DollhouseMCP

# SonarCloud Issue Analysis Report Generated: 2025-09-27T18:32:20.402Z ## Executive Summary - **Total Issues**: 2468 - **BLOCKER**: 16 - **CRITICAL**: 235 - **MAJOR**: 531 ## BLOCKER Issues (Must Fix) ### Vulnerabilities (14) - [ ] scripts/validation/run-sync-test-with-pat.sh:7 - Make sure this Github token gets revoked, changed, and removed from the code. - [ ] .github/workflows/readme-sync.yml:69 - Change this workflow to not use user-controlled data directly in a run block. - [ ] .github/workflows/version-update.yml:43 - Change this workflow to not use user-controlled data directly in a run block. - [ ] .github/workflows/version-update.yml:44 - Change this workflow to not use user-controlled data directly in a run block. - [ ] .github/workflows/version-update.yml:61 - Change this workflow to not use user-controlled data directly in a run block. - [ ] .github/workflows/version-update.yml:144 - Change this workflow to not use user-controlled data directly in a run block. - [ ] .github/workflows/version-update.yml:146 - Change this workflow to not use user-controlled data directly in a run block. - [ ] .github/workflows/version-update.yml:148 - Change this workflow to not use user-controlled data directly in a run block. - [ ] .github/workflows/version-update.yml:158 - Change this workflow to not use user-controlled data directly in a run block. - [ ] .github/workflows/version-update.yml:159 - Change this workflow to not use user-controlled data directly in a run block. - [ ] .github/workflows/version-update.yml:160 - Change this workflow to not use user-controlled data directly in a run block. - [ ] .github/workflows/version-update.yml:165 - Change this workflow to not use user-controlled data directly in a run block. - [ ] .github/workflows/version-update.yml:167 - Change this workflow to not use user-controlled data directly in a run block. - [ ] .github/workflows/branch-protection.yml:134 - Change this workflow to not use user-controlled data directly in a run block. ### Bugs (0) ### Code Smells (2) - [ ] src/config/ConfigWizardCheck.ts:80 - Refactor this function to not always return the same value. - [ ] src/portfolio/UnifiedIndexManager.ts:1245 - Refactor this function to not always return the same value. ## Top Rules by Count ### typescript:S7772 (305 issues, MINOR) Type: CODE_SMELL Examples: - src/elements/memories/Memory.ts:21 - src/elements/memories/MemoryManager.ts:24 - src/elements/memories/MemoryManager.ts:25 ### typescript:S7728 (191 issues, MINOR) Type: CODE_SMELL Examples: - src/elements/memories/Memory.ts:590 - src/elements/memories/MemorySearchIndex.ts:531 - test/__tests__/unit/elements/memories/Memory.privacy.test.ts:166 ### typescript:S2933 (150 issues, MAJOR) Type: CODE_SMELL Examples: - src/index.ts:103 - src/elements/memories/Memory.ts:141 - src/elements/memories/Memory.ts:142 ### typescript:S2004 (132 issues, CRITICAL) Type: CODE_SMELL Examples: - test/__tests__/qa/portfolio-single-upload.qa.test.ts:290 - test/__tests__/qa/portfolio-single-upload.qa.test.ts:369 - test/__tests__/qa/portfolio-single-upload.qa.test.ts:271 ### typescript:S1128 (125 issues, MINOR) Type: CODE_SMELL Examples: - src/elements/memories/MemoryManager.ts:13 - src/elements/memories/MemoryManager.ts:21 - test/__tests__/unit/elements/memories/Memory.concurrent.test.ts:8 ### javascript:S7772 (123 issues, MINOR) Type: CODE_SMELL Examples: - test/manual/test-memory-editing.cjs:8 - test/manual/test-memory-editing.cjs:9 - test/manual/test-memory-validation.cjs:8 ### typescript:S7781 (109 issues, MINOR) Type: CODE_SMELL Examples: - src/index.ts:1917 - src/elements/memories/Memory.ts:60 - src/elements/memories/MemoryManager.ts:215 ### typescript:S7773 (88 issues, MINOR) Type: CODE_SMELL Examples: - src/elements/memories/Memory.ts:532 - src/elements/memories/Memory.ts:540 - src/index.ts:1760 ### typescript:S7778 (88 issues, MINOR) Type: CODE_SMELL