Merged
Issues fixed from OCR L2 self-scan:
- Use cryptographically secure randomInt() instead of Math.random() for license key generation (CWE-338)
- Clarify re-export aliases in index.ts to avoid symbol collision warnings

Scan report: Score 67/100 → 67/100 (remaining issues are false positives from detector pattern data and complexity warnings requiring architectural refactoring)

- Add JSDoc comments to exported interfaces
- Export ParsedLLMIssue, ImportOccurrence, and other types
- Minor type safety improvements

- Extract matchFunctionDeclaration() and extractBracedBody() helpers in duplication.ts to reduce nesting from 5 to 3
- Extract groupByFunctionName() and reportDuplicates() helpers in context-coherence.ts to reduce nesting from 5 to 3
- Before: 111 issues (67/100)
- After: 97 issues (67/100)
- Context Coherence improved: 15→3 issues
raye-deng added a commit that referenced this pull request on Mar 18, 2026
…n detection

Quick Win #1: V4 hallucinated import detector now falls back to whitelist-based detection when registry manager is unavailable (offline mode). Flags non-relative, non-builtin imports with confidence 0.6.

Quick Win #3: Over-engineering detector now detects abstract classes and interfaces with only one implementation — a common AI over-engineering pattern. Scans source text for abstract class/interface definitions and their extends/implements relationships.

Both features include full test coverage.
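The whitelist fallback described in the commit above, written out as an added example (this is not Open Code Review's own detector code). It assumes a small constructed whitelist standing in for the unavailable package registry, a line-based import regex, Node's `builtinModules` list for the builtin check, and a constructed sample file; the 0.6 confidence comes from the commit message.

```typescript
// Added example, not the project's own V4 detector: offline fallback that
// flags imports which are neither relative, nor Node builtins, nor on a
// known-package whitelist. Names and the whitelist contents are assumptions.
import { builtinModules } from 'node:module';

export interface ImportFinding {
  specifier: string;   // the raw module specifier as written in the source
  line: number;        // 1-based line number of the import
  confidence: number;  // 0.6 per the commit message: a heuristic, not proof
  reason: string;
}

// Constructed stand-in for the registry data that is unavailable in offline
// mode (assumption; a real scan would load a much larger list from disk).
export const OFFLINE_WHITELIST: ReadonlySet<string> = new Set([
  'react', 'express', 'lodash', 'zod', '@types/node',
]);

// Matches `import x from 'm'`, `import 'm'`, `export * from 'm'` and
// `require('m')` on a single line. Multi-line import lists are out of scope.
const IMPORT_RE = /(?:from\s*|import\s*|require\s*\()\s*['"]([^'"]+)['"]/;

// Reduce "@scope/pkg/sub/path" to "@scope/pkg" and "pkg/sub" to "pkg".
export function packageName(specifier: string): string {
  const parts = specifier.split('/');
  return specifier.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

export function isRelative(specifier: string): boolean {
  return specifier.startsWith('./') || specifier.startsWith('../') ||
    specifier === '.' || specifier === '..' || specifier.startsWith('/');
}

export function isBuiltin(specifier: string): boolean {
  return specifier.startsWith('node:') || builtinModules.includes(packageName(specifier));
}

export function detectOfflineHallucinatedImports(
  source: string,
  whitelist: ReadonlySet<string> = OFFLINE_WHITELIST,
): ImportFinding[] {
  const findings: ImportFinding[] = [];
  source.split('\n').forEach((text, idx) => {
    const m = IMPORT_RE.exec(text);
    if (!m) return;
    const spec = m[1];
    if (isRelative(spec) || isBuiltin(spec)) return;      // local file or Node core
    if (whitelist.has(packageName(spec))) return;          // known package
    findings.push({
      specifier: spec,
      line: idx + 1,
      confidence: 0.6,
      reason: `package "${packageName(spec)}" is neither a builtin nor in the offline whitelist`,
    });
  });
  return findings;
}

// Constructed sample input: two of the six imports should be flagged.
export const SAMPLE_SOURCE = [
  "import { readFileSync } from 'node:fs';",
  "import path from 'path';",
  "import express from 'express';",
  "import { helper } from './utils/helper';",
  "import { magicParse } from 'super-magic-parser';",
  "const { deepThing } = require('@acme/nonexistent-sdk/lib');",
].join('\n');

for (const f of detectOfflineHallucinatedImports(SAMPLE_SOURCE)) {
  console.log(`line ${f.line}: ${f.specifier} (confidence ${f.confidence}) - ${f.reason}`);
}
```

The confidence stays below certainty on purpose: a package missing from a local whitelist may simply be uncommon rather than hallucinated, so findings from this path should be surfaced for review rather than treated as blocking.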
🛡️ OCR Self-Scan Report
This PR fixes issues identified by Open Code Review's own L2 analysis.
Scan Summary
Changes
packages/core/src/license/generator.ts: Replace Math.random() with crypto.randomInt() for cryptographically secure license key generation (CWE-338)

Analysis of Remaining Issues
Most of the 111 remaining issues are false positives or architectural:
The score is dominated by Implementation Quality (0/20) which penalizes high cyclomatic complexity in parser files — these are inherent to regex-based language parsers and not practical to reduce without a full rewrite.
Evidence
This demonstrates OCR's self-scanning capability — eating our own dog food. The scan correctly identified a real security issue (Math.random() for key generation) while also revealing false positive patterns in detector/pattern files that we can improve in future versions.

Generated by Open Code Review L2 self-scan
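To make the CWE-338 fix concrete, here is an added example that is not the project's generator.ts: the weak Math.random() form kept only as the "before", beside the crypto.randomInt() replacement. The alphabet, key layout (four groups of five characters) and helper names are assumptions chosen for the illustration.

```typescript
// Added example, not the project's generator.ts: weak vs. hardened license
// key generation. Alphabet and key layout are constructed choices.
import { randomInt } from 'node:crypto';

// Crockford-style alphabet without the ambiguous 0/O/1/I characters.
export const KEY_ALPHABET = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';
export const KEY_GROUPS = 4;
export const KEY_GROUP_LENGTH = 5;

function buildKey(pick: () => string): string {
  const groups: string[] = [];
  for (let g = 0; g < KEY_GROUPS; g++) {
    let s = '';
    for (let i = 0; i < KEY_GROUP_LENGTH; i++) s += pick();
    groups.push(s);
  }
  return groups.join('-');
}

// "Before": Math.random() is a non-cryptographic PRNG (CWE-338). Its output
// can be predicted from observed values, so keys drawn from it are guessable.
// Kept here only to show what the fix replaces.
export function generateLicenseKeyWeak(): string {
  return buildKey(() => KEY_ALPHABET[Math.floor(Math.random() * KEY_ALPHABET.length)]);
}

// "After": crypto.randomInt(max) draws from the OS CSPRNG and performs
// rejection sampling internally, so each index is uniform (no modulo bias)
// and unpredictable to anyone who has seen earlier keys.
export function generateLicenseKey(): string {
  return buildKey(() => KEY_ALPHABET[randomInt(KEY_ALPHABET.length)]);
}

// Shape check only: confirms charset and grouping, says nothing about
// whether a key was actually issued (that needs a MAC or signature).
export const KEY_PATTERN = new RegExp(
  `^(?:[${KEY_ALPHABET}]{${KEY_GROUP_LENGTH}}-){${KEY_GROUPS - 1}}[${KEY_ALPHABET}]{${KEY_GROUP_LENGTH}}$`,
);

export function isWellFormedKey(key: string): boolean {
  return KEY_PATTERN.test(key);
}

// Size of the key space in bits: log2(alphabet ^ characters). With a CSPRNG
// this is the effective work factor for guessing; with Math.random() it is not.
export function keyEntropyBits(): number {
  return KEY_GROUPS * KEY_GROUP_LENGTH * Math.log2(KEY_ALPHABET.length);
}

console.log(generateLicenseKey(), `(${keyEntropyBits()} bits of key space)`);
```

Both generators produce keys of identical shape, which is why the weakness is invisible to a format check and only shows up in review or in a CWE-338 detector such as the one this PR's scan ran. Swapping the picker function is the whole fix; the key layout is untouched.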