db5742a55 Environment-variable access.
repo/web/src/env.mjs:627
    AUTH_AUTHENTIK_CLIENT_ID: process.env.AUTH_AUTHENTIK_CLIENT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c20000145efa9688 Environment-variable access.
repo/web/src/env.mjs:628
    AUTH_AUTHENTIK_CLIENT_SECRET: process.env.AUTH_AUTHENTIK_CLIENT_SECRET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e3d2fb29f2e2f400 Environment-variable access.
repo/web/src/env.mjs:629
    AUTH_AUTHENTIK_ISSUER: process.env.AUTH_AUTHENTIK_ISSUER,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2b69e6b73814ef2d Environment-variable access.
repo/web/src/env.mjs:631
      process.env.AUTH_AUTHENTIK_ALLOW_ACCOUNT_LINKING,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e8ac7dc50585c397 Environment-variable access.
repo/web/src/env.mjs:633
      process.env.AUTH_AUTHENTIK_CLIENT_AUTH_METHOD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #affd4d6689b441d8 Environment-variable access.
repo/web/src/env.mjs:634
    AUTH_AUTHENTIK_CHECKS: process.env.AUTH_AUTHENTIK_CHECKS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #669cb187c984a9f5 Environment-variable access.
repo/web/src/env.mjs:636
      process.env.AUTH_AUTHENTIK_ID_TOKEN_SIGNED_RESPONSE_ALG,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9de788b7156b68f7 Environment-variable access.
repo/web/src/env.mjs:638
      process.env.AUTH_AUTHENTIK_AUTHORIZATION_URL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2581f26890ed4605 Environment-variable access.
repo/web/src/env.mjs:639
    AUTH_ONELOGIN_CLIENT_ID: process.env.AUTH_ONELOGIN_CLIENT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b1cfcccefbc3e5a2 Environment-variable access.
repo/web/src/env.mjs:640
    AUTH_ONELOGIN_CLIENT_SECRET: process.env.AUTH_ONELOGIN_CLIENT_SECRET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7ec2e59dbc292fcf Environment-variable access.
repo/web/src/env.mjs:641
    AUTH_ONELOGIN_ISSUER: process.env.AUTH_ONELOGIN_ISSUER,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cb39fc7c0bfc1d48 Environment-variable access.
repo/web/src/env.mjs:643
      process.env.AUTH_ONELOGIN_ALLOW_ACCOUNT_LINKING,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #02e3bab2e2117dd7 Environment-variable access.
repo/web/src/env.mjs:645
      process.env.AUTH_ONELOGIN_CLIENT_AUTH_METHOD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #679d390c001b0b52 Environment-variable access.
repo/web/src/env.mjs:646
    AUTH_ONELOGIN_CHECKS: process.env.AUTH_ONELOGIN_CHECKS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b28e5dd567f882b9 Environment-variable access.
repo/web/src/env.mjs:648
      process.env.AUTH_ONELOGIN_ID_TOKEN_SIGNED_RESPONSE_ALG,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e9dd73b5642ef86b Environment-variable access.
repo/web/src/env.mjs:649
    AUTH_AUTH0_CLIENT_ID: process.env.AUTH_AUTH0_CLIENT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #83a9788d1df24156 Environment-variable access.
repo/web/src/env.mjs:650
    AUTH_AUTH0_CLIENT_SECRET: process.env.AUTH_AUTH0_CLIENT_SECRET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #674f352a096860f2 Environment-variable access.
repo/web/src/env.mjs:651
    AUTH_AUTH0_ISSUER: process.env.AUTH_AUTH0_ISSUER,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c9785e3b2b950015 Environment-variable access.
repo/web/src/env.mjs:653
      process.env.AUTH_AUTH0_ALLOW_ACCOUNT_LINKING,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1b2d25423a96a33b Environment-variable access.
repo/web/src/env.mjs:654
    AUTH_AUTH0_CLIENT_AUTH_METHOD: process.env.AUTH_AUTH0_CLIENT_AUTH_METHOD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #46d1e2c465d933d1 Environment-variable access.
repo/web/src/env.mjs:655
    AUTH_AUTH0_CHECKS: process.env.AUTH_AUTH0_CHECKS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #629d90c0b93090c9 Environment-variable access.
repo/web/src/env.mjs:657
      process.env.AUTH_AUTH0_ID_TOKEN_SIGNED_RESPONSE_ALG,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c1147d8d76bea217 Environment-variable access.
repo/web/src/env.mjs:659
      process.env.AUTH_CLICKHOUSE_CLOUD_CLIENT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #45220fa9a54e395c Environment-variable access.
repo/web/src/env.mjs:661
      process.env.AUTH_CLICKHOUSE_CLOUD_CLIENT_SECRET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ea9e715c8bc69614 Environment-variable access.
repo/web/src/env.mjs:662
    AUTH_CLICKHOUSE_CLOUD_ISSUER: process.env.AUTH_CLICKHOUSE_CLOUD_ISSUER,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f0a20f1e0debe65b Environment-variable access.
repo/web/src/env.mjs:664
      process.env.AUTH_CLICKHOUSE_CLOUD_ALLOW_ACCOUNT_LINKING,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d3057656c0da48b6 Environment-variable access.
repo/web/src/env.mjs:666
      process.env.AUTH_CLICKHOUSE_CLOUD_CLIENT_AUTH_METHOD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8bbc4e2f546e6e4a Environment-variable access.
repo/web/src/env.mjs:667
    AUTH_CLICKHOUSE_CLOUD_CHECKS: process.env.AUTH_CLICKHOUSE_CLOUD_CHECKS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7cfa1e9cf7780149 Environment-variable access.
repo/web/src/env.mjs:669
      process.env.AUTH_CLICKHOUSE_CLOUD_ID_TOKEN_SIGNED_RESPONSE_ALG,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #32da32141a1f00fa Environment-variable access.
repo/web/src/env.mjs:670
    AUTH_COGNITO_CLIENT_ID: process.env.AUTH_COGNITO_CLIENT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9ba3929510b87419 Environment-variable access.
repo/web/src/env.mjs:671
    AUTH_COGNITO_CLIENT_SECRET: process.env.AUTH_COGNITO_CLIENT_SECRET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2af8755bfc26aa6f Environment-variable access.
repo/web/src/env.mjs:672
    AUTH_COGNITO_ISSUER: process.env.AUTH_COGNITO_ISSUER,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ea45b6e1db73ece4 Environment-variable access.
repo/web/src/env.mjs:674
      process.env.AUTH_COGNITO_ALLOW_ACCOUNT_LINKING,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d904d45d9434afa9 Environment-variable access.
repo/web/src/env.mjs:676
      process.env.AUTH_COGNITO_CLIENT_AUTH_METHOD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3ea2f5cd8b9be721 Environment-variable access.
repo/web/src/env.mjs:677
    AUTH_COGNITO_CHECKS: process.env.AUTH_COGNITO_CHECKS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3dd7c2256dcb5e11 Environment-variable access.
repo/web/src/env.mjs:679
      process.env.AUTH_COGNITO_ID_TOKEN_SIGNED_RESPONSE_ALG,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0ec5b5f042f120f1 Environment-variable access.
repo/web/src/env.mjs:680
    AUTH_KEYCLOAK_CLIENT_ID: process.env.AUTH_KEYCLOAK_CLIENT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3a0deb668235d1f2 Environment-variable access.
repo/web/src/env.mjs:681
    AUTH_KEYCLOAK_CLIENT_SECRET: process.env.AUTH_KEYCLOAK_CLIENT_SECRET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #46b7306c22371956 Environment-variable access.
repo/web/src/env.mjs:682
    AUTH_KEYCLOAK_ISSUER: process.env.AUTH_KEYCLOAK_ISSUER,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9bc012107bb6e1bf Environment-variable access.
repo/web/src/env.mjs:684
      process.env.AUTH_KEYCLOAK_ALLOW_ACCOUNT_LINKING,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #478cc044a0c26f84 Environment-variable access.
repo/web/src/env.mjs:686
      process.env.AUTH_KEYCLOAK_CLIENT_AUTH_METHOD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e26fbf39c4ca4267 Environment-variable access.
repo/web/src/env.mjs:687
    AUTH_KEYCLOAK_CHECKS: process.env.AUTH_KEYCLOAK_CHECKS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3245dc9da121acea Environment-variable access.
repo/web/src/env.mjs:689
      process.env.AUTH_KEYCLOAK_ID_TOKEN_SIGNED_RESPONSE_ALG,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #840f62cd16cd4ad2 Environment-variable access.
repo/web/src/env.mjs:690
    AUTH_KEYCLOAK_SCOPE: process.env.AUTH_KEYCLOAK_SCOPE,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #45ce39a6f48ff0f0 Environment-variable access.
repo/web/src/env.mjs:691
    AUTH_KEYCLOAK_ID_TOKEN: process.env.AUTH_KEYCLOAK_ID_TOKEN,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c69f13d8dcc1b8b6 Environment-variable access.
repo/web/src/env.mjs:692
    AUTH_KEYCLOAK_NAME: process.env.AUTH_KEYCLOAK_NAME,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4be362476a987ae8 Environment-variable access.
repo/web/src/env.mjs:693
    AUTH_JUMPCLOUD_CLIENT_ID: process.env.AUTH_JUMPCLOUD_CLIENT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2e0fdec20a9de1e1 Environment-variable access.
repo/web/src/env.mjs:694
    AUTH_JUMPCLOUD_CLIENT_SECRET: process.env.AUTH_JUMPCLOUD_CLIENT_SECRET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8b492be2aab31a12 Environment-variable access.
repo/web/src/env.mjs:695
    AUTH_JUMPCLOUD_ISSUER: process.env.AUTH_JUMPCLOUD_ISSUER,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d45c72838b3b019b Environment-variable access.
repo/web/src/env.mjs:697
      process.env.AUTH_JUMPCLOUD_ALLOW_ACCOUNT_LINKING,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ee928b4ccea8c222 Environment-variable access.
repo/web/src/env.mjs:699
      process.env.AUTH_JUMPCLOUD_CLIENT_AUTH_METHOD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bfb105a635e73777 Environment-variable access.
repo/web/src/env.mjs:700
    AUTH_JUMPCLOUD_CHECKS: process.env.AUTH_JUMPCLOUD_CHECKS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cd0c3b8dcb1e4a2b Environment-variable access.
repo/web/src/env.mjs:702
      process.env.AUTH_JUMPCLOUD_ID_TOKEN_SIGNED_RESPONSE_ALG,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4b79be2559814cf1 Environment-variable access.
repo/web/src/env.mjs:703
    AUTH_JUMPCLOUD_SCOPE: process.env.AUTH_JUMPCLOUD_SCOPE,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2d7e8d6e96dbc65c Environment-variable access.
repo/web/src/env.mjs:704
    AUTH_CUSTOM_CLIENT_ID: process.env.AUTH_CUSTOM_CLIENT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3dad9d8d43679e6a Environment-variable access.
repo/web/src/env.mjs:705
    AUTH_CUSTOM_CLIENT_SECRET: process.env.AUTH_CUSTOM_CLIENT_SECRET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8b812c1cc40034ba Environment-variable access.
repo/web/src/env.mjs:706
    AUTH_CUSTOM_ISSUER: process.env.AUTH_CUSTOM_ISSUER,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f6f33a7f39f1ebfd Environment-variable access.
repo/web/src/env.mjs:707
    AUTH_CUSTOM_NAME: process.env.AUTH_CUSTOM_NAME,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #235cedd281959e48 Environment-variable access.
repo/web/src/env.mjs:708
    AUTH_CUSTOM_SCOPE: process.env.AUTH_CUSTOM_SCOPE,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9c4eac6b7fc47358 Environment-variable access.
repo/web/src/env.mjs:709
    AUTH_CUSTOM_CLIENT_AUTH_METHOD: process.env.AUTH_CUSTOM_CLIENT_AUTH_METHOD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1696c86cd9ba52a0 Environment-variable access.
repo/web/src/env.mjs:710
    AUTH_CUSTOM_CHECKS: process.env.AUTH_CUSTOM_CHECKS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #96a18e8f15b0337d Environment-variable access.
repo/web/src/env.mjs:712
      process.env.AUTH_CUSTOM_ID_TOKEN_SIGNED_RESPONSE_ALG,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2ed132f8992cc8e5 Environment-variable access.
repo/web/src/env.mjs:714
      process.env.AUTH_CUSTOM_ALLOW_ACCOUNT_LINKING,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #355da736e4921c42 Environment-variable access.
repo/web/src/env.mjs:715
    AUTH_CUSTOM_ID_TOKEN: process.env.AUTH_CUSTOM_ID_TOKEN,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bfd450dc034e8e3e Environment-variable access.
repo/web/src/env.mjs:716
    AUTH_WORKOS_CLIENT_ID: process.env.AUTH_WORKOS_CLIENT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #02f9527ad33e8efe Environment-variable access.
repo/web/src/env.mjs:717
    AUTH_WORKOS_CLIENT_SECRET: process.env.AUTH_WORKOS_CLIENT_SECRET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3f57cf2c806600fe Environment-variable access.
repo/web/src/env.mjs:719
      process.env.AUTH_WORKOS_ALLOW_ACCOUNT_LINKING,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e2cfcff6d35190d8 Environment-variable access.
repo/web/src/env.mjs:720
    AUTH_WORKOS_ORGANIZATION_ID: process.env.AUTH_WORKOS_ORGANIZATION_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9a176974aa3824a2 Environment-variable access.
repo/web/src/env.mjs:721
    AUTH_WORKOS_CONNECTION_ID: process.env.AUTH_WORKOS_CONNECTION_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c7636ce4b8da68f8 Environment-variable access.
repo/web/src/env.mjs:722
    AUTH_WORDPRESS_CLIENT_ID: process.env.AUTH_WORDPRESS_CLIENT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c69dda0b28532754 Environment-variable access.
repo/web/src/env.mjs:723
    AUTH_WORDPRESS_CLIENT_SECRET: process.env.AUTH_WORDPRESS_CLIENT_SECRET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #158929ace67d9790 Environment-variable access.
repo/web/src/env.mjs:725
      process.env.AUTH_WORDPRESS_ALLOW_ACCOUNT_LINKING,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cd22b4b9f72809cc Environment-variable access.
repo/web/src/env.mjs:727
      process.env.AUTH_WORDPRESS_CLIENT_AUTH_METHOD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f128c5b5479f1539 Environment-variable access.
repo/web/src/env.mjs:728
    AUTH_WORDPRESS_CHECKS: process.env.AUTH_WORDPRESS_CHECKS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c367e246fbb13849 Environment-variable access.
repo/web/src/env.mjs:730
      process.env.AUTH_WORDPRESS_ID_TOKEN_SIGNED_RESPONSE_ALG,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6f4a891468919912 Environment-variable access.
repo/web/src/env.mjs:731
    AUTH_IGNORE_ACCOUNT_FIELDS: process.env.AUTH_IGNORE_ACCOUNT_FIELDS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cad956a3c74b79e4 Environment-variable access.
repo/web/src/env.mjs:733
      process.env.AUTH_DOMAINS_WITH_SSO_ENFORCEMENT,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e8716cca21e2002b Environment-variable access.
repo/web/src/env.mjs:734
    AUTH_DISABLE_USERNAME_PASSWORD: process.env.AUTH_DISABLE_USERNAME_PASSWORD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #19c34daa4cdd3e6a Environment-variable access.
repo/web/src/env.mjs:735
    AUTH_DISABLE_SIGNUP: process.env.AUTH_DISABLE_SIGNUP,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #de63f513c3ef3845 Environment-variable access.
repo/web/src/env.mjs:737
      process.env.AUTH_EMAIL_VERIFICATION_REQUIRED,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #77ba2b11f8156937 Environment-variable access.
repo/web/src/env.mjs:738
    AUTH_SESSION_MAX_AGE: process.env.AUTH_SESSION_MAX_AGE,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #00c4c83e9649e57b Environment-variable access.
repo/web/src/env.mjs:739
    AUTH_HTTP_PROXY: process.env.AUTH_HTTP_PROXY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #546b59b5191dadee Environment-variable access.
repo/web/src/env.mjs:740
    AUTH_HTTPS_PROXY: process.env.AUTH_HTTPS_PROXY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #49c57eae540aa863 Environment-variable access.
repo/web/src/env.mjs:741
    AUTH_SSO_TIMEOUT: process.env.AUTH_SSO_TIMEOUT,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #914dd65a44dd2d11 Environment-variable access.
repo/web/src/env.mjs:743
    EMAIL_FROM_ADDRESS: process.env.EMAIL_FROM_ADDRESS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #caed3830810be0f3 Environment-variable access.
repo/web/src/env.mjs:744
    SMTP_CONNECTION_URL: process.env.SMTP_CONNECTION_URL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5e38ecc8ea9290b9 Environment-variable access.
repo/web/src/env.mjs:746
    OTEL_EXPORTER_OTLP_ENDPOINT: process.env.OTEL_EXPORTER_OTLP_ENDPOINT,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a582cb56696386fd Environment-variable access.
repo/web/src/env.mjs:747
    OTEL_SERVICE_NAME: process.env.OTEL_SERVICE_NAME,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #070512d0096f2e4d Environment-variable access.
repo/web/src/env.mjs:748
    OTEL_TRACE_SAMPLING_RATIO: process.env.OTEL_TRACE_SAMPLING_RATIO,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ed4a8d84c020548f Environment-variable access.
repo/web/src/env.mjs:751
      process.env.LANGFUSE_INGESTION_MASKING_PROPAGATED_HEADERS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8379fde82b3596d4 Environment-variable access.
repo/web/src/env.mjs:755
      process.env.LANGFUSE_S3_MEDIA_MAX_CONTENT_LENGTH,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5948af0fc75e7b23 Environment-variable access.
repo/web/src/env.mjs:757
      process.env.LANGFUSE_S3_MEDIA_UPLOAD_BUCKET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #771afc2236e57684 Environment-variable access.
repo/web/src/env.mjs:759
      process.env.LANGFUSE_S3_MEDIA_UPLOAD_PREFIX,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #701982ca5f827479 Environment-variable access.
repo/web/src/env.mjs:761
      process.env.LANGFUSE_S3_MEDIA_UPLOAD_REGION,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b8c7aa7b47d44c84 Environment-variable access.
repo/web/src/env.mjs:763
      process.env.LANGFUSE_S3_MEDIA_UPLOAD_ENDPOINT,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0954c8c0c9a1c1f1 Environment-variable access.
repo/web/src/env.mjs:765
      process.env.LANGFUSE_S3_MEDIA_UPLOAD_ACCESS_KEY_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #53472e1dfcb33c42 Environment-variable access.
repo/web/src/env.mjs:767
      process.env.LANGFUSE_S3_MEDIA_UPLOAD_SECRET_ACCESS_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1fb2a922cc5e5d93 Environment-variable access.
repo/web/src/env.mjs:769
      process.env.LANGFUSE_S3_MEDIA_UPLOAD_FORCE_PATH_STYLE,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a988a79b6d26a1a1 Environment-variable access.
repo/web/src/env.mjs:771
      process.env.LANGFUSE_S3_MEDIA_DOWNLOAD_URL_EXPIRY_SECONDS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d31c99b048a453eb Environment-variable access.
repo/web/src/env.mjs:772
    LANGFUSE_S3_MEDIA_UPLOAD_SSE: process.env.LANGFUSE_S3_MEDIA_UPLOAD_SSE,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2fced5ea8ea0b42c Environment-variable access.
repo/web/src/env.mjs:774
      process.env.LANGFUSE_S3_MEDIA_UPLOAD_SSE_KMS_KEY_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9cceaff98b254b35 Environment-variable access.
repo/web/src/env.mjs:776
    NEXT_PUBLIC_POSTHOG_KEY: process.env.NEXT_PUBLIC_POSTHOG_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6ed989cd41e2c3b6 Environment-variable access.
repo/web/src/env.mjs:777
    NEXT_PUBLIC_POSTHOG_HOST: process.env.NEXT_PUBLIC_POSTHOG_HOST,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #981ab5787eaffa4e Environment-variable access.
repo/web/src/env.mjs:779
    NEXT_PUBLIC_PLAIN_APP_ID: process.env.NEXT_PUBLIC_PLAIN_APP_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d4c43bdd5f24d178 Environment-variable access.
repo/web/src/env.mjs:780
    PLAIN_AUTHENTICATION_SECRET: process.env.PLAIN_AUTHENTICATION_SECRET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #513ea34d164b7625 Environment-variable access.
repo/web/src/env.mjs:781
    PLAIN_CARDS_API_TOKEN: process.env.PLAIN_CARDS_API_TOKEN,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #57ac24133e82aea1 Environment-variable access.
repo/web/src/env.mjs:782
    PYLON_API_KEY: process.env.PYLON_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #996a0d1f63feb28e Environment-variable access.
repo/web/src/env.mjs:784
    CLICKHOUSE_URL: process.env.CLICKHOUSE_URL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b04ff756eef6dc8d Environment-variable access.
repo/web/src/env.mjs:785
    CLICKHOUSE_CLUSTER_NAME: process.env.CLICKHOUSE_CLUSTER_NAME,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ab2388a4bb934c9c Environment-variable access.
repo/web/src/env.mjs:786
    CLICKHOUSE_DB: process.env.CLICKHOUSE_DB,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #891ab452613801c5 Environment-variable access.
repo/web/src/env.mjs:787
    CLICKHOUSE_USER: process.env.CLICKHOUSE_USER,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d88f01f44e381994 Environment-variable access.
repo/web/src/env.mjs:788
    CLICKHOUSE_PASSWORD: process.env.CLICKHOUSE_PASSWORD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b89055852189bda7 Environment-variable access.
repo/web/src/env.mjs:789
    CLICKHOUSE_CLUSTER_ENABLED: process.env.CLICKHOUSE_CLUSTER_ENABLED,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c49a01dabab8e1dd Environment-variable access.
repo/web/src/env.mjs:791
    LANGFUSE_UI_API_HOST: process.env.LANGFUSE_UI_API_HOST,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #661f89aa1372bddc Environment-variable access.
repo/web/src/env.mjs:792
    LANGFUSE_UI_DOCUMENTATION_HREF: process.env.LANGFUSE_UI_DOCUMENTATION_HREF,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b7db1ad744ca8fc3 Environment-variable access.
repo/web/src/env.mjs:793
    LANGFUSE_UI_SUPPORT_HREF: process.env.LANGFUSE_UI_SUPPORT_HREF,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e6f2e4628b207bd1 Environment-variable access.
repo/web/src/env.mjs:794
    LANGFUSE_UI_FEEDBACK_HREF: process.env.LANGFUSE_UI_FEEDBACK_HREF,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b8d25287fed27e15 Environment-variable access.
repo/web/src/env.mjs:796
      process.env.LANGFUSE_UI_LOGO_LIGHT_MODE_HREF,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #096c0e4514311c2d Environment-variable access.
repo/web/src/env.mjs:798
      process.env.LANGFUSE_UI_LOGO_DARK_MODE_HREF,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aab323437bcd7ce2 Environment-variable access.
repo/web/src/env.mjs:800
      process.env.LANGFUSE_UI_DEFAULT_MODEL_ADAPTER,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3a023f1f736d719e Environment-variable access.
repo/web/src/env.mjs:802
      process.env.LANGFUSE_UI_DEFAULT_BASE_URL_OPENAI,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ade4e0d0c91f1024 Environment-variable access.
repo/web/src/env.mjs:804
      process.env.LANGFUSE_UI_DEFAULT_BASE_URL_ANTHROPIC,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #659ea6e49cdc2280 Environment-variable access.
repo/web/src/env.mjs:806
      process.env.LANGFUSE_UI_DEFAULT_BASE_URL_AZURE,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a3eee9aec0a5668e Environment-variable access.
repo/web/src/env.mjs:808
      process.env.LANGFUSE_UI_VISIBLE_PRODUCT_MODULES,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #15406bae6e076080 Environment-variable access.
repo/web/src/env.mjs:810
      process.env.LANGFUSE_UI_HIDDEN_PRODUCT_MODULES,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a1cabc669d6e9a3b Environment-variable access.
repo/web/src/env.mjs:813
      process.env.NEXT_PUBLIC_LANGFUSE_PLAYGROUND_STREAMING_ENABLED_DEFAULT,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2b55d8825b2a1a26 Environment-variable access.
repo/web/src/env.mjs:815
    LANGFUSE_EE_LICENSE_KEY: process.env.LANGFUSE_EE_LICENSE_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2b734213977e9c08 Environment-variable access.
repo/web/src/env.mjs:816
    ADMIN_API_KEY: process.env.ADMIN_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8950f2c4ed1a6e48 Environment-variable access.
repo/web/src/env.mjs:817
    ENCRYPTION_KEY: process.env.ENCRYPTION_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e1a6830099abda7b Environment-variable access.
repo/web/src/env.mjs:819
    LANGFUSE_CACHE_API_KEY_ENABLED: process.env.LANGFUSE_CACHE_API_KEY_ENABLED,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #288425583531d50b Environment-variable access.
repo/web/src/env.mjs:821
      process.env.LANGFUSE_CACHE_API_KEY_TTL_SECONDS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a72648aba6c129bf Environment-variable access.
repo/web/src/env.mjs:823
      process.env.LANGFUSE_ALLOWED_ORGANIZATION_CREATORS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ddbbac7ee15636e4 Environment-variable access.
repo/web/src/env.mjs:824
    STRIPE_SECRET_KEY: process.env.STRIPE_SECRET_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #617f8b88f399617c Environment-variable access.
repo/web/src/env.mjs:825
    STRIPE_WEBHOOK_SIGNING_SECRET: process.env.STRIPE_WEBHOOK_SIGNING_SECRET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a60331bd1b64a78e Environment-variable access.
repo/web/src/env.mjs:826
    SENTRY_AUTH_TOKEN: process.env.SENTRY_AUTH_TOKEN,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #51fa0285c8d3f2e8 Environment-variable access.
repo/web/src/env.mjs:827
    SENTRY_CSP_REPORT_URI: process.env.SENTRY_CSP_REPORT_URI,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cd5a2534f1320521 Environment-variable access.
repo/web/src/env.mjs:828
    LANGFUSE_RATE_LIMITS_ENABLED: process.env.LANGFUSE_RATE_LIMITS_ENABLED,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d5e59e79c50dbf83 Environment-variable access.
repo/web/src/env.mjs:830
    LANGFUSE_INIT_ORG_ID: process.env.LANGFUSE_INIT_ORG_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7ae03d332f0ef1a6 Environment-variable access.
repo/web/src/env.mjs:831
    LANGFUSE_INIT_ORG_NAME: process.env.LANGFUSE_INIT_ORG_NAME,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5ceb4f813100fc76 Environment-variable access.
repo/web/src/env.mjs:832
    LANGFUSE_INIT_ORG_CLOUD_PLAN: process.env.LANGFUSE_INIT_ORG_CLOUD_PLAN,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6f31c25920108362 Environment-variable access.
repo/web/src/env.mjs:833
    LANGFUSE_INIT_PROJECT_ID: process.env.LANGFUSE_INIT_PROJECT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #490f523166312b73 Environment-variable access.
repo/web/src/env.mjs:834
    LANGFUSE_INIT_PROJECT_NAME: process.env.LANGFUSE_INIT_PROJECT_NAME,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6300fdf81735255d Environment-variable access.
repo/web/src/env.mjs:836
      process.env.LANGFUSE_INIT_PROJECT_RETENTION,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3db4b842f67bddee Environment-variable access.
repo/web/src/env.mjs:838
      process.env.LANGFUSE_INIT_PROJECT_PUBLIC_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #82f90df8ad78e8e0 Environment-variable access.
repo/web/src/env.mjs:840
      process.env.LANGFUSE_INIT_PROJECT_SECRET_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #85ec0992d020dbbd Environment-variable access.
repo/web/src/env.mjs:841
    LANGFUSE_INIT_USER_EMAIL: process.env.LANGFUSE_INIT_USER_EMAIL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dfb37da404ef9554 Environment-variable access.
repo/web/src/env.mjs:842
    LANGFUSE_INIT_USER_NAME: process.env.LANGFUSE_INIT_USER_NAME,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8f703041b5b1f465 Environment-variable access.
repo/web/src/env.mjs:843
    LANGFUSE_INIT_USER_PASSWORD: process.env.LANGFUSE_INIT_USER_PASSWORD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e52a2723a3513599 Environment-variable access.
repo/web/src/env.mjs:844
    NEXT_PUBLIC_BASE_PATH: process.env.NEXT_PUBLIC_BASE_PATH,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #939a54fc67d65b07 Environment-variable access.
repo/web/src/env.mjs:846
      process.env.LANGFUSE_MAX_HISTORIC_EVAL_CREATION_LIMIT,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e3d95d987a625b23 Environment-variable access.
repo/web/src/env.mjs:847
    SLACK_CLIENT_ID: process.env.SLACK_CLIENT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ae94c567b37a0f7a Environment-variable access.
repo/web/src/env.mjs:848
    SLACK_CLIENT_SECRET: process.env.SLACK_CLIENT_SECRET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #563de82e2d6bc6fb Environment-variable access.
repo/web/src/env.mjs:849
    SLACK_STATE_SECRET: process.env.SLACK_STATE_SECRET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #881a75cc5a8866af Environment-variable access.
repo/web/src/env.mjs:852
    LANGFUSE_AWS_BEDROCK_MODEL: process.env.LANGFUSE_AWS_BEDROCK_MODEL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a6ef3413cc66a9aa Environment-variable access.
repo/web/src/env.mjs:854
      process.env.LANGFUSE_AWS_BEDROCK_SMALL_MODEL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7193b78ddfd911db Environment-variable access.
repo/web/src/env.mjs:857
    LANGFUSE_AI_FEATURES_HOST: process.env.LANGFUSE_AI_FEATURES_HOST,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cfe79310a08354a7 Environment-variable access.
repo/web/src/env.mjs:861
      process.env.LANGFUSE_SKIP_FINAL_FOR_OTEL_PROJECTS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1f1d91df146b3360 Environment-variable access.
repo/web/src/env.mjs:865
      process.env.LANGFUSE_AI_FEATURES_PUBLIC_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3a10568606b24004 Environment-variable access.
repo/web/src/env.mjs:867
      process.env.LANGFUSE_AI_FEATURES_SECRET_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #195f77a5fcbb5089 Environment-variable access.
repo/web/src/env.mjs:869
      process.env.LANGFUSE_AI_FEATURES_PROJECT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1b9dd7b6c1c38e0d Environment-variable access.
repo/web/src/env.mjs:872
      process.env.LANGFUSE_API_TRACES_DEFAULT_DATE_RANGE_DAYS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9cb5f5c55c161da7 Environment-variable access.
repo/web/src/env.mjs:874
      process.env.LANGFUSE_API_TRACES_REJECT_NO_DATE_RANGE,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4af7dc136fe4caff Environment-variable access.
repo/web/src/env.mjs:876
      process.env.LANGFUSE_API_TRACES_DEFAULT_FIELDS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fbf08a236774d80c Environment-variable access.
repo/web/src/env.mjs:878
      process.env.LANGFUSE_API_TRACEBYID_DEFAULT_FIELDS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e9bf375505ca818d Environment-variable access.
repo/web/src/env.mjs:880
      process.env.LANGFUSE_MIGRATION_V4_ALLOW_PREVIEW_OPT_IN,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aefb2dcaa5f04cd7 Environment-variable access.
repo/web/src/env.mjs:882
      process.env.LANGFUSE_MIGRATION_V4_WRITE_MODE,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4a9e4b37a70510e0 Environment-variable access.
repo/web/src/env.mjs:885
      process.env.LANGFUSE_DISABLE_LEGACY_TRACING_IO_SEARCH,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ab92f3a48abbbd7e Environment-variable access.
repo/web/src/env.mjs:887
      process.env.LANGFUSE_OBSERVATIONS_V2_SUBQUERY_REWRITE,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #16500eab3789cabc Environment-variable access.
repo/web/src/env.mjs:889
      process.env.LANGFUSE_OBSERVATIONS_V2_SHADOW_QUERY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a2ffda3729960fa3 Environment-variable access.
repo/web/src/env.mjs:891
      process.env.LANGFUSE_OBSERVATIONS_V2_SHADOW_QUERY_SAMPLE_RATE,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #86d8df71e7f564dd Environment-variable access.
repo/web/src/env.mjs:893
      process.env.LANGFUSE_BLOCKED_USERIDS_CHATCOMPLETION,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #00a2036a82641264 Environment-variable access.
repo/web/src/env.mjs:897
  skipValidation: process.env.DOCKER_BUILD === "1",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #752e77c9f8f5433a Hardcoded external endpoint. Review what data is sent to this destination.
repo/web/src/features/cloud-status-notification/server/cloud-status-router.ts:49
        const response = await fetch(
          "https://status.langfuse.com/api/v1/summary",
        );

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #1d3e62e9f514abb8 Environment-variable access.
repo/web/src/features/entitlements/server/getPlan.ts:12
  if (process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #07556821149220cf Environment-variable access.
repo/web/src/features/evals/server/evaluator-preflight.ts:52
      process.env.LANGFUSE_SKIP_EVALUATOR_MODEL_CALL_VALIDATION === "true" ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6e3c9ae5caa19e20 Environment-variable access.
repo/web/src/features/evals/server/evaluator-preflight.ts:53
      process.env.NODE_ENV === "test" ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1acaa79011340482 Environment-variable access.
repo/web/src/features/evals/server/evaluator-preflight.ts:54
      process.env.DATABASE_URL?.includes("langfuse_test")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1c058e0efbe828ec Filesystem access.
repo/web/src/features/evals/utils/code-eval-template-starter-examples.clienttest.ts:22
      module: readFileSync(
        require.resolve("@astral-sh/ruff-wasm-web/ruff_wasm_bg.wasm"),
      ),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1ffcf6fa1f6f2de5 Environment-variable access.
repo/web/src/features/events/lib/v4Rollout.clienttest.ts:6
  const originalRegion = process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #67976853a665fc72 Environment-variable access.
repo/web/src/features/events/lib/v4Rollout.clienttest.ts:18
    process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION = "US";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d8ea821da679a1e0 Environment-variable access.
repo/web/src/features/events/lib/v4Rollout.clienttest.ts:22
    process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION = originalRegion;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e7bb146f69064b02 Environment-variable access.
repo/web/src/features/events/lib/v4Rollout.ts:52
  if (process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION === "DEV") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ce638b2523bae6d1 Environment-variable access.
repo/web/src/features/experiments/components/table/ExperimentsTable.tsx:859
                    const fullUrl = `${process.env.NEXT_PUBLIC_BASE_PATH ?? ""}${experimentUrl}`;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #df4e6c78f29af768 Environment-variable access.
repo/web/src/features/mcp/server/security.ts:57
      process.env.PORT ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cfc1a3887c47be19 Environment-variable access.
repo/web/src/features/posthog-analytics/ServerPosthog.ts:22
      if (process.env.NODE_ENV === "development") this.posthog.debug();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #a27c8335f9a5d5ef Hardcoded external endpoint. Review what data is sent to this destination.
repo/web/src/features/support-chat/pylon/pylonClient.ts:65
  const res = await fetch(`${PYLON_API_BASE}/issues`, {
    method: "POST",
    headers: {
      Authorization: `Bearer ${apiKey}`,
      "Content-Type": "application/json",
    },
    body: JSON.stringify(body),
  });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #dfd270b549ebeb52 Hardcoded external endpoint. Review what data is sent to this destination.
repo/web/src/features/support-chat/pylon/pylonClient.ts:117
  const res = await fetch(`${PYLON_API_BASE}/attachments`, {
    method: "POST",
    headers: {
      Authorization: `Bearer ${apiKey}`,
    },
    body: formData,
  });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #ac8e0763d37bfa39 Environment-variable access.
repo/web/src/features/telemetry/index.ts:23
    if (process.env.NODE_ENV !== "production") return;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #193254a7aa9e6a96 Environment-variable access.
repo/web/src/features/telemetry/index.ts:33
    if (process.env.CI) return;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ed6d772a1daa9464 Environment-variable access.
repo/web/src/features/telemetry/index.ts:271
          environment: process.env.NODE_ENV,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b1c68cf05917b34a Environment-variable access.
repo/web/src/instrumentation.ts:6
    process.env.NEXT_PUBLIC_LANGFUSE_RUN_NEXT_INIT !== undefined