Examples: - test/__tests__/unit/elements/memories/Memory.concurrent.test.ts:110 - test/__tests__/unit/elements/memories/Memory.concurrent.test.ts:111 - test/__tests__/unit/elements/memories/Memory.concurrent.test.ts:112 ### typescript:S1854 (87 issues, MAJOR) Type: CODE_SMELL Examples: - src/elements/memories/MemoryManager.ts:153 - src/elements/memories/MemorySearchIndex.ts:609 - test/__tests__/integration/fuzzy-matching.test.ts:90 ### typescript:S3776 (83 issues, CRITICAL) Type: CODE_SMELL Examples: - src/index.ts:1630 - src/index.ts:2053 - src/elements/memories/MemoryManager.ts:64 ### typescript:S2486 (80 issues, MINOR) Type: CODE_SMELL Examples: - test/__tests__/unit/elements/memories/MemoryManager.test.ts:664 - test/__tests__/unit/elements/memories/MemoryManager.test.ts:687 - scripts/run-security-audit.ts:70 ### typescript:S7780 (67 issues, MINOR) Type: CODE_SMELL Examples: - test/__tests__/unit/elements/memories/MemoryManager.test.ts:706 - test/__tests__/unit/elements/memories/MemoryManager.test.ts:720 - test/__tests__/unit/elements/memories/MemoryManager.test.ts:721 ### typescript:S7764 (67 issues, MINOR) Type: CODE_SMELL Examples: - test/__tests__/qa/upload-ziggy-demo.test.ts:89 - test/__tests__/qa/upload-ziggy-demo.test.ts:220 - test/__tests__/unit/collection/CollectionIndexManager.test.ts:28 ### typescript:S4325 (41 issues, MINOR) Type: CODE_SMELL Examples: - src/index.ts:1806 - src/index.ts:2138 - src/index.ts:2139 ## Files with Most Issues ### src/index.ts Total: 147 (BLOCKER: 0, CRITICAL: 19, MAJOR: 53, MINOR: 75) ### test/__tests__/unit/InputValidator.test.ts Total: 48 (BLOCKER: 0, CRITICAL: 16, MAJOR: 2, MINOR: 30) ### src/tools/portfolio/submitToPortfolioTool.ts Total: 43 (BLOCKER: 0, CRITICAL: 8, MAJOR: 13, MINOR: 22) ### test/__tests__/integration.test.ts Total: 36 (BLOCKER: 0, CRITICAL: 5, MAJOR: 6, MINOR: 25) ### src/portfolio/UnifiedIndexManager.ts Total: 34 (BLOCKER: 1, CRITICAL: 5, MAJOR: 11, MINOR: 17) ### test/__tests__/integration/fuzzy-matching.test.ts Total: 32 (BLOCKER: 0, CRITICAL: 14, MAJOR: 2, MINOR: 16) ### src/security/InputValidator.ts Total: 31 (BLOCKER: 0, CRITICAL: 1, MAJOR: 8, MINOR: 22) ### src/portfolio/PortfolioSyncManager.ts Total: 30 (BLOCKER: 0, CRITICAL: 7, MAJOR: 11, MINOR: 12) ### test/qa/oauth-pat-test.mjs Total: 29 (BLOCKER: 0, CRITICAL: 2, MAJOR: 3, MINOR: 24) ### src/security/audit/reporters/MarkdownReporter.ts Total: 29 (BLOCKER: 0, CRITICAL: 1, MAJOR: 1, MINOR: 27) ## Fixable Pattern Groups ### GitHub Actions Command Injection (13 issues) Pattern: Use environment variables instead of direct interpolation in run blocks ### Functions Always Return Same Value (2 issues) Pattern: Either make configurable or remove return value ### High Cognitive Complexity (99 issues) Pattern: Extract methods, reduce nesting, simplify conditionals ### Dead Code (87 issues) Pattern: Remove unreachable/unused code ### Duplicated Blocks (0 issues) Pattern: Extract common code to shared functions ### Use for...of Loops (0 issues) Pattern: Replace forEach with for...of for better performance ## Recommended Cleanup Strategy ### Phase 1: Critical Security & Reliability (1-2 hours) 1. Fix GitHub Actions command injection vulnerabilities (13 issues) 2. Fix "always returns same value" bugs (2 issues) 3. Document intentional example token in SECURITY_AUDIT.md ### Phase 2: Code Quality Quick Wins (2-3 hours) 1. Replace forEach with for...of in non-performance-critical code 2. Remove obvious dead code 3. Fix simple type assertions ### Phase 3: Refactoring (4-6 hours) 1. Reduce cognitive complexity in top offenders 2. Extract duplicated test code to helpers 3. Consolidate similar validation logic ### Phase 4: Documentation & Suppression 1. Mark test-specific patterns as won't fix 2. Document architectural decisions for complex methods 3. Add inline suppressions for intentional patterns ✓ Detailed analysis saved to sonarcloud-analysis.json