The repository could not be structurally verified. Basic structural requirements were not met.
API service (high confidence)
- API frameworks: express
- Route decorators detected in source
Downloads
Public verification URL:
Markdown
[](https://altermenta.com/c/NV-6e1d35)
HTML
<a href="https://altermenta.com/c/NV-6e1d35"><img src="https://altermenta.com/badge/6e1d35a3951a873a.svg" alt="Nucleus Verified"/></a>
Direct URL
https://altermenta.com/badge/6e1d35a3951a873a.svg
Compliance Framework Coverage
OWASP LLM Top 10 (2025)
— LLM01— LLM02~ LLM03✓ LLM04— LLM05✓ LLM06— LLM07~ LLM08✓ LLM09~ LLM10
NIST AI RMF 1.0
GOVERNMAP✓ MEASURE (primary)MANAGE
Regulatory Framework Coverage
🌍 ISO 27001 · 2 findings🇪🇺 DORA · 2 findings🇬🇧 FCA · 2 findings🇪🇺🇬🇧 PSD2 · 3 findings🌍 SWIFT CSP · 2 findings
Structural detection only. Not a formal compliance assessment. View all frameworks →
Security Findings
1 HIGH1 MEDIUM37 INFO
sensitive_logINFO
examples/auth/index.js:61
Sensitive data in console.log — may leak to production logs
timing_attackINFO
examples/auth/index.js:70
String comparison on secret — use crypto.timingSafeEqual()
missing_rate_limitINFO
examples/auth/index.js:100
Auth route without visible rate limiter — apply rate limiting middleware
missing_rate_limitINFO
examples/auth/index.js:104
Auth route without visible rate limiter — apply rate limiting middleware
insecure_cookieINFO
examples/cookies/index.js:43
Cookie set without secure/httpOnly flags
insecure_cookieMEDIUM
lib/response.js:733
Cookie set without secure/httpOnly flags
env_real_secretHIGH
lib/response.js:744
Secret in .env file — use placeholder and set in deployment
insecure_cookieINFO
test/req.signedCookies.js:16
Cookie set without secure/httpOnly flags
insecure_cookieINFO
test/res.append.js:89
Cookie set without secure/httpOnly flags
insecure_cookieINFO
test/res.cookie.js:13
Cookie set without secure/httpOnly flags
insecure_cookieINFO
test/res.cookie.js:28
Cookie set without secure/httpOnly flags
insecure_cookieINFO
test/res.cookie.js:41
Cookie set without secure/httpOnly flags
insecure_cookieINFO
test/res.cookie.js:42
Cookie set without secure/httpOnly flags
insecure_cookieINFO
test/res.cookie.js:43
Cookie set without secure/httpOnly flags
insecure_cookieINFO
test/res.cookie.js:59
Cookie set without secure/httpOnly flags
insecure_cookieINFO
test/res.cookie.js:74
Cookie set without secure/httpOnly flags
insecure_cookieINFO
test/res.cookie.js:89
Cookie set without secure/httpOnly flags
insecure_cookieINFO
test/res.cookie.js:105
Cookie set without secure/httpOnly flags
insecure_cookieINFO
test/res.cookie.js:119
Cookie set without secure/httpOnly flags
insecure_cookieINFO
test/res.cookie.js:135
Cookie set without secure/httpOnly flags
... and 19 more findings
Top Structural Risks
- [high] Secret in .env file — use placeholder and set in deployment (CWE-798) — lib/response.js:744
- [high] Verification gate 'build' failed
- [medium] Cookie set without secure/httpOnly flags (CWE-614) — lib/response.js:733
- [medium] 28 of 1127 test functions have no assertions
- [medium] Dependency lockfile missing — requirements.txt, package-lock.json
Verification Tiers
VERIFIED
Passed all critical gates. Structure, determinism, contracts, and build integrity confirmed.
PARTIAL
Passed most gates. Minor issues found that do not compromise core integrity.
UNVERIFIED
Significant issues found. Could not be structurally certified.
Why this verdict?
Failed gates: build. No structural verification could be confirmed. Structural integrity: no critical gaps detected.