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0a17fdff087446a8 Environment-variable access.
repo/web/src/instrumentation.ts:7
      ? process.env.NEXT_PUBLIC_LANGFUSE_RUN_NEXT_INIT === "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2f9cc20c0550e4e4 Environment-variable access.
repo/web/src/instrumentation.ts:10
  if (process.env.NEXT_RUNTIME === "nodejs" && isInitLoadingEnabled) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2efe4f427126a7c4 Environment-variable access.
repo/web/src/pages/_app.tsx:87
  process.env.NEXT_PUBLIC_POSTHOG_KEY &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b7f2a43c6767e334 Environment-variable access.
repo/web/src/pages/_app.tsx:88
  process.env.NEXT_PUBLIC_POSTHOG_HOST

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0ae97be16e9b9aba Environment-variable access.
repo/web/src/pages/_app.tsx:90
  posthog.init(process.env.NEXT_PUBLIC_POSTHOG_KEY, {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7c8531a1a8ff1c63 Environment-variable access.
repo/web/src/pages/_app.tsx:91
    api_host: process.env.NEXT_PUBLIC_POSTHOG_HOST || "https://eu.posthog.com",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #189452626166ebe1 Environment-variable access.
repo/web/src/pages/_app.tsx:95
      if (process.env.NODE_ENV === "development") posthog.debug();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #821bcf9fb2b593cf Environment-variable access.
repo/web/src/pages/_app.tsx:194
          environment: process.env.NODE_ENV,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d0aa2fb911594cee Environment-variable access.
repo/web/src/pages/_app.tsx:246
  process.env.NEXT_RUNTIME === "nodejs" &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #454e5761e36ac2c4 Environment-variable access.
repo/web/src/pages/_app.tsx:247
  process.env.NEXT_MANUAL_SIG_HANDLE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3848fbf1acfdec0c Environment-variable access.
repo/web/src/server/utils/cookies.ts:13
  env.NEXTAUTH_URL.startsWith("https://") || process.env.VERCEL === "1";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d78c32d6462be4b8 Environment-variable access.
repo/web/src/utils/api.ts:36
      : process.env.VERCEL_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8db5bf6c52bdd239 Environment-variable access.
repo/web/src/utils/api.ts:37
        ? `https://${process.env.VERCEL_URL}`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ab09c81f578a0191 Environment-variable access.
repo/web/src/utils/api.ts:38
        : `http://localhost:${process.env.PORT ?? 3000}`;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #03bfd49dca384988 Environment-variable access.
repo/web/src/utils/api.ts:163
        !!process.env.NEXT_PUBLIC_BUILD_ID &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4fd11df0b27944f3 Environment-variable access.
repo/web/src/utils/api.ts:164
        buildId !== process.env.NEXT_PUBLIC_BUILD_ID

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1518bc3d01f3c12a Environment-variable access.
repo/web/src/utils/api.ts:308
          enabled: () => process.env.NODE_ENV === "development",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3a1648f28a094484 Environment-variable access.
repo/web/src/utils/api.ts:382
      enabled: () => process.env.NODE_ENV === "development",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #04eed6cdab46292d Environment-variable access.
repo/web/src/utils/shutdown.ts:29
  Boolean(process.env.NEXT_MANUAL_SIG_HANDLE) && globalThis.sigtermReceived;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f835243c28acd972 Environment-variable access.
repo/worker/src/__tests__/batchAction.test.ts:41
  process.env.LANGFUSE_MIGRATION_V4_ALLOW_PREVIEW_OPT_IN === "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bcc277ce187890ee Environment-variable access.
repo/worker/src/__tests__/batchExport.test.ts:30
process.env.LANGFUSE_DATASET_SERVICE_READ_FROM_VERSIONED_IMPLEMENTATION =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #931e2298cc7d9159 Environment-variable access.
repo/worker/src/__tests__/batchExport.test.ts:32
process.env.LANGFUSE_DATASET_SERVICE_WRITE_TO_VERSIONED_IMPLEMENTATION = "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9c066ae36726de29 Environment-variable access.
repo/worker/src/__tests__/batchExport.test.ts:35
  process.env.LANGFUSE_MIGRATION_V4_ALLOW_PREVIEW_OPT_IN === "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e12ef5f4413aad93 Environment-variable access.
repo/worker/src/__tests__/blobStorageIntegrationProcessing.test.ts:13
  const cloudRegion = process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f286b6de4b37c415 Environment-variable access.
repo/worker/src/__tests__/blobStorageIntegrationProcessing.test.ts:14
  delete process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d11d98bbbc8ffd0c Environment-variable access.
repo/worker/src/__tests__/blobStorageIntegrationProcessing.test.ts:67
  process.env.LANGFUSE_MIGRATION_V4_ALLOW_PREVIEW_OPT_IN === "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #887f12590c3b585c Environment-variable access.
repo/worker/src/__tests__/blobStorageIntegrationProcessing.test.ts:106
      process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION = originalCloudRegion;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #80abdf0fcd357f5c Environment-variable access.
repo/worker/src/__tests__/blobStorageIntegrationProcessing.test.ts:108
      delete process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fe6a8d3810ae5247 Environment-variable access.
repo/worker/src/__tests__/bullmqVersionCheckOptions.test.ts:22
  delete process.env.REDIS_CLUSTER_NODES;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b451aa117865cf5b Environment-variable access.
repo/worker/src/__tests__/bullmqVersionCheckOptions.test.ts:23
  delete process.env.REDIS_SENTINEL_NODES;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ebff3d671f383626 Environment-variable access.
repo/worker/src/__tests__/bullmqVersionCheckOptions.test.ts:24
  delete process.env.REDIS_SENTINEL_MASTER_NAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3b94b0973da6d770 Environment-variable access.
repo/worker/src/__tests__/bullmqVersionCheckOptions.test.ts:25
  delete process.env.REDIS_SENTINEL_USERNAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #75a6a8a60ace20d2 Environment-variable access.
repo/worker/src/__tests__/bullmqVersionCheckOptions.test.ts:26
  delete process.env.REDIS_SENTINEL_PASSWORD;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #885a0c9daab4475a Environment-variable access.
repo/worker/src/__tests__/bullmqVersionCheckOptions.test.ts:38
    process.env[key] = value;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2c2e9406dd528922 Environment-variable access.
repo/worker/src/__tests__/bullmqVersionCheckOptions.test.ts:100
    delete process.env.LANGFUSE_BULLMQ_SKIP_REDIS_VERSION_CHECK;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #57292b7d9826a63f Environment-variable access.
repo/worker/src/__tests__/bullmqVersionCheckOptions.test.ts:115
    process.env.LANGFUSE_BULLMQ_SKIP_REDIS_VERSION_CHECK = "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #de498862c75912c3 Environment-variable access.
repo/worker/src/__tests__/bullmqVersionCheckOptions.test.ts:139
    process.env.LANGFUSE_BULLMQ_SKIP_REDIS_VERSION_CHECK = "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e233e4efe2d7ec95 Filesystem access.
repo/worker/src/__tests__/chatml/framework-traces/download_traces.js:225
    fs.writeFileSync(path.join(__dirname, fileName), content, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5b98748a6d9f27e7 Filesystem access.
repo/worker/src/__tests__/chatml/integration.test.ts:2
import { readFileSync, existsSync, writeFileSync, readdirSync } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #03e4d20f1c25f52c Filesystem access.
repo/worker/src/__tests__/chatml/integration.test.ts:535
      const traceContent = readFileSync(traceFilePath, "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6507d4bb1bc60516 Filesystem access.
repo/worker/src/__tests__/chatml/integration.test.ts:544
        writeFileSync(expectedFilePath, JSON.stringify({}, null, 2), "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2bf9ddabc160051b Filesystem access.
repo/worker/src/__tests__/chatml/integration.test.ts:549
      const expectedContent = readFileSync(expectedFilePath, "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #67a8681a5b7cb43a Filesystem access.
repo/worker/src/__tests__/chatml/integration.test.ts:636
    const expectedContent = readFileSync(expectedFilePath, "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a4038acb23e84adb Filesystem access.
repo/worker/src/__tests__/chatml/integration.test.ts:640
    writeFileSync(expectedFilePath, JSON.stringify({}, null, 2), "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #67a222c4812e19af Filesystem access.
repo/worker/src/__tests__/chatml/integration.test.ts:646
  writeFileSync(expectedFilePath, JSON.stringify(expected, null, 2), "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a36166f6950ab50b Environment-variable access.
repo/worker/src/__tests__/encryption.test.ts:8
const originalEnv = process.env.ENCRYPTION_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #62a05f28df71bf35 Environment-variable access.
repo/worker/src/__tests__/encryption.test.ts:12
  process.env.ENCRYPTION_KEY =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #dedb43c3fb029f88 Environment-variable access.
repo/worker/src/__tests__/encryption.test.ts:18
  process.env.ENCRYPTION_KEY = originalEnv;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3e1848d5e85388a4 Environment-variable access.
repo/worker/src/__tests__/evalService.filtering.test.ts:21
let OPENAI_API_KEY = process.env.OPENAI_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6746acc7d18d23c9 Environment-variable access.
repo/worker/src/__tests__/evalService.filtering.test.ts:25
  OPENAI_API_KEY || process.env.LANGFUSE_LLM_CONNECTION_OPENAI_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bbf27b3902f7a37f Environment-variable access.
repo/worker/src/__tests__/evalService.test.ts:52
let OPENAI_API_KEY = process.env.OPENAI_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #215ab195ee49296c Environment-variable access.
repo/worker/src/__tests__/evalService.test.ts:56
  OPENAI_API_KEY || process.env.LANGFUSE_LLM_CONNECTION_OPENAI_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fb1a0e841a1219e8 Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionErrors.test.ts:30
process.env.CLICKHOUSE_URL ??= "http://localhost:8123";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1c7a073c8217bcc7 Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionErrors.test.ts:31
process.env.CLICKHOUSE_USER ??= "default";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #58a1cb255e3d47ba Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionErrors.test.ts:32
process.env.CLICKHOUSE_PASSWORD ??= "password";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9bd1abd85152ad38 Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionErrors.test.ts:33
process.env.LANGFUSE_S3_EVENT_UPLOAD_BUCKET ??= "test-bucket";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b7c58c82cb1184a2 Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionErrors.test.ts:34
process.env.ENCRYPTION_KEY ??=

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c7822c104dd3b093 Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionReasoning.test.ts:78
process.env.CLICKHOUSE_URL ??= "http://localhost:8123";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f1a5515e56f7e6c7 Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionReasoning.test.ts:79
process.env.CLICKHOUSE_USER ??= "default";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ce13c97851ef0cd5 Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionReasoning.test.ts:80
process.env.CLICKHOUSE_PASSWORD ??= "password";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9da66ea9282acac8 Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionReasoning.test.ts:81
process.env.LANGFUSE_S3_EVENT_UPLOAD_BUCKET ??= "test-bucket";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d8f00a187651d60e Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionReasoning.test.ts:82
process.env.ENCRYPTION_KEY ??=

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7752b1f2a80b3c2b Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionReasoning.test.ts:98
    originalCloudRegion = process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8f7b4d19750315bd Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionReasoning.test.ts:99
    delete process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8d2b955130c166c3 Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionReasoning.test.ts:114
      delete process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #376ea7f536c993e8 Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionReasoning.test.ts:116
      process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION = originalCloudRegion;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f2fe15eea074264a Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionTimeout.test.ts:28
process.env.CLICKHOUSE_URL ??= "http://localhost:8123";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #271f197a87124980 Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionTimeout.test.ts:29
process.env.CLICKHOUSE_USER ??= "default";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0ef222884f36d95d Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionTimeout.test.ts:30
process.env.CLICKHOUSE_PASSWORD ??= "password";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3bf975ab9d9f7fb3 Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionTimeout.test.ts:31
process.env.LANGFUSE_S3_EVENT_UPLOAD_BUCKET ??= "test-bucket";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f7a5e7f9e0539eab Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionTimeout.test.ts:32
process.env.ENCRYPTION_KEY ??=

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c28d1bee0b9752f8 Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionTimeout.test.ts:74
    originalCloudRegion = process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #55c832541810a579 Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionTimeout.test.ts:75
    delete process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a5868dbba73ac9d4 Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionTimeout.test.ts:97
      delete process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #84c9140d412c5bee Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionTimeout.test.ts:99
      process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION = originalCloudRegion;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #793c91d8a7c4c7c9 Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionTimeout.test.ts:236
    originalCloudRegion = process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #11b1a7463e16ee3c Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionTimeout.test.ts:237
    delete process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c2d64ebd71114d92 Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionTimeout.test.ts:264
      delete process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7604a173c71e16d0 Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionTimeout.test.ts:266
      process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION = originalCloudRegion;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress test-only #4e135ac8c4345141 Hardcoded external endpoint. Review what data is sent to this destination.
repo/worker/src/__tests__/ingestionMasking.test.ts:86
      http.post("https://masking.example.com/success", async ({ request }) => {
        this.receivedRequests.push({
          url: request.url,
          method: request.method,
          headers: Object.fromEntries(request.headers.entries()),
          body: await request.json(),
        });
        return HttpResponse.json(maskedSpanData, { status: 200 });
      }),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #3f5570f8db940886 Hardcoded external endpoint. Review what data is sent to this destination.
repo/worker/src/__tests__/ingestionMasking.test.ts:97
      http.post("https://masking.example.com/echo", async ({ request }) => {
        const body = await request.json();
        this.receivedRequests.push({
          url: request.url,
          method: request.method,
          headers: Object.fromEntries(request.headers.entries()),
          body,
        });
        return HttpResponse.json(body, { status: 200 });
      }),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #2e1ff12e728637aa Hardcoded external endpoint. Review what data is sent to this destination.
repo/worker/src/__tests__/ingestionMasking.test.ts:109
      http.post("https://masking.example.com/error", async ({ request }) => {
        this.receivedRequests.push({
          url: request.url,
          method: request.method,
          headers: Object.fromEntries(request.headers.entries()),
          body: await request.json(),
        });
        return HttpResponse.json(
          { error: "Internal Server Error" },
          { status: 500 },
        );
      }),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #2eb1720af58ac188 Hardcoded external endpoint. Review what data is sent to this destination.
repo/worker/src/__tests__/ingestionMasking.test.ts:123
      http.post("https://masking.example.com/timeout", async ({ request }) => {
        this.receivedRequests.push({
          url: request.url,
          method: request.method,
          headers: Object.fromEntries(request.headers.entries()),
          body: await request.json(),
        });
        // Delay longer than the timeout
        await delay(5000);
        return HttpResponse.json(maskedSpanData, { status: 200 });
      }),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs test-only #ca4580127eb83adb Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:246
      if (!process.env.LANGFUSE_LLM_CONNECTION_OPENAI_KEY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e8ecca4fb72f4b7a Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:275
          secretKey: encrypt(process.env.LANGFUSE_LLM_CONNECTION_OPENAI_KEY!),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8a7931f2b9353271 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:303
          secretKey: encrypt(process.env.LANGFUSE_LLM_CONNECTION_OPENAI_KEY!),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f046499c3f334dd8 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:330
        secretKey: encrypt(process.env.LANGFUSE_LLM_CONNECTION_OPENAI_KEY!),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #876540a7711cc9f0 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:356
          secretKey: encrypt(process.env.LANGFUSE_LLM_CONNECTION_OPENAI_KEY!),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #82121c5edd4da4c3 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:372
      if (!process.env.LANGFUSE_LLM_CONNECTION_ANTHROPIC_KEY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a244678ffcdb4139 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:402
            process.env.LANGFUSE_LLM_CONNECTION_ANTHROPIC_KEY!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #25eb9f32b801e33b Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:432
            process.env.LANGFUSE_LLM_CONNECTION_ANTHROPIC_KEY!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1cf2fe4ebb63eccf Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:460
        secretKey: encrypt(process.env.LANGFUSE_LLM_CONNECTION_ANTHROPIC_KEY!),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4e12c872ca4ada1e Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:487
            process.env.LANGFUSE_LLM_CONNECTION_ANTHROPIC_KEY!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7267e0838edbf553 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:502
      if (!process.env.LANGFUSE_LLM_CONNECTION_AZURE_KEY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #613a539e492da643 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:509
      if (!process.env.LANGFUSE_LLM_CONNECTION_AZURE_BASE_URL) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #39941161ba70f9af Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:516
      if (!process.env.LANGFUSE_LLM_CONNECTION_AZURE_MODEL) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f2e6ccdbdfa61eaf Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:540
          model: process.env.LANGFUSE_LLM_CONNECTION_AZURE_MODEL!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6a8f92e58d2c5b32 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:545
          secretKey: encrypt(process.env.LANGFUSE_LLM_CONNECTION_AZURE_KEY!),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5153749eb9e24461 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:546
          baseURL: process.env.LANGFUSE_LLM_CONNECTION_AZURE_BASE_URL!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bc3af9ad62b9ba1d Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:569
          model: process.env.LANGFUSE_LLM_CONNECTION_AZURE_MODEL!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7b5104be2b4bd772 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:574
          secretKey: encrypt(process.env.LANGFUSE_LLM_CONNECTION_AZURE_KEY!),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #31e49252ba43b02b Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:575
          baseURL: process.env.LANGFUSE_LLM_CONNECTION_AZURE_BASE_URL!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d1b54cde8da595c9 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:597
        model: process.env.LANGFUSE_LLM_CONNECTION_AZURE_MODEL!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cabe1bf62c96f6eb Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:602
        secretKey: encrypt(process.env.LANGFUSE_LLM_CONNECTION_AZURE_KEY!),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #19a3c5df01beac57 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:603
        baseURL: process.env.LANGFUSE_LLM_CONNECTION_AZURE_BASE_URL!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #35d663535ff9b8a4 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:623
          model: process.env.LANGFUSE_LLM_CONNECTION_AZURE_MODEL!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0dd0b0b1a025d340 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:629
          secretKey: encrypt(process.env.LANGFUSE_LLM_CONNECTION_AZURE_KEY!),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fd5c54e715727887 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:630
          baseURL: process.env.LANGFUSE_LLM_CONNECTION_AZURE_BASE_URL!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7282c80994083753 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:646
      if (!process.env.LANGFUSE_LLM_CONNECTION_BEDROCK_ACCESS_KEY_ID) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #dbb2048572f7098a Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:653
      if (!process.env.LANGFUSE_LLM_CONNECTION_BEDROCK_SECRET_ACCESS_KEY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a8e9e0f62e0d7bff Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:660
      if (!process.env.LANGFUSE_LLM_CONNECTION_BEDROCK_REGION) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f260c39bc82c09a5 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:672
        accessKeyId: process.env.LANGFUSE_LLM_CONNECTION_BEDROCK_ACCESS_KEY_ID!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8c85802dfdd04dcb Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:674
          process.env.LANGFUSE_LLM_CONNECTION_BEDROCK_SECRET_ACCESS_KEY!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #22777416d3fa7401 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:680
        region: process.env.LANGFUSE_LLM_CONNECTION_BEDROCK_REGION!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3d068edbd3333f81 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:806
      if (!process.env.LANGFUSE_LLM_CONNECTION_BEDROCK_API_KEY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ad56df649f003749 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:813
      if (!process.env.LANGFUSE_LLM_CONNECTION_BEDROCK_REGION) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f531ec8e74d31e41 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:825
        apiKey: process.env.LANGFUSE_LLM_CONNECTION_BEDROCK_API_KEY!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a7fb6fbe1e8b036a Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:830
      region: process.env.LANGFUSE_LLM_CONNECTION_BEDROCK_REGION!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #005c372837342852 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:905
      if (!process.env.LANGFUSE_LLM_CONNECTION_VERTEXAI_KEY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #75dcc3b868bbf723 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:934
          secretKey: encrypt(process.env.LANGFUSE_LLM_CONNECTION_VERTEXAI_KEY!),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c1516f0fca3f1888 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:968
              process.env.LANGFUSE_LLM_CONNECTION_VERTEXAI_KEY!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #631349498add87fb Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:1011
          secretKey: encrypt(process.env.LANGFUSE_LLM_CONNECTION_VERTEXAI_KEY!),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #227fc0975f14ab3a Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:1039
        secretKey: encrypt(process.env.LANGFUSE_LLM_CONNECTION_VERTEXAI_KEY!),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f10dde56743d332d Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:1066
          secretKey: encrypt(process.env.LANGFUSE_LLM_CONNECTION_VERTEXAI_KEY!),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #63db481113e53967 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:1100
          secretKey: encrypt(process.env.LANGFUSE_LLM_CONNECTION_VERTEXAI_KEY!),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bddb664401aedb01 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:1137
          secretKey: encrypt(process.env.LANGFUSE_LLM_CONNECTION_VERTEXAI_KEY!),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f67de35c126bb5b9 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:1153
      if (!process.env.LANGFUSE_LLM_CONNECTION_GOOGLEAISTUDIO_KEY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e442405835495df9 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:1184
              process.env.LANGFUSE_LLM_CONNECTION_GOOGLEAISTUDIO_KEY!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #60379330242c654e Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:1217
              process.env.LANGFUSE_LLM_CONNECTION_GOOGLEAISTUDIO_KEY!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cdd88d29d6d8a431 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:1247
          process.env.LANGFUSE_LLM_CONNECTION_GOOGLEAISTUDIO_KEY!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #49905079f7749cc7 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:1277
              process.env.LANGFUSE_LLM_CONNECTION_GOOGLEAISTUDIO_KEY!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #517e4008cf7bf4d0 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:1315
              process.env.LANGFUSE_LLM_CONNECTION_GOOGLEAISTUDIO_KEY!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #56bb2b77834a3181 Environment-variable access.
repo/worker/src/__tests__/modelMatch.test.ts:24
  process.env.LANGFUSE_LOCAL_CACHE_MODEL_MATCH_ENABLED;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0f9aaeb030a8c997 Environment-variable access.
repo/worker/src/__tests__/modelMatch.test.ts:28
    process.env.LANGFUSE_LOCAL_CACHE_MODEL_MATCH_ENABLED = "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #de29303b94c41c7e Environment-variable access.
repo/worker/src/__tests__/modelMatch.test.ts:47
      delete process.env.LANGFUSE_LOCAL_CACHE_MODEL_MATCH_ENABLED;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f22caf9d6f885af6 Environment-variable access.
repo/worker/src/__tests__/modelMatch.test.ts:49
      process.env.LANGFUSE_LOCAL_CACHE_MODEL_MATCH_ENABLED =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress test-only #35878d3443bfd88b Hardcoded external endpoint. Review what data is sent to this destination.
repo/worker/src/__tests__/monitorWorkerIntegration.test.ts:287
      http.post("https://webhook.example.com/*", async ({ request }) => {
        this.receivedRequests.push({
          url: request.url,
          method: request.method,
          body: JSON.stringify(await request.json()),
        });
        return HttpResponse.json({ success: true }, { status: 200 });
      }),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #32a608940ba8aa51 Hardcoded external endpoint. Review what data is sent to this destination.
repo/worker/src/__tests__/network.ts:44
  return http.post("https://api.openai.com/v1/chat/completions", async () => {
    logger.info("openai handler");
    return response;
  });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs test-only #abf3a8916355aa81 Environment-variable access.
repo/worker/src/__tests__/thresholdProcessing.test.ts:6
  process.env.LANGFUSE_FREE_TIER_USAGE_THRESHOLD_ENFORCEMENT_ENABLED = "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2b197a18577238ad Environment-variable access.
repo/worker/src/__tests__/thresholdProcessing.test.ts:326
        process.env.LANGFUSE_FREE_TIER_USAGE_THRESHOLD_ENFORCEMENT_ENABLED;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #581a71f7ba522308 Environment-variable access.
repo/worker/src/__tests__/thresholdProcessing.test.ts:327
      process.env.LANGFUSE_FREE_TIER_USAGE_THRESHOLD_ENFORCEMENT_ENABLED =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9b65a4608aee1f1f Environment-variable access.
repo/worker/src/__tests__/thresholdProcessing.test.ts:354
      process.env.LANGFUSE_FREE_TIER_USAGE_THRESHOLD_ENFORCEMENT_ENABLED =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3806eac1f5ab935e Environment-variable access.
repo/worker/src/__tests__/thresholdProcessing.test.ts:362
        process.env.LANGFUSE_FREE_TIER_USAGE_THRESHOLD_ENFORCEMENT_ENABLED;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #997806be4ec9ef89 Environment-variable access.
repo/worker/src/__tests__/thresholdProcessing.test.ts:363
      process.env.LANGFUSE_FREE_TIER_USAGE_THRESHOLD_ENFORCEMENT_ENABLED =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ad97aa4b7392dfc8 Environment-variable access.
repo/worker/src/__tests__/thresholdProcessing.test.ts:388
      process.env.LANGFUSE_FREE_TIER_USAGE_THRESHOLD_ENFORCEMENT_ENABLED =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #493d24b29aba45cb Environment-variable access.
repo/worker/src/__tests__/thresholdProcessing.test.ts:396
        process.env.LANGFUSE_FREE_TIER_USAGE_THRESHOLD_ENFORCEMENT_ENABLED;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fe2478fd029330a9 Environment-variable access.
repo/worker/src/__tests__/thresholdProcessing.test.ts:397
      process.env.LANGFUSE_FREE_TIER_USAGE_THRESHOLD_ENFORCEMENT_ENABLED =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #73d7cd8d4120a58c Environment-variable access.
repo/worker/src/__tests__/thresholdProcessing.test.ts:420
      process.env.LANGFUSE_FREE_TIER_USAGE_THRESHOLD_ENFORCEMENT_ENABLED =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #373c4aa1f789a997 Environment-variable access.
repo/worker/src/__tests__/thresholdProcessing.test.ts:428
        process.env.LANGFUSE_FREE_TIER_USAGE_THRESHOLD_ENFORCEMENT_ENABLED;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #dc93f35000b8aafd Environment-variable access.
repo/worker/src/__tests__/thresholdProcessing.test.ts:429
      process.env.LANGFUSE_FREE_TIER_USAGE_THRESHOLD_ENFORCEMENT_ENABLED =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2e30b980867a3afc Environment-variable access.
repo/worker/src/__tests__/thresholdProcessing.test.ts:462
      process.env.LANGFUSE_FREE_TIER_USAGE_THRESHOLD_ENFORCEMENT_ENABLED =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #264f2687bcfaccdb Environment-variable access.
repo/worker/src/__tests__/usageThresholdCacheInvalidation.test.ts:15
  process.env.LANGFUSE_FREE_TIER_USAGE_THRESHOLD_ENFORCEMENT_ENABLED = "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4c905550cef5b647 Environment-variable access.
repo/worker/src/__tests__/usageThresholdCacheInvalidation.test.ts:19
const SALT = process.env.SALT || "test-salt-for-hashing";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress test-only #7d507385c2c4d033 Hardcoded external endpoint. Review what data is sent to this destination.
repo/worker/src/__tests__/webhook-redirect.test.ts:206
        http.post("https://redirector.example.com/step1", () => {
          step1Called = true;
          return new Response(null, {
            status: 302,
            headers: { Location: "https://final.example.com/webhook" },
          });
        }),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #8c146ad5aeb5ca1f Hardcoded external endpoint. Review what data is sent to this destination.
repo/worker/src/__tests__/webhook-redirect.test.ts:213
        http.post("https://final.example.com/webhook", () => {
          step2Called = true;
          return HttpResponse.json({ success: true }, { status: 200 });
        }),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #ebc6eeb2f96415a2 Hardcoded external endpoint. Review what data is sent to this destination.
repo/worker/src/__tests__/webhook-redirect.test.ts:244
        http.post("https://redirector.example.com/step1", () => {
          callOrder.push("step1");
          return new Response(null, {
            status: 302,
            headers: { Location: "https://redirector.example.com/step2" },
          });
        }),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #3be8bf55e099ebc0 Hardcoded external endpoint. Review what data is sent to this destination.
repo/worker/src/__tests__/webhook-redirect.test.ts:251
        http.post("https://redirector.example.com/step2", () => {
          callOrder.push("step2");
          return new Response(null, {
            status: 302,
            headers: { Location: "https://redirector.example.com/step3" },
          });
        }),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #c720d16e730e8c0c Hardcoded external endpoint. Review what data is sent to this destination.
repo/worker/src/__tests__/webhook-redirect.test.ts:258
        http.post("https://redirector.example.com/step3", () => {
          callOrder.push("step3");
          return HttpResponse.json({ success: true }, { status: 200 });
        }),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #5c600c5259c41d5b Hardcoded external endpoint. Review what data is sent to this destination.
repo/worker/src/__tests__/webhook-redirect.test.ts:288
        http.post("https://direct.example.com/webhook", () => {
          called = true;
          return HttpResponse.json({ success: true }, { status: 200 });
        }),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #4b19e571fb622291 Hardcoded external endpoint. Review what data is sent to this destination.
repo/worker/src/__tests__/webhook-redirect.test.ts:318
        http.post("https://relative-redirect.example.com/start", () => {
          return new Response(null, {
            status: 302,
            headers: { Location: "/final" }, // Relative URL
          });
        }),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #54ea9f6613861dab Hardcoded external endpoint. Review what data is sent to this destination.
repo/worker/src/__tests__/webhook-redirect.test.ts:324
        http.post("https://relative-redirect.example.com/final", () => {
          finalCalled = true;
          return HttpResponse.json({ success: true }, { status: 200 });
        }),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #b3df7e1ef7fdf4c7 Hardcoded external endpoint. Review what data is sent to this destination.
repo/worker/src/__tests__/webhook-redirect.test.ts:396
        http.post("https://circular.example.com/a", () => {
          return new Response(null, {
            status: 302,
            headers: { Location: "https://circular.example.com/b" },
          });
        }),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #f0059c20e640e6cc Hardcoded external endpoint. Review what data is sent to this destination.
repo/worker/src/__tests__/webhook-redirect.test.ts:402
        http.post("https://circular.example.com/b", () => {
          return new Response(null, {
            status: 302,
            headers: { Location: "https://circular.example.com/a" },
          });
        }),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #2b699cb7340eb808 Hardcoded external endpoint. Review what data is sent to this destination.
repo/worker/src/__tests__/webhook-redirect.test.ts:431
        http.post("https://broken-redirect.example.com/hook", () => {
          // Return 302 without Location header
          return new Response(null, { status: 302 });
        }),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #c5c30ae23920b622 Hardcoded external endpoint. Review what data is sent to this destination.
repo/worker/src/__tests__/webhooks.test.ts:48
      http.post("https://webhook.example.com/*", async ({ request }) => {
        this.receivedRequests.push({
          url: request.url,
          method: request.method,
          headers: Object.fromEntries(request.headers.entries()),
          body: JSON.stringify(await request.json()),
        });
        return HttpResponse.json({ success: true }, { status: 200 });
      }),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #8412954dfc848338 Hardcoded external endpoint. Review what data is sent to this destination.
repo/worker/src/__tests__/webhooks.test.ts:59
      http.post("https://webhook-error.example.com/*", async ({ request }) => {
        this.receivedRequests.push({
          url: request.url,
          method: request.method,
          headers: Object.fromEntries(request.headers.entries()),
          body: JSON.stringify(await request.json()),
        });
        return HttpResponse.json(
          { error: "Internal Server Error" },
          { status: 500 },
        );
      }),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #09e4f2c1a10f7f56 Hardcoded external endpoint. Review what data is sent to this destination.
repo/worker/src/__tests__/webhooks.test.ts:73
      http.post("https://webhook-201.example.com/*", async ({ request }) => {
        this.receivedRequests.push({
          url: request.url,
          method: request.method,
          headers: Object.fromEntries(request.headers.entries()),
          body: JSON.stringify(await request.json()),
        });
        return HttpResponse.json({ success: true }, { status: 201 });
      }),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #1d1b8991b61e8822 Hardcoded external endpoint. Review what data is sent to this destination.
repo/worker/src/__tests__/webhooks.test.ts:84
      http.post("https://webhook-timeout.example.com/*", () => {
        return HttpResponse.error();
      }),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #a051f74942631c1d Environment-variable access.
repo/worker/src/env.ts:612
  process.env.DOCKER_BUILD === "1" // eslint-disable-line turbo/no-undeclared-env-vars

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bfe7c839ae13472e Environment-variable access.
repo/worker/src/features/evaluation/codeBased/awsLambdaCodeEvalDispatcher.integration.test.ts:9
const endpoint = process.env.LANGFUSE_CODE_EVAL_AWS_LAMBDA_ENDPOINT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #96232ad14e62fedc Environment-variable access.
repo/worker/src/features/evaluation/codeBased/awsLambdaCodeEvalDispatcher.integration.test.ts:13
process.env.AWS_ACCESS_KEY_ID ??= "test";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8c812234e5a7faaf Environment-variable access.
repo/worker/src/features/evaluation/codeBased/awsLambdaCodeEvalDispatcher.integration.test.ts:14
process.env.AWS_SECRET_ACCESS_KEY ??= "test";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #313151e18ab43a9f Environment-variable access.
repo/worker/src/features/evaluation/codeBased/awsLambdaCodeEvalDispatcher.integration.test.ts:15
process.env.AWS_REGION ??= "us-east-1";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1aca58b7639d4694 Filesystem access.
repo/worker/src/scripts/convertDefaultModelPricesToTiers.ts:32
import * as fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3ee80718a841ca54 Filesystem access.
repo/worker/src/scripts/convertDefaultModelPricesToTiers.ts:133
  const oldData = JSON.parse(fs.readFileSync(inputPath, "utf-8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #165baa64d990eba7 Filesystem access.
repo/worker/src/scripts/convertDefaultModelPricesToTiers.ts:149
  fs.writeFileSync(outputPath, JSON.stringify(newModels, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8dd481377544ae3b Filesystem access.
repo/worker/src/scripts/createDefaultModelPricesJson.ts:68
    await fs.writeFile(EXPORT_PATH, JSON.stringify(modelPrices, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3922d048d7bf0a15 Filesystem access.
repo/worker/src/scripts/refillQueueEvent/index.ts:3
import * as fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c0d864258389adcf Filesystem access.
repo/worker/src/scripts/refillQueueEvent/index.ts:67
  const fileContent = fs.readFileSync(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bd33b6986c477ea8 Filesystem access.
repo/worker/src/scripts/replayIngestionEvents/s3-ingestion-event-replay.ts:13
import * as fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1a3eb210733d3f00 Environment-variable access.
repo/worker/src/scripts/replayIngestionEventsV2/replay.ts:56
const LANGFUSE_HOST = process.env.LANGFUSE_HOST;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2ea8984debbc0dda Environment-variable access.
repo/worker/src/scripts/replayIngestionEventsV2/replay.ts:57
const ADMIN_API_KEY = process.env.ADMIN_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b5d937db4e6f6064 Filesystem access.
repo/worker/src/scripts/replayIngestionEventsV2/replay.ts:79
  const content = readFileSync(CHECKPOINT_FILE, "utf-8").trim();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7df07cf10bb43706 Filesystem access.
repo/worker/src/scripts/replayIngestionEventsV2/replay.ts:85
  writeFileSync(CHECKPOINT_FILE, String(offset), "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #da6880e23b337c53 Filesystem access.
repo/worker/src/scripts/verifyClickhouseRecords/index.ts:254
    await writeFile(outPath, failedObservationList.join("\n"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ad60c80f34c37e7b Filesystem access.
repo/worker/src/scripts/verifyClickhouseRecords/index.ts:269
    await writeFile(outPath, failedTraceList.join("\n"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #46c86a78d66e8031 Filesystem access.
repo/worker/src/scripts/verifyClickhouseRecords/index.ts:282
    await writeFile(outPath, failedScoreList.join("\n"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7d3a15ac4d0e9384 Environment-variable access.
repo/worker/src/utils/hostId.ts:14
    process.env.ECS_CONTAINER_METADATA_URI_V4 ??

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c97ffc86dde92ae9 Environment-variable access.
repo/worker/src/utils/hostId.ts:15
    process.env.ECS_CONTAINER_METADATA_URI;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ccd8decd23cbe107 Environment-variable access.
repo/worker/src/utils/hostId.ts:22
  const envHost = process.env.HOSTNAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2a03def7bfcee5b2 Environment-variable access.
repo/worker/vitest.config.ts:10
    reporters: process.env.CI

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f98f22eef4b1a8b7 Environment-variable access.
repo/worker/vitest.config.ts:13
    silent: process.env.CI ? "passed-only" : false,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2687a3fc9d6643e3 Environment-variable access.
repo/worker/vitest.config.ts:14
    retry: process.env.CI ? 3 : 0,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e7f98e08b5cc9dd5 Environment-variable access.
repo/worker/vitest.config.ts:18
    slowTestThreshold: process.env.CI ? 2_000 : 300,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): web

npm first-party
high pii_flow production #4e6878fcca75e05e User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:177 · flow /tmp/closeopen-yihwgiie/repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:54 → /tmp/closeopen-yihwgiie/repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:177
      await this.post({
        url: this.config.userUrl,
        payload: { isLangfuse: true, ...parsed.data },
        context: { event: "upsertUser", userId: parsed.data.userId },
        expectJsonResponse: false,
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #7a931a61c73dbe28 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:207 · flow /tmp/closeopen-yihwgiie/repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:67 → /tmp/closeopen-yihwgiie/repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:207
      const response = await this.post({
        url: this.config.orgUrl,
        payload: {
          isLangfuse: true,
          type: "updateOrg" as const,
          langfuseDataRegion: this.config.dataRegion,
          // The Mulesoft updateOrg flow runs `numServices* > 0` comparisons
          // and 500s on null — always send 0
          numServicesAws: 0,
          numServicesGcp: 0,
          numServicesAzure: 0,
          ...parsed.data,
        },
        context: { event: "upsertOrg", orgId: parsed.data.orgId },
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #17218584575f0f04 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:263 · flow /tmp/closeopen-yihwgiie/repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:74 → /tmp/closeopen-yihwgiie/repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:263
        await this.post({
          url: this.config.orgUrl,
          payload: {
            isLangfuse: true,
            type: "setUserRole" as const,
            ...parsed.data,
          },
          context: {
            event: "setUserRole",
            orgId: parsed.data.orgId,
            userId: parsed.data.userId,
          },
          expectJsonResponse: false,
        });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #7a5ee2f1d5692720 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:303 · flow /tmp/closeopen-yihwgiie/repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:81 → /tmp/closeopen-yihwgiie/repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:303
        await this.post({
          url: this.config.orgUrl,
          payload: {
            isLangfuse: true,
            type: "removeUser" as const,
            ...parsed.data,
          },
          context: {
            event: "removeUser",
            orgId: parsed.data.orgId,
            userId: parsed.data.userId,
          },
          expectJsonResponse: false,
        });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #486aad08d37ab92e User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/features/auth-credentials/server/signupApiHandler.ts:116 · flow /tmp/closeopen-yihwgiie/repo/web/src/features/auth-credentials/server/signupApiHandler.ts:95 → /tmp/closeopen-yihwgiie/repo/web/src/features/auth-credentials/server/signupApiHandler.ts:116
    await fetch(env.LANGFUSE_NEW_USER_SIGNUP_WEBHOOK, {
      method: "POST",
      body: JSON.stringify({
        name: body.name,
        email: body.email,
        referralSource: body.referralSource,
        cloudRegion: env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION,
        userId: userId,
      }),
      headers: {
        "Content-Type": "application/json",
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #0ad9424cb23a0ea1 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/pages/api/auth/signup-verify.ts:96 · flow /tmp/closeopen-yihwgiie/repo/web/src/pages/api/auth/signup-verify.ts:12 → /tmp/closeopen-yihwgiie/repo/web/src/pages/api/auth/signup-verify.ts:96
      await fetch(env.LANGFUSE_NEW_USER_SIGNUP_WEBHOOK, {
        method: "POST",
        body: JSON.stringify({
          name,
          email: normalizedEmail,
          cloudRegion: env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION,
          userId: newUser.id,
        }),
        headers: {
          "Content-Type": "application/json",
        },
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #38330c57728b5445 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/pages/auth/enterprise-sso-required.tsx:92 · flow /tmp/closeopen-yihwgiie/repo/web/src/pages/auth/enterprise-sso-required.tsx:84 → /tmp/closeopen-yihwgiie/repo/web/src/pages/auth/enterprise-sso-required.tsx:92
      const response = await fetch(
        `${env.NEXT_PUBLIC_BASE_PATH ?? ""}/api/auth/check-sso`,
        {
          method: "POST",
          headers: { "Content-Type": "application/json" },
          body: JSON.stringify({ domain }),
        },
      );

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #3a368afbc7ee43c7 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/pages/auth/sign-in.tsx:677 · flow /tmp/closeopen-yihwgiie/repo/web/src/pages/auth/sign-in.tsx:663 → /tmp/closeopen-yihwgiie/repo/web/src/pages/auth/sign-in.tsx:677
      const res = await fetch(
        `${env.NEXT_PUBLIC_BASE_PATH ?? ""}/api/auth/check-sso`,
        {
          method: "POST",
          headers: { "Content-Type": "application/json" },
          body: JSON.stringify({ domain }),
        },
      );

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #d446931d673df1b3 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/pages/auth/sign-up.tsx:148 · flow /tmp/closeopen-yihwgiie/repo/web/src/pages/auth/sign-up.tsx:133 → /tmp/closeopen-yihwgiie/repo/web/src/pages/auth/sign-up.tsx:148
      const res = await fetch(
        `${env.NEXT_PUBLIC_BASE_PATH ?? ""}/api/auth/check-sso`,
        {
          method: "POST",
          headers: { "Content-Type": "application/json" },
          body: JSON.stringify({ domain }),
        },
      );

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #fc620bb0678d1965 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/pages/auth/sign-up.tsx:349 · flow /tmp/closeopen-yihwgiie/repo/web/src/pages/auth/sign-up.tsx:354 → /tmp/closeopen-yihwgiie/repo/web/src/pages/auth/sign-up.tsx:349
      const res = await fetch(
        `${env.NEXT_PUBLIC_BASE_PATH ?? ""}/api/auth/signup-verify`,
        {
          method: "POST",
          headers: { "Content-Type": "application/json" },
          body: JSON.stringify({ email: values.email, name: values.name }),
        },
      );

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #f08126cfd35d728f User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/server/adminAccessWebhook.ts:57 · flow /tmp/closeopen-yihwgiie/repo/web/src/server/adminAccessWebhook.ts:47 → /tmp/closeopen-yihwgiie/repo/web/src/server/adminAccessWebhook.ts:57
    const response = await fetch(env.LANGFUSE_ADMIN_ACCESS_WEBHOOK, {
      method: "POST",
      body: JSON.stringify(payload),
      headers: {
        "Content-Type": "application/json",
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #ccaf40b4417f5f0e User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/web/src/server/auth.ts:1095 · flow /tmp/closeopen-yihwgiie/repo/web/src/server/auth.ts:1099 → /tmp/closeopen-yihwgiie/repo/web/src/server/auth.ts:1095
          await fetch(env.LANGFUSE_NEW_USER_SIGNUP_WEBHOOK, {
            method: "POST",
            body: JSON.stringify({
              name: user.name,
              email: user.email,
              cloudRegion: env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION,
              userId: user.id,
              // referralSource: ...
            }),
            headers: {
              "Content-Type": "application/json",
            },
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium telemetry production #5d372edca2439eb1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/instrumentation-client.ts:1
import * as Sentry from "@sentry/nextjs";

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #3cf9eb5f120aeb0e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/next.config.mjs:6
import { withSentryConfig } from "@sentry/nextjs";

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #df6fbf8c5b511e74 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/components/error-page.tsx:7
import { captureException } from "@sentry/nextjs";

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #9fd00da7dddb992f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/components/layouts/app-layout/index.tsx:15
import posthog from "posthog-js";

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ab2e271ec294a0e0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/components/layouts/app-layout/index.tsx:133
      posthog.reset();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #642358c87857849d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/components/ui/resizable-image.tsx:9
import { captureException } from "@sentry/nextjs";

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium pii_flow production #555bfedc11426849 Credentials parsed from the request URL are applied as authorization on the same outbound HTTP request. This is intentional URL authentication, not unexpected data exfiltration.
repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:177 · flow /tmp/closeopen-yihwgiie/repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:180 → /tmp/closeopen-yihwgiie/repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:177
      await this.post({
        url: this.config.userUrl,
        payload: { isLangfuse: true, ...parsed.data },
        context: { event: "upsertUser", userId: parsed.data.userId },
        expectJsonResponse: false,
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow production #6bd7b2a0e2b8cd60 Credentials parsed from the request URL are applied as authorization on the same outbound HTTP request. This is intentional URL authentication, not unexpected data exfiltration.
repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:263 · flow /tmp/closeopen-yihwgiie/repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:273 → /tmp/closeopen-yihwgiie/repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:263
        await this.post({
          url: this.config.orgUrl,
          payload: {
            isLangfuse: true,
            type: "setUserRole" as const,
            ...parsed.data,
          },
          context: {
            event: "setUserRole",
            orgId: parsed.data.orgId,
            userId: parsed.data.userId,
          },
          expectJsonResponse: false,
        });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow production #352a4b3e5bf56a8e Credentials parsed from the request URL are applied as authorization on the same outbound HTTP request. This is intentional URL authentication, not unexpected data exfiltration.
repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:303 · flow /tmp/closeopen-yihwgiie/repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:313 → /tmp/closeopen-yihwgiie/repo/web/src/ee/features/sfdc-sync/server/sfdcService.ts:303
        await this.post({
          url: this.config.orgUrl,
          payload: {
            isLangfuse: true,
            type: "removeUser" as const,
            ...parsed.data,
          },
          context: {
            event: "removeUser",
            orgId: parsed.data.orgId,
            userId: parsed.data.userId,
          },
          expectJsonResponse: false,
        });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium telemetry production #a1d56f21c5048caf Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/features/auth/lib/createProjectMembershipsOnSignup.ts:269
        posthog.capture({
          distinctId: user.id,
          event: "cloud_signup_complete",
          properties: {
            cloudRegion: env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION,
            hasDemoAccess: demoProject !== undefined,
            hasDefaultOrg: defaultOrgs.length > 0,
            hasDefaultProject: defaultProjects.length > 0,
          },
        });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #2b24289103419e31 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/features/auth/lib/createProjectMembershipsOnSignup.ts:279
        await posthog.shutdown();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #82cec99874dd9da9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/features/events/hooks/useV4Beta.ts:4
import posthog from "posthog-js";

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #2fc97c0adf8cd5c6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/features/events/hooks/useV4Beta.ts:35
            posthog.setPersonProperties({
              [V4_BETA_ENABLED_POSTHOG_PROPERTY]: v4BetaEnabled,
            });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #9786e0ddd3e4292f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/features/events/hooks/useV4Beta.ts:38
            posthog.register({
              [V4_BETA_ENABLED_POSTHOG_PROPERTY]: v4BetaEnabled,
            });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #35d6371115eae7c3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/features/posthog-analytics/ServerPosthog.ts:2
import { PostHog } from "posthog-node";

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d52d86711e470817 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/features/posthog-analytics/usePostHogClientCapture.ts:1
import { type CaptureResult, type CaptureOptions } from "posthog-js";

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #41455ade6b3b9859 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/features/posthog-analytics/usePostHogClientCapture.ts:244
    return posthog.capture(eventName, properties, options);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #35ac8b0ad9cde5ab Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/features/telemetry/index.ts:252
    posthog.capture({
      distinctId: "docker:" + clientId,
      event: "telemetry",
      properties: {
        langfuseVersion: VERSION,
        userDomains: domains,
        totalProjects: totalProjects,
        traces: countTraces,
        scores: countScores,
        observations: countObservations,
        datasets: countDatasets,
        datasetItems: countDatasetItems,
        datasetRuns: countDatasetRuns,
        datasetRunItems: countDatasetRunItems,
        startTimeframe: startTimeframe?.toISOString(),
        endTimeframe: endTimeframe.toISOString(),
        eeLicenseKey: env.LANGFUSE_EE_LICENSE_KEY,
        langfuseCloudRegion: env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION,
        $set: {
          environment: process.env.NODE_ENV,
          userDomains: domains,
          docker: true,
          langfuseVersion: VERSION,
        },
      },
    });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b02d687c59e8d6d1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/features/telemetry/index.ts:279
    await posthog.shutdown();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #584073552188bedf Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/pages/_app.tsx:4
import { setUser } from "@sentry/nextjs";

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a90b395628fb2fd3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/pages/_app.tsx:19
import posthog from "posthog-js";

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #52ac7659d900984f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/pages/_app.tsx:90
  posthog.init(process.env.NEXT_PUBLIC_POSTHOG_KEY, {
    api_host: process.env.NEXT_PUBLIC_POSTHOG_HOST || "https://eu.posthog.com",
    ui_host: "https://eu.posthog.com",
    // Enable debug mode in development
    loaded: (posthog) => {
      if (process.env.NODE_ENV === "development") posthog.debug();
    },
    session_recording: {
      maskCapturedNetworkRequestFn(request) {
        request.requestBody = request.requestBody ? "REDACTED" : undefined;
        request.responseBody = request.responseBody ? "REDACTED" : undefined;
        return request;
      },
    },
    autocapture: false,
    enable_heatmaps: false,
    persistence: "cookie",
  });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e036594ac730e847 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/pages/_app.tsx:95
      if (process.env.NODE_ENV === "development") posthog.debug();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #61a6685335526154 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/pages/_app.tsx:120
        posthog.capture("$pageview");

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b8e11bda4b9f039f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/pages/_app.tsx:193
        posthog.identify(sessionUser.id ?? undefined, {
          environment: process.env.NODE_ENV,
          email: sessionUser.email ?? undefined,
          name: sessionUser.name ?? undefined,
          featureFlags: sessionUser.featureFlags ?? undefined,
          projects:
            sessionUser.organizations.flatMap((org) =>
              org.projects.map((project) => ({
                ...project,
                organization: org,
              })),
            ) ?? undefined,
          LANGFUSE_CLOUD_REGION: region,
          [V4_BETA_ENABLED_POSTHOG_PROPERTY]:
            sessionUser.v4BetaEnabled ?? false,
        });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e11baa07dde2272d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/pages/_app.tsx:209
        posthog.register({
          [V4_BETA_ENABLED_POSTHOG_PROPERTY]:
            sessionUser.v4BetaEnabled ?? false,
        });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #3007cf481ff80554 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/pages/_app.tsx:222
      posthog.unregister(V4_BETA_ENABLED_POSTHOG_PROPERTY);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #5d28ab901d4a09a6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/pages/auth/enterprise-sso-required.tsx:21
import { captureException } from "@sentry/nextjs";

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #5099c7b0e3666abe Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/pages/auth/sign-in.tsx:41
import { captureException } from "@sentry/nextjs";

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d873f3f3f8552b79 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/web/src/utils/api.ts:8
import { captureException } from "@sentry/nextjs";

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 372 low-confidence finding(s)
low env_fs production #5b358a043ce446e0 Environment-variable access.
repo/web/instrumentation-client.ts:4
  process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION !== undefined

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #38f4c884680c98af Environment-variable access.
repo/web/instrumentation-client.ts:5
    ? ["EU", "US"].includes(process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a628a099515b5efd Environment-variable access.
repo/web/instrumentation-client.ts:9
  dsn: process.env.NEXT_PUBLIC_SENTRY_DSN,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #306c4db8d4db55cd Environment-variable access.
repo/web/instrumentation-client.ts:10
  environment: process.env.NEXT_PUBLIC_SENTRY_ENVIRONMENT,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c4acdbce4a17c1be Environment-variable access.
repo/web/instrumentation-client.ts:11
  release: process.env.NEXT_PUBLIC_BUILD_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a54104f713d3fec7 Environment-variable access.
repo/web/instrumentation-client.ts:53
  tracesSampleRate: process.env.NEXT_PUBLIC_LANGFUSE_TRACING_SAMPLE_RATE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ff0d55518952ddab Environment-variable access.
repo/web/instrumentation-client.ts:54
    ? Number(process.env.NEXT_PUBLIC_LANGFUSE_TRACING_SAMPLE_RATE)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a873cca3121e15f4 Environment-variable access.
repo/web/instrumentation-client.ts:59
  replaysSessionSampleRate: process.env.NEXT_PUBLIC_LANGFUSE_TRACING_SAMPLE_RATE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b6784e7dec82b421 Environment-variable access.
repo/web/instrumentation-client.ts:60
    ? Number(process.env.NEXT_PUBLIC_LANGFUSE_TRACING_SAMPLE_RATE)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eacc390f45241759 Environment-variable access.
repo/web/next.config.mjs:66
  distDir: process.env.NEXT_DIST_DIR || ".next",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6ffedab8ca70506b Environment-variable access.
repo/web/next.config.mjs:71
    ignoreBuildErrors: process.env.NEXT_IGNORE_BUILD_ERRORS === "true",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2bc2b7f75f0c2a4d Environment-variable access.
repo/web/next.config.mjs:257
  org: process.env.SENTRY_ORG,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5c5b72dc5c962640 Environment-variable access.
repo/web/next.config.mjs:258
  project: process.env.SENTRY_PROJECT,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b405e2c3301475d3 Environment-variable access.
repo/web/next.config.mjs:263
  silent: !process.env.CI,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3397e606862f9f1e Environment-variable access.
repo/web/playwright.config.ts:16
    command: process.env.CI ? "npm run start" : "npm run dev",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9f1ec6c42d9b8390 Environment-variable access.
repo/web/playwright.config.ts:18
    reuseExistingServer: !process.env.CI,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #33568217abf4e8af Environment-variable access.
repo/web/src/__tests__/after-teardown.ts:9
  if (process.env.VITEST_SHARED_CONTEXT === "1") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f0dd99412e9bc103 Environment-variable access.
repo/web/src/__tests__/server/code-eval-test-run-trpc.servertest.ts:6
  process.env.LANGFUSE_CODE_EVAL_DISPATCHER = "insecure-local";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #40fe2b9d22007e87 Environment-variable access.
repo/web/src/__tests__/server/dataset-item-media-references.servertest.ts:242
    process.env.LANGFUSE_USE_AZURE_BLOB === "true" ? it : it.skip;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1359b0184c3ee6a6 Environment-variable access.
repo/web/src/__tests__/server/dataset-service.servertest.ts:34
process.env.LANGFUSE_DATASET_SERVICE_READ_FROM_VERSIONED_IMPLEMENTATION =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6db7a16c1975a5ab Environment-variable access.
repo/web/src/__tests__/server/dataset-service.servertest.ts:36
process.env.LANGFUSE_DATASET_SERVICE_WRITE_TO_VERSIONED_IMPLEMENTATION = "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1225c0e0c0252454 Environment-variable access.
repo/web/src/__tests__/server/datasets-api.servertest.ts:2
process.env.LANGFUSE_DATASET_SERVICE_READ_FROM_VERSIONED_IMPLEMENTATION =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4ae5b536562d30e9 Environment-variable access.
repo/web/src/__tests__/server/datasets-api.servertest.ts:4
process.env.LANGFUSE_DATASET_SERVICE_WRITE_TO_VERSIONED_IMPLEMENTATION = "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #37853d92a7920c16 Environment-variable access.
repo/web/src/__tests__/server/datasets-schema-validation.servertest.ts:20
process.env.LANGFUSE_DATASET_SERVICE_READ_FROM_VERSIONED_IMPLEMENTATION =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ea81ee86666286ec Environment-variable access.
repo/web/src/__tests__/server/datasets-schema-validation.servertest.ts:22
process.env.LANGFUSE_DATASET_SERVICE_WRITE_TO_VERSIONED_IMPLEMENTATION = "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5730482f3fc8b212 Environment-variable access.
repo/web/src/__tests__/server/datasets-ui-table.servertest.ts:12
process.env.LANGFUSE_DATASET_SERVICE_READ_FROM_VERSIONED_IMPLEMENTATION =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2639462416363aa8 Environment-variable access.
repo/web/src/__tests__/server/datasets-ui-table.servertest.ts:14
process.env.LANGFUSE_DATASET_SERVICE_WRITE_TO_VERSIONED_IMPLEMENTATION = "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f314e0c0e92a1e4c Environment-variable access.
repo/web/src/__tests__/server/evals-trpc.servertest.ts:5
  process.env.LANGFUSE_CODE_EVAL_DISPATCHER = "insecure-local";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #720681cfd29b48d5 Environment-variable access.
repo/web/src/__tests__/server/evals-trpc.servertest.ts:6
  process.env.LANGFUSE_MIGRATION_V4_ALLOW_PREVIEW_OPT_IN = "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9c6f560738bcf861 Environment-variable access.
repo/web/src/__tests__/server/experiments-versioning.servertest.ts:2
process.env.LANGFUSE_DATASET_SERVICE_READ_FROM_VERSIONED_IMPLEMENTATION =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f7d3414256f2a45b Environment-variable access.
repo/web/src/__tests__/server/experiments-versioning.servertest.ts:4
process.env.LANGFUSE_DATASET_SERVICE_WRITE_TO_VERSIONED_IMPLEMENTATION = "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #57000f957ee0db68 Environment-variable access.
repo/web/src/__tests__/server/mcp-public-api-tools.servertest.ts:1
process.env.LANGFUSE_DATASET_SERVICE_READ_FROM_VERSIONED_IMPLEMENTATION =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #de97f781a420d2b0 Environment-variable access.
repo/web/src/__tests__/server/mcp-public-api-tools.servertest.ts:3
process.env.LANGFUSE_DATASET_SERVICE_WRITE_TO_VERSIONED_IMPLEMENTATION = "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8fff36e52908f5b2 Filesystem access.
repo/web/src/__tests__/server/media.servertest.ts:2
import fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3991c714e259356b Environment-variable access.
repo/web/src/__tests__/server/media.servertest.ts:29
    process.env.LANGFUSE_USE_AZURE_BLOB === "true" ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #319a72a96d570d3e Filesystem access.
repo/web/src/__tests__/server/media.servertest.ts:72
  const fileBytesPNG = fs.readFileSync(imagePathPNG);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #855fa168bf41d5e9 Filesystem access.
repo/web/src/__tests__/server/media.servertest.ts:89
  const fileBytesPDF = fs.readFileSync(imagePathPDF);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ef3f07c1d35432c2 Environment-variable access.
repo/web/src/__tests__/server/mixpanel-integration.servertest.ts:49
  const originalEncryptionKey = process.env.ENCRYPTION_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bdfe655b60ed64aa Environment-variable access.
repo/web/src/__tests__/server/mixpanel-integration.servertest.ts:52
    process.env.ENCRYPTION_KEY =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #28200f0a84579256 Environment-variable access.
repo/web/src/__tests__/server/mixpanel-integration.servertest.ts:57
    process.env.ENCRYPTION_KEY = originalEncryptionKey;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #83fcdf3543d4b1d5 Environment-variable access.
repo/web/src/__tests__/server/organizations-api.servertest.ts:67
  const ADMIN_API_KEY = process.env.ADMIN_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #767213a247382923 Environment-variable access.
repo/web/src/__tests__/server/posthog-integration.servertest.ts:49
  const originalEncryptionKey = process.env.ENCRYPTION_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2da6c088c05d75ba Environment-variable access.
repo/web/src/__tests__/server/posthog-integration.servertest.ts:56
    process.env.ENCRYPTION_KEY =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #aea7ec9c55cda51d Environment-variable access.
repo/web/src/__tests__/server/posthog-integration.servertest.ts:62
    process.env.ENCRYPTION_KEY = originalEncryptionKey;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fb3ecca049d7777f Environment-variable access.
repo/web/src/__tests__/server/posthog-integration.servertest.ts:90
  const originalEncryptionKey = process.env.ENCRYPTION_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #eef93f0a76ab02aa Environment-variable access.
repo/web/src/__tests__/server/posthog-integration.servertest.ts:93
    process.env.ENCRYPTION_KEY =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fc7026d30d9405f9 Environment-variable access.
repo/web/src/__tests__/server/posthog-integration.servertest.ts:98
    process.env.ENCRYPTION_KEY = originalEncryptionKey;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c064b9f633b9ec38 Environment-variable access.
repo/web/src/__tests__/server/repositories/dataset-item-media-stateful-delete.servertest.ts:2
  process.env.LANGFUSE_DATASET_SERVICE_READ_FROM_VERSIONED_IMPLEMENTATION =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2ec4a9dc5d6b677a Environment-variable access.
repo/web/src/__tests__/server/repositories/dataset-item-media-stateful-delete.servertest.ts:4
  process.env.LANGFUSE_DATASET_SERVICE_WRITE_TO_VERSIONED_IMPLEMENTATION =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #348efa5d12dbb5ef Environment-variable access.
repo/web/src/__tests__/server/repositories/dataset-items-repository.servertest.ts:2
process.env.LANGFUSE_DATASET_SERVICE_READ_FROM_VERSIONED_IMPLEMENTATION =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4cb22609b7807a19 Environment-variable access.
repo/web/src/__tests__/server/repositories/dataset-items-repository.servertest.ts:4
process.env.LANGFUSE_DATASET_SERVICE_WRITE_TO_VERSIONED_IMPLEMENTATION = "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6fde318c1ac3bf3e Environment-variable access.
repo/web/src/__tests__/server/repositories/dataset-items-stateful-upsert.servertest.ts:2
  process.env.LANGFUSE_DATASET_SERVICE_READ_FROM_VERSIONED_IMPLEMENTATION =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #841ee4b75d7217d5 Environment-variable access.
repo/web/src/__tests__/server/repositories/dataset-items-stateful-upsert.servertest.ts:4
  process.env.LANGFUSE_DATASET_SERVICE_WRITE_TO_VERSIONED_IMPLEMENTATION =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c62cfb72980ce9af Environment-variable access.
repo/web/src/__tests__/server/scores-trpc-events-only.servertest.ts:26
    process.env.LANGFUSE_MIGRATION_V4_ALLOW_PREVIEW_OPT_IN === "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #44a74be1241b16b2 Environment-variable access.
repo/web/src/__tests__/server/scores-trpc-events-only.servertest.ts:27
  process.env.LANGFUSE_MIGRATION_V4_WRITE_MODE = "events_only";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8c4d0166b808b7e5 Environment-variable access.
repo/web/src/__tests__/server/scores-trpc-events-only.servertest.ts:30
  process.env.LANGFUSE_MIGRATION_V4_ALLOW_PREVIEW_OPT_IN = "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9fd883c6463a07c8 Environment-variable access.
repo/web/src/__tests__/server/sessions-trpc-events-only.servertest.ts:24
    process.env.LANGFUSE_MIGRATION_V4_ALLOW_PREVIEW_OPT_IN === "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f03fd5a5b6f796db Environment-variable access.
repo/web/src/__tests__/server/sessions-trpc-events-only.servertest.ts:25
  process.env.LANGFUSE_MIGRATION_V4_WRITE_MODE = "events_only";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #99ab3abf86a1cf1d Environment-variable access.
repo/web/src/__tests__/server/sessions-trpc-events-only.servertest.ts:28
  process.env.LANGFUSE_MIGRATION_V4_ALLOW_PREVIEW_OPT_IN = "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c2966e36f231ffb3 Environment-variable access.
repo/web/src/__tests__/server/traces-trpc-events-only.servertest.ts:25
    process.env.LANGFUSE_MIGRATION_V4_ALLOW_PREVIEW_OPT_IN === "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #30c01fdf1a2ad164 Environment-variable access.
repo/web/src/__tests__/server/traces-trpc-events-only.servertest.ts:26
  process.env.LANGFUSE_MIGRATION_V4_WRITE_MODE = "events_only";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #70b32f81f64dd1a5 Environment-variable access.
repo/web/src/__tests__/server/traces-trpc-events-only.servertest.ts:29
  process.env.LANGFUSE_MIGRATION_V4_ALLOW_PREVIEW_OPT_IN = "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c1858e899709cbd8 Environment-variable access.
repo/web/src/__tests__/server/unit/blobStorageKey.servertest.ts:170
  const envPrefix = process.env.LANGFUSE_S3_EVENT_UPLOAD_PREFIX ?? "";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9d0551995bcc391d Environment-variable access.
repo/web/src/__tests__/server/unit/blobStorageKey.servertest.ts:252
  const envPrefix = process.env.LANGFUSE_S3_EVENT_UPLOAD_PREFIX ?? "";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cc1073ac8ec9e175 Environment-variable access.
repo/web/src/__tests__/server/unit/code-eval-capabilities.servertest.ts:11
  delete process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b0ce73ed629e9e46 Environment-variable access.
repo/web/src/__tests__/server/unit/code-eval-capabilities.servertest.ts:12
  delete process.env.LANGFUSE_CODE_EVAL_DISPATCHER;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3044a2733b1e631b Environment-variable access.
repo/web/src/__tests__/server/unit/code-eval-capabilities.servertest.ts:16
      delete process.env[key];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #77de3c60c57ac89f Environment-variable access.
repo/web/src/__tests__/server/unit/code-eval-capabilities.servertest.ts:18
      process.env[key] = value;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d3220cffb2230fe4 Environment-variable access.
repo/web/src/__tests__/server/unit/evaluator-preflight.servertest.ts:34
    process.env.LANGFUSE_SKIP_EVALUATOR_MODEL_CALL_VALIDATION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2d485b91a584cc7f Environment-variable access.
repo/web/src/__tests__/server/unit/evaluator-preflight.servertest.ts:38
    delete process.env.LANGFUSE_SKIP_EVALUATOR_MODEL_CALL_VALIDATION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9ebd5b86eb4b4b49 Environment-variable access.
repo/web/src/__tests__/server/unit/evaluator-preflight.servertest.ts:58
      delete process.env.LANGFUSE_SKIP_EVALUATOR_MODEL_CALL_VALIDATION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #79e37ccbcc350e4f Environment-variable access.
repo/web/src/__tests__/server/unit/evaluator-preflight.servertest.ts:62
    process.env.LANGFUSE_SKIP_EVALUATOR_MODEL_CALL_VALIDATION =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #56f3dc3203e27af1 Environment-variable access.
repo/web/src/__tests__/server/unit/evaluator-preflight.servertest.ts:86
    process.env.LANGFUSE_SKIP_EVALUATOR_MODEL_CALL_VALIDATION = "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c54aeb785f00c01e Environment-variable access.
repo/web/src/__tests__/vitest-test-db-setup.ts:26
  const databaseUrl = process.env.DATABASE_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fe635fa8d3e27822 Environment-variable access.
repo/web/src/__tests__/vitest-test-db-setup.ts:30
    process.env.NODE_ENV !== "test"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #03b10e8dab9ef644 Environment-variable access.
repo/web/src/components/table/peek/hooks/usePeekNavigation.ts:187
        const pathnameWithBasePath = `${process.env.NEXT_PUBLIC_BASE_PATH ?? ""}${pathnameWithQuery}`;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bfe83b7a67f6bbeb Environment-variable access.
repo/web/src/components/ui/AdvancedJsonViewer/utils/debug.ts:8
const DEBUG = process.env.NODE_ENV === "development";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1a4d79989a7093a9 Environment-variable access.
repo/web/src/ee/features/in-app-agent/server/agent.ts:154
    process.env.AWS_PROFILE ?? params.options.awsBedrock.profile;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #808942dafbd326f8 Hardcoded external endpoint. Review what data is sent to this destination.
repo/web/src/ee/features/in-app-agent/server/agent.ts:731
        url: new URL(LANGFUSE_DOCS_MCP_URL),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #0d898d68e48cad21 Filesystem access.
repo/web/src/ee/features/in-app-agent/server/agent.ts:1114
    const promptTemplate = await readFile(
      path.join(
        LOCAL_IN_APP_AGENT_SYSTEM_PROMPT_DIR,
        `${IN_APP_AGENT_SYSTEM_PROMPT_NAME}.txt`,
      ),
      "utf8",
    );

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ace21507da0e40d0 Environment-variable access.
repo/web/src/env.mjs:50
      process.env.NODE_ENV === "production"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ddaf1cc5fe4446aa Environment-variable access.
repo/web/src/env.mjs:58
        process.env.VERCEL_URL && process.env.VERCEL_URL !== ""

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6b319f64d051facc Environment-variable access.
repo/web/src/env.mjs:59
          ? process.env.VERCEL_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ceb32ecd5e922c5e Environment-variable access.
repo/web/src/env.mjs:62
      process.env.VERCEL ? z.string().min(1) : z.url(),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c544d961441b97f9 Environment-variable access.
repo/web/src/env.mjs:522
    SEED_SECRET_KEY: process.env.SEED_SECRET_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #239d5d600f45153e Environment-variable access.
repo/web/src/env.mjs:523
    NEXT_PUBLIC_DEMO_PROJECT_ID: process.env.NEXT_PUBLIC_DEMO_PROJECT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #94bcbff74e34eba8 Environment-variable access.
repo/web/src/env.mjs:524
    NEXT_PUBLIC_DEMO_ORG_ID: process.env.NEXT_PUBLIC_DEMO_ORG_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #207ec3b2e03ce232 Environment-variable access.
repo/web/src/env.mjs:525
    DATABASE_URL: process.env.DATABASE_URL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f5a3afbc7b609286 Environment-variable access.
repo/web/src/env.mjs:526
    NODE_ENV: process.env.NODE_ENV,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0d0c5dcb02cfa049 Environment-variable access.
repo/web/src/env.mjs:527
    BUILD_ID: process.env.BUILD_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ecbbc721582b831e Environment-variable access.
repo/web/src/env.mjs:528
    NEXT_PUBLIC_BUILD_ID: process.env.NEXT_PUBLIC_BUILD_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e2dcac41ffb232ea Environment-variable access.
repo/web/src/env.mjs:529
    NEXTAUTH_SECRET: process.env.NEXTAUTH_SECRET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #930aa957ece6ed7b Environment-variable access.
repo/web/src/env.mjs:530
    NEXTAUTH_COOKIE_DOMAIN: process.env.NEXTAUTH_COOKIE_DOMAIN,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #141ad6fcf7b96298 Environment-variable access.
repo/web/src/env.mjs:531
    NEXTAUTH_URL: process.env.NEXTAUTH_URL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #17d11c1ceb153594 Environment-variable access.
repo/web/src/env.mjs:532
    LANGFUSE_MCP_ALLOWED_HOSTS: process.env.LANGFUSE_MCP_ALLOWED_HOSTS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f39ea11e3f37d107 Environment-variable access.
repo/web/src/env.mjs:534
      process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #67e5de11a422566d Environment-variable access.
repo/web/src/env.mjs:536
      process.env.NEXT_PUBLIC_LANGFUSE_BLOB_EXPORT_CUTOFF,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #96bcf731a0a29b82 Environment-variable access.
repo/web/src/env.mjs:538
      process.env.NEXT_PUBLIC_LANGFUSE_BLOB_EXPORTER_CUTOFF,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b5002aec22be7309 Environment-variable access.
repo/web/src/env.mjs:539
    NEXT_PUBLIC_SIGN_UP_DISABLED: process.env.NEXT_PUBLIC_SIGN_UP_DISABLED,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #40690973b9aba101 Environment-variable access.
repo/web/src/env.mjs:541
      process.env.LANGFUSE_ENABLE_EXPERIMENTAL_FEATURES,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a2b91cda6c048d2a Environment-variable access.
repo/web/src/env.mjs:542
    AWS_ACCESS_KEY_ID: process.env.AWS_ACCESS_KEY_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2e77f7f5aed3e8cd Environment-variable access.
repo/web/src/env.mjs:543
    AWS_SECRET_ACCESS_KEY: process.env.AWS_SECRET_ACCESS_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #052398afad846564 Environment-variable access.
repo/web/src/env.mjs:544
    LANGFUSE_AWS_BEDROCK_REGION: process.env.LANGFUSE_AWS_BEDROCK_REGION,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c59b1a30759eceab Environment-variable access.
repo/web/src/env.mjs:546
      process.env.LANGFUSE_IN_APP_AGENT_AWS_PROFILE,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #550cb5882cda0b0f Environment-variable access.
repo/web/src/env.mjs:547
    LANGFUSE_TEAM_SLACK_WEBHOOK: process.env.LANGFUSE_TEAM_SLACK_WEBHOOK,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5b36b83c8519e013 Environment-variable access.
repo/web/src/env.mjs:549
      process.env.LANGFUSE_NEW_USER_SIGNUP_WEBHOOK,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4991c9d1f92fa0b9 Environment-variable access.
repo/web/src/env.mjs:550
    LANGFUSE_ADMIN_ACCESS_WEBHOOK: process.env.LANGFUSE_ADMIN_ACCESS_WEBHOOK,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a5e60d114ab7bfd7 Environment-variable access.
repo/web/src/env.mjs:551
    MULESOFT_SFDC_USER_URL: process.env.MULESOFT_SFDC_USER_URL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #93d2cb1c03f2abe0 Environment-variable access.
repo/web/src/env.mjs:552
    MULESOFT_SFDC_ORG_URL: process.env.MULESOFT_SFDC_ORG_URL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dfc80723bb3738c3 Environment-variable access.
repo/web/src/env.mjs:553
    MULESOFT_SFDC_BASIC_AUTH_USER: process.env.MULESOFT_SFDC_BASIC_AUTH_USER,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #776ab408f5672344 Environment-variable access.
repo/web/src/env.mjs:555
      process.env.MULESOFT_SFDC_BASIC_AUTH_PASSWORD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #02e011a190bb65d2 Environment-variable access.
repo/web/src/env.mjs:557
      process.env.MULESOFT_SFDC_DEFAULT_COMPANY_NAME,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5ef0e60aa7e4b486 Environment-variable access.
repo/web/src/env.mjs:559
      process.env.MULESOFT_SFDC_REQUEST_TIMEOUT_MS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #98322351a725cf5a Environment-variable access.
repo/web/src/env.mjs:560
    SALT: process.env.SALT,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5a26a32b1ab37a85 Environment-variable access.
repo/web/src/env.mjs:561
    LANGFUSE_CSP_ENFORCE_HTTPS: process.env.LANGFUSE_CSP_ENFORCE_HTTPS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5c6e40cee66d51cd Environment-variable access.
repo/web/src/env.mjs:562
    TELEMETRY_ENABLED: process.env.TELEMETRY_ENABLED,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9d6c4ede6fcb0a53 Environment-variable access.
repo/web/src/env.mjs:564
    LANGFUSE_DEFAULT_ORG_ID: process.env.LANGFUSE_DEFAULT_ORG_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2c472fe882c17d34 Environment-variable access.
repo/web/src/env.mjs:565
    LANGFUSE_DEFAULT_ORG_ROLE: process.env.LANGFUSE_DEFAULT_ORG_ROLE,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #85f6081c57d52af5 Environment-variable access.
repo/web/src/env.mjs:566
    LANGFUSE_DEFAULT_PROJECT_ID: process.env.LANGFUSE_DEFAULT_PROJECT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #14b7ff974bf0cbab Environment-variable access.
repo/web/src/env.mjs:567
    LANGFUSE_DEFAULT_PROJECT_ROLE: process.env.LANGFUSE_DEFAULT_PROJECT_ROLE,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1172db3504051a9d Environment-variable access.
repo/web/src/env.mjs:569
    AUTH_GOOGLE_CLIENT_ID: process.env.AUTH_GOOGLE_CLIENT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c02346ded2ce6946 Environment-variable access.
repo/web/src/env.mjs:570
    AUTH_GOOGLE_CLIENT_SECRET: process.env.AUTH_GOOGLE_CLIENT_SECRET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #41a5001fc1169b61 Environment-variable access.
repo/web/src/env.mjs:571
    AUTH_GOOGLE_ALLOWED_DOMAINS: process.env.AUTH_GOOGLE_ALLOWED_DOMAINS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #57f1d3cbd024b010 Environment-variable access.
repo/web/src/env.mjs:573
      process.env.AUTH_GOOGLE_ALLOW_ACCOUNT_LINKING,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7b7e308428b59729 Environment-variable access.
repo/web/src/env.mjs:574
    AUTH_GOOGLE_CLIENT_AUTH_METHOD: process.env.AUTH_GOOGLE_CLIENT_AUTH_METHOD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0f0335ce1c5f64df Environment-variable access.
repo/web/src/env.mjs:575
    AUTH_GOOGLE_CHECKS: process.env.AUTH_GOOGLE_CHECKS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6edaa79402399cf7 Environment-variable access.
repo/web/src/env.mjs:577
      process.env.AUTH_GOOGLE_ID_TOKEN_SIGNED_RESPONSE_ALG,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #83519476cf605d53 Environment-variable access.
repo/web/src/env.mjs:578
    AUTH_GITHUB_CLIENT_ID: process.env.AUTH_GITHUB_CLIENT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #50f2b4f8e1bfe369 Environment-variable access.
repo/web/src/env.mjs:579
    AUTH_GITHUB_CLIENT_SECRET: process.env.AUTH_GITHUB_CLIENT_SECRET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0d7ae4f0e16ba34d Environment-variable access.
repo/web/src/env.mjs:581
      process.env.AUTH_GITHUB_ALLOW_ACCOUNT_LINKING,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3760b563135b2552 Environment-variable access.
repo/web/src/env.mjs:582
    AUTH_GITHUB_CLIENT_AUTH_METHOD: process.env.AUTH_GITHUB_CLIENT_AUTH_METHOD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c015d478162f6e3c Environment-variable access.
repo/web/src/env.mjs:583
    AUTH_GITHUB_CHECKS: process.env.AUTH_GITHUB_CHECKS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f7cb9e680585ee54 Environment-variable access.
repo/web/src/env.mjs:585
      process.env.AUTH_GITHUB_ENTERPRISE_CLIENT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #57aa24a8947f54c7 Environment-variable access.
repo/web/src/env.mjs:587
      process.env.AUTH_GITHUB_ENTERPRISE_CLIENT_SECRET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #96e3399826c15626 Environment-variable access.
repo/web/src/env.mjs:589
      process.env.AUTH_GITHUB_ENTERPRISE_BASE_URL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0821a6a28a10bc9d Environment-variable access.
repo/web/src/env.mjs:591
      process.env.AUTH_GITHUB_ENTERPRISE_ALLOW_ACCOUNT_LINKING,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5040db5dc18f16c3 Environment-variable access.
repo/web/src/env.mjs:593
      process.env.AUTH_GITHUB_ENTERPRISE_CLIENT_AUTH_METHOD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bcbed8677049f154 Environment-variable access.
repo/web/src/env.mjs:594
    AUTH_GITHUB_ENTERPRISE_CHECKS: process.env.AUTH_GITHUB_ENTERPRISE_CHECKS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2afa5334eff49b25 Environment-variable access.
repo/web/src/env.mjs:595
    AUTH_GITLAB_ISSUER: process.env.AUTH_GITLAB_ISSUER,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3e59a3e80b5960b9 Environment-variable access.
repo/web/src/env.mjs:596
    AUTH_GITLAB_CLIENT_ID: process.env.AUTH_GITLAB_CLIENT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eec1270f046e5ecd Environment-variable access.
repo/web/src/env.mjs:597
    AUTH_GITLAB_CLIENT_SECRET: process.env.AUTH_GITLAB_CLIENT_SECRET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #280ebfff8268c706 Environment-variable access.
repo/web/src/env.mjs:599
      process.env.AUTH_GITLAB_ALLOW_ACCOUNT_LINKING,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dc3cab43cfeb3b9b Environment-variable access.
repo/web/src/env.mjs:600
    AUTH_GITLAB_CLIENT_AUTH_METHOD: process.env.AUTH_GITLAB_CLIENT_AUTH_METHOD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #021d54ec57208dc6 Environment-variable access.
repo/web/src/env.mjs:601
    AUTH_GITLAB_CHECKS: process.env.AUTH_GITLAB_CHECKS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2c92660419735f48 Environment-variable access.
repo/web/src/env.mjs:603
      process.env.AUTH_GITLAB_ID_TOKEN_SIGNED_RESPONSE_ALG,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c14fca08fa8ef9ef Environment-variable access.
repo/web/src/env.mjs:604
    AUTH_GITLAB_URL: process.env.AUTH_GITLAB_URL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #47533041cd597355 Environment-variable access.
repo/web/src/env.mjs:605
    AUTH_AZURE_AD_CLIENT_ID: process.env.AUTH_AZURE_AD_CLIENT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #670b563dbd36d5c3 Environment-variable access.
repo/web/src/env.mjs:606
    AUTH_AZURE_AD_CLIENT_SECRET: process.env.AUTH_AZURE_AD_CLIENT_SECRET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c7425acd5c4eb99a Environment-variable access.
repo/web/src/env.mjs:607
    AUTH_AZURE_AD_TENANT_ID: process.env.AUTH_AZURE_AD_TENANT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4927d07e42712e64 Environment-variable access.
repo/web/src/env.mjs:609
      process.env.AUTH_AZURE_AD_ALLOW_ACCOUNT_LINKING ??

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d0c787762c8b32a8 Environment-variable access.
repo/web/src/env.mjs:610
      process.env.AUTH_AZURE_ALLOW_ACCOUNT_LINKING, // fallback on old env var

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #934e1cda49040e18 Environment-variable access.
repo/web/src/env.mjs:612
      process.env.AUTH_AZURE_AD_CLIENT_AUTH_METHOD ??

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #42d37ce8349009d7 Environment-variable access.
repo/web/src/env.mjs:613
      process.env.AUTH_AZURE_CLIENT_AUTH_METHOD, // fallback on old env var

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #342a9af4e2ae76af Environment-variable access.
repo/web/src/env.mjs:615
      process.env.AUTH_AZURE_AD_CHECKS ?? process.env.AUTH_AZURE_CHECKS, // fallback on old env var

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6baa487490176c17 Environment-variable access.
repo/web/src/env.mjs:617
      process.env.AUTH_AZURE_AD_ID_TOKEN_SIGNED_RESPONSE_ALG,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2c45f57e2eb73133 Environment-variable access.
repo/web/src/env.mjs:618
    AUTH_OKTA_CLIENT_ID: process.env.AUTH_OKTA_CLIENT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #af404be58c9bc23f Environment-variable access.
repo/web/src/env.mjs:619
    AUTH_OKTA_CLIENT_SECRET: process.env.AUTH_OKTA_CLIENT_SECRET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #074a320d9bdd3098 Environment-variable access.
repo/web/src/env.mjs:620
    AUTH_OKTA_ISSUER: process.env.AUTH_OKTA_ISSUER,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fc1e6681ad7e7333 Environment-variable access.
repo/web/src/env.mjs:622
      process.env.AUTH_OKTA_ALLOW_ACCOUNT_LINKING,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eb1e652c18805993 Environment-variable access.
repo/web/src/env.mjs:623
    AUTH_OKTA_CLIENT_AUTH_METHOD: process.env.AUTH_OKTA_CLIENT_AUTH_METHOD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6324226bed0cc0f6 Environment-variable access.
repo/web/src/env.mjs:624
    AUTH_OKTA_CHECKS: process.env.AUTH_OKTA_CHECKS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e30d67982ea7d95b Environment-variable access.
repo/web/src/env.mjs:626
      process.env.AUTH_OKTA_ID_TOKEN_SIGNED_RESPONSE_ALG,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b0d99d2db5742a55 Environment-variable access.
repo/web/src/env.mjs:627
    AUTH_AUTHENTIK_CLIENT_ID: process.env.AUTH_AUTHENTIK_CLIENT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c20000145efa9688 Environment-variable access.
repo/web/src/env.mjs:628
    AUTH_AUTHENTIK_CLIENT_SECRET: process.env.AUTH_AUTHENTIK_CLIENT_SECRET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e3d2fb29f2e2f400 Environment-variable access.
repo/web/src/env.mjs:629
    AUTH_AUTHENTIK_ISSUER: process.env.AUTH_AUTHENTIK_ISSUER,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2b69e6b73814ef2d Environment-variable access.
repo/web/src/env.mjs:631
      process.env.AUTH_AUTHENTIK_ALLOW_ACCOUNT_LINKING,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e8ac7dc50585c397 Environment-variable access.
repo/web/src/env.mjs:633
      process.env.AUTH_AUTHENTIK_CLIENT_AUTH_METHOD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #affd4d6689b441d8 Environment-variable access.
repo/web/src/env.mjs:634
    AUTH_AUTHENTIK_CHECKS: process.env.AUTH_AUTHENTIK_CHECKS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #669cb187c984a9f5 Environment-variable access.
repo/web/src/env.mjs:636
      process.env.AUTH_AUTHENTIK_ID_TOKEN_SIGNED_RESPONSE_ALG,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9de788b7156b68f7 Environment-variable access.
repo/web/src/env.mjs:638
      process.env.AUTH_AUTHENTIK_AUTHORIZATION_URL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2581f26890ed4605 Environment-variable access.
repo/web/src/env.mjs:639
    AUTH_ONELOGIN_CLIENT_ID: process.env.AUTH_ONELOGIN_CLIENT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b1cfcccefbc3e5a2 Environment-variable access.
repo/web/src/env.mjs:640
    AUTH_ONELOGIN_CLIENT_SECRET: process.env.AUTH_ONELOGIN_CLIENT_SECRET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7ec2e59dbc292fcf Environment-variable access.
repo/web/src/env.mjs:641
    AUTH_ONELOGIN_ISSUER: process.env.AUTH_ONELOGIN_ISSUER,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cb39fc7c0bfc1d48 Environment-variable access.
repo/web/src/env.mjs:643
      process.env.AUTH_ONELOGIN_ALLOW_ACCOUNT_LINKING,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #02e3bab2e2117dd7 Environment-variable access.
repo/web/src/env.mjs:645
      process.env.AUTH_ONELOGIN_CLIENT_AUTH_METHOD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #679d390c001b0b52 Environment-variable access.
repo/web/src/env.mjs:646
    AUTH_ONELOGIN_CHECKS: process.env.AUTH_ONELOGIN_CHECKS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b28e5dd567f882b9 Environment-variable access.
repo/web/src/env.mjs:648
      process.env.AUTH_ONELOGIN_ID_TOKEN_SIGNED_RESPONSE_ALG,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e9dd73b5642ef86b Environment-variable access.
repo/web/src/env.mjs:649
    AUTH_AUTH0_CLIENT_ID: process.env.AUTH_AUTH0_CLIENT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #83a9788d1df24156 Environment-variable access.
repo/web/src/env.mjs:650
    AUTH_AUTH0_CLIENT_SECRET: process.env.AUTH_AUTH0_CLIENT_SECRET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #674f352a096860f2 Environment-variable access.
repo/web/src/env.mjs:651
    AUTH_AUTH0_ISSUER: process.env.AUTH_AUTH0_ISSUER,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c9785e3b2b950015 Environment-variable access.
repo/web/src/env.mjs:653
      process.env.AUTH_AUTH0_ALLOW_ACCOUNT_LINKING,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1b2d25423a96a33b Environment-variable access.
repo/web/src/env.mjs:654
    AUTH_AUTH0_CLIENT_AUTH_METHOD: process.env.AUTH_AUTH0_CLIENT_AUTH_METHOD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #46d1e2c465d933d1 Environment-variable access.
repo/web/src/env.mjs:655
    AUTH_AUTH0_CHECKS: process.env.AUTH_AUTH0_CHECKS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #629d90c0b93090c9 Environment-variable access.
repo/web/src/env.mjs:657
      process.env.AUTH_AUTH0_ID_TOKEN_SIGNED_RESPONSE_ALG,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c1147d8d76bea217 Environment-variable access.
repo/web/src/env.mjs:659
      process.env.AUTH_CLICKHOUSE_CLOUD_CLIENT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #45220fa9a54e395c Environment-variable access.
repo/web/src/env.mjs:661
      process.env.AUTH_CLICKHOUSE_CLOUD_CLIENT_SECRET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ea9e715c8bc69614 Environment-variable access.
repo/web/src/env.mjs:662
    AUTH_CLICKHOUSE_CLOUD_ISSUER: process.env.AUTH_CLICKHOUSE_CLOUD_ISSUER,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f0a20f1e0debe65b Environment-variable access.
repo/web/src/env.mjs:664
      process.env.AUTH_CLICKHOUSE_CLOUD_ALLOW_ACCOUNT_LINKING,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d3057656c0da48b6 Environment-variable access.
repo/web/src/env.mjs:666
      process.env.AUTH_CLICKHOUSE_CLOUD_CLIENT_AUTH_METHOD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8bbc4e2f546e6e4a Environment-variable access.
repo/web/src/env.mjs:667
    AUTH_CLICKHOUSE_CLOUD_CHECKS: process.env.AUTH_CLICKHOUSE_CLOUD_CHECKS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7cfa1e9cf7780149 Environment-variable access.
repo/web/src/env.mjs:669
      process.env.AUTH_CLICKHOUSE_CLOUD_ID_TOKEN_SIGNED_RESPONSE_ALG,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #32da32141a1f00fa Environment-variable access.
repo/web/src/env.mjs:670
    AUTH_COGNITO_CLIENT_ID: process.env.AUTH_COGNITO_CLIENT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9ba3929510b87419 Environment-variable access.
repo/web/src/env.mjs:671
    AUTH_COGNITO_CLIENT_SECRET: process.env.AUTH_COGNITO_CLIENT_SECRET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2af8755bfc26aa6f Environment-variable access.
repo/web/src/env.mjs:672
    AUTH_COGNITO_ISSUER: process.env.AUTH_COGNITO_ISSUER,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ea45b6e1db73ece4 Environment-variable access.
repo/web/src/env.mjs:674
      process.env.AUTH_COGNITO_ALLOW_ACCOUNT_LINKING,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d904d45d9434afa9 Environment-variable access.
repo/web/src/env.mjs:676
      process.env.AUTH_COGNITO_CLIENT_AUTH_METHOD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3ea2f5cd8b9be721 Environment-variable access.
repo/web/src/env.mjs:677
    AUTH_COGNITO_CHECKS: process.env.AUTH_COGNITO_CHECKS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3dd7c2256dcb5e11 Environment-variable access.
repo/web/src/env.mjs:679
      process.env.AUTH_COGNITO_ID_TOKEN_SIGNED_RESPONSE_ALG,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0ec5b5f042f120f1 Environment-variable access.
repo/web/src/env.mjs:680
    AUTH_KEYCLOAK_CLIENT_ID: process.env.AUTH_KEYCLOAK_CLIENT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3a0deb668235d1f2 Environment-variable access.
repo/web/src/env.mjs:681
    AUTH_KEYCLOAK_CLIENT_SECRET: process.env.AUTH_KEYCLOAK_CLIENT_SECRET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #46b7306c22371956 Environment-variable access.
repo/web/src/env.mjs:682
    AUTH_KEYCLOAK_ISSUER: process.env.AUTH_KEYCLOAK_ISSUER,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9bc012107bb6e1bf Environment-variable access.
repo/web/src/env.mjs:684
      process.env.AUTH_KEYCLOAK_ALLOW_ACCOUNT_LINKING,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #478cc044a0c26f84 Environment-variable access.
repo/web/src/env.mjs:686
      process.env.AUTH_KEYCLOAK_CLIENT_AUTH_METHOD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e26fbf39c4ca4267 Environment-variable access.
repo/web/src/env.mjs:687
    AUTH_KEYCLOAK_CHECKS: process.env.AUTH_KEYCLOAK_CHECKS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3245dc9da121acea Environment-variable access.
repo/web/src/env.mjs:689
      process.env.AUTH_KEYCLOAK_ID_TOKEN_SIGNED_RESPONSE_ALG,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #840f62cd16cd4ad2 Environment-variable access.
repo/web/src/env.mjs:690
    AUTH_KEYCLOAK_SCOPE: process.env.AUTH_KEYCLOAK_SCOPE,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #45ce39a6f48ff0f0 Environment-variable access.
repo/web/src/env.mjs:691
    AUTH_KEYCLOAK_ID_TOKEN: process.env.AUTH_KEYCLOAK_ID_TOKEN,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c69f13d8dcc1b8b6 Environment-variable access.
repo/web/src/env.mjs:692
    AUTH_KEYCLOAK_NAME: process.env.AUTH_KEYCLOAK_NAME,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4be362476a987ae8 Environment-variable access.
repo/web/src/env.mjs:693
    AUTH_JUMPCLOUD_CLIENT_ID: process.env.AUTH_JUMPCLOUD_CLIENT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2e0fdec20a9de1e1 Environment-variable access.
repo/web/src/env.mjs:694
    AUTH_JUMPCLOUD_CLIENT_SECRET: process.env.AUTH_JUMPCLOUD_CLIENT_SECRET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8b492be2aab31a12 Environment-variable access.
repo/web/src/env.mjs:695
    AUTH_JUMPCLOUD_ISSUER: process.env.AUTH_JUMPCLOUD_ISSUER,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d45c72838b3b019b Environment-variable access.
repo/web/src/env.mjs:697
      process.env.AUTH_JUMPCLOUD_ALLOW_ACCOUNT_LINKING,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ee928b4ccea8c222 Environment-variable access.
repo/web/src/env.mjs:699
      process.env.AUTH_JUMPCLOUD_CLIENT_AUTH_METHOD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bfb105a635e73777 Environment-variable access.
repo/web/src/env.mjs:700
    AUTH_JUMPCLOUD_CHECKS: process.env.AUTH_JUMPCLOUD_CHECKS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cd0c3b8dcb1e4a2b Environment-variable access.
repo/web/src/env.mjs:702
      process.env.AUTH_JUMPCLOUD_ID_TOKEN_SIGNED_RESPONSE_ALG,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4b79be2559814cf1 Environment-variable access.
repo/web/src/env.mjs:703
    AUTH_JUMPCLOUD_SCOPE: process.env.AUTH_JUMPCLOUD_SCOPE,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2d7e8d6e96dbc65c Environment-variable access.
repo/web/src/env.mjs:704
    AUTH_CUSTOM_CLIENT_ID: process.env.AUTH_CUSTOM_CLIENT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3dad9d8d43679e6a Environment-variable access.
repo/web/src/env.mjs:705
    AUTH_CUSTOM_CLIENT_SECRET: process.env.AUTH_CUSTOM_CLIENT_SECRET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8b812c1cc40034ba Environment-variable access.
repo/web/src/env.mjs:706
    AUTH_CUSTOM_ISSUER: process.env.AUTH_CUSTOM_ISSUER,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f6f33a7f39f1ebfd Environment-variable access.
repo/web/src/env.mjs:707
    AUTH_CUSTOM_NAME: process.env.AUTH_CUSTOM_NAME,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #235cedd281959e48 Environment-variable access.
repo/web/src/env.mjs:708
    AUTH_CUSTOM_SCOPE: process.env.AUTH_CUSTOM_SCOPE,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9c4eac6b7fc47358 Environment-variable access.
repo/web/src/env.mjs:709
    AUTH_CUSTOM_CLIENT_AUTH_METHOD: process.env.AUTH_CUSTOM_CLIENT_AUTH_METHOD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1696c86cd9ba52a0 Environment-variable access.
repo/web/src/env.mjs:710
    AUTH_CUSTOM_CHECKS: process.env.AUTH_CUSTOM_CHECKS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #96a18e8f15b0337d Environment-variable access.
repo/web/src/env.mjs:712
      process.env.AUTH_CUSTOM_ID_TOKEN_SIGNED_RESPONSE_ALG,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2ed132f8992cc8e5 Environment-variable access.
repo/web/src/env.mjs:714
      process.env.AUTH_CUSTOM_ALLOW_ACCOUNT_LINKING,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #355da736e4921c42 Environment-variable access.
repo/web/src/env.mjs:715
    AUTH_CUSTOM_ID_TOKEN: process.env.AUTH_CUSTOM_ID_TOKEN,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bfd450dc034e8e3e Environment-variable access.
repo/web/src/env.mjs:716
    AUTH_WORKOS_CLIENT_ID: process.env.AUTH_WORKOS_CLIENT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #02f9527ad33e8efe Environment-variable access.
repo/web/src/env.mjs:717
    AUTH_WORKOS_CLIENT_SECRET: process.env.AUTH_WORKOS_CLIENT_SECRET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3f57cf2c806600fe Environment-variable access.
repo/web/src/env.mjs:719
      process.env.AUTH_WORKOS_ALLOW_ACCOUNT_LINKING,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e2cfcff6d35190d8 Environment-variable access.
repo/web/src/env.mjs:720
    AUTH_WORKOS_ORGANIZATION_ID: process.env.AUTH_WORKOS_ORGANIZATION_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9a176974aa3824a2 Environment-variable access.
repo/web/src/env.mjs:721
    AUTH_WORKOS_CONNECTION_ID: process.env.AUTH_WORKOS_CONNECTION_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c7636ce4b8da68f8 Environment-variable access.
repo/web/src/env.mjs:722
    AUTH_WORDPRESS_CLIENT_ID: process.env.AUTH_WORDPRESS_CLIENT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c69dda0b28532754 Environment-variable access.
repo/web/src/env.mjs:723
    AUTH_WORDPRESS_CLIENT_SECRET: process.env.AUTH_WORDPRESS_CLIENT_SECRET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #158929ace67d9790 Environment-variable access.
repo/web/src/env.mjs:725
      process.env.AUTH_WORDPRESS_ALLOW_ACCOUNT_LINKING,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cd22b4b9f72809cc Environment-variable access.
repo/web/src/env.mjs:727
      process.env.AUTH_WORDPRESS_CLIENT_AUTH_METHOD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f128c5b5479f1539 Environment-variable access.
repo/web/src/env.mjs:728
    AUTH_WORDPRESS_CHECKS: process.env.AUTH_WORDPRESS_CHECKS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c367e246fbb13849 Environment-variable access.
repo/web/src/env.mjs:730
      process.env.AUTH_WORDPRESS_ID_TOKEN_SIGNED_RESPONSE_ALG,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6f4a891468919912 Environment-variable access.
repo/web/src/env.mjs:731
    AUTH_IGNORE_ACCOUNT_FIELDS: process.env.AUTH_IGNORE_ACCOUNT_FIELDS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cad956a3c74b79e4 Environment-variable access.
repo/web/src/env.mjs:733
      process.env.AUTH_DOMAINS_WITH_SSO_ENFORCEMENT,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e8716cca21e2002b Environment-variable access.
repo/web/src/env.mjs:734
    AUTH_DISABLE_USERNAME_PASSWORD: process.env.AUTH_DISABLE_USERNAME_PASSWORD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #19c34daa4cdd3e6a Environment-variable access.
repo/web/src/env.mjs:735
    AUTH_DISABLE_SIGNUP: process.env.AUTH_DISABLE_SIGNUP,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #de63f513c3ef3845 Environment-variable access.
repo/web/src/env.mjs:737
      process.env.AUTH_EMAIL_VERIFICATION_REQUIRED,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #77ba2b11f8156937 Environment-variable access.
repo/web/src/env.mjs:738
    AUTH_SESSION_MAX_AGE: process.env.AUTH_SESSION_MAX_AGE,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #00c4c83e9649e57b Environment-variable access.
repo/web/src/env.mjs:739
    AUTH_HTTP_PROXY: process.env.AUTH_HTTP_PROXY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #546b59b5191dadee Environment-variable access.
repo/web/src/env.mjs:740
    AUTH_HTTPS_PROXY: process.env.AUTH_HTTPS_PROXY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #49c57eae540aa863 Environment-variable access.
repo/web/src/env.mjs:741
    AUTH_SSO_TIMEOUT: process.env.AUTH_SSO_TIMEOUT,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #914dd65a44dd2d11 Environment-variable access.
repo/web/src/env.mjs:743
    EMAIL_FROM_ADDRESS: process.env.EMAIL_FROM_ADDRESS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #caed3830810be0f3 Environment-variable access.
repo/web/src/env.mjs:744
    SMTP_CONNECTION_URL: process.env.SMTP_CONNECTION_URL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5e38ecc8ea9290b9 Environment-variable access.
repo/web/src/env.mjs:746
    OTEL_EXPORTER_OTLP_ENDPOINT: process.env.OTEL_EXPORTER_OTLP_ENDPOINT,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a582cb56696386fd Environment-variable access.
repo/web/src/env.mjs:747
    OTEL_SERVICE_NAME: process.env.OTEL_SERVICE_NAME,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #070512d0096f2e4d Environment-variable access.
repo/web/src/env.mjs:748
    OTEL_TRACE_SAMPLING_RATIO: process.env.OTEL_TRACE_SAMPLING_RATIO,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ed4a8d84c020548f Environment-variable access.
repo/web/src/env.mjs:751
      process.env.LANGFUSE_INGESTION_MASKING_PROPAGATED_HEADERS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8379fde82b3596d4 Environment-variable access.
repo/web/src/env.mjs:755
      process.env.LANGFUSE_S3_MEDIA_MAX_CONTENT_LENGTH,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5948af0fc75e7b23 Environment-variable access.
repo/web/src/env.mjs:757
      process.env.LANGFUSE_S3_MEDIA_UPLOAD_BUCKET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #771afc2236e57684 Environment-variable access.
repo/web/src/env.mjs:759
      process.env.LANGFUSE_S3_MEDIA_UPLOAD_PREFIX,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #701982ca5f827479 Environment-variable access.
repo/web/src/env.mjs:761
      process.env.LANGFUSE_S3_MEDIA_UPLOAD_REGION,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b8c7aa7b47d44c84 Environment-variable access.
repo/web/src/env.mjs:763
      process.env.LANGFUSE_S3_MEDIA_UPLOAD_ENDPOINT,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0954c8c0c9a1c1f1 Environment-variable access.
repo/web/src/env.mjs:765
      process.env.LANGFUSE_S3_MEDIA_UPLOAD_ACCESS_KEY_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #53472e1dfcb33c42 Environment-variable access.
repo/web/src/env.mjs:767
      process.env.LANGFUSE_S3_MEDIA_UPLOAD_SECRET_ACCESS_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1fb2a922cc5e5d93 Environment-variable access.
repo/web/src/env.mjs:769
      process.env.LANGFUSE_S3_MEDIA_UPLOAD_FORCE_PATH_STYLE,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a988a79b6d26a1a1 Environment-variable access.
repo/web/src/env.mjs:771
      process.env.LANGFUSE_S3_MEDIA_DOWNLOAD_URL_EXPIRY_SECONDS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d31c99b048a453eb Environment-variable access.
repo/web/src/env.mjs:772
    LANGFUSE_S3_MEDIA_UPLOAD_SSE: process.env.LANGFUSE_S3_MEDIA_UPLOAD_SSE,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2fced5ea8ea0b42c Environment-variable access.
repo/web/src/env.mjs:774
      process.env.LANGFUSE_S3_MEDIA_UPLOAD_SSE_KMS_KEY_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9cceaff98b254b35 Environment-variable access.
repo/web/src/env.mjs:776
    NEXT_PUBLIC_POSTHOG_KEY: process.env.NEXT_PUBLIC_POSTHOG_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6ed989cd41e2c3b6 Environment-variable access.
repo/web/src/env.mjs:777
    NEXT_PUBLIC_POSTHOG_HOST: process.env.NEXT_PUBLIC_POSTHOG_HOST,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #981ab5787eaffa4e Environment-variable access.
repo/web/src/env.mjs:779
    NEXT_PUBLIC_PLAIN_APP_ID: process.env.NEXT_PUBLIC_PLAIN_APP_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d4c43bdd5f24d178 Environment-variable access.
repo/web/src/env.mjs:780
    PLAIN_AUTHENTICATION_SECRET: process.env.PLAIN_AUTHENTICATION_SECRET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #513ea34d164b7625 Environment-variable access.
repo/web/src/env.mjs:781
    PLAIN_CARDS_API_TOKEN: process.env.PLAIN_CARDS_API_TOKEN,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #57ac24133e82aea1 Environment-variable access.
repo/web/src/env.mjs:782
    PYLON_API_KEY: process.env.PYLON_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #996a0d1f63feb28e Environment-variable access.
repo/web/src/env.mjs:784
    CLICKHOUSE_URL: process.env.CLICKHOUSE_URL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b04ff756eef6dc8d Environment-variable access.
repo/web/src/env.mjs:785
    CLICKHOUSE_CLUSTER_NAME: process.env.CLICKHOUSE_CLUSTER_NAME,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ab2388a4bb934c9c Environment-variable access.
repo/web/src/env.mjs:786
    CLICKHOUSE_DB: process.env.CLICKHOUSE_DB,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #891ab452613801c5 Environment-variable access.
repo/web/src/env.mjs:787
    CLICKHOUSE_USER: process.env.CLICKHOUSE_USER,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d88f01f44e381994 Environment-variable access.
repo/web/src/env.mjs:788
    CLICKHOUSE_PASSWORD: process.env.CLICKHOUSE_PASSWORD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b89055852189bda7 Environment-variable access.
repo/web/src/env.mjs:789
    CLICKHOUSE_CLUSTER_ENABLED: process.env.CLICKHOUSE_CLUSTER_ENABLED,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c49a01dabab8e1dd Environment-variable access.
repo/web/src/env.mjs:791
    LANGFUSE_UI_API_HOST: process.env.LANGFUSE_UI_API_HOST,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #661f89aa1372bddc Environment-variable access.
repo/web/src/env.mjs:792
    LANGFUSE_UI_DOCUMENTATION_HREF: process.env.LANGFUSE_UI_DOCUMENTATION_HREF,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b7db1ad744ca8fc3 Environment-variable access.
repo/web/src/env.mjs:793
    LANGFUSE_UI_SUPPORT_HREF: process.env.LANGFUSE_UI_SUPPORT_HREF,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e6f2e4628b207bd1 Environment-variable access.
repo/web/src/env.mjs:794
    LANGFUSE_UI_FEEDBACK_HREF: process.env.LANGFUSE_UI_FEEDBACK_HREF,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b8d25287fed27e15 Environment-variable access.
repo/web/src/env.mjs:796
      process.env.LANGFUSE_UI_LOGO_LIGHT_MODE_HREF,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #096c0e4514311c2d Environment-variable access.
repo/web/src/env.mjs:798
      process.env.LANGFUSE_UI_LOGO_DARK_MODE_HREF,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aab323437bcd7ce2 Environment-variable access.
repo/web/src/env.mjs:800
      process.env.LANGFUSE_UI_DEFAULT_MODEL_ADAPTER,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3a023f1f736d719e Environment-variable access.
repo/web/src/env.mjs:802
      process.env.LANGFUSE_UI_DEFAULT_BASE_URL_OPENAI,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ade4e0d0c91f1024 Environment-variable access.
repo/web/src/env.mjs:804
      process.env.LANGFUSE_UI_DEFAULT_BASE_URL_ANTHROPIC,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #659ea6e49cdc2280 Environment-variable access.
repo/web/src/env.mjs:806
      process.env.LANGFUSE_UI_DEFAULT_BASE_URL_AZURE,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a3eee9aec0a5668e Environment-variable access.
repo/web/src/env.mjs:808
      process.env.LANGFUSE_UI_VISIBLE_PRODUCT_MODULES,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #15406bae6e076080 Environment-variable access.
repo/web/src/env.mjs:810
      process.env.LANGFUSE_UI_HIDDEN_PRODUCT_MODULES,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a1cabc669d6e9a3b Environment-variable access.
repo/web/src/env.mjs:813
      process.env.NEXT_PUBLIC_LANGFUSE_PLAYGROUND_STREAMING_ENABLED_DEFAULT,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2b55d8825b2a1a26 Environment-variable access.
repo/web/src/env.mjs:815
    LANGFUSE_EE_LICENSE_KEY: process.env.LANGFUSE_EE_LICENSE_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2b734213977e9c08 Environment-variable access.
repo/web/src/env.mjs:816
    ADMIN_API_KEY: process.env.ADMIN_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8950f2c4ed1a6e48 Environment-variable access.
repo/web/src/env.mjs:817
    ENCRYPTION_KEY: process.env.ENCRYPTION_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e1a6830099abda7b Environment-variable access.
repo/web/src/env.mjs:819
    LANGFUSE_CACHE_API_KEY_ENABLED: process.env.LANGFUSE_CACHE_API_KEY_ENABLED,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #288425583531d50b Environment-variable access.
repo/web/src/env.mjs:821
      process.env.LANGFUSE_CACHE_API_KEY_TTL_SECONDS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a72648aba6c129bf Environment-variable access.
repo/web/src/env.mjs:823
      process.env.LANGFUSE_ALLOWED_ORGANIZATION_CREATORS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ddbbac7ee15636e4 Environment-variable access.
repo/web/src/env.mjs:824
    STRIPE_SECRET_KEY: process.env.STRIPE_SECRET_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #617f8b88f399617c Environment-variable access.
repo/web/src/env.mjs:825
    STRIPE_WEBHOOK_SIGNING_SECRET: process.env.STRIPE_WEBHOOK_SIGNING_SECRET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a60331bd1b64a78e Environment-variable access.
repo/web/src/env.mjs:826
    SENTRY_AUTH_TOKEN: process.env.SENTRY_AUTH_TOKEN,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #51fa0285c8d3f2e8 Environment-variable access.
repo/web/src/env.mjs:827
    SENTRY_CSP_REPORT_URI: process.env.SENTRY_CSP_REPORT_URI,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cd5a2534f1320521 Environment-variable access.
repo/web/src/env.mjs:828
    LANGFUSE_RATE_LIMITS_ENABLED: process.env.LANGFUSE_RATE_LIMITS_ENABLED,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d5e59e79c50dbf83 Environment-variable access.
repo/web/src/env.mjs:830
    LANGFUSE_INIT_ORG_ID: process.env.LANGFUSE_INIT_ORG_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7ae03d332f0ef1a6 Environment-variable access.
repo/web/src/env.mjs:831
    LANGFUSE_INIT_ORG_NAME: process.env.LANGFUSE_INIT_ORG_NAME,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5ceb4f813100fc76 Environment-variable access.
repo/web/src/env.mjs:832
    LANGFUSE_INIT_ORG_CLOUD_PLAN: process.env.LANGFUSE_INIT_ORG_CLOUD_PLAN,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6f31c25920108362 Environment-variable access.
repo/web/src/env.mjs:833
    LANGFUSE_INIT_PROJECT_ID: process.env.LANGFUSE_INIT_PROJECT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #490f523166312b73 Environment-variable access.
repo/web/src/env.mjs:834
    LANGFUSE_INIT_PROJECT_NAME: process.env.LANGFUSE_INIT_PROJECT_NAME,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6300fdf81735255d Environment-variable access.
repo/web/src/env.mjs:836
      process.env.LANGFUSE_INIT_PROJECT_RETENTION,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3db4b842f67bddee Environment-variable access.
repo/web/src/env.mjs:838
      process.env.LANGFUSE_INIT_PROJECT_PUBLIC_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #82f90df8ad78e8e0 Environment-variable access.
repo/web/src/env.mjs:840
      process.env.LANGFUSE_INIT_PROJECT_SECRET_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #85ec0992d020dbbd Environment-variable access.
repo/web/src/env.mjs:841
    LANGFUSE_INIT_USER_EMAIL: process.env.LANGFUSE_INIT_USER_EMAIL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dfb37da404ef9554 Environment-variable access.
repo/web/src/env.mjs:842
    LANGFUSE_INIT_USER_NAME: process.env.LANGFUSE_INIT_USER_NAME,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8f703041b5b1f465 Environment-variable access.
repo/web/src/env.mjs:843
    LANGFUSE_INIT_USER_PASSWORD: process.env.LANGFUSE_INIT_USER_PASSWORD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e52a2723a3513599 Environment-variable access.
repo/web/src/env.mjs:844
    NEXT_PUBLIC_BASE_PATH: process.env.NEXT_PUBLIC_BASE_PATH,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #939a54fc67d65b07 Environment-variable access.
repo/web/src/env.mjs:846
      process.env.LANGFUSE_MAX_HISTORIC_EVAL_CREATION_LIMIT,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e3d95d987a625b23 Environment-variable access.
repo/web/src/env.mjs:847
    SLACK_CLIENT_ID: process.env.SLACK_CLIENT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ae94c567b37a0f7a Environment-variable access.
repo/web/src/env.mjs:848
    SLACK_CLIENT_SECRET: process.env.SLACK_CLIENT_SECRET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #563de82e2d6bc6fb Environment-variable access.
repo/web/src/env.mjs:849
    SLACK_STATE_SECRET: process.env.SLACK_STATE_SECRET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #881a75cc5a8866af Environment-variable access.
repo/web/src/env.mjs:852
    LANGFUSE_AWS_BEDROCK_MODEL: process.env.LANGFUSE_AWS_BEDROCK_MODEL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a6ef3413cc66a9aa Environment-variable access.
repo/web/src/env.mjs:854
      process.env.LANGFUSE_AWS_BEDROCK_SMALL_MODEL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7193b78ddfd911db Environment-variable access.
repo/web/src/env.mjs:857
    LANGFUSE_AI_FEATURES_HOST: process.env.LANGFUSE_AI_FEATURES_HOST,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cfe79310a08354a7 Environment-variable access.
repo/web/src/env.mjs:861
      process.env.LANGFUSE_SKIP_FINAL_FOR_OTEL_PROJECTS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1f1d91df146b3360 Environment-variable access.
repo/web/src/env.mjs:865
      process.env.LANGFUSE_AI_FEATURES_PUBLIC_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3a10568606b24004 Environment-variable access.
repo/web/src/env.mjs:867
      process.env.LANGFUSE_AI_FEATURES_SECRET_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #195f77a5fcbb5089 Environment-variable access.
repo/web/src/env.mjs:869
      process.env.LANGFUSE_AI_FEATURES_PROJECT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1b9dd7b6c1c38e0d Environment-variable access.
repo/web/src/env.mjs:872
      process.env.LANGFUSE_API_TRACES_DEFAULT_DATE_RANGE_DAYS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9cb5f5c55c161da7 Environment-variable access.
repo/web/src/env.mjs:874
      process.env.LANGFUSE_API_TRACES_REJECT_NO_DATE_RANGE,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4af7dc136fe4caff Environment-variable access.
repo/web/src/env.mjs:876
      process.env.LANGFUSE_API_TRACES_DEFAULT_FIELDS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fbf08a236774d80c Environment-variable access.
repo/web/src/env.mjs:878
      process.env.LANGFUSE_API_TRACEBYID_DEFAULT_FIELDS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e9bf375505ca818d Environment-variable access.
repo/web/src/env.mjs:880
      process.env.LANGFUSE_MIGRATION_V4_ALLOW_PREVIEW_OPT_IN,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aefb2dcaa5f04cd7 Environment-variable access.
repo/web/src/env.mjs:882
      process.env.LANGFUSE_MIGRATION_V4_WRITE_MODE,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4a9e4b37a70510e0 Environment-variable access.
repo/web/src/env.mjs:885
      process.env.LANGFUSE_DISABLE_LEGACY_TRACING_IO_SEARCH,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ab92f3a48abbbd7e Environment-variable access.
repo/web/src/env.mjs:887
      process.env.LANGFUSE_OBSERVATIONS_V2_SUBQUERY_REWRITE,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #16500eab3789cabc Environment-variable access.
repo/web/src/env.mjs:889
      process.env.LANGFUSE_OBSERVATIONS_V2_SHADOW_QUERY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a2ffda3729960fa3 Environment-variable access.
repo/web/src/env.mjs:891
      process.env.LANGFUSE_OBSERVATIONS_V2_SHADOW_QUERY_SAMPLE_RATE,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #86d8df71e7f564dd Environment-variable access.
repo/web/src/env.mjs:893
      process.env.LANGFUSE_BLOCKED_USERIDS_CHATCOMPLETION,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #00a2036a82641264 Environment-variable access.
repo/web/src/env.mjs:897
  skipValidation: process.env.DOCKER_BUILD === "1",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #752e77c9f8f5433a Hardcoded external endpoint. Review what data is sent to this destination.
repo/web/src/features/cloud-status-notification/server/cloud-status-router.ts:49
        const response = await fetch(
          "https://status.langfuse.com/api/v1/summary",
        );

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #1d3e62e9f514abb8 Environment-variable access.
repo/web/src/features/entitlements/server/getPlan.ts:12
  if (process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #07556821149220cf Environment-variable access.
repo/web/src/features/evals/server/evaluator-preflight.ts:52
      process.env.LANGFUSE_SKIP_EVALUATOR_MODEL_CALL_VALIDATION === "true" ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6e3c9ae5caa19e20 Environment-variable access.
repo/web/src/features/evals/server/evaluator-preflight.ts:53
      process.env.NODE_ENV === "test" ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1acaa79011340482 Environment-variable access.
repo/web/src/features/evals/server/evaluator-preflight.ts:54
      process.env.DATABASE_URL?.includes("langfuse_test")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1c058e0efbe828ec Filesystem access.
repo/web/src/features/evals/utils/code-eval-template-starter-examples.clienttest.ts:22
      module: readFileSync(
        require.resolve("@astral-sh/ruff-wasm-web/ruff_wasm_bg.wasm"),
      ),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1ffcf6fa1f6f2de5 Environment-variable access.
repo/web/src/features/events/lib/v4Rollout.clienttest.ts:6
  const originalRegion = process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #67976853a665fc72 Environment-variable access.
repo/web/src/features/events/lib/v4Rollout.clienttest.ts:18
    process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION = "US";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d8ea821da679a1e0 Environment-variable access.
repo/web/src/features/events/lib/v4Rollout.clienttest.ts:22
    process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION = originalRegion;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e7bb146f69064b02 Environment-variable access.
repo/web/src/features/events/lib/v4Rollout.ts:52
  if (process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION === "DEV") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ce638b2523bae6d1 Environment-variable access.
repo/web/src/features/experiments/components/table/ExperimentsTable.tsx:859
                    const fullUrl = `${process.env.NEXT_PUBLIC_BASE_PATH ?? ""}${experimentUrl}`;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #df4e6c78f29af768 Environment-variable access.
repo/web/src/features/mcp/server/security.ts:57
      process.env.PORT ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cfc1a3887c47be19 Environment-variable access.
repo/web/src/features/posthog-analytics/ServerPosthog.ts:22
      if (process.env.NODE_ENV === "development") this.posthog.debug();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #a27c8335f9a5d5ef Hardcoded external endpoint. Review what data is sent to this destination.
repo/web/src/features/support-chat/pylon/pylonClient.ts:65
  const res = await fetch(`${PYLON_API_BASE}/issues`, {
    method: "POST",
    headers: {
      Authorization: `Bearer ${apiKey}`,
      "Content-Type": "application/json",
    },
    body: JSON.stringify(body),
  });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #dfd270b549ebeb52 Hardcoded external endpoint. Review what data is sent to this destination.
repo/web/src/features/support-chat/pylon/pylonClient.ts:117
  const res = await fetch(`${PYLON_API_BASE}/attachments`, {
    method: "POST",
    headers: {
      Authorization: `Bearer ${apiKey}`,
    },
    body: formData,
  });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #ac8e0763d37bfa39 Environment-variable access.
repo/web/src/features/telemetry/index.ts:23
    if (process.env.NODE_ENV !== "production") return;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #193254a7aa9e6a96 Environment-variable access.
repo/web/src/features/telemetry/index.ts:33
    if (process.env.CI) return;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ed6d772a1daa9464 Environment-variable access.
repo/web/src/features/telemetry/index.ts:271
          environment: process.env.NODE_ENV,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b1c68cf05917b34a Environment-variable access.
repo/web/src/instrumentation.ts:6
    process.env.NEXT_PUBLIC_LANGFUSE_RUN_NEXT_INIT !== undefined

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0a17fdff087446a8 Environment-variable access.
repo/web/src/instrumentation.ts:7
      ? process.env.NEXT_PUBLIC_LANGFUSE_RUN_NEXT_INIT === "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2f9cc20c0550e4e4 Environment-variable access.
repo/web/src/instrumentation.ts:10
  if (process.env.NEXT_RUNTIME === "nodejs" && isInitLoadingEnabled) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2efe4f427126a7c4 Environment-variable access.
repo/web/src/pages/_app.tsx:87
  process.env.NEXT_PUBLIC_POSTHOG_KEY &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b7f2a43c6767e334 Environment-variable access.
repo/web/src/pages/_app.tsx:88
  process.env.NEXT_PUBLIC_POSTHOG_HOST

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0ae97be16e9b9aba Environment-variable access.
repo/web/src/pages/_app.tsx:90
  posthog.init(process.env.NEXT_PUBLIC_POSTHOG_KEY, {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7c8531a1a8ff1c63 Environment-variable access.
repo/web/src/pages/_app.tsx:91
    api_host: process.env.NEXT_PUBLIC_POSTHOG_HOST || "https://eu.posthog.com",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #189452626166ebe1 Environment-variable access.
repo/web/src/pages/_app.tsx:95
      if (process.env.NODE_ENV === "development") posthog.debug();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #821bcf9fb2b593cf Environment-variable access.
repo/web/src/pages/_app.tsx:194
          environment: process.env.NODE_ENV,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d0aa2fb911594cee Environment-variable access.
repo/web/src/pages/_app.tsx:246
  process.env.NEXT_RUNTIME === "nodejs" &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #454e5761e36ac2c4 Environment-variable access.
repo/web/src/pages/_app.tsx:247
  process.env.NEXT_MANUAL_SIG_HANDLE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3848fbf1acfdec0c Environment-variable access.
repo/web/src/server/utils/cookies.ts:13
  env.NEXTAUTH_URL.startsWith("https://") || process.env.VERCEL === "1";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d78c32d6462be4b8 Environment-variable access.
repo/web/src/utils/api.ts:36
      : process.env.VERCEL_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8db5bf6c52bdd239 Environment-variable access.
repo/web/src/utils/api.ts:37
        ? `https://${process.env.VERCEL_URL}`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ab09c81f578a0191 Environment-variable access.
repo/web/src/utils/api.ts:38
        : `http://localhost:${process.env.PORT ?? 3000}`;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #03bfd49dca384988 Environment-variable access.
repo/web/src/utils/api.ts:163
        !!process.env.NEXT_PUBLIC_BUILD_ID &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4fd11df0b27944f3 Environment-variable access.
repo/web/src/utils/api.ts:164
        buildId !== process.env.NEXT_PUBLIC_BUILD_ID

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1518bc3d01f3c12a Environment-variable access.
repo/web/src/utils/api.ts:308
          enabled: () => process.env.NODE_ENV === "development",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3a1648f28a094484 Environment-variable access.
repo/web/src/utils/api.ts:382
      enabled: () => process.env.NODE_ENV === "development",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #04eed6cdab46292d Environment-variable access.
repo/web/src/utils/shutdown.ts:29
  Boolean(process.env.NEXT_MANUAL_SIG_HANDLE) && globalThis.sigtermReceived;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): worker

npm first-party
high pii_flow production #1b2558272a8fc42b User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/worker/src/scripts/replayIngestionEventsV2/replay.ts:263 · flow /tmp/closeopen-yihwgiie/repo/worker/src/scripts/replayIngestionEventsV2/replay.ts:56 → /tmp/closeopen-yihwgiie/repo/worker/src/scripts/replayIngestionEventsV2/replay.ts:263
    const resp = await fetch(API_URL, {
      method: "POST",
      headers: {
        "Content-Type": "application/json",
        Authorization: `Bearer ${ADMIN_API_KEY}`,
      },
      body: JSON.stringify({ keys }),
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium telemetry production #a4654708b5467ef4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/mixpanel/handleMixpanelIntegrationProjectJob.ts:35
  const hadEvents = mixpanel.getBatchSize() > 0;

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #1ac34ad097cdf46d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/mixpanel/handleMixpanelIntegrationProjectJob.ts:36
  await mixpanel.flush();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #895bc96e0601c75e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/mixpanel/handleMixpanelIntegrationProjectJob.ts:75
    mixpanel.addEvent(event);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d4812cbf4ac0e214 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/mixpanel/handleMixpanelIntegrationProjectJob.ts:110
    mixpanel.addEvent(event);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #001a4cc52259a610 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/mixpanel/handleMixpanelIntegrationProjectJob.ts:145
    mixpanel.addEvent(event);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e6039f6f094d9cbe Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/mixpanel/handleMixpanelIntegrationProjectJob.ts:179
    mixpanel.addEvent(event);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #967e462aadf5afcc Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/mixpanel/handleMixpanelIntegrationProjectJob.ts:291
      bytes: mixpanel.getSerializedBytes(),

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #0dc67c34907e3848 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/posthog/handlePostHogIntegrationProjectJob.ts:21
import { PostHog } from "posthog-node";

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #cc38b2683d3bd49c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/posthog/handlePostHogIntegrationProjectJob.ts:93
  posthog.on("error", (error) => {
    logger.error(
      `[POSTHOG] Error sending traces to PostHog for project ${config.projectId}: ${error}`,
    );
    sendError = error instanceof Error ? error : new Error(String(error));
  });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #55085842ba9586d1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/posthog/handlePostHogIntegrationProjectJob.ts:105
    posthog.capture(event);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #0de76015c2b9a98c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/posthog/handlePostHogIntegrationProjectJob.ts:107
      await posthog.flush();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a82fc9d0c0f5ff92 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/posthog/handlePostHogIntegrationProjectJob.ts:114
  await posthog.flush();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #59bcd6794891c0ca Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/posthog/handlePostHogIntegrationProjectJob.ts:142
  posthog.on("error", (error) => {
    logger.error(
      `[POSTHOG] Error sending generations to PostHog for project ${config.projectId}: ${error}`,
    );
    sendError = error instanceof Error ? error : new Error(String(error));
  });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #0a3eae7d7c3e59cc Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/posthog/handlePostHogIntegrationProjectJob.ts:154
    posthog.capture(event);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #0506c7772007d44c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/posthog/handlePostHogIntegrationProjectJob.ts:156
      await posthog.flush();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #5c97b2bad19fc655 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/posthog/handlePostHogIntegrationProjectJob.ts:163
  await posthog.flush();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #c8d4de50ec0cf8c7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/posthog/handlePostHogIntegrationProjectJob.ts:191
  posthog.on("error", (error) => {
    logger.error(
      `[POSTHOG] Error sending scores to PostHog for project ${config.projectId}: ${error}`,
    );
    sendError = error instanceof Error ? error : new Error(String(error));
  });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e0352961d3dbab3c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/posthog/handlePostHogIntegrationProjectJob.ts:203
    posthog.capture(event);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #db0809f3b22a732c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/posthog/handlePostHogIntegrationProjectJob.ts:205
      await posthog.flush();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #10170d3aaa9bdcd0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/posthog/handlePostHogIntegrationProjectJob.ts:212
  await posthog.flush();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #3732fe3e20a8d512 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/posthog/handlePostHogIntegrationProjectJob.ts:239
  posthog.on("error", (error) => {
    logger.error(
      `[POSTHOG] Error sending events to PostHog for project ${config.projectId}: ${error}`,
    );
    sendError = error instanceof Error ? error : new Error(String(error));
  });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #bb07953229111fc5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/posthog/handlePostHogIntegrationProjectJob.ts:251
    posthog.capture(event);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #78cbbbf33f30cb41 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/posthog/handlePostHogIntegrationProjectJob.ts:253
      await posthog.flush();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #f1d1864c4ce995f7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/worker/src/features/posthog/handlePostHogIntegrationProjectJob.ts:259
  await posthog.flush();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 175 low-confidence finding(s)
low env_fs test-only #f835243c28acd972 Environment-variable access.
repo/worker/src/__tests__/batchAction.test.ts:41
  process.env.LANGFUSE_MIGRATION_V4_ALLOW_PREVIEW_OPT_IN === "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bcc277ce187890ee Environment-variable access.
repo/worker/src/__tests__/batchExport.test.ts:30
process.env.LANGFUSE_DATASET_SERVICE_READ_FROM_VERSIONED_IMPLEMENTATION =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #931e2298cc7d9159 Environment-variable access.
repo/worker/src/__tests__/batchExport.test.ts:32
process.env.LANGFUSE_DATASET_SERVICE_WRITE_TO_VERSIONED_IMPLEMENTATION = "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9c066ae36726de29 Environment-variable access.
repo/worker/src/__tests__/batchExport.test.ts:35
  process.env.LANGFUSE_MIGRATION_V4_ALLOW_PREVIEW_OPT_IN === "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e12ef5f4413aad93 Environment-variable access.
repo/worker/src/__tests__/blobStorageIntegrationProcessing.test.ts:13
  const cloudRegion = process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f286b6de4b37c415 Environment-variable access.
repo/worker/src/__tests__/blobStorageIntegrationProcessing.test.ts:14
  delete process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d11d98bbbc8ffd0c Environment-variable access.
repo/worker/src/__tests__/blobStorageIntegrationProcessing.test.ts:67
  process.env.LANGFUSE_MIGRATION_V4_ALLOW_PREVIEW_OPT_IN === "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #887f12590c3b585c Environment-variable access.
repo/worker/src/__tests__/blobStorageIntegrationProcessing.test.ts:106
      process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION = originalCloudRegion;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #80abdf0fcd357f5c Environment-variable access.
repo/worker/src/__tests__/blobStorageIntegrationProcessing.test.ts:108
      delete process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fe6a8d3810ae5247 Environment-variable access.
repo/worker/src/__tests__/bullmqVersionCheckOptions.test.ts:22
  delete process.env.REDIS_CLUSTER_NODES;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b451aa117865cf5b Environment-variable access.
repo/worker/src/__tests__/bullmqVersionCheckOptions.test.ts:23
  delete process.env.REDIS_SENTINEL_NODES;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ebff3d671f383626 Environment-variable access.
repo/worker/src/__tests__/bullmqVersionCheckOptions.test.ts:24
  delete process.env.REDIS_SENTINEL_MASTER_NAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3b94b0973da6d770 Environment-variable access.
repo/worker/src/__tests__/bullmqVersionCheckOptions.test.ts:25
  delete process.env.REDIS_SENTINEL_USERNAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #75a6a8a60ace20d2 Environment-variable access.
repo/worker/src/__tests__/bullmqVersionCheckOptions.test.ts:26
  delete process.env.REDIS_SENTINEL_PASSWORD;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #885a0c9daab4475a Environment-variable access.
repo/worker/src/__tests__/bullmqVersionCheckOptions.test.ts:38
    process.env[key] = value;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2c2e9406dd528922 Environment-variable access.
repo/worker/src/__tests__/bullmqVersionCheckOptions.test.ts:100
    delete process.env.LANGFUSE_BULLMQ_SKIP_REDIS_VERSION_CHECK;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #57292b7d9826a63f Environment-variable access.
repo/worker/src/__tests__/bullmqVersionCheckOptions.test.ts:115
    process.env.LANGFUSE_BULLMQ_SKIP_REDIS_VERSION_CHECK = "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #de498862c75912c3 Environment-variable access.
repo/worker/src/__tests__/bullmqVersionCheckOptions.test.ts:139
    process.env.LANGFUSE_BULLMQ_SKIP_REDIS_VERSION_CHECK = "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e233e4efe2d7ec95 Filesystem access.
repo/worker/src/__tests__/chatml/framework-traces/download_traces.js:225
    fs.writeFileSync(path.join(__dirname, fileName), content, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5b98748a6d9f27e7 Filesystem access.
repo/worker/src/__tests__/chatml/integration.test.ts:2
import { readFileSync, existsSync, writeFileSync, readdirSync } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #03e4d20f1c25f52c Filesystem access.
repo/worker/src/__tests__/chatml/integration.test.ts:535
      const traceContent = readFileSync(traceFilePath, "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6507d4bb1bc60516 Filesystem access.
repo/worker/src/__tests__/chatml/integration.test.ts:544
        writeFileSync(expectedFilePath, JSON.stringify({}, null, 2), "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2bf9ddabc160051b Filesystem access.
repo/worker/src/__tests__/chatml/integration.test.ts:549
      const expectedContent = readFileSync(expectedFilePath, "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #67a8681a5b7cb43a Filesystem access.
repo/worker/src/__tests__/chatml/integration.test.ts:636
    const expectedContent = readFileSync(expectedFilePath, "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a4038acb23e84adb Filesystem access.
repo/worker/src/__tests__/chatml/integration.test.ts:640
    writeFileSync(expectedFilePath, JSON.stringify({}, null, 2), "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #67a222c4812e19af Filesystem access.
repo/worker/src/__tests__/chatml/integration.test.ts:646
  writeFileSync(expectedFilePath, JSON.stringify(expected, null, 2), "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a36166f6950ab50b Environment-variable access.
repo/worker/src/__tests__/encryption.test.ts:8
const originalEnv = process.env.ENCRYPTION_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #62a05f28df71bf35 Environment-variable access.
repo/worker/src/__tests__/encryption.test.ts:12
  process.env.ENCRYPTION_KEY =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #dedb43c3fb029f88 Environment-variable access.
repo/worker/src/__tests__/encryption.test.ts:18
  process.env.ENCRYPTION_KEY = originalEnv;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3e1848d5e85388a4 Environment-variable access.
repo/worker/src/__tests__/evalService.filtering.test.ts:21
let OPENAI_API_KEY = process.env.OPENAI_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6746acc7d18d23c9 Environment-variable access.
repo/worker/src/__tests__/evalService.filtering.test.ts:25
  OPENAI_API_KEY || process.env.LANGFUSE_LLM_CONNECTION_OPENAI_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bbf27b3902f7a37f Environment-variable access.
repo/worker/src/__tests__/evalService.test.ts:52
let OPENAI_API_KEY = process.env.OPENAI_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #215ab195ee49296c Environment-variable access.
repo/worker/src/__tests__/evalService.test.ts:56
  OPENAI_API_KEY || process.env.LANGFUSE_LLM_CONNECTION_OPENAI_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fb1a0e841a1219e8 Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionErrors.test.ts:30
process.env.CLICKHOUSE_URL ??= "http://localhost:8123";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1c7a073c8217bcc7 Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionErrors.test.ts:31
process.env.CLICKHOUSE_USER ??= "default";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #58a1cb255e3d47ba Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionErrors.test.ts:32
process.env.CLICKHOUSE_PASSWORD ??= "password";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9bd1abd85152ad38 Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionErrors.test.ts:33
process.env.LANGFUSE_S3_EVENT_UPLOAD_BUCKET ??= "test-bucket";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b7c58c82cb1184a2 Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionErrors.test.ts:34
process.env.ENCRYPTION_KEY ??=

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c7822c104dd3b093 Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionReasoning.test.ts:78
process.env.CLICKHOUSE_URL ??= "http://localhost:8123";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f1a5515e56f7e6c7 Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionReasoning.test.ts:79
process.env.CLICKHOUSE_USER ??= "default";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ce13c97851ef0cd5 Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionReasoning.test.ts:80
process.env.CLICKHOUSE_PASSWORD ??= "password";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9da66ea9282acac8 Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionReasoning.test.ts:81
process.env.LANGFUSE_S3_EVENT_UPLOAD_BUCKET ??= "test-bucket";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d8f00a187651d60e Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionReasoning.test.ts:82
process.env.ENCRYPTION_KEY ??=

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7752b1f2a80b3c2b Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionReasoning.test.ts:98
    originalCloudRegion = process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8f7b4d19750315bd Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionReasoning.test.ts:99
    delete process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8d2b955130c166c3 Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionReasoning.test.ts:114
      delete process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #376ea7f536c993e8 Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionReasoning.test.ts:116
      process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION = originalCloudRegion;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f2fe15eea074264a Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionTimeout.test.ts:28
process.env.CLICKHOUSE_URL ??= "http://localhost:8123";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #271f197a87124980 Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionTimeout.test.ts:29
process.env.CLICKHOUSE_USER ??= "default";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0ef222884f36d95d Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionTimeout.test.ts:30
process.env.CLICKHOUSE_PASSWORD ??= "password";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3bf975ab9d9f7fb3 Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionTimeout.test.ts:31
process.env.LANGFUSE_S3_EVENT_UPLOAD_BUCKET ??= "test-bucket";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f7a5e7f9e0539eab Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionTimeout.test.ts:32
process.env.ENCRYPTION_KEY ??=