Verification Gates
gate_v2: PASSDetectable code structure (functions, classes, imports, routes)
gate_d: PASSSame prompt + seed produces identical hash on replay
contract: PASSAll claimed capabilities have supporting code evidence
build: FAILSource files compile without syntax errors
gate_s: PASSCross-file references and architecture consistency (informational)
Complexity
HIGH
Modules: 47Classes: 0Functions: 123Routes: 240Tests: 1127 (28 without assertions)Dependencies: 44
Languages
JavaScript primary82.5%141 files, 17434 LOC
Markdown16.6%4 files, 3503 LOC
JSON0.5%1 files, 99 LOC
CSS0.2%4 files, 44 LOC
HTML0.2%8 files, 44 LOC
Frameworks & Libraries
Repository Metrics
158Files
21,124Lines of Code
141Source Files
91Test Files
1Dependencies
4Doc Files
Code Structure
Functions (100)
authenticateexamples/auth/index.js:60restrictexamples/auth/index.js:75formatexamples/content-negotiation/index.js:33errorexamples/error/index.js:20listexamples/online/index.js:40loadUserexamples/route-middleware/index.js:25andRestrictToSelfexamples/route-middleware/index.js:36andRestrictToexamples/route-middleware/index.js:50initializeRedisexamples/search/index.js:29GithubViewexamples/view-constructor/github-view.js:23ferretsexamples/view-locals/index.js:17countexamples/view-locals/index.js:48usersexamples/view-locals/index.js:56count2examples/view-locals/index.js:86users2examples/view-locals/index.js:94
Entrypoints (10)
index.jsexamples/auth/index.jsexamples/content-negotiation/index.jsexamples/cookie-sessions/index.jsexamples/cookies/index.jsexamples/downloads/index.jsexamples/ejs/index.jsexamples/error/index.jsexamples/error-pages/index.jsexamples/hello-world/index.js
API Surface
40 application routes across 50 controller(s)
| Method | Path | File |
|---|---|---|
| GET | /user/:id | History.md:3240 |
| GET | / | Readme.md:39 |
| GET | /restricted | examples/auth/index.js:88 |
| GET | /logout | examples/auth/index.js:92 |
| GET | /login | examples/auth/index.js:100 |
| POST | /login | examples/auth/index.js:104 |
| GET | /users | examples/content-negotiation/index.js:40 |
| GET | /forget | examples/cookies/index.js:34 |
| POST | / | examples/cookies/index.js:39 |
| GET | /files/*file | examples/downloads/index.js:26 |
| GET | env | examples/error/index.js:10 |
| GET | /next | examples/error/index.js:34 |
| GET | /404 | examples/error-pages/index.js:34 |
| GET | /403 | examples/error-pages/index.js:41 |
| GET | /500 | examples/error-pages/index.js:48 |
| GET | /fail | examples/markdown/index.js:36 |
| GET | /user/:user | examples/params/index.js:55 |
| GET | /users/:from-:to | examples/params/index.js:63 |
| GET | /user/:id/edit | examples/route-middleware/index.js:78 |
| DELETE | /user/:id | examples/route-middleware/index.js:82 |
Show all (20 more routes)
| Method | Path | File |
|---|---|---|
| GET | /user/:id/view | examples/route-separation/index.js:43 |
| PUT | /user/:id/edit | examples/route-separation/index.js:45 |
| GET | /posts | examples/route-separation/index.js:49 |
| GET | /search/{:query} | examples/search/index.js:52 |
| GET | /client.js | examples/search/index.js:69 |
| GET | /Readme.md | examples/view-constructor/index.js:39 |
| GET | /middleware | examples/view-locals/index.js:64 |
| GET | /middleware-locals | examples/view-locals/index.js:102 |
| GET | /api/users | examples/web-service/index.js:75 |
| GET | /api/repos | examples/web-service/index.js:80 |
| GET | /api/user/:name/repos | examples/web-service/index.js:85 |
| GET | query parser fn | lib/request.js:231 |
| GET | trust proxy fn | lib/request.js:301 |
| GET | subdomain offset | lib/request.js:388 |
| GET | etag fn | lib/response.js:161 |
| GET | json escape | lib/response.js:235 |
| GET | json replacer | lib/response.js:236 |
| GET | json spaces | lib/response.js:237 |
| GET | jsonp callback name | lib/response.js:267 |
| GET | /user/:uid/photos/:file | lib/response.js:355 |
Test-referenced routes: 44 (excluded from primary surface)
Data Models
No data models detected
Detected Capabilities
API Routes (22)
examples/auth/index.js:84 app.get('/', function(req, res){examples/auth/index.js:88 app.get('/restricted', restrict, function(req, res){examples/auth/index.js:92 app.get('/logout', function(req, res){examples/auth/index.js:100 app.get('/login', function(req, res){examples/auth/index.js:104 app.post('/login', function (req, res, next) {Testing (65)
test/Route.js:9 describe('Route', function(){test/Route.js:10 it('should work without handlers', function(done) {test/Route.js:16 it('should not stack overflow with a large sync stack', function (done) {test/Route.js:47 describe('.all', function(){test/Route.js:48 it('should add handler', function(done){Logging (21)