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c28d1bee0b9752f8 Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionTimeout.test.ts:74
    originalCloudRegion = process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #55c832541810a579 Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionTimeout.test.ts:75
    delete process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a5868dbba73ac9d4 Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionTimeout.test.ts:97
      delete process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #84c9140d412c5bee Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionTimeout.test.ts:99
      process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION = originalCloudRegion;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #793c91d8a7c4c7c9 Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionTimeout.test.ts:236
    originalCloudRegion = process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #11b1a7463e16ee3c Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionTimeout.test.ts:237
    delete process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c2d64ebd71114d92 Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionTimeout.test.ts:264
      delete process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7604a173c71e16d0 Environment-variable access.
repo/worker/src/__tests__/fetchLLMCompletionTimeout.test.ts:266
      process.env.NEXT_PUBLIC_LANGFUSE_CLOUD_REGION = originalCloudRegion;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress test-only #4e135ac8c4345141 Hardcoded external endpoint. Review what data is sent to this destination.
repo/worker/src/__tests__/ingestionMasking.test.ts:86
      http.post("https://masking.example.com/success", async ({ request }) => {
        this.receivedRequests.push({
          url: request.url,
          method: request.method,
          headers: Object.fromEntries(request.headers.entries()),
          body: await request.json(),
        });
        return HttpResponse.json(maskedSpanData, { status: 200 });
      }),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #3f5570f8db940886 Hardcoded external endpoint. Review what data is sent to this destination.
repo/worker/src/__tests__/ingestionMasking.test.ts:97
      http.post("https://masking.example.com/echo", async ({ request }) => {
        const body = await request.json();
        this.receivedRequests.push({
          url: request.url,
          method: request.method,
          headers: Object.fromEntries(request.headers.entries()),
          body,
        });
        return HttpResponse.json(body, { status: 200 });
      }),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #2e1ff12e728637aa Hardcoded external endpoint. Review what data is sent to this destination.
repo/worker/src/__tests__/ingestionMasking.test.ts:109
      http.post("https://masking.example.com/error", async ({ request }) => {
        this.receivedRequests.push({
          url: request.url,
          method: request.method,
          headers: Object.fromEntries(request.headers.entries()),
          body: await request.json(),
        });
        return HttpResponse.json(
          { error: "Internal Server Error" },
          { status: 500 },
        );
      }),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #2eb1720af58ac188 Hardcoded external endpoint. Review what data is sent to this destination.
repo/worker/src/__tests__/ingestionMasking.test.ts:123
      http.post("https://masking.example.com/timeout", async ({ request }) => {
        this.receivedRequests.push({
          url: request.url,
          method: request.method,
          headers: Object.fromEntries(request.headers.entries()),
          body: await request.json(),
        });
        // Delay longer than the timeout
        await delay(5000);
        return HttpResponse.json(maskedSpanData, { status: 200 });
      }),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs test-only #ca4580127eb83adb Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:246
      if (!process.env.LANGFUSE_LLM_CONNECTION_OPENAI_KEY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e8ecca4fb72f4b7a Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:275
          secretKey: encrypt(process.env.LANGFUSE_LLM_CONNECTION_OPENAI_KEY!),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8a7931f2b9353271 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:303
          secretKey: encrypt(process.env.LANGFUSE_LLM_CONNECTION_OPENAI_KEY!),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f046499c3f334dd8 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:330
        secretKey: encrypt(process.env.LANGFUSE_LLM_CONNECTION_OPENAI_KEY!),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #876540a7711cc9f0 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:356
          secretKey: encrypt(process.env.LANGFUSE_LLM_CONNECTION_OPENAI_KEY!),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #82121c5edd4da4c3 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:372
      if (!process.env.LANGFUSE_LLM_CONNECTION_ANTHROPIC_KEY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a244678ffcdb4139 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:402
            process.env.LANGFUSE_LLM_CONNECTION_ANTHROPIC_KEY!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #25eb9f32b801e33b Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:432
            process.env.LANGFUSE_LLM_CONNECTION_ANTHROPIC_KEY!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1cf2fe4ebb63eccf Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:460
        secretKey: encrypt(process.env.LANGFUSE_LLM_CONNECTION_ANTHROPIC_KEY!),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4e12c872ca4ada1e Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:487
            process.env.LANGFUSE_LLM_CONNECTION_ANTHROPIC_KEY!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7267e0838edbf553 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:502
      if (!process.env.LANGFUSE_LLM_CONNECTION_AZURE_KEY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #613a539e492da643 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:509
      if (!process.env.LANGFUSE_LLM_CONNECTION_AZURE_BASE_URL) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #39941161ba70f9af Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:516
      if (!process.env.LANGFUSE_LLM_CONNECTION_AZURE_MODEL) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f2e6ccdbdfa61eaf Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:540
          model: process.env.LANGFUSE_LLM_CONNECTION_AZURE_MODEL!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6a8f92e58d2c5b32 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:545
          secretKey: encrypt(process.env.LANGFUSE_LLM_CONNECTION_AZURE_KEY!),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5153749eb9e24461 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:546
          baseURL: process.env.LANGFUSE_LLM_CONNECTION_AZURE_BASE_URL!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bc3af9ad62b9ba1d Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:569
          model: process.env.LANGFUSE_LLM_CONNECTION_AZURE_MODEL!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7b5104be2b4bd772 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:574
          secretKey: encrypt(process.env.LANGFUSE_LLM_CONNECTION_AZURE_KEY!),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #31e49252ba43b02b Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:575
          baseURL: process.env.LANGFUSE_LLM_CONNECTION_AZURE_BASE_URL!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d1b54cde8da595c9 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:597
        model: process.env.LANGFUSE_LLM_CONNECTION_AZURE_MODEL!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cabe1bf62c96f6eb Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:602
        secretKey: encrypt(process.env.LANGFUSE_LLM_CONNECTION_AZURE_KEY!),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #19a3c5df01beac57 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:603
        baseURL: process.env.LANGFUSE_LLM_CONNECTION_AZURE_BASE_URL!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #35d663535ff9b8a4 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:623
          model: process.env.LANGFUSE_LLM_CONNECTION_AZURE_MODEL!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0dd0b0b1a025d340 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:629
          secretKey: encrypt(process.env.LANGFUSE_LLM_CONNECTION_AZURE_KEY!),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fd5c54e715727887 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:630
          baseURL: process.env.LANGFUSE_LLM_CONNECTION_AZURE_BASE_URL!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7282c80994083753 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:646
      if (!process.env.LANGFUSE_LLM_CONNECTION_BEDROCK_ACCESS_KEY_ID) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #dbb2048572f7098a Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:653
      if (!process.env.LANGFUSE_LLM_CONNECTION_BEDROCK_SECRET_ACCESS_KEY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a8e9e0f62e0d7bff Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:660
      if (!process.env.LANGFUSE_LLM_CONNECTION_BEDROCK_REGION) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f260c39bc82c09a5 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:672
        accessKeyId: process.env.LANGFUSE_LLM_CONNECTION_BEDROCK_ACCESS_KEY_ID!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8c85802dfdd04dcb Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:674
          process.env.LANGFUSE_LLM_CONNECTION_BEDROCK_SECRET_ACCESS_KEY!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #22777416d3fa7401 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:680
        region: process.env.LANGFUSE_LLM_CONNECTION_BEDROCK_REGION!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3d068edbd3333f81 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:806
      if (!process.env.LANGFUSE_LLM_CONNECTION_BEDROCK_API_KEY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ad56df649f003749 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:813
      if (!process.env.LANGFUSE_LLM_CONNECTION_BEDROCK_REGION) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f531ec8e74d31e41 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:825
        apiKey: process.env.LANGFUSE_LLM_CONNECTION_BEDROCK_API_KEY!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a7fb6fbe1e8b036a Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:830
      region: process.env.LANGFUSE_LLM_CONNECTION_BEDROCK_REGION!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #005c372837342852 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:905
      if (!process.env.LANGFUSE_LLM_CONNECTION_VERTEXAI_KEY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #75dcc3b868bbf723 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:934
          secretKey: encrypt(process.env.LANGFUSE_LLM_CONNECTION_VERTEXAI_KEY!),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c1516f0fca3f1888 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:968
              process.env.LANGFUSE_LLM_CONNECTION_VERTEXAI_KEY!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #631349498add87fb Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:1011
          secretKey: encrypt(process.env.LANGFUSE_LLM_CONNECTION_VERTEXAI_KEY!),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #227fc0975f14ab3a Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:1039
        secretKey: encrypt(process.env.LANGFUSE_LLM_CONNECTION_VERTEXAI_KEY!),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f10dde56743d332d Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:1066
          secretKey: encrypt(process.env.LANGFUSE_LLM_CONNECTION_VERTEXAI_KEY!),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #63db481113e53967 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:1100
          secretKey: encrypt(process.env.LANGFUSE_LLM_CONNECTION_VERTEXAI_KEY!),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bddb664401aedb01 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:1137
          secretKey: encrypt(process.env.LANGFUSE_LLM_CONNECTION_VERTEXAI_KEY!),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f67de35c126bb5b9 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:1153
      if (!process.env.LANGFUSE_LLM_CONNECTION_GOOGLEAISTUDIO_KEY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e442405835495df9 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:1184
              process.env.LANGFUSE_LLM_CONNECTION_GOOGLEAISTUDIO_KEY!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #60379330242c654e Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:1217
              process.env.LANGFUSE_LLM_CONNECTION_GOOGLEAISTUDIO_KEY!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cdd88d29d6d8a431 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:1247
          process.env.LANGFUSE_LLM_CONNECTION_GOOGLEAISTUDIO_KEY!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #49905079f7749cc7 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:1277
              process.env.LANGFUSE_LLM_CONNECTION_GOOGLEAISTUDIO_KEY!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #517e4008cf7bf4d0 Environment-variable access.
repo/worker/src/__tests__/llmConnections.test.ts:1315
              process.env.LANGFUSE_LLM_CONNECTION_GOOGLEAISTUDIO_KEY!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #56bb2b77834a3181 Environment-variable access.
repo/worker/src/__tests__/modelMatch.test.ts:24
  process.env.LANGFUSE_LOCAL_CACHE_MODEL_MATCH_ENABLED;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0f9aaeb030a8c997 Environment-variable access.
repo/worker/src/__tests__/modelMatch.test.ts:28
    process.env.LANGFUSE_LOCAL_CACHE_MODEL_MATCH_ENABLED = "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #de29303b94c41c7e Environment-variable access.
repo/worker/src/__tests__/modelMatch.test.ts:47
      delete process.env.LANGFUSE_LOCAL_CACHE_MODEL_MATCH_ENABLED;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f22caf9d6f885af6 Environment-variable access.
repo/worker/src/__tests__/modelMatch.test.ts:49
      process.env.LANGFUSE_LOCAL_CACHE_MODEL_MATCH_ENABLED =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress test-only #35878d3443bfd88b Hardcoded external endpoint. Review what data is sent to this destination.
repo/worker/src/__tests__/monitorWorkerIntegration.test.ts:287
      http.post("https://webhook.example.com/*", async ({ request }) => {
        this.receivedRequests.push({
          url: request.url,
          method: request.method,
          body: JSON.stringify(await request.json()),
        });
        return HttpResponse.json({ success: true }, { status: 200 });
      }),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #32a608940ba8aa51 Hardcoded external endpoint. Review what data is sent to this destination.
repo/worker/src/__tests__/network.ts:44
  return http.post("https://api.openai.com/v1/chat/completions", async () => {
    logger.info("openai handler");
    return response;
  });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs test-only #abf3a8916355aa81 Environment-variable access.
repo/worker/src/__tests__/thresholdProcessing.test.ts:6
  process.env.LANGFUSE_FREE_TIER_USAGE_THRESHOLD_ENFORCEMENT_ENABLED = "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2b197a18577238ad Environment-variable access.
repo/worker/src/__tests__/thresholdProcessing.test.ts:326
        process.env.LANGFUSE_FREE_TIER_USAGE_THRESHOLD_ENFORCEMENT_ENABLED;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #581a71f7ba522308 Environment-variable access.
repo/worker/src/__tests__/thresholdProcessing.test.ts:327
      process.env.LANGFUSE_FREE_TIER_USAGE_THRESHOLD_ENFORCEMENT_ENABLED =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9b65a4608aee1f1f Environment-variable access.
repo/worker/src/__tests__/thresholdProcessing.test.ts:354
      process.env.LANGFUSE_FREE_TIER_USAGE_THRESHOLD_ENFORCEMENT_ENABLED =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3806eac1f5ab935e Environment-variable access.
repo/worker/src/__tests__/thresholdProcessing.test.ts:362
        process.env.LANGFUSE_FREE_TIER_USAGE_THRESHOLD_ENFORCEMENT_ENABLED;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #997806be4ec9ef89 Environment-variable access.
repo/worker/src/__tests__/thresholdProcessing.test.ts:363
      process.env.LANGFUSE_FREE_TIER_USAGE_THRESHOLD_ENFORCEMENT_ENABLED =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ad97aa4b7392dfc8 Environment-variable access.
repo/worker/src/__tests__/thresholdProcessing.test.ts:388
      process.env.LANGFUSE_FREE_TIER_USAGE_THRESHOLD_ENFORCEMENT_ENABLED =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #493d24b29aba45cb Environment-variable access.
repo/worker/src/__tests__/thresholdProcessing.test.ts:396
        process.env.LANGFUSE_FREE_TIER_USAGE_THRESHOLD_ENFORCEMENT_ENABLED;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fe2478fd029330a9 Environment-variable access.
repo/worker/src/__tests__/thresholdProcessing.test.ts:397
      process.env.LANGFUSE_FREE_TIER_USAGE_THRESHOLD_ENFORCEMENT_ENABLED =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #73d7cd8d4120a58c Environment-variable access.
repo/worker/src/__tests__/thresholdProcessing.test.ts:420
      process.env.LANGFUSE_FREE_TIER_USAGE_THRESHOLD_ENFORCEMENT_ENABLED =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #373c4aa1f789a997 Environment-variable access.
repo/worker/src/__tests__/thresholdProcessing.test.ts:428
        process.env.LANGFUSE_FREE_TIER_USAGE_THRESHOLD_ENFORCEMENT_ENABLED;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #dc93f35000b8aafd Environment-variable access.
repo/worker/src/__tests__/thresholdProcessing.test.ts:429
      process.env.LANGFUSE_FREE_TIER_USAGE_THRESHOLD_ENFORCEMENT_ENABLED =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2e30b980867a3afc Environment-variable access.
repo/worker/src/__tests__/thresholdProcessing.test.ts:462
      process.env.LANGFUSE_FREE_TIER_USAGE_THRESHOLD_ENFORCEMENT_ENABLED =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #264f2687bcfaccdb Environment-variable access.
repo/worker/src/__tests__/usageThresholdCacheInvalidation.test.ts:15
  process.env.LANGFUSE_FREE_TIER_USAGE_THRESHOLD_ENFORCEMENT_ENABLED = "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4c905550cef5b647 Environment-variable access.
repo/worker/src/__tests__/usageThresholdCacheInvalidation.test.ts:19
const SALT = process.env.SALT || "test-salt-for-hashing";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress test-only #7d507385c2c4d033 Hardcoded external endpoint. Review what data is sent to this destination.
repo/worker/src/__tests__/webhook-redirect.test.ts:206
        http.post("https://redirector.example.com/step1", () => {
          step1Called = true;
          return new Response(null, {
            status: 302,
            headers: { Location: "https://final.example.com/webhook" },
          });
        }),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #8c146ad5aeb5ca1f Hardcoded external endpoint. Review what data is sent to this destination.
repo/worker/src/__tests__/webhook-redirect.test.ts:213
        http.post("https://final.example.com/webhook", () => {
          step2Called = true;
          return HttpResponse.json({ success: true }, { status: 200 });
        }),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #ebc6eeb2f96415a2 Hardcoded external endpoint. Review what data is sent to this destination.
repo/worker/src/__tests__/webhook-redirect.test.ts:244
        http.post("https://redirector.example.com/step1", () => {
          callOrder.push("step1");
          return new Response(null, {
            status: 302,
            headers: { Location: "https://redirector.example.com/step2" },
          });
        }),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #3be8bf55e099ebc0 Hardcoded external endpoint. Review what data is sent to this destination.
repo/worker/src/__tests__/webhook-redirect.test.ts:251
        http.post("https://redirector.example.com/step2", () => {
          callOrder.push("step2");
          return new Response(null, {
            status: 302,
            headers: { Location: "https://redirector.example.com/step3" },
          });
        }),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #c720d16e730e8c0c Hardcoded external endpoint. Review what data is sent to this destination.
repo/worker/src/__tests__/webhook-redirect.test.ts:258
        http.post("https://redirector.example.com/step3", () => {
          callOrder.push("step3");
          return HttpResponse.json({ success: true }, { status: 200 });
        }),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #5c600c5259c41d5b Hardcoded external endpoint. Review what data is sent to this destination.
repo/worker/src/__tests__/webhook-redirect.test.ts:288
        http.post("https://direct.example.com/webhook", () => {
          called = true;
          return HttpResponse.json({ success: true }, { status: 200 });
        }),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #4b19e571fb622291 Hardcoded external endpoint. Review what data is sent to this destination.
repo/worker/src/__tests__/webhook-redirect.test.ts:318
        http.post("https://relative-redirect.example.com/start", () => {
          return new Response(null, {
            status: 302,
            headers: { Location: "/final" }, // Relative URL
          });
        }),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #54ea9f6613861dab Hardcoded external endpoint. Review what data is sent to this destination.
repo/worker/src/__tests__/webhook-redirect.test.ts:324
        http.post("https://relative-redirect.example.com/final", () => {
          finalCalled = true;
          return HttpResponse.json({ success: true }, { status: 200 });
        }),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #b3df7e1ef7fdf4c7 Hardcoded external endpoint. Review what data is sent to this destination.
repo/worker/src/__tests__/webhook-redirect.test.ts:396
        http.post("https://circular.example.com/a", () => {
          return new Response(null, {
            status: 302,
            headers: { Location: "https://circular.example.com/b" },
          });
        }),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #f0059c20e640e6cc Hardcoded external endpoint. Review what data is sent to this destination.
repo/worker/src/__tests__/webhook-redirect.test.ts:402
        http.post("https://circular.example.com/b", () => {
          return new Response(null, {
            status: 302,
            headers: { Location: "https://circular.example.com/a" },
          });
        }),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #2b699cb7340eb808 Hardcoded external endpoint. Review what data is sent to this destination.
repo/worker/src/__tests__/webhook-redirect.test.ts:431
        http.post("https://broken-redirect.example.com/hook", () => {
          // Return 302 without Location header
          return new Response(null, { status: 302 });
        }),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #c5c30ae23920b622 Hardcoded external endpoint. Review what data is sent to this destination.
repo/worker/src/__tests__/webhooks.test.ts:48
      http.post("https://webhook.example.com/*", async ({ request }) => {
        this.receivedRequests.push({
          url: request.url,
          method: request.method,
          headers: Object.fromEntries(request.headers.entries()),
          body: JSON.stringify(await request.json()),
        });
        return HttpResponse.json({ success: true }, { status: 200 });
      }),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #8412954dfc848338 Hardcoded external endpoint. Review what data is sent to this destination.
repo/worker/src/__tests__/webhooks.test.ts:59
      http.post("https://webhook-error.example.com/*", async ({ request }) => {
        this.receivedRequests.push({
          url: request.url,
          method: request.method,
          headers: Object.fromEntries(request.headers.entries()),
          body: JSON.stringify(await request.json()),
        });
        return HttpResponse.json(
          { error: "Internal Server Error" },
          { status: 500 },
        );
      }),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #09e4f2c1a10f7f56 Hardcoded external endpoint. Review what data is sent to this destination.
repo/worker/src/__tests__/webhooks.test.ts:73
      http.post("https://webhook-201.example.com/*", async ({ request }) => {
        this.receivedRequests.push({
          url: request.url,
          method: request.method,
          headers: Object.fromEntries(request.headers.entries()),
          body: JSON.stringify(await request.json()),
        });
        return HttpResponse.json({ success: true }, { status: 201 });
      }),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #1d1b8991b61e8822 Hardcoded external endpoint. Review what data is sent to this destination.
repo/worker/src/__tests__/webhooks.test.ts:84
      http.post("https://webhook-timeout.example.com/*", () => {
        return HttpResponse.error();
      }),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #a051f74942631c1d Environment-variable access.
repo/worker/src/env.ts:612
  process.env.DOCKER_BUILD === "1" // eslint-disable-line turbo/no-undeclared-env-vars

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bfe7c839ae13472e Environment-variable access.
repo/worker/src/features/evaluation/codeBased/awsLambdaCodeEvalDispatcher.integration.test.ts:9
const endpoint = process.env.LANGFUSE_CODE_EVAL_AWS_LAMBDA_ENDPOINT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #96232ad14e62fedc Environment-variable access.
repo/worker/src/features/evaluation/codeBased/awsLambdaCodeEvalDispatcher.integration.test.ts:13
process.env.AWS_ACCESS_KEY_ID ??= "test";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8c812234e5a7faaf Environment-variable access.
repo/worker/src/features/evaluation/codeBased/awsLambdaCodeEvalDispatcher.integration.test.ts:14
process.env.AWS_SECRET_ACCESS_KEY ??= "test";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #313151e18ab43a9f Environment-variable access.
repo/worker/src/features/evaluation/codeBased/awsLambdaCodeEvalDispatcher.integration.test.ts:15
process.env.AWS_REGION ??= "us-east-1";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1aca58b7639d4694 Filesystem access.
repo/worker/src/scripts/convertDefaultModelPricesToTiers.ts:32
import * as fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3ee80718a841ca54 Filesystem access.
repo/worker/src/scripts/convertDefaultModelPricesToTiers.ts:133
  const oldData = JSON.parse(fs.readFileSync(inputPath, "utf-8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #165baa64d990eba7 Filesystem access.
repo/worker/src/scripts/convertDefaultModelPricesToTiers.ts:149
  fs.writeFileSync(outputPath, JSON.stringify(newModels, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8dd481377544ae3b Filesystem access.
repo/worker/src/scripts/createDefaultModelPricesJson.ts:68
    await fs.writeFile(EXPORT_PATH, JSON.stringify(modelPrices, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3922d048d7bf0a15 Filesystem access.
repo/worker/src/scripts/refillQueueEvent/index.ts:3
import * as fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c0d864258389adcf Filesystem access.
repo/worker/src/scripts/refillQueueEvent/index.ts:67
  const fileContent = fs.readFileSync(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bd33b6986c477ea8 Filesystem access.
repo/worker/src/scripts/replayIngestionEvents/s3-ingestion-event-replay.ts:13
import * as fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1a3eb210733d3f00 Environment-variable access.
repo/worker/src/scripts/replayIngestionEventsV2/replay.ts:56
const LANGFUSE_HOST = process.env.LANGFUSE_HOST;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2ea8984debbc0dda Environment-variable access.
repo/worker/src/scripts/replayIngestionEventsV2/replay.ts:57
const ADMIN_API_KEY = process.env.ADMIN_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b5d937db4e6f6064 Filesystem access.
repo/worker/src/scripts/replayIngestionEventsV2/replay.ts:79
  const content = readFileSync(CHECKPOINT_FILE, "utf-8").trim();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7df07cf10bb43706 Filesystem access.
repo/worker/src/scripts/replayIngestionEventsV2/replay.ts:85
  writeFileSync(CHECKPOINT_FILE, String(offset), "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #da6880e23b337c53 Filesystem access.
repo/worker/src/scripts/verifyClickhouseRecords/index.ts:254
    await writeFile(outPath, failedObservationList.join("\n"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ad60c80f34c37e7b Filesystem access.
repo/worker/src/scripts/verifyClickhouseRecords/index.ts:269
    await writeFile(outPath, failedTraceList.join("\n"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #46c86a78d66e8031 Filesystem access.
repo/worker/src/scripts/verifyClickhouseRecords/index.ts:282
    await writeFile(outPath, failedScoreList.join("\n"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7d3a15ac4d0e9384 Environment-variable access.
repo/worker/src/utils/hostId.ts:14
    process.env.ECS_CONTAINER_METADATA_URI_V4 ??

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c97ffc86dde92ae9 Environment-variable access.
repo/worker/src/utils/hostId.ts:15
    process.env.ECS_CONTAINER_METADATA_URI;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ccd8decd23cbe107 Environment-variable access.
repo/worker/src/utils/hostId.ts:22
  const envHost = process.env.HOSTNAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2a03def7bfcee5b2 Environment-variable access.
repo/worker/vitest.config.ts:10
    reporters: process.env.CI

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f98f22eef4b1a8b7 Environment-variable access.
repo/worker/vitest.config.ts:13
    silent: process.env.CI ? "passed-only" : false,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2687a3fc9d6643e3 Environment-variable access.
repo/worker/vitest.config.ts:14
    retry: process.env.CI ? 3 : 0,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e7f98e08b5cc9dd5 Environment-variable access.
repo/worker/vitest.config.ts:18
    slowTestThreshold: process.env.CI ? 2_000 : 300,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/shared

npm first-party
expand_more 38 low-confidence finding(s)
low env_fs production #d56794c851ee0886 Environment-variable access.
repo/packages/shared/scripts/seeder/cli-main.ts:62
const baseUrl = (process.env.NEXTAUTH_URL ?? "http://localhost:3000").replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cb69ec83fccf3eb0 Environment-variable access.
repo/packages/shared/scripts/seeder/cli.ts:26
  (name) => process.env[name] === undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d84420211e758daa Environment-variable access.
repo/packages/shared/scripts/seeder/cli.ts:43
    process.env.LANGFUSE_LOG_LEVEL = "error";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e18ee87f00fc0aa5 Environment-variable access.
repo/packages/shared/scripts/seeder/doctor.ts:52
  ].filter((name) => process.env[name] === undefined);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ff80118010e7d4f1 Environment-variable access.
repo/packages/shared/scripts/seeder/doctor.ts:315
  const endpoint = process.env.LANGFUSE_S3_EVENT_UPLOAD_ENDPOINT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #32c981e1cbdd59e6 Filesystem access.
repo/packages/shared/scripts/seeder/scenarios/many-traces.ts:1
import { readFileSync } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2bfba43e3ff5a2e9 Filesystem access.
repo/packages/shared/scripts/seeder/scenarios/many-traces.ts:25
    readFileSync(path.join(utilsDir, "nested_json.json"), "utf-8"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #35d2537df51c24b0 Filesystem access.
repo/packages/shared/scripts/seeder/scenarios/many-traces.ts:28
    readFileSync(path.join(utilsDir, "chat_ml_json.json"), "utf-8"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3663ee1b8fb5fdd9 Filesystem access.
repo/packages/shared/scripts/seeder/scenarios/many-traces.ts:31
    heavyMarkdown: readFileSync(path.join(utilsDir, "markdown.txt"), "utf-8"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ec2f1a12c0a7e987 Filesystem access.
repo/packages/shared/scripts/seeder/seed-media.ts:11
import fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #734c7884d6a61490 Filesystem access.
repo/packages/shared/scripts/seeder/seed-media.ts:89
  const fileBytes = fs.readFileSync(mediaFile.filePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b756917a4ef283e1 Filesystem access.
repo/packages/shared/scripts/seeder/seed-media.ts:161
  const fileBytes = fs.readFileSync(mediaFile.filePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #64e3155dcbf48ccf Filesystem access.
repo/packages/shared/scripts/seeder/seed-postgres.ts:52
const inAppAgentSystemPrompt = readFileSync(
  IN_APP_AGENT_SYSTEM_PROMPT_PATH,
  "utf-8",
);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9e82bb75e8cb6766 Environment-variable access.
repo/packages/shared/scripts/seeder/seed-postgres.ts:209
    secret: process.env.SEED_SECRET_KEY ?? "sk-lf-1234567890", // eslint-disable-line turbo/no-undeclared-env-vars

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7a4590443ae8d3bc Environment-variable access.
repo/packages/shared/scripts/seeder/seed-postgres.ts:273
      secret: process.env.SEED_SECRET_KEY ?? "sk-lf-asdfghjkl", // eslint-disable-line turbo/no-undeclared-env-vars

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #02828372a0eee56c Environment-variable access.
repo/packages/shared/scripts/seeder/seed-postgres.ts:306
    const OPENAI_API_KEY = process.env.OPENAI_API_KEY; // eslint-disable-line turbo/no-undeclared-env-vars

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #efaf9b012c574c8d Filesystem access.
repo/packages/shared/scripts/seeder/utils/framework-traces/framework-trace-loader.ts:1
import { readFileSync, readdirSync } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a6e1753bd7170fe6 Filesystem access.
repo/packages/shared/scripts/seeder/utils/framework-traces/framework-trace-loader.ts:45
      const content = readFileSync(filePath, "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b42cb74070cdb05d Filesystem access.
repo/packages/shared/scripts/seeder/utils/framework-traces/merge-observations.ts:1
import { readFileSync, writeFileSync } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a23641bb1fd397b2 Filesystem access.
repo/packages/shared/scripts/seeder/utils/framework-traces/merge-observations.ts:23
const baseData = JSON.parse(readFileSync(baseFile, "utf-8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4cedc6d57fb78abc Filesystem access.
repo/packages/shared/scripts/seeder/utils/framework-traces/merge-observations.ts:24
const detailedObs = JSON.parse(readFileSync(detailedFile, "utf-8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aecfd17469a8e0b5 Filesystem access.
repo/packages/shared/scripts/seeder/utils/framework-traces/merge-observations.ts:64
writeFileSync(outputFile, JSON.stringify(output, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #13cd25ab52f0a78c Filesystem access.
repo/packages/shared/scripts/seeder/utils/seeder-orchestrator.ts:25
import { readFileSync } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f47c617fbdf62581 Filesystem access.
repo/packages/shared/scripts/seeder/utils/seeder-orchestrator.ts:61
        readFileSync(nestedJsonPath, "utf-8"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d20b7d61b4f4343f Filesystem access.
repo/packages/shared/scripts/seeder/utils/seeder-orchestrator.ts:63
      const heavyMarkdownContent = readFileSync(heavyMarkdownPath, "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6c9a0a159b189a58 Filesystem access.
repo/packages/shared/scripts/seeder/utils/seeder-orchestrator.ts:65
        readFileSync(chatMlJsonPath, "utf-8"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7554c06f06c4b693 Environment-variable access.
repo/packages/shared/src/db.ts:34
  if (env.NODE_ENV === "development") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a435a7392caf4f0a Environment-variable access.
repo/packages/shared/src/db.ts:55
if (process.env.NODE_ENV === "development") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1ea228aab9bd21a0 Environment-variable access.
repo/packages/shared/src/env.ts:522
  process.env.DOCKER_BUILD === "1" // eslint-disable-line turbo/no-undeclared-env-vars

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #babee49f42975467 Environment-variable access.
repo/packages/shared/src/features/analytics-integrations/blob-export-gate.ts:12
const _override = process.env.NEXT_PUBLIC_LANGFUSE_BLOB_EXPORT_CUTOFF

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #06c8cd6ec1fd80a9 Environment-variable access.
repo/packages/shared/src/features/analytics-integrations/blob-export-gate.ts:13
  ? new Date(process.env.NEXT_PUBLIC_LANGFUSE_BLOB_EXPORT_CUTOFF)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #242e799c89e19bb3 Environment-variable access.
repo/packages/shared/src/features/analytics-integrations/blob-export-gate.ts:25
const _exporterOverride = process.env.NEXT_PUBLIC_LANGFUSE_BLOB_EXPORTER_CUTOFF

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #018a2d425e2fe74b Environment-variable access.
repo/packages/shared/src/features/analytics-integrations/blob-export-gate.ts:26
  ? new Date(process.env.NEXT_PUBLIC_LANGFUSE_BLOB_EXPORTER_CUTOFF)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ef8c694aacedf7ba Environment-variable access.
repo/packages/shared/src/server/clickhouse/client.ts:118
      (key) => process.env[key] === "true",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3730f718f9cc5b69 Filesystem access.
repo/packages/shared/src/server/redis/redis.ts:3
import fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b7d5a08c595ee7bf Filesystem access.
repo/packages/shared/src/server/redis/redis.ts:76
        ? fs.readFileSync(env.REDIS_TLS_CA_PATH)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1fe3bf61d81ebe53 Filesystem access.
repo/packages/shared/src/server/redis/redis.ts:79
        ? fs.readFileSync(env.REDIS_TLS_CERT_PATH)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b0ec75b98824ce94 Filesystem access.
repo/packages/shared/src/server/redis/redis.ts:82
        ? fs.readFileSync(env.REDIS_TLS_KEY_PATH)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

</> Dependencies

@team-plain/typescript-sdk

npm dependency
high pii_flow dependency Excluded from app score #396d7a7f4c5ab491 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:160 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:160
    return request(this.#ctx, {
      query: args.query,
      variables: args.variables,
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #c8da2041d077d3be User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:173 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:173
    const res = await request(this.#ctx, {
      query: UserByEmailDocument,
      variables,
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #cd2e0aba0dfa6e72 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:187 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:187
    const res = await request(this.#ctx, {
      query: UserByEmailDocument,
      variables,
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #49e8135586e6f920 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:201 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:201
    const res = await request(this.#ctx, {
      query: UserByIdDocument,
      variables,
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #5f66b159b60565ad User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:217 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:217
    const res = await request(this.#ctx, {
      query: CustomersDocument,
      variables,
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #940e4f533a9a81f9 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:235 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:235
    const res = await request(this.#ctx, {
      query: CustomerByIdDocument,
      variables,
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #e46c7879144d5602 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:254 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:254
    const res = await request(this.#ctx, {
      query: CustomerByExternalIdDocument,
      variables,
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #0a62e0cebd86b02f User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:273 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:273
    const res = await request(this.#ctx, {
      query: CustomerByEmailDocument,
      variables,
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #42951034e5fa896c User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:294 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:294
    const res = await request(this.#ctx, {
      query: UpsertCustomerDocument,
      variables: {
        input,
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #7541210cc93af1fb User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:313 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:313
    const res = await request(this.#ctx, {
      query: DeleteCustomerDocument,
      variables: {
        input,
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #5bfa89afb680db45 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:329 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:329
    const res = await request(this.#ctx, {
      query: CustomerGroupByIdDocument,
      variables,
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #4c23988e7c221db4 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:344 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:344
    const res = await request(this.#ctx, {
      query: CustomerGroupsDocument,
      variables,
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #602234c8da239e4d User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:361 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:361
    const res = await request(this.#ctx, {
      query: AddCustomerToCustomerGroupsDocument,
      variables: {
        input,
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #f3883a8f792e8d53 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:379 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:379
    const res = await request(this.#ctx, {
      query: RemoveCustomerFromCustomerGroupsDocument,
      variables: {
        input,
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #9c829036b0d90637 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:395 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:395
    const res = await request(this.#ctx, {
      query: CustomerCustomerGroupsDocument,
      variables,
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #60c5cbadada2e26c User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:416 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:416
    const res = await request(this.#ctx, {
      query: CustomerTenantsDocument,
      variables,
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #dcdec92a179292d6 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:432 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:432
    const res = await request(this.#ctx, {
      query: SendNewEmailDocument,
      variables: {
        input,
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #8f4a31dd9d6143a8 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:447 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:447
    const res = await request(this.#ctx, {
      query: ReplyToEmailDocument,
      variables: {
        input,
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #35e76ef859fe09f3 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:460 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:460
    const res = await request(this.#ctx, {
      query: ReplyToThreadDocument,
      variables: {
        input,
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #e3946a82b5cd44aa User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:473 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:473
    const res = await request(this.#ctx, {
      query: CreateAttachmentUploadUrlDocument,
      variables: {
        input,
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #d7293796e65c5df3 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:489 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:489
    const res = await request(this.#ctx, {
      query: MyWorkspaceDocument,
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #b277da5ba9a7c982 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:505 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:505
    const res = await request(this.#ctx, {
      query: CreateCustomerCardConfigDocument,
      variables: {
        input,
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #2d8122e655abf9ec User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:523 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:523
    const res = await request(this.#ctx, {
      query: UpdateCustomerCardConfigDocument,
      variables: {
        input,
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #bb13400389979d21 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:541 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:541
    const res = await request(this.#ctx, {
      query: DeleteCustomerCardConfigDocument,
      variables: {
        input,
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #c6117697fcc9fcb6 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:558 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:558
    const res = await request(this.#ctx, {
      query: ThreadsDocument,
      variables,
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #276651857d716775 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:575 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:575
    const res = await request(this.#ctx, {
      query: ThreadDocument,
      variables,
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #1f2d0596521c750c User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:589 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:589
    const res = await request(this.#ctx, {
      query: ThreadByRefDocument,
      variables,
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #8150ac665f0d0332 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:604 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:604
    const res = await request(this.#ctx, {
      query: ThreadByExternalIdDocument,
      variables,
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #046ca664ae4aa098 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:618 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:618
    const res = await request(this.#ctx, {
      query: CreateThreadDocument,
      variables: {
        input,
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #d85febf0cce54577 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:634 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:634
    const res = await request(this.#ctx, {
      query: AssignThreadDocument,
      variables: {
        input,
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #e55f4727a38734d9 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:650 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:650
    const res = await request(this.#ctx, {
      query: UnassignThreadDocument,
      variables: {
        input,
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #ee4d0de7a8508f81 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:666 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:666
    const res = await request(this.#ctx, {
      query: ChangeThreadPriorityDocument,
      variables: {
        input,
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #9ee226a694c776cd User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:682 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:682
    const res = await request(this.#ctx, {
      query: UpdateThreadTenantDocument,
      variables: {
        input,
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #7654f9eadf6842c6 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:698 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:698
    const res = await request(this.#ctx, {
      query: AddLabelsDocument,
      variables: {
        input,
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #abfbcfc1dd9e60f8 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:712 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:712
    const res = await request(this.#ctx, {
      query: RemoveLabelsDocument,
      variables: {
        input,
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #68665a768e0a63ef User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:728 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:728
    const res = await request(this.#ctx, {
      query: MarkThreadAsDoneDocument,
      variables: {
        input,
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #534abd407f2b111c User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:744 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:744
    const res = await request(this.#ctx, {
      query: SnoozeThreadDocument,
      variables: {
        input,
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #22992ddb444eea35 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:760 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:760
    const res = await request(this.#ctx, {
      query: MarkThreadAsTodoDocument,
      variables: {
        input,
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #7196539472e4df4e User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:776 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:776
    const res = await request(this.#ctx, {
      query: ArchiveLabelTypeDocument,
      variables: {
        input,
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #cfbd89834c405ebd User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:793 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:793
    const res = await request(this.#ctx, {
      query: LabelTypesDocument,
      variables,
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #b05a6741c2e31819 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:810 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:810
    const res = await request(this.#ctx, {
      query: LabelTypeDocument,
      variables,
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #1ed2189610b59abb User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:822 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:822
    const res = await request(this.#ctx, {
      query: CreateCustomerEventDocument,
      variables: {
        input,
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #95a65335595a8012 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:836 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:836
    const res = await request(this.#ctx, {
      query: CreateThreadEventDocument,
      variables: {
        input,
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #d2f2af87c950e3e6 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:849 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:849
    const res = await request(this.#ctx, {
      query: UpsertThreadFieldDocument,
      variables: {
        input,
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #76e109384ed3f76e User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:862 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:862
    const res = await request(this.#ctx, {
      query: DeleteThreadFieldDocument,
      variables: {
        input,
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #5aac912705b72bb7 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:875 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:875
    const res = await request(this.#ctx, {
      query: CreateWebhookTargetDocument,
      variables: {
        input,
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #23b6d4578ca32393 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:888 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:888
    const res = await request(this.#ctx, {
      query: UpdateWebhookTargetDocument,
      variables: {
        input,
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #d8753079060875a7 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:901 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:901
    const res = await request(this.#ctx, {
      query: DeleteWebhookTargetDocument,
      variables: {
        input,
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #09f5a425b5d4c98b User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:915 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:915
    const res = await request(this.#ctx, {
      query: WebhookTargetsDocument,
      variables,
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #e7fca002df6b298f User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:932 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:932
    const res = await request(this.#ctx, {
      query: WebhookTargetDocument,
      variables,
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #357e01e02ea74b89 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:946 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:946
    const res = await request(this.#ctx, {
      query: CreateNoteDocument,
      variables: { input },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #fb544b286981172e User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:956 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:956
    const res = await request(this.#ctx, {
      query: TenantDocument,
      variables,
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #af113d9db1be45a1 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:970 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:970
    const res = await request(this.#ctx, {
      query: TenantsDocument,
      variables,
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #792508b74580b0e4 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:985 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:985
    const res = await request(this.#ctx, {
      query: SearchTenantsDocument,
      variables,
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #8f519e0e4a84d1ec User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:999 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:999
    const res = await request(this.#ctx, {
      query: UpsertTenantDocument,
      variables: {
        input,
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #5e8be471ad4001fc User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:1012 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:1012
    const res = await request(this.#ctx, {
      query: SetCustomerTenantsDocument,
      variables: {
        input,
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #53207048bbfdd159 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:1025 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:1025
    const res = await request(this.#ctx, {
      query: AddCustomerToTenantsDocument,
      variables: {
        input,
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #a32a3cc7b5b0a86a User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:1038 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:1038
    const res = await request(this.#ctx, {
      query: RemoveCustomerFromTenantsDocument,
      variables: {
        input,
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #534be56fbd5753fe User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:1051 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:1051
    const res = await request(this.#ctx, {
      query: UpsertCompanyDocument,
      variables: {
        input,
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #6dbbf6e74f93bcc4 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:1065 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:1065
    const res = await request(this.#ctx, {
      query: CompaniesDocument,
      variables,
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #2f349ef773d7f8c1 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:1080 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:1080
    const res = await request(this.#ctx, {
      query: SearchCompaniesDocument,
      variables,
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #c3a0e4b5805b7d6d User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:1094 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:1094
    const res = await request(this.#ctx, {
      query: UpdateCustomerCompanyDocument,
      variables: {
        input,
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #c81a22a1ee50481e User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:1107 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:1107
    const res = await request(this.#ctx, {
      query: TierDocument,
      variables,
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #7b4a5daf9116d7d9 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:1121 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:1121
    const res = await request(this.#ctx, {
      query: TiersDocument,
      variables,
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #8bad0594122b1972 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:1135 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:1135
    const res = await request(this.#ctx, {
      query: AddMembersToTierDocument,
      variables: {
        input,
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #78ab4a3c13d24569 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:1148 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:1148
    const res = await request(this.#ctx, {
      query: RemoveMembersFromTierDocument,
      variables: {
        input,
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #bf58ba8bd58943d5 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:1161 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:1161
    const res = await request(this.#ctx, {
      query: UpdateTenantTierDocument,
      variables: {
        input,
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #b721f25eb58120a1 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:1174 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:1174
    const res = await request(this.#ctx, {
      query: UpdateCompanyTierDocument,
      variables: {
        input,
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #39cc5de5a7a37b75 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:1187 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:1187
    const res = await request(this.#ctx, {
      query: CreateLabelTypeDocument,
      variables: {
        input,
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #71548e9c42d072c3 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:1200 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:1200
    const res = await request(this.#ctx, {
      query: IndexDocumentDocument,
      variables: {
        input,
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #04605c8003f5bf18 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:1213 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:1213
    const res = await request(this.#ctx, {
      query: SendCustomerChatDocument,
      variables: {
        input,
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #67e688de228e176a User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:1226 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:1226
    const res = await request(this.#ctx, {
      query: SendChatDocument,
      variables: {
        input,
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #13e4d008a378e89c User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/client.ts:1239 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:148 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/client.ts:1239
    const res = await request(this.#ctx, {
      query: CreateKnowledgeSourceDocument,
      variables: { input },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #7fbf0b9725669d5b User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/request.ts:39 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/request.ts:31 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/request.ts:39
    const result = await fetch(url, {
      method: 'POST',
      headers,
      body: JSON.stringify({
        query: query,
        variables: args.variables || null,
      }),
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow tooling Excluded from app score unknown #f359bcf0b21ded1f PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]/src/examples/assignThread.ts:13 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/examples/assignThread.ts:5 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/examples/assignThread.ts:13
    console.error(res.error);

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow tooling Excluded from app score unknown #bb8d0e540f37755d PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]/src/examples/assignThread.ts:16 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/examples/assignThread.ts:5 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/examples/assignThread.ts:16
    console.log(res.data);

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow tooling Excluded from app score unknown #68d3020c3644c74c PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]/src/examples/createAttachmentUploadUrl.ts:14 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/examples/createAttachmentUploadUrl.ts:4 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/examples/createAttachmentUploadUrl.ts:14
    console.error(res.error);

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow tooling Excluded from app score unknown #2445c786700cc0ee PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]/src/examples/createAttachmentUploadUrl.ts:16 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/examples/createAttachmentUploadUrl.ts:4 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/examples/createAttachmentUploadUrl.ts:16
    console.log('Attachment upload url created!', res.data);

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow tooling Excluded from app score unknown #78043a7f249d45a3 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]/src/examples/getThreadByRef.ts:11 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/examples/getThreadByRef.ts:4 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/examples/getThreadByRef.ts:11
    console.error(res.error);

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow tooling Excluded from app score unknown #347f2a00f8d12f73 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]/src/examples/getThreadByRef.ts:15 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/examples/getThreadByRef.ts:4 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/examples/getThreadByRef.ts:15
    console.log(`Thread with id=${res.data.id} and ref=${res.data.ref} found`);

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow tooling Excluded from app score unknown #185b8b5f39a12583 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]/src/examples/threadFields.ts:19 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/examples/threadFields.ts:4 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/examples/threadFields.ts:19
    console.error(res.error);

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow tooling Excluded from app score unknown #ffb89e21a48663ad PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]/src/examples/threadFields.ts:22 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/examples/threadFields.ts:4 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/examples/threadFields.ts:22
    console.log(res.data);

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow tooling Excluded from app score unknown #f8bae05873f6776a PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]/src/examples/threadFields.ts:36 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/examples/threadFields.ts:4 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/examples/threadFields.ts:36
    console.error(res.error);

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow tooling Excluded from app score unknown #7b04031c5a0bc188 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]/src/examples/threadFields.ts:39 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/examples/threadFields.ts:4 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/examples/threadFields.ts:39
    console.log(res.data);

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow tooling Excluded from app score unknown #f0296b4750ddb938 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]/src/examples/upsertCustomer.ts:21 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/examples/upsertCustomer.ts:4 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/examples/upsertCustomer.ts:21
    console.error(res.error);

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow tooling Excluded from app score unknown #17eb24653ba0c5ec PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]/src/examples/upsertCustomer.ts:23 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/examples/upsertCustomer.ts:4 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/examples/upsertCustomer.ts:23
    console.log(`Created customer with id=${res.data.customer.id}`);

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

expand_more 5 low-confidence finding(s)
low env_fs tooling Excluded from app score unknown #d7d7b408f20239a5 Environment-variable access.
pkgs/npm/@[email protected]/src/examples/assignThread.ts:5
    apiKey: process.env.API_KEY || '',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #0dc0e2f809e42491 Environment-variable access.
pkgs/npm/@[email protected]/src/examples/createAttachmentUploadUrl.ts:4
  const client = new PlainClient({ apiKey: process.env.API_KEY || '' });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #3cf7e9d5a33bd97f Environment-variable access.
pkgs/npm/@[email protected]/src/examples/getThreadByRef.ts:4
  const client = new PlainClient({ apiKey: process.env.API_KEY || '' });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #4bcff8b35023d0c9 Environment-variable access.
pkgs/npm/@[email protected]/src/examples/threadFields.ts:4
  apiKey: process.env.API_KEY || '',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #4311c6247ee16ce0 Environment-variable access.
pkgs/npm/@[email protected]/src/examples/upsertCustomer.ts:4
  const client = new PlainClient({ apiKey: process.env.API_KEY || '' });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

next-auth

npm dependency
high pii_flow dependency Excluded from app score #3627db4a99bc4f43 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/core/lib/oauth/callback.js:86 · flow /tmp/closeopen-yihwgiie/pkgs/npm/[email protected]/core/lib/oauth/callback.js:83 → /tmp/closeopen-yihwgiie/pkgs/npm/[email protected]/core/lib/oauth/callback.js:86
      const response = await provider.token.request({
        provider,
        params,
        checks,
        client
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #76537d8e907fdbb2 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/core/lib/oauth/callback.js:103 · flow /tmp/closeopen-yihwgiie/pkgs/npm/[email protected]/core/lib/oauth/callback.js:83 → /tmp/closeopen-yihwgiie/pkgs/npm/[email protected]/core/lib/oauth/callback.js:103
      profile = await provider.userinfo.request({
        provider,
        tokens,
        client
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #34cb447e56093cf4 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/providers/hubspot.js:33 · flow /tmp/closeopen-yihwgiie/pkgs/npm/[email protected]/providers/hubspot.js:32 → /tmp/closeopen-yihwgiie/pkgs/npm/[email protected]/providers/hubspot.js:33
        const response = await fetch(url, {
          headers: {
            "Content-Type": "application/json"
          },
          method: "GET"
        });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #29dccd52e7e218e1 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/providers/trakt.js:21 · flow /tmp/closeopen-yihwgiie/pkgs/npm/[email protected]/providers/trakt.js:23 → /tmp/closeopen-yihwgiie/pkgs/npm/[email protected]/providers/trakt.js:21
        const res = await fetch("https://api.trakt.tv/users/me?extended=full", {
          headers: {
            Authorization: `Bearer ${context.tokens.access_token}`,
            "trakt-api-version": "2",
            "trakt-api-key": context.provider.clientId
          }
        });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #1ae4f1be6d0d5029 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/src/core/lib/oauth/callback.ts:91 · flow /tmp/closeopen-yihwgiie/pkgs/npm/[email protected]/src/core/lib/oauth/callback.ts:87 → /tmp/closeopen-yihwgiie/pkgs/npm/[email protected]/src/core/lib/oauth/callback.ts:91
      const response = await provider.token.request({
        provider,
        params,
        checks,
        client,
      })

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #9b36e73b80f51fb7 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/src/core/lib/oauth/callback.ts:111 · flow /tmp/closeopen-yihwgiie/pkgs/npm/[email protected]/src/core/lib/oauth/callback.ts:87 → /tmp/closeopen-yihwgiie/pkgs/npm/[email protected]/src/core/lib/oauth/callback.ts:111
      profile = await provider.userinfo.request({
        provider,
        tokens,
        client,
      })

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #3a3aba52bdc67942 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/src/providers/hubspot.ts:46 · flow /tmp/closeopen-yihwgiie/pkgs/npm/[email protected]/src/providers/hubspot.ts:44 → /tmp/closeopen-yihwgiie/pkgs/npm/[email protected]/src/providers/hubspot.ts:46
        const response = await fetch(url, {
          headers: {
            "Content-Type": "application/json",
          },
          method: "GET",
        })

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #3aee06b81e18f46b User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/src/providers/trakt.ts:33 · flow /tmp/closeopen-yihwgiie/pkgs/npm/[email protected]/src/providers/trakt.ts:35 → /tmp/closeopen-yihwgiie/pkgs/npm/[email protected]/src/providers/trakt.ts:33
        const res = await fetch("https://api.trakt.tv/users/me?extended=full", {
          headers: {
            Authorization: `Bearer ${context.tokens.access_token}`,
            "trakt-api-version": "2",
            "trakt-api-key": context.provider.clientId as string,
          },
        })

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #191d66aa6c413426 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/src/react/index.tsx:252 · flow /tmp/closeopen-yihwgiie/pkgs/npm/[email protected]/src/react/index.tsx:50 → /tmp/closeopen-yihwgiie/pkgs/npm/[email protected]/src/react/index.tsx:252
  const res = await fetch(_signInUrl, {
    method: "post",
    headers: {
      "Content-Type": "application/x-www-form-urlencoded",
    },
    // @ts-expect-error
    body: new URLSearchParams({
      ...options,
      csrfToken: await getCsrfToken(),
      callbackUrl,
      json: true,
    }),
  })

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #8cdc7388e121cde7 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/src/react/index.tsx:314 · flow /tmp/closeopen-yihwgiie/pkgs/npm/[email protected]/src/react/index.tsx:50 → /tmp/closeopen-yihwgiie/pkgs/npm/[email protected]/src/react/index.tsx:314
  const res = await fetch(`${baseUrl}/signout`, fetchOptions)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 51 low-confidence finding(s)
low env_fs dependency Excluded from app score #483cadd91a6e1710 Environment-variable access.
pkgs/npm/[email protected]/core/lib/assert.js:28
    if (!options.secret && process.env.NODE_ENV !== "production") warnings.push("NO_SECRET");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1d237eb50eeb3c10 Environment-variable access.
pkgs/npm/[email protected]/core/lib/assert.js:31
  if (!options.secret && process.env.NODE_ENV === "production") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0c347cca5cd39655 Environment-variable access.
pkgs/npm/[email protected]/jwt/index.js:65
    secureCookie = (_process$env$NEXTAUTH = (_process$env$NEXTAUTH2 = process.env.NEXTAUTH_URL) === null || _process$env$NEXTAUTH2 === void 0 ? void 0 : _process$env$NEXTAUTH2.startsWith("https://")) !== null && _process$env$NEXTAUTH !== void 0 ? _process$env$NEXTAUTH : !!process.env.VERCEL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b8f8d5feac33c573 Environment-variable access.
pkgs/npm/[email protected]/jwt/index.js:70
    secret = (_process$env$NEXTAUTH3 = process.env.NEXTAUTH_SECRET) !== null && _process$env$NEXTAUTH3 !== void 0 ? _process$env$NEXTAUTH3 : process.env.AUTH_SECRET

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0a707e7ea8289d16 Environment-variable access.
pkgs/npm/[email protected]/next/index.js:17
  (_options$secret = options.secret) !== null && _options$secret !== void 0 ? _options$secret : options.secret = (_ref = (_options$jwt$secret = (_options$jwt = options.jwt) === null || _options$jwt === void 0 ? void 0 : _options$jwt.secret) !== null && _options$jwt$secret !== void 0 ? _options$jwt$secret : process.env.NEXTAUTH_SECRET) !== null && _ref !== void 0 ? _ref : process.env.AUTH_SECRET;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a7785aff7539eb61 Environment-variable access.
pkgs/npm/[email protected]/next/index.js:49
  (_options$secret2 = options.secret) !== null && _options$secret2 !== void 0 ? _options$secret2 : options.secret = (_process$env$NEXTAUTH = process.env.NEXTAUTH_SECRET) !== null && _process$env$NEXTAUTH !== void 0 ? _process$env$NEXTAUTH : process.env.AUTH_SECRET;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b89ab02880c2fd99 Environment-variable access.
pkgs/npm/[email protected]/next/index.js:128
  (_options$secret3 = (_options = options).secret) !== null && _options$secret3 !== void 0 ? _options$secret3 : _options.secret = (_process$env$NEXTAUTH2 = process.env.NEXTAUTH_SECRET) !== null && _process$env$NEXTAUTH2 !== void 0 ? _process$env$NEXTAUTH2 : process.env.AUTH_SECRET;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fc10a8cbca5539a7 Environment-variable access.
pkgs/npm/[email protected]/next/index.js:155
  if (!deprecatedWarningShown && process.env.NODE_ENV !== "production") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7d8dedd5059288e6 Environment-variable access.
pkgs/npm/[email protected]/next/middleware.js:22
  const authPath = (0, _parseUrl.default)(process.env.NEXTAUTH_URL).path;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a3c42e7c9f122c7b Environment-variable access.
pkgs/npm/[email protected]/next/middleware.js:27
  const secret = (_ref = (_options$secret = options === null || options === void 0 ? void 0 : options.secret) !== null && _options$secret !== void 0 ? _options$secret : process.env.NEXTAUTH_SECRET) !== null && _ref !== void 0 ? _ref : process.env.AUTH_SECRET;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress dependency Excluded from app score #a801efc873160c7d Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/[email protected]/providers/foursquare.js:23
        const url = new URL("https://api.foursquare.com/v2/users/self");

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress dependency Excluded from app score #b7c366bce32540a5 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/[email protected]/providers/github.js:28
          const res = await fetch("https://api.github.com/user/emails", {
            headers: {
              Authorization: `token ${tokens.access_token}`
            }
          });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress dependency Excluded from app score #b3c0c7ab85f03e5b Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/[email protected]/providers/linkedin.js:30
      const emailResponse = await fetch("https://api.linkedin.com/v2/emailAddress?q=members&projection=(elements*(handle~))", {
        headers: {
          Authorization: `Bearer ${tokens.access_token}`
        }
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress dependency Excluded from app score #6b59d836401eb3b2 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/[email protected]/providers/todoist.js:26
        const res = await fetch("https://api.todoist.com/sync/v9/sync", {
          method: "POST",
          headers: {
            Authorization: `Bearer ${tokens.access_token}`,
            "Content-Type": "application/json"
          },
          body: JSON.stringify({
            sync_token: "*",
            resource_types: '["user"]'
          })
        });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress dependency Excluded from app score #b7d922c89c52accc Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/[email protected]/providers/trakt.js:21
        const res = await fetch("https://api.trakt.tv/users/me?extended=full", {
          headers: {
            Authorization: `Bearer ${context.tokens.access_token}`,
            "trakt-api-version": "2",
            "trakt-api-key": context.provider.clientId
          }
        });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs dependency Excluded from app score #4375d834bb188604 Environment-variable access.
pkgs/npm/[email protected]/react/index.js:53
  baseUrl: (0, _parseUrl.default)((_process$env$NEXTAUTH = process.env.NEXTAUTH_URL) !== null && _process$env$NEXTAUTH !== void 0 ? _process$env$NEXTAUTH : process.env.VERCEL_URL).origin,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e6fe535d59f5b321 Environment-variable access.
pkgs/npm/[email protected]/react/index.js:54
  basePath: (0, _parseUrl.default)(process.env.NEXTAUTH_URL).path,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d929c82d5485a9a4 Environment-variable access.
pkgs/npm/[email protected]/react/index.js:55
  baseUrlServer: (0, _parseUrl.default)((_ref = (_process$env$NEXTAUTH2 = process.env.NEXTAUTH_URL_INTERNAL) !== null && _process$env$NEXTAUTH2 !== void 0 ? _process$env$NEXTAUTH2 : process.env.NEXTAUTH_URL) !== null && _ref !== void 0 ? _ref : process.env.VERCEL_URL).origin,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #42082fb29c64e105 Environment-variable access.
pkgs/npm/[email protected]/react/index.js:56
  basePathServer: (0, _parseUrl.default)((_process$env$NEXTAUTH3 = process.env.NEXTAUTH_URL_INTERNAL) !== null && _process$env$NEXTAUTH3 !== void 0 ? _process$env$NEXTAUTH3 : process.env.NEXTAUTH_URL).path,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d9dbabf1dfaf11b0 Environment-variable access.
pkgs/npm/[email protected]/react/index.js:90
  if (!value && process.env.NODE_ENV !== "production") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #61d4d55438afc6e3 Environment-variable access.
pkgs/npm/[email protected]/src/core/lib/assert.ts:54
    if (!options.secret && process.env.NODE_ENV !== "production")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f46223ff7179a15d Environment-variable access.
pkgs/npm/[email protected]/src/core/lib/assert.ts:60
  if (!options.secret && process.env.NODE_ENV === "production") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cea5c4f839f63b43 Filesystem access.
pkgs/npm/[email protected]/src/css/index.ts:4
import fs from "fs"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5586ad9d058157c4 Environment-variable access.
pkgs/npm/[email protected]/src/css/index.ts:7
const pathToCss = path.join(process.cwd(), process.env.NODE_ENV === "development" ? "node_modules/next-auth/css/index.css" : "/src/css/index.css")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1535afd3d4c8ff5f Filesystem access.
pkgs/npm/[email protected]/src/css/index.ts:10
  return fs.readFileSync(pathToCss, "utf8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #60fcd3441a2d7fe2 Environment-variable access.
pkgs/npm/[email protected]/src/jwt/index.ts:75
    secureCookie = process.env.NEXTAUTH_URL?.startsWith("https://") ??

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1f730a593149b70a Environment-variable access.
pkgs/npm/[email protected]/src/jwt/index.ts:76
      !!process.env.VERCEL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b52643cbd969d466 Environment-variable access.
pkgs/npm/[email protected]/src/jwt/index.ts:83
    secret = process.env.NEXTAUTH_SECRET ?? process.env.AUTH_SECRET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #74f659fb480e3f5d Environment-variable access.
pkgs/npm/[email protected]/src/next/index.ts:32
    process.env.NEXTAUTH_SECRET ??

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #570121154e61210e Environment-variable access.
pkgs/npm/[email protected]/src/next/index.ts:33
    process.env.AUTH_SECRET

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dd274e3d73684f59 Environment-variable access.
pkgs/npm/[email protected]/src/next/index.ts:77
  options.secret ??= process.env.NEXTAUTH_SECRET ?? process.env.AUTH_SECRET

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #414c27d66e523b30 Environment-variable access.
pkgs/npm/[email protected]/src/next/index.ts:204
  options.secret ??= process.env.NEXTAUTH_SECRET ?? process.env.AUTH_SECRET

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3b6b5378c2203a49 Environment-variable access.
pkgs/npm/[email protected]/src/next/index.ts:241
  if (!deprecatedWarningShown && process.env.NODE_ENV !== "production") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aa7d27e588deed1c Environment-variable access.
pkgs/npm/[email protected]/src/next/middleware.ts:108
  const authPath = parseUrl(process.env.NEXTAUTH_URL).path

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #739e9f4b859a4e84 Environment-variable access.
pkgs/npm/[email protected]/src/next/middleware.ts:122
    options?.secret ?? process.env.NEXTAUTH_SECRET ?? process.env.AUTH_SECRET

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress dependency Excluded from app score #5501d3241cb17820 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/[email protected]/src/providers/foursquare.js:16
        const url = new URL("https://api.foursquare.com/v2/users/self")

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress dependency Excluded from app score #08c4ff0399c9494a Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/[email protected]/src/providers/github.ts:81
          const res = await fetch("https://api.github.com/user/emails", {
            headers: { Authorization: `token ${tokens.access_token}` },
          })

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress dependency Excluded from app score #e68798b9c2040e0b Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/[email protected]/src/providers/linkedin.ts:44
      const emailResponse = await fetch(
        "https://api.linkedin.com/v2/emailAddress?q=members&projection=(elements*(handle~))",
        { headers: { Authorization: `Bearer ${tokens.access_token}` } }
      )

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress dependency Excluded from app score #e1ffa87f3746db30 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/[email protected]/src/providers/todoist.ts:32
        const res = await fetch("https://api.todoist.com/sync/v9/sync", {
          method: "POST",
          headers: {
            Authorization: `Bearer ${tokens.access_token}`,
            "Content-Type": "application/json",
          },
          body: JSON.stringify({
            sync_token: "*",
            resource_types: '["user"]',
          }),
        })

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress dependency Excluded from app score #cd535c1659786947 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/[email protected]/src/providers/trakt.ts:33
        const res = await fetch("https://api.trakt.tv/users/me?extended=full", {
          headers: {
            Authorization: `Bearer ${context.tokens.access_token}`,
            "trakt-api-version": "2",
            "trakt-api-key": context.provider.clientId as string,
          },
        })

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs dependency Excluded from app score #283c76ed07e7fd44 Environment-variable access.
pkgs/npm/[email protected]/src/react/index.tsx:50
  baseUrl: parseUrl(process.env.NEXTAUTH_URL ?? process.env.VERCEL_URL).origin,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e85a97a175088556 Environment-variable access.
pkgs/npm/[email protected]/src/react/index.tsx:51
  basePath: parseUrl(process.env.NEXTAUTH_URL).path,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #32e5e99b0663a702 Environment-variable access.
pkgs/npm/[email protected]/src/react/index.tsx:53
    process.env.NEXTAUTH_URL_INTERNAL ??

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #98ff1e45f28cfde2 Environment-variable access.
pkgs/npm/[email protected]/src/react/index.tsx:54
      process.env.NEXTAUTH_URL ??

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #82a0fb8361fd433e Environment-variable access.
pkgs/npm/[email protected]/src/react/index.tsx:55
      process.env.VERCEL_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e3877e674f0c896a Environment-variable access.
pkgs/npm/[email protected]/src/react/index.tsx:58
    process.env.NEXTAUTH_URL_INTERNAL ?? process.env.NEXTAUTH_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0706af8a806b683d Environment-variable access.
pkgs/npm/[email protected]/src/react/index.tsx:123
  if (!value && process.env.NODE_ENV !== "production") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #49cd1fc2d7fa25b1 Environment-variable access.
pkgs/npm/[email protected]/src/utils/detect-origin.ts:4
  if (process.env.VERCEL ?? process.env.AUTH_TRUST_HOST)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fc340e830b45123e Environment-variable access.
pkgs/npm/[email protected]/src/utils/detect-origin.ts:8
  return process.env.NEXTAUTH_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b5469c4f6d2f626a Environment-variable access.
pkgs/npm/[email protected]/utils/detect-origin.js:9
  if ((_process$env$VERCEL = process.env.VERCEL) !== null && _process$env$VERCEL !== void 0 ? _process$env$VERCEL : process.env.AUTH_TRUST_HOST) return `${protocol === "http" ? "http" : "https"}://${forwardedHost}`;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bce13d365f250dbd Environment-variable access.
pkgs/npm/[email protected]/utils/detect-origin.js:10
  return process.env.NEXTAUTH_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@ai-sdk/amazon-bedrock

npm dependency
high pii_flow dependency Excluded from app score #4de7273c386bead5 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/bedrock-sigv4-fetch.ts:87 · flow /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/bedrock-sigv4-fetch.ts:76 → /tmp/closeopen-yihwgiie/pkgs/npm/@[email protected]/src/bedrock-sigv4-fetch.ts:87
    return fetch(input, {
      ...init,
      body,
      headers: combinedHeaders as HeadersInit,
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

dd-trace

npm dependency
medium telemetry dependency Excluded from app score #f5a41615c264d38b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/packages/dd-trace/src/appsec/iast/taint-tracking/operations-taint-object.js:3
const TaintedUtils = require('@datadog/native-iast-taint-tracking')

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #728ff9f892ef1730 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/packages/dd-trace/src/appsec/iast/taint-tracking/operations.js:4
const TaintedUtils = require('@datadog/native-iast-taint-tracking')

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #1282e50e2675622c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/packages/dd-trace/src/appsec/iast/taint-tracking/rewriter.js:57
      const iastRewriter = require('@datadog/wasm-js-rewriter')

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #85ae90d3b51328f3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/packages/dd-trace/src/appsec/iast/taint-tracking/rewriter.js:82
    getPrepareStackTrace = require('@datadog/wasm-js-rewriter/js/stack-trace').getPrepareStackTrace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #d52e69be9c9f4ef9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/packages/dd-trace/src/appsec/iast/taint-tracking/rewriter.js:233
    cacheRewrittenSourceMap = require('@datadog/wasm-js-rewriter/js/source-map').cacheRewrittenSourceMap

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #01f690dc52a81a37 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/packages/dd-trace/src/appsec/iast/taint-tracking/taint-tracking-impl.js:4
const TaintedUtils = require('@datadog/native-iast-taint-tracking')

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #43f29f0893d0cf61 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/packages/dd-trace/src/appsec/waf/waf_manager.js:36
      const { DDWAF } = require('@datadog/native-appsec')

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #c1e921eb6f3192b6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/packages/dd-trace/src/ci-visibility/telemetry.js:69
  ciVisibilityMetrics.distribution(name, formatMetricTags(tags)).track(measure)

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #1ef0e34ebd86b306 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/packages/dd-trace/src/config/stable.js:27
      libdatadog = require('@datadog/libdatadog')

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #91b0846d51b06714 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/packages/dd-trace/src/crashtracking/crashtracker.js:6
const libdatadog = require('@datadog/libdatadog')

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #9044b4e75c3bf20e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/packages/dd-trace/src/llmobs/telemetry.js:92
  llmobsMetrics.distribution('init_time', tags).track(initTimeMs)

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #ce5200eb82fed04f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/packages/dd-trace/src/llmobs/telemetry.js:97
  llmobsMetrics.distribution('span.raw_size', tags).track(rawEventSize)

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #7df1f9de70d9e637 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/packages/dd-trace/src/llmobs/telemetry.js:103
  llmobsMetrics.distribution('span.size', tags).track(eventSize)

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #8a7ca611a6dfe8ee Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/packages/dd-trace/src/profiling/exporter_cli.js:5
const { SourceMapper, heap, encode } = require('@datadog/pprof')

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #221df4b88faef97c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/packages/dd-trace/src/profiling/exporters/agent.js:46
      durationDistribution.track(perf.now() - start)

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #8a66f013927b19d5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/packages/dd-trace/src/profiling/exporters/agent.js:63
      sizeDistribution.track(form.size())

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #0045dc11a6246d77 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/packages/dd-trace/src/profiling/profiler.js:150
              const zstdCompress = require('@datadog/libdatadog').load('datadog-js-zstd').zstd_compress

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #f5bdf9afbe0a75a6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/packages/dd-trace/src/profiling/profiler.js:176
    const { setLogger, SourceMapper } = require('@datadog/pprof')

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #eb72e864dc692f4a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/packages/dd-trace/src/profiling/profilers/shared.js:16
  const pprof = require('@datadog/pprof')

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #f80613014d3b320c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/packages/dd-trace/src/profiling/profilers/space.js:35
    this.#pprof = require('@datadog/pprof')

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #704a750d831987f9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/packages/dd-trace/src/profiling/profilers/wall.js:167
    this.#pprof = require('@datadog/pprof')

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #acdb3816cfbddc50 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/packages/dd-trace/src/runtime_metrics/runtime_metrics.js:57
        nativeMetrics = require('@datadog/native-metrics')

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #ee9c3990a8c5b53f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/packages/dd-trace/src/runtime_metrics/runtime_metrics.js:119
      const handle = nativeMetrics.track(span)

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #4cb96f4e3c681a5e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/packages/dd-trace/src/telemetry/metrics.js:78
    return this.track(value)

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #ca055a0ba8745224 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/packages/dd-trace/src/telemetry/metrics.js:82
    return this.track(-value)

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #8214a55e477101d5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/packages/dd-trace/src/telemetry/metrics.js:120
    return this.track(value)

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #e4731423a90c2f5e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/packages/dd-trace/src/tracer_metadata.js:8
    const libdatadog = require('@datadog/libdatadog')

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 86 low-confidence finding(s)
low env_fs dependency Excluded from app score #f81c6e90da40b0b1 Environment-variable access.
pkgs/npm/[email protected]/packages/datadog-esbuild/index.js:61
const DD_IAST_ENABLED = process.env.DD_IAST_ENABLED?.toLowerCase() === 'true' || process.env.DD_IAST_ENABLED === '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #79f5ee1e78dcafc5 Filesystem access.
pkgs/npm/[email protected]/packages/datadog-esbuild/index.js:261
        const packageJson = JSON.parse(fs.readFileSync(/** @type {string} */(pathToPackageJson)).toString())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5ca86afe6ef4e5be Filesystem access.
pkgs/npm/[email protected]/packages/datadog-esbuild/index.js:346
          contents = fs.readFileSync(args.path, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2753d63dbfdf5c3c Filesystem access.
pkgs/npm/[email protected]/packages/datadog-esbuild/index.js:349
        const fileCode = fs.readFileSync(args.path, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2884b73bbe37aa6a Filesystem access.
pkgs/npm/[email protected]/packages/datadog-esbuild/index.js:388
      const fileCode = fs.readFileSync(args.path, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e33aac751793e0fa Environment-variable access.
pkgs/npm/[email protected]/packages/datadog-esbuild/src/log.js:6
const DD_TRACE_DEBUG = (process.env.DD_TRACE_DEBUG || '').trim().toLowerCase()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #abd174b6a743aff6 Filesystem access.
pkgs/npm/[email protected]/packages/datadog-esbuild/src/utils.js:76
    source: fs.readFileSync(fileURLToPath(url), 'utf8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #edfdd39ce3e4a6ea Filesystem access.
pkgs/npm/[email protected]/packages/datadog-esbuild/src/utils.js:204
      const packageJsonContent = fs.readFileSync(packageJsonPath).toString()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #681b5c5e50d5f471 Filesystem access.
pkgs/npm/[email protected]/packages/datadog-instrumentations/src/cypress-config.js:3
const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #38af6f9d0b8fc24d Filesystem access.
pkgs/npm/[email protected]/packages/datadog-instrumentations/src/cypress-config.js:78
    const content = fs.readFileSync(originalSupportFile, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2f72c82fbd9b023c Filesystem access.
pkgs/npm/[email protected]/packages/datadog-instrumentations/src/cypress-config.js:98
    fs.writeFileSync(wrapperFile, wrapperContent)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #62dd002d9a68db84 Filesystem access.
pkgs/npm/[email protected]/packages/datadog-instrumentations/src/cypress-config.js:245
      const pkg = JSON.parse(fs.readFileSync(candidate, 'utf8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7ad5c00bf02a2d18 Filesystem access.
pkgs/npm/[email protected]/packages/datadog-instrumentations/src/cypress-config.js:309
  fs.writeFileSync(wrapperFile, body)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8faa4ae53d45f53c Filesystem access.
pkgs/npm/[email protected]/packages/datadog-instrumentations/src/cypress-config.js:321
    const { version } = JSON.parse(fs.readFileSync(packageJsonPath, 'utf8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b157a7d2ad72a7fc Environment-variable access.
pkgs/npm/[email protected]/packages/datadog-instrumentations/src/cypress-config.js:340
  const previousCompilerOptions = process.env.TS_NODE_COMPILER_OPTIONS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #17a4c31833bd54ce Environment-variable access.
pkgs/npm/[email protected]/packages/datadog-instrumentations/src/cypress-config.js:350
  process.env.TS_NODE_COMPILER_OPTIONS = JSON.stringify({

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #df3195705a2172ed Environment-variable access.
pkgs/npm/[email protected]/packages/datadog-instrumentations/src/cypress-config.js:357
      delete process.env.TS_NODE_COMPILER_OPTIONS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c2037af03f4fc16d Environment-variable access.
pkgs/npm/[email protected]/packages/datadog-instrumentations/src/cypress-config.js:359
      process.env.TS_NODE_COMPILER_OPTIONS = previousCompilerOptions

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #66e1428c09ff313e Filesystem access.
pkgs/npm/[email protected]/packages/datadog-instrumentations/src/helpers/rewriter/index.js:3
const { readFileSync } = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #edb475f4a0488553 Filesystem access.
pkgs/npm/[email protected]/packages/datadog-instrumentations/src/helpers/rewriter/index.js:86
      const pkg = JSON.parse(readFileSync(
        join(basename, 'package.json'), 'utf8'
      ))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #db69a039fcff3fb8 Filesystem access.
pkgs/npm/[email protected]/packages/datadog-instrumentations/src/jest.js:2344
    const source = readFileSync(suiteFilePath, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #12c3e320de56fd71 Filesystem access.
pkgs/npm/[email protected]/packages/datadog-instrumentations/src/jest/coverage-backfill.js:110
    sourceText = readFileSync(absoluteFile, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a861523a6cc76e20 Filesystem access.
pkgs/npm/[email protected]/packages/datadog-plugin-cypress/src/source-map-utils.js:3
const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b2f5ae207c92abe4 Filesystem access.
pkgs/npm/[email protected]/packages/datadog-plugin-cypress/src/source-map-utils.js:92
    return JSON.parse(fs.readFileSync(absoluteFilePath + '.map', 'utf8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4c5cf6cf07ef07ff Filesystem access.
pkgs/npm/[email protected]/packages/datadog-plugin-cypress/src/source-map-utils.js:95
    const content = fs.readFileSync(absoluteFilePath, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #69c6e6261eb411ab Filesystem access.
pkgs/npm/[email protected]/packages/datadog-plugin-cypress/src/source-map-utils.js:325
    content = fs.readFileSync(absoluteFilePath, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #57f0c3a1cb3a8bc7 Filesystem access.
pkgs/npm/[email protected]/packages/datadog-plugin-jest/src/util.js:3
const { readFileSync } = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7e155cea40242d84 Filesystem access.
pkgs/npm/[email protected]/packages/datadog-plugin-jest/src/util.js:76
    testSource = readFileSync(test.path, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d208a858849ce562 Filesystem access.
pkgs/npm/[email protected]/packages/datadog-plugin-nyc/src/index.js:59
      const content = readFileSync(settingsCachePath, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #edbfd9ea7697750a Filesystem access.
pkgs/npm/[email protected]/packages/datadog-webpack/index.js:155
          packageJson = JSON.parse(fs.readFileSync(pkgJson).toString())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #836de61054b2d53a Environment-variable access.
pkgs/npm/[email protected]/packages/datadog-webpack/src/log.js:6
const DD_TRACE_DEBUG = (process.env.DD_TRACE_DEBUG || '').trim().toLowerCase()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b6e2012d03014bb6 Filesystem access.
pkgs/npm/[email protected]/packages/dd-trace/src/appsec/rule_manager.js:31
    ? JSON.parse(readFileSync(config.rules, 'utf8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #42ee7e100ef4106b Filesystem access.
pkgs/npm/[email protected]/packages/dd-trace/src/ci-visibility/exporters/git/git_metadata.js:3
const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d8cd3229eb620755 Filesystem access.
pkgs/npm/[email protected]/packages/dd-trace/src/ci-visibility/exporters/git/git_metadata.js:146
    const packFileContent = fs.readFileSync(packFileToUpload)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e2b3503641da4743 Filesystem access.
pkgs/npm/[email protected]/packages/dd-trace/src/ci-visibility/requests/fs-cache.js:62
    const raw = fs.readFileSync(cachePath, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0bf26144347c82ec Filesystem access.
pkgs/npm/[email protected]/packages/dd-trace/src/ci-visibility/requests/fs-cache.js:91
    fs.writeFileSync(tmpPath, JSON.stringify({ timestamp: Date.now(), data }), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8fad3eb61cecf44f Filesystem access.
pkgs/npm/[email protected]/packages/dd-trace/src/ci-visibility/requests/fs-cache.js:136
    fs.writeFileSync(tmpPath, String(Date.now()))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0b36b2755a0cfab3 Filesystem access.
pkgs/npm/[email protected]/packages/dd-trace/src/ci-visibility/requests/fs-cache.js:167
    const content = fs.readFileSync(getLockPath(cacheKey), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3abdbff912e67e85 Filesystem access.
pkgs/npm/[email protected]/packages/dd-trace/src/ci-visibility/requests/upload-coverage-report.js:45
    const coverageContent = readFileSync(filePath)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a1eb1ec64d7ebd91 Environment-variable access.
pkgs/npm/[email protected]/packages/dd-trace/src/ci-visibility/test-optimization-cache.js:36
  process.env.DD_EXPERIMENTAL_TEST_OPT_SETTINGS_CACHE = cacheFilePath

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #332cfa50236da776 Filesystem access.
pkgs/npm/[email protected]/packages/dd-trace/src/ci-visibility/test-optimization-cache.js:52
    return JSON.parse(readFileSync(settingsCachePath, 'utf8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7237f1506aaef951 Filesystem access.
pkgs/npm/[email protected]/packages/dd-trace/src/ci-visibility/test-optimization-cache.js:70
    writeFileSync(settingsCachePath, JSON.stringify(cache), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8cb36a054964bf7d Filesystem access.
pkgs/npm/[email protected]/packages/dd-trace/src/config/git_properties.js:3
const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #979137641963465d Filesystem access.
pkgs/npm/[email protected]/packages/dd-trace/src/config/git_properties.js:86
    const gitHeadContent = fs.readFileSync(gitHeadPath, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2131580af2e3b233 Filesystem access.
pkgs/npm/[email protected]/packages/dd-trace/src/config/git_properties.js:104
    const gitHeadRefContent = fs.readFileSync(gitHeadRefPath, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fbadbe9927a6b5fe Filesystem access.
pkgs/npm/[email protected]/packages/dd-trace/src/config/parsers.js:3
const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6c8388610b8fe1eb Filesystem access.
pkgs/npm/[email protected]/packages/dd-trace/src/config/parsers.js:120
      return fs.readFileSync(raw, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cac3635eb7e48465 Filesystem access.
pkgs/npm/[email protected]/packages/dd-trace/src/config/stable.js:4
const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #820f0fb2286839ff Filesystem access.
pkgs/npm/[email protected]/packages/dd-trace/src/config/stable.js:60
      return fs.readFileSync(path, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #311d228f69be3021 Filesystem access.
pkgs/npm/[email protected]/packages/dd-trace/src/debugger/devtools_client/source-maps.js:4
const { readFileSync } = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #343ac8580e96cdca Filesystem access.
pkgs/npm/[email protected]/packages/dd-trace/src/debugger/devtools_client/source-maps.js:17
    return cacheIt(path, JSON.parse(await readFile(path, 'utf8')))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0fef0168fb564aa2 Filesystem access.
pkgs/npm/[email protected]/packages/dd-trace/src/debugger/devtools_client/source-maps.js:24
    return cacheIt(path, JSON.parse(readFileSync(path, 'utf8')))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #23641c9d275c7441 Filesystem access.
pkgs/npm/[email protected]/packages/dd-trace/src/debugger/index.js:3
const { readFile } = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b5ad875fd9f727fe Filesystem access.
pkgs/npm/[email protected]/packages/dd-trace/src/debugger/index.js:245
  readFile(path, 'utf8', (err, data) => {
    if (err) {
      log.error('[debugger] Failed to read probe file: %s', path, err)
      return
    }
    try {
      const parsedData = JSON.parse(data)
      log.debug('[debugger] Successfully parsed probe file: %s', path)
      cb(parsedData)
    } catch (err) {
      log.error('[debugger] Probe file (%s) is not valid JSON', path, err)
    }
  })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c1f63f5a76ec709a Filesystem access.
pkgs/npm/[email protected]/packages/dd-trace/src/exporter.js:3
const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #805e50222a32b7f6 Filesystem access.
pkgs/npm/[email protected]/packages/dd-trace/src/exporters/common/docker.js:3
const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7824c89193f4db0a Filesystem access.
pkgs/npm/[email protected]/packages/dd-trace/src/exporters/common/docker.js:22
  cgroup = fs.readFileSync('/proc/self/cgroup', 'utf8').trim()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #55c593d6d7382d4c Filesystem access.
pkgs/npm/[email protected]/packages/dd-trace/src/git_metadata.js:38
      const fromProperties = getGitMetadataFromGitProperties(fs.readFileSync(gitPropertiesFile, 'utf8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #19d07c749bb80645 Filesystem access.
pkgs/npm/[email protected]/packages/dd-trace/src/git_metadata.js:54
      repositoryUrl = getRemoteOriginURL(fs.readFileSync(gitConfigPath, 'utf8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c9a1c40330af9f65 Environment-variable access.
pkgs/npm/[email protected]/packages/dd-trace/src/guardrails/index.js:16
  var forced = isTrue(process.env.DD_INJECT_FORCE)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8fc92d07ff1b53ba Environment-variable access.
pkgs/npm/[email protected]/packages/dd-trace/src/guardrails/index.js:23
  if (process.env.DD_INJECTION_ENABLED) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7736c1c9a22ac644 Environment-variable access.
pkgs/npm/[email protected]/packages/dd-trace/src/guardrails/log.js:7
var DD_TRACE_DEBUG = process.env.DD_TRACE_DEBUG

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fac6f026fd57ab9e Environment-variable access.
pkgs/npm/[email protected]/packages/dd-trace/src/guardrails/log.js:8
var DD_TRACE_LOG_LEVEL = process.env.DD_TRACE_LOG_LEVEL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0489c6643458a511 Filesystem access.
pkgs/npm/[email protected]/packages/dd-trace/src/guardrails/telemetry.js:3
var fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3ae976d701d68025 Environment-variable access.
pkgs/npm/[email protected]/packages/dd-trace/src/guardrails/telemetry.js:10
if (!process.env.DD_INJECTION_ENABLED) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6b68b618600ccd9a Environment-variable access.
pkgs/npm/[email protected]/packages/dd-trace/src/guardrails/telemetry.js:14
var telemetryForwarderPath = process.env.DD_TELEMETRY_FORWARDER_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2b9ca9253920d336 Environment-variable access.
pkgs/npm/[email protected]/packages/dd-trace/src/guardrails/telemetry.js:55
  if (['1', 'true', 'True'].indexOf(process.env.DD_INJECT_FORCE) !== -1) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aebf4547814be2b4 Environment-variable access.
pkgs/npm/[email protected]/packages/dd-trace/src/log/index.js:88
      (process.env.OTEL_LOG_LEVEL === 'debug' || config.enabled)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #86293f1a159f2db3 Filesystem access.
pkgs/npm/[email protected]/packages/dd-trace/src/pkg.js:3
const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #158b0249064919ab Filesystem access.
pkgs/npm/[email protected]/packages/dd-trace/src/pkg.js:26
    return JSON.parse(fs.readFileSync(filePath, 'utf8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #35108ce1c17a670d Filesystem access.
pkgs/npm/[email protected]/packages/dd-trace/src/plugins/util/ci.js:3
const { readFileSync, readdirSync, existsSync } = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0da71b185520b863 Filesystem access.
pkgs/npm/[email protected]/packages/dd-trace/src/plugins/util/ci.js:104
  return JSON.parse(readFileSync(path, 'utf8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5be7121a46b6b463 Filesystem access.
pkgs/npm/[email protected]/packages/dd-trace/src/plugins/util/ci.js:266
    const content = readFileSync(filePath, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ed94bfb198c2f5a9 Filesystem access.
pkgs/npm/[email protected]/packages/dd-trace/src/plugins/util/git-cache.js:5
const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0e792da88e3ee06d Filesystem access.
pkgs/npm/[email protected]/packages/dd-trace/src/plugins/util/git-cache.js:64
    return fs.readFileSync(cacheFilePath, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4852a92ea5d95f8f Filesystem access.
pkgs/npm/[email protected]/packages/dd-trace/src/plugins/util/git-cache.js:75
    fs.writeFileSync(cacheFilePath, result, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c1372977a57f5244 Filesystem access.
pkgs/npm/[email protected]/packages/dd-trace/src/plugins/util/git.js:5
const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #906f804d6286f728 Filesystem access.
pkgs/npm/[email protected]/packages/dd-trace/src/plugins/util/test.js:4
const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a0b020d1ce51112e Filesystem access.
pkgs/npm/[email protected]/packages/dd-trace/src/plugins/util/test.js:764
      return fs.readFileSync(path.join(rootDir, location)).toString()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e0a7485da68af78d Filesystem access.
pkgs/npm/[email protected]/packages/dd-trace/src/profiling/exporter_cli.js:3
const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b190661515d4e384 Filesystem access.
pkgs/npm/[email protected]/packages/dd-trace/src/profiling/exporter_cli.js:69
const profile = JSON.parse(fs.readFileSync(process.argv[5], 'utf8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #597d628a4978f509 Filesystem access.
pkgs/npm/[email protected]/packages/dd-trace/src/profiling/exporters/file.js:3
const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b8b213271759ca92 Filesystem access.
pkgs/npm/[email protected]/packages/dd-trace/src/require-package-json.js:4
const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #48fe4bdf2ca7d762 Filesystem access.
pkgs/npm/[email protected]/packages/dd-trace/src/require-package-json.js:20
    return JSON.parse(fs.readFileSync(candidate, 'utf8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #30a22c298d9e787d Filesystem access.
pkgs/npm/[email protected]/packages/dd-trace/src/require-package-json.js:28
        return JSON.parse(fs.readFileSync(candidate, 'utf8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9a5faee544063943 Filesystem access.
pkgs/npm/[email protected]/packages/dd-trace/src/ritm.js:4
const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

posthog-js

npm dependency
medium telemetry dependency Excluded from app score #8d0901e834438893 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/lib/src/customizations/setAllPersonProfilePropertiesAsPersonPropertiesForFlags.js:15
    posthog.setPersonPropertiesForFlags(personProperties);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #8088e5a3056886a2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/lib/src/entrypoints/crisp-chat-integration.js:22
            var replayUrl = posthog.get_session_replay_url();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #2333cf457744a3e9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/lib/src/entrypoints/crisp-chat-integration.js:23
            var personUrl = posthog.requestRouter.endpointFor('ui', "/project/".concat(posthog.config.token, "/person/").concat(posthog.get_distinct_id()));

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #2ca4d0220b4cf77d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/lib/src/entrypoints/crisp-chat-integration.js:37
        sessionIdListenerUnsubscribe = posthog.onSessionId(function (sessionId) {
            if (!reportedSessionIds.has(sessionId)) {
                updateCrispChat();
                reportedSessionIds.add(sessionId);
            }
        });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #c16df90648a1f48f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/lib/src/entrypoints/intercom-integration.js:22
            var replayUrl = posthog.get_session_replay_url();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #eab58f26acd2d203 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/lib/src/entrypoints/intercom-integration.js:23
            var personUrl = posthog.requestRouter.endpointFor('ui', "/project/".concat(posthog.config.token, "/person/").concat(posthog.get_distinct_id()));

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #8c729e5e2884f2b7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/lib/src/entrypoints/intercom-integration.js:32
        sessionIdListenerUnsubscribe = posthog.onSessionId(function (sessionId) {
            if (!reportedSessionIds.has(sessionId)) {
                updateIntercom();
                reportedSessionIds.add(sessionId);
            }
        });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #2d7161a27234c4ad Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/lib/src/entrypoints/logs.js:341
                    if (args.length > 0 && !isCapturingLog && posthog.is_capturing()) {

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #e50b4cc4387ffc6b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/lib/src/extensions/segment-integration.js:17
        if (!ctx.event.userId && ctx.event.anonymousId !== posthog.get_distinct_id()) {

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #f9d7319e3c220d71 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/lib/src/extensions/segment-integration.js:20
            posthog.reset();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #4f4541915ad0f960 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/lib/src/extensions/segment-integration.js:22
        if (ctx.event.userId && ctx.event.userId !== posthog.get_distinct_id()) {

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #ada11ee67ba05fae Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/lib/src/extensions/segment-integration.js:24
            posthog.identify(ctx.event.userId);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #127fb0e5c4bee8df Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/lib/src/extensions/segment-integration.js:26
        var additionalProperties = posthog.calculateEventProperties(eventName, ctx.event.properties);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #2f90aa99d867cc7a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/lib/src/extensions/segment-integration.js:55
            posthog.register({
                distinct_id: user.id(),
                $device_id: getSegmentAnonymousId(),
            });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #a00090831f098b1e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/lib/src/extensions/surveys.js:881
                posthog.capture(posthog_surveys_types_1.SurveyEventName.SHOWN, __assign(__assign((_a = {}, _a[posthog_surveys_types_1.SurveyEventProperties.SURVEY_NAME] = survey.name, _a[posthog_surveys_types_1.SurveyEventProperties.SURVEY_ID] = survey.id, _a[posthog_surveys_types_1.SurveyEventProperties.SURVEY_ITERATION] = survey.current_iteration, _a[posthog_surveys_types_1.SurveyEventProperties.SURVEY_ITERATION_START_DATE] = survey.current_iteration_start_date, _a), (surveyLanguage && (_b = {}, _b[posthog_surveys_types_1.SurveyEventProperties.SURVEY_LANGUAGE] = surveyLanguage, _b))), { sessionRecordingUrl: (_c = posthog.get_session_replay_url) === null || _c === void 0 ? void 0 : _c.call(posthog) }));

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #5e84578fe830641a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/lib/src/extensions/surveys/surveys-extension-utils.js:383
    posthog.capture(posthog_surveys_types_1.SurveyEventName.SENT, __assign(__assign(__assign(__assign(__assign((_b = {}, _b[posthog_surveys_types_1.SurveyEventProperties.SURVEY_NAME] = survey.name, _b[posthog_surveys_types_1.SurveyEventProperties.SURVEY_ID] = survey.id, _b[posthog_surveys_types_1.SurveyEventProperties.SURVEY_ITERATION] = survey.current_iteration, _b[posthog_surveys_types_1.SurveyEventProperties.SURVEY_ITERATION_START_DATE] = survey.current_iteration_start_date, _b[posthog_surveys_types_1.SurveyEventProperties.SURVEY_SUBMISSION_ID] = surveySubmissionId, _b[posthog_surveys_types_1.SurveyEventProperties.SURVEY_COMPLETED] = isSurveyCompleted, _b), (surveyLanguage && (_c = {}, _c[posthog_surveys_types_1.SurveyEventProperties.SURVEY_LANGUAGE] = surveyLanguage, _c))), { sessionRecordingUrl: (_e = posthog.get_session_replay_url) === null || _e === void 0 ? void 0 : _e.call(posthog) }), (0, surveys_1.buildSurveyResponseProperties)(responses, survey)), properties), { $set: (_d = {},
            _d[(0, survey_utils_1.getSurveyInteractionProperty)(survey, 'responded')] = true,
            _d) }));

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #fafa0a7b0780f452 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/lib/src/extensions/surveys/surveys-extension-utils.js:410
    posthog.capture(posthog_surveys_types_1.SurveyEventName.DISMISSED, __assign(__assign(__assign({}, _buildSurveyEventProperties(survey, inProgressSurvey, posthog)), (surveyLanguage && (_a = {}, _a[posthog_surveys_types_1.SurveyEventProperties.SURVEY_LANGUAGE] = surveyLanguage, _a))), { $set: (_b = {},
            _b[(0, survey_utils_1.getSurveyInteractionProperty)(survey, 'dismissed')] = true,
            _b) }));

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #4738c18cbfc05615 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/lib/src/extensions/surveys/surveys-extension-utils.js:443
    posthog.capture(posthog_surveys_types_1.SurveyEventName.ABANDONED, _buildSurveyEventProperties(survey, inProgressSurvey, posthog), {
        transport: 'sendBeacon',
    });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

posthog-node

npm dependency
medium telemetry dependency Excluded from app score #423264d89137703c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/src/extensions/express.ts:69
    posthog.withContext(buildRequestContextData(posthog, req), () => next())

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #15fa349b2f120b37 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/src/extensions/express.ts:98
    posthog.addPendingPromise(
      ErrorTracking.buildEventMessage(
        posthog.getErrorPropertiesBuilder(),
        error,
        hint,
        contextData.distinctId,
        additionalProperties
      ).then((msg) => {
        return posthog._capturePreparedEvent(msg, false)
      })
    )

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #13bea766ce734725 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/src/extensions/express.ts:100
        posthog.getErrorPropertiesBuilder(),

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #f539b8c14150e0e2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/src/extensions/express.ts:106
        return posthog._capturePreparedEvent(msg, false)

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

@aws-sdk/credential-providers

npm dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #e695ad4fb9a39626 Environment-variable access.
pkgs/npm/@[email protected]/dist-cjs/fromTemporaryCredentials.js:8
    return (0, fromTemporaryCredentials_base_1.fromTemporaryCredentials)(options, fromNodeProviderChain_1.fromNodeProviderChain, async ({ profile = process.env.AWS_PROFILE }) => (0, config_1.loadConfig)({

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2032d8696a0bea2f Environment-variable access.
pkgs/npm/@[email protected]/dist-es/fromTemporaryCredentials.js:5
    return fromTemporaryCredentialsBase(options, fromNodeProviderChain, async ({ profile = process.env.AWS_PROFILE }) => loadConfig({

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@hookform/resolvers

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #760fd3bd3d5fe1e1 Environment-variable access.
pkgs/npm/@[email protected]/yup/src/yup.ts:97
      if (schemaOptions?.context && process.env.NODE_ENV === 'development') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@paralleldrive/cuid2

npm dependency
expand_more 3 low-confidence finding(s)
low env_fs dependency Excluded from app score #fe7c21d4f48383b8 Filesystem access.
pkgs/npm/@[email protected]/bin/cuid2.js:4
import { writeFileSync, readFileSync, existsSync } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #46404dad19facf4b Filesystem access.
pkgs/npm/@[email protected]/bin/cuid2.js:51
      const content = readFileSync(configPath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f9599739a19c7091 Filesystem access.
pkgs/npm/@[email protected]/bin/cuid2.js:60
        writeFileSync(configPath, newContent, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@tanstack/react-query

npm dependency
expand_more 5 low-confidence finding(s)
low env_fs dependency Excluded from app score #d5b2dd4f3864a7cc Environment-variable access.
pkgs/npm/@[email protected]/src/useBaseQuery.ts:44
  if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7d41bde48a71b291 Environment-variable access.
pkgs/npm/@[email protected]/src/useBaseQuery.ts:69
  if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1002e08aeecea3d9 Environment-variable access.
pkgs/npm/@[email protected]/src/useSuspenseInfiniteQuery.ts:34
  if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7df46b43b65b9185 Environment-variable access.
pkgs/npm/@[email protected]/src/useSuspenseQueries.ts:194
        if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #742d626f23124913 Environment-variable access.
pkgs/npm/@[email protected]/src/useSuspenseQuery.ts:17
  if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

chroma-js

npm dependency
expand_more 3 low-confidence finding(s)
low env_fs dependency Excluded from app score #926e44fe832f4b6b Filesystem access.
pkgs/npm/[email protected]/.bin/update-version.cjs:2
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cb0357c648ac554e Filesystem access.
pkgs/npm/[email protected]/.bin/update-version.cjs:8
const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #783080a60b579975 Filesystem access.
pkgs/npm/[email protected]/.bin/update-version.cjs:13
fs.writeFileSync(versionFilePath, versionFileContent);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

core-js

npm dependency
expand_more 6 low-confidence finding(s)
low egress dependency Excluded from app score #5a3397d23dfe9bed Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/[email protected]/internals/url-constructor-detection.js:32
    || new URL('https://a@b').username !== 'a'

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress dependency Excluded from app score #81a820ef481a627a Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/[email protected]/internals/url-constructor-detection.js:35
    || new URL('https://тест').host !== 'xn--e1aybc'

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress dependency Excluded from app score #390c16f22e1f36c2 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/[email protected]/internals/url-constructor-detection.js:37
    || new URL('https://a#б').hash !== '#%D0%B1'

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs dependency Excluded from app score #576f594d3245ae9d Filesystem access.
pkgs/npm/[email protected]/postinstall.js:4
var fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f6c2f1fa41b4e467 Filesystem access.
pkgs/npm/[email protected]/postinstall.js:44
      banners = JSON.parse(fs.readFileSync(file));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e35877f680eeb24e Filesystem access.
pkgs/npm/[email protected]/postinstall.js:52
    fs.writeFileSync(file, JSON.stringify(banners), 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

eslint-config-prettier

npm dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #7e4868ca9638fa0b Environment-variable access.
pkgs/npm/[email protected]/bin/cli.js:45
      switch (process.env.ESLINT_USE_FLAT_CONFIG) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #54b764b89e2e5dfc Environment-variable access.
pkgs/npm/[email protected]/index.js:3
const includeDeprecated = !process.env.ESLINT_CONFIG_PRETTIER_NO_DEPRECATED;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

express

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #5830da040984369e Environment-variable access.
pkgs/npm/[email protected]/lib/application.js:91
  var env = process.env.NODE_ENV || 'development';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

fastest-levenshtein

npm dependency
expand_more 3 low-confidence finding(s)
low env_fs dependency Excluded from app score #bf9341212005c6eb Filesystem access.
pkgs/npm/[email protected]/bench.js:8
var fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c9fc8136e02029b7 Filesystem access.
pkgs/npm/[email protected]/bench.js:43
    fs.writeFileSync("data.json", JSON.stringify(data_1));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7c5a350824d7d28b Filesystem access.
pkgs/npm/[email protected]/bench.js:45
var data = JSON.parse(fs.readFileSync("data.json", "utf8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

ioredis

npm dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #25f4eb83eba83ddc Filesystem access.
pkgs/npm/[email protected]/built/utils/index.js:4
const fs_1 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #64f98f50bafb9395 Filesystem access.
pkgs/npm/[email protected]/built/utils/index.js:362
        const data = await fs_1.promises.readFile(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

jsonpath-plus

npm dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #9440a59cfd1ae2d4 Filesystem access.
pkgs/npm/[email protected]/bin/jsonpath-cli.js:2
import {readFile} from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #78cf68da01634dbc Filesystem access.
pkgs/npm/[email protected]/bin/jsonpath-cli.js:9
    const json = JSON.parse(await readFile(file, 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

nanoid

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #1fde20fcc48ab967 Filesystem access.
pkgs/npm/[email protected]/bin/nanoid.js:20
  let pkg = JSON.parse(readFileSync(join(root, '..', 'package.json'), 'utf8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

pg

npm dependency
expand_more 6 low-confidence finding(s)
low env_fs dependency Excluded from app score #3055d9a7e6c16d41 Environment-variable access.
pkgs/npm/[email protected]/lib/connection-parameters.js:15
    envVar = process.env['PG' + key.toUpperCase()]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f5e632056b6ef824 Environment-variable access.
pkgs/npm/[email protected]/lib/connection-parameters.js:19
    envVar = process.env[envVar]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #63ccca09bfb15b98 Environment-variable access.
pkgs/npm/[email protected]/lib/connection-parameters.js:26
  switch (process.env.PGSSLMODE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #335c43def2e01e12 Environment-variable access.
pkgs/npm/[email protected]/lib/connection-parameters.js:127
      this.connect_timeout = process.env.PGCONNECT_TIMEOUT || 0

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fd874d38932a360d Environment-variable access.
pkgs/npm/[email protected]/lib/defaults.js:5
  user = process.platform === 'win32' ? process.env.USERNAME : process.env.USER

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3d026650f3c2f66d Environment-variable access.
pkgs/npm/[email protected]/lib/index.js:41
  forceNative = !!process.env.NODE_PG_FORCE_NATIVE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

protobufjs

npm dependency
expand_more 5 low-confidence finding(s)
low env_fs tooling Excluded from app score unknown #256c3fbb73b297b8 Filesystem access.
pkgs/npm/[email protected]/scripts/postinstall.js:3
var path = require("path"),
    fs   = require("fs"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #9eb84e64c16a9cf2 Filesystem access.
pkgs/npm/[email protected]/scripts/postinstall.js:4
    fs   = require("fs"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #7ae523e6dfa47305 Filesystem access.
pkgs/npm/[email protected]/scripts/postinstall.js:17
    basePkg = JSON.parse(fs.readFileSync(path.join(__dirname, "..", "..", "package.json")));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c6838aa3187ac0f2 Filesystem access.
pkgs/npm/[email protected]/src/root.js:203
                source = util.fs.readFileSync(filename).toString("utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e843ce1a0df9c3a0 Filesystem access.
pkgs/npm/[email protected]/src/util/fs.js:5
    fs = require(/* webpackIgnore: true */ "fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

react

npm dependency
expand_more 14 low-confidence finding(s)
low env_fs dependency Excluded from app score #4b64f6ce928c6173 Environment-variable access.
pkgs/npm/[email protected]/cjs/react-compiler-runtime.development.js:12
"production" !== process.env.NODE_ENV &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b33609bcedc5f8ad Environment-variable access.
pkgs/npm/[email protected]/cjs/react-jsx-dev-runtime.development.js:12
"production" !== process.env.NODE_ENV &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c75ca1b756656082 Environment-variable access.
pkgs/npm/[email protected]/cjs/react-jsx-dev-runtime.react-server.development.js:12
"production" !== process.env.NODE_ENV &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b067a3d296f9b7c5 Environment-variable access.
pkgs/npm/[email protected]/cjs/react-jsx-runtime.development.js:12
"production" !== process.env.NODE_ENV &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fb3261b7e535adb1 Environment-variable access.
pkgs/npm/[email protected]/cjs/react-jsx-runtime.react-server.development.js:12
"production" !== process.env.NODE_ENV &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a59abb43d390c6ab Environment-variable access.
pkgs/npm/[email protected]/cjs/react.development.js:12
"production" !== process.env.NODE_ENV &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #022cd29dc520722a Environment-variable access.
pkgs/npm/[email protected]/cjs/react.react-server.development.js:12
"production" !== process.env.NODE_ENV &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ff98d8830ad2bc01 Environment-variable access.
pkgs/npm/[email protected]/compiler-runtime.js:10
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1c6aa99753eb4aaf Environment-variable access.
pkgs/npm/[email protected]/index.js:3
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1f501b5c2ba435aa Environment-variable access.
pkgs/npm/[email protected]/jsx-dev-runtime.js:3
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3383ea4592df4211 Environment-variable access.
pkgs/npm/[email protected]/jsx-dev-runtime.react-server.js:3
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dfff71563108848c Environment-variable access.
pkgs/npm/[email protected]/jsx-runtime.js:3
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #353a6271d6d5fbf4 Environment-variable access.
pkgs/npm/[email protected]/jsx-runtime.react-server.js:3
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #47b22d10954796ea Environment-variable access.
pkgs/npm/[email protected]/react.react-server.js:3
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

react-dom

npm dependency
expand_more 23 low-confidence finding(s)
low env_fs dependency Excluded from app score #86e6eb39ea50723c Environment-variable access.
pkgs/npm/[email protected]/cjs/react-dom-server-legacy.browser.development.js:36
"production" !== process.env.NODE_ENV &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1b0b34509270a02d Environment-variable access.
pkgs/npm/[email protected]/cjs/react-dom-server-legacy.node.development.js:36
"production" !== process.env.NODE_ENV &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1f938657acbaa7f9 Environment-variable access.
pkgs/npm/[email protected]/cjs/react-dom-server.browser.development.js:36
"production" !== process.env.NODE_ENV &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #16049517af99d73c Environment-variable access.
pkgs/npm/[email protected]/cjs/react-dom-server.edge.development.js:36
"production" !== process.env.NODE_ENV &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #06911b2e883bc4dd Environment-variable access.
pkgs/npm/[email protected]/cjs/react-dom-server.node.development.js:12
"production" !== process.env.NODE_ENV &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2bb845d76f7b4b46 Environment-variable access.
pkgs/npm/[email protected]/cjs/react-dom-test-utils.development.js:12
"production" !== process.env.NODE_ENV &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b6cacbf8c69652aa Environment-variable access.
pkgs/npm/[email protected]/cjs/react-dom.development.js:12
"production" !== process.env.NODE_ENV &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c5bbb1b2de1da4f1 Environment-variable access.
pkgs/npm/[email protected]/cjs/react-dom.react-server.development.js:12
"production" !== process.env.NODE_ENV &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #73ca9d2c4d0434fa Environment-variable access.
pkgs/npm/[email protected]/client.js:11
  if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #15853c3d74f1a641 Environment-variable access.
pkgs/npm/[email protected]/client.js:31
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #13e61a50c0a307de Environment-variable access.
pkgs/npm/[email protected]/index.js:11
  if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e51e2a45b40c2052 Environment-variable access.
pkgs/npm/[email protected]/index.js:31
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #26a8e301df2286ac Environment-variable access.
pkgs/npm/[email protected]/profiling.js:11
  if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ef4828f34de04548 Environment-variable access.
pkgs/npm/[email protected]/profiling.js:31
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aae0a79ae03df13d Environment-variable access.
pkgs/npm/[email protected]/react-dom.react-server.js:3
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9a12e4089b5212d3 Environment-variable access.
pkgs/npm/[email protected]/server.browser.js:4
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2e58e8272d950bc1 Environment-variable access.
pkgs/npm/[email protected]/server.bun.js:5
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7ad9c9a8a0b03603 Environment-variable access.
pkgs/npm/[email protected]/server.edge.js:5
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #83fce1fc031c1598 Environment-variable access.
pkgs/npm/[email protected]/server.node.js:4
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3b2efffd7534467e Environment-variable access.
pkgs/npm/[email protected]/static.browser.js:4
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #40e1de02f98ebbf1 Environment-variable access.
pkgs/npm/[email protected]/static.edge.js:4
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ad0f878788766d67 Environment-variable access.
pkgs/npm/[email protected]/static.node.js:4
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f6ed7ffb35c42579 Environment-variable access.
pkgs/npm/[email protected]/test-utils.js:3
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

react-dropzone

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #df3ae10c7a63e45f Environment-variable access.
pkgs/npm/[email protected]/.babelrc.js:3
if (process.env['BABEL_ENV'] === 'es') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

tiktoken

npm dependency
expand_more 4 low-confidence finding(s)
low env_fs dependency Excluded from app score #3dbd1c5e78c45418 Filesystem access.
pkgs/npm/[email protected]/lite/tiktoken.cjs:5
const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #40d66c6886751a0c Filesystem access.
pkgs/npm/[email protected]/lite/tiktoken.cjs:29
    bytes = fs.readFileSync(candidate);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #11e8c19f95f40ec9 Filesystem access.
pkgs/npm/[email protected]/tiktoken.cjs:5
const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #325b991d7e2d5759 Filesystem access.
pkgs/npm/[email protected]/tiktoken.cjs:29
    bytes = fs.readFileSync(candidate);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

use-query-params

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #fda955c44f8416d4 Environment-variable access.
pkgs/npm/[email protected]/src/QueryParamProvider.tsx:31
    process.env.NODE_ENV !== 'production' &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

zustand

npm dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #3765bd432e753eb7 Environment-variable access.
pkgs/npm/[email protected]/middleware.js:66
    extensionConnector = (enabled != null ? enabled : process.env.NODE_ENV !== "production") && window.__REDUX_DEVTOOLS_EXTENSION__;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #49dbd00aa569be27 Environment-variable access.
pkgs/npm/[email protected]/middleware.js:128
      if (process.env.NODE_ENV !== "production" && args[0].type === "__setState" && !didWarnAboutReservedActionType) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

Skipped dependencies

Production

  • @ag-ui/client prod — dist-only: no readable source
  • @ag-ui/core prod — dist-only: no readable source
  • @ag-ui/mastra prod — dist-only: no readable source
  • @appsignal/opentelemetry-instrumentation-bullmq prod — dist-only: no readable source
  • @baselime/trpc-opentelemetry-middleware prod — dist-only: no readable source
  • @codemirror/lang-javascript prod — dist-only: no readable source
  • @codemirror/lang-json prod — dist-only: no readable source
  • @codemirror/lang-python prod — dist-only: no readable source
  • @codemirror/language prod — dist-only: no readable source
  • @codemirror/lint prod — dist-only: no readable source
  • @codemirror/search prod — dist-only: no readable source
  • @codemirror/state prod — dist-only: no readable source
  • @dnd-kit/core prod — dist-only: no readable source
  • @dnd-kit/modifiers prod — dist-only: no readable source
  • @dnd-kit/sortable prod — dist-only: no readable source
  • @dnd-kit/utilities prod — dist-only: no readable source
  • @ferrucc-io/emoji-picker prod — dist-only: no readable source
  • @langfuse/ee prod — registry 404
  • @langfuse/shared prod — registry 404
  • @lezer/highlight prod — dist-only: no readable source
  • @mastra/client-js prod — dist-only: no readable source
  • @mastra/mcp prod — dist-only: no readable source
  • @modelcontextprotocol/sdk prod — dist-only: no readable source
  • @next-auth/prisma-adapter prod — dist-only: no readable source
  • @prisma/instrumentation prod — dist-only: no readable source
  • @radix-ui/react-accordion prod — dist-only: no readable source
  • @radix-ui/react-avatar prod — dist-only: no readable source
  • @radix-ui/react-checkbox prod — dist-only: no readable source
  • @radix-ui/react-collapsible prod — dist-only: no readable source
  • @radix-ui/react-dialog prod — dist-only: no readable source
  • @radix-ui/react-dropdown-menu prod — dist-only: no readable source
  • @radix-ui/react-hover-card prod — dist-only: no readable source
  • @radix-ui/react-label prod — dist-only: no readable source
  • @radix-ui/react-popover prod — dist-only: no readable source
  • @radix-ui/react-progress prod — dist-only: no readable source
  • @radix-ui/react-radio-group prod — dist-only: no readable source
  • @radix-ui/react-scroll-area prod — dist-only: no readable source
  • @radix-ui/react-select prod — dist-only: no readable source
  • @radix-ui/react-separator prod — dist-only: no readable source
  • @radix-ui/react-slider prod — dist-only: no readable source
  • @radix-ui/react-slot prod — dist-only: no readable source
  • @radix-ui/react-tabs prod — dist-only: no readable source
  • @radix-ui/react-switch prod — dist-only: no readable source
  • @radix-ui/react-toggle prod — dist-only: no readable source
  • @radix-ui/react-toggle-group prod — dist-only: no readable source
  • @radix-ui/react-tooltip prod — dist-only: no readable source
  • @t3-oss/env-nextjs prod — dist-only: no readable source
  • @tailwindcss/container-queries prod — dist-only: no readable source
  • bullmq prod — dist-only: no readable source
  • class-variance-authority prod — dist-only: no readable source
  • cmdk prod — dist-only: no readable source
  • https-proxy-agent prod — dist-only: no readable source
  • ip-address prod — dist-only: no readable source
  • json-schema-faker prod — dist-only: no readable source
  • next prod — tarball exceeds byte cap
  • next-themes prod — dist-only: no readable source
  • prism-react-renderer prod — dist-only: no readable source
  • react-hook-form prod — dist-only: no readable source
  • react-resizable-panels prod — dist-only: no readable source
  • sonner prod — dist-only: no readable source
  • streamdown prod — dist-only: no readable source
  • superjson prod — dist-only: no readable source
  • vaul prod — dist-only: no readable source
  • @repo/eslint-plugin prod — registry 404
  • eslint-config-turbo prod — dist-only: no readable source
  • typescript-eslint prod — dist-only: no readable source
  • @aws-sdk/client-lambda prod — scan budget exceeded
  • @aws-sdk/client-sesv2 prod — scan budget exceeded
  • @aws-sdk/lib-storage prod — scan budget exceeded
  • @aws-sdk/s3-request-presigner prod — scan budget exceeded
  • @azure/storage-blob prod — scan budget exceeded
  • @clickhouse/client prod — scan budget exceeded
  • @clickhouse/client-common prod — scan budget exceeded
  • @google-cloud/storage prod — scan budget exceeded
  • @langchain/anthropic prod — scan budget exceeded
  • @langchain/aws prod — scan budget exceeded
  • @langchain/google prod — scan budget exceeded
  • @langchain/openai prod — scan budget exceeded
  • @opentelemetry/otlp-transformer prod — scan budget exceeded
  • @prisma/client prod — scan budget exceeded
  • @react-email/components prod — scan budget exceeded
  • @react-email/render prod — scan budget exceeded
  • @slack/oauth prod — scan budget exceeded
  • @slack/web-api prod — scan budget exceeded
  • @smithy/node-http-handler prod — scan budget exceeded
  • ai prod — scan budget exceeded
  • ajv prod — scan budget exceeded
  • ajv-formats prod — scan budget exceeded
  • ipaddr.js prod — scan budget exceeded
  • langfuse-langchain prod — scan budget exceeded
  • lossless-json prod — scan budget exceeded
  • lru-cache prod — scan budget exceeded
  • nodemailer prod — scan budget exceeded
  • oci-common prod — scan budget exceeded
  • oci-objectstorage prod — scan budget exceeded
  • safe-regex2 prod — scan budget exceeded