examples/auth/index.js:61 if (!module.parent) console.log('authenticating %s:%s', name, pass);examples/auth/index.js:133 console.log('Express started on port 3000');examples/content-negotiation/index.js:45 console.log('Express started on port 3000');examples/cookie-sessions/index.js:24 console.log('Express started on port 3000');examples/cookies/index.js:52 console.log('Express started on port 3000');Configuration (15)
examples/cookies/index.js:13 if (process.env.NODE_ENV !== 'test') app.use(logger(':method :url'))examples/error-pages/index.js:11 var silent = process.env.NODE_ENV === 'test'examples/route-map/index.js:10 var verbose = process.env.NODE_ENV !== 'test'lib/application.js:91 var env = process.env.NODE_ENV || 'development';test/app.js:76 this.env = process.env.NODE_ENVError Handling (1)
examples/search/index.js:56 .catch((err) => {Dependencies
44 dependencies from npm
acceptsafterbody-parserconnect-rediscontent-dispositioncontent-typecookiecookie-parsercookie-sessioncookie-signaturedebugdepdejsencodeurlescape-htmleslintetagexpress-sessionfinalhandlerfreshhbshttp-errorsmarkedmerge-descriptorsmethod-overridemime-typesmochamorgannycon-finished
Claim Verification
No claims to verify
Claim Detail & Evidence
No claims analyzed
Structural Findings
No structural analysis available
Improvement Suggestions
28 of 1127 test functions have no assertions
Add assertions (assert, assertEqual, expect, etc.) to each test function to validate expected behavior.
Assertion-less tests inflate the test count without verifying functionality
Verification gate 'build' failed
Fix syntax errors in source files. Run a linter or compiler to identify issues.
Gate 'build' failure reduces trust score by 15 points
Dependency lockfile missing
Generate a lockfile (pip freeze > requirements.txt, npm install, cargo build) for deterministic builds.
Lockfiles ensure deterministic builds and prevent supply chain attacks via version drift
Mutating endpoint (POST/PUT/PATCH) detected without request validation schema (Pydantic, Joi, Zod, etc.).
SF-3AB94AAdd request validation to mutating endpoints.
Structural integrity check 'input_without_validation' flagged this issue
Mutating endpoint (POST/PUT/PATCH) detected without request validation schema (Pydantic, Joi, Zod, etc.).
SF-AC641FAdd request validation to mutating endpoints.
Structural integrity check 'input_without_validation' flagged this issue
Mutating endpoint (POST/PUT/PATCH) detected without request validation schema (Pydantic, Joi, Zod, etc.).
SF-C32EC9Add request validation to mutating endpoints.
Structural integrity check 'input_without_validation' flagged this issue
Database write operation detected without transaction handling or error protection (try/except, with session.begin()).
SF-BB1C34Wrap database writes in transaction blocks with error handling.
Structural integrity check 'writes_without_error_handling' flagged this issue
Database write operation detected without transaction handling or error protection (try/except, with session.begin()).
SF-6053DFWrap database writes in transaction blocks with error handling.
Structural integrity check 'writes_without_error_handling' flagged this issue
Database write operation detected without transaction handling or error protection (try/except, with session.begin()).
SF-90C3A4Wrap database writes in transaction blocks with error handling.
Structural integrity check 'writes_without_error_handling' flagged this issue
Database write operation detected without transaction handling or error protection (try/except, with session.begin()).
SF-9F0A1BWrap database writes in transaction blocks with error handling.
Structural integrity check 'writes_without_error_handling' flagged this issue
Database write operation detected without transaction handling or error protection (try/except, with session.begin()).
SF-E11774Wrap database writes in transaction blocks with error handling.
Structural integrity check 'writes_without_error_handling' flagged this issue
Configuration or dependency declared but may not be consumed in code.
SF-63F4AFVerify that declared dependencies and config values are actually used.
Structural integrity check 'dependency_without_usage' flagged this issue
Configuration or dependency declared but may not be consumed in code.
SF-4B259AVerify that declared dependencies and config values are actually used.
Structural integrity check 'dependency_without_usage' flagged this issue
Configuration or dependency declared but may not be consumed in code.
SF-87B2CDVerify that declared dependencies and config values are actually used.
Structural integrity check 'dependency_without_usage' flagged this issue
Configuration or dependency declared but may not be consumed in code.
SF-D74C37Verify that declared dependencies and config values are actually used.
Structural integrity check 'dependency_without_usage' flagged this issue
Repair Feedback
Mutating endpoint (POST/PUT/PATCH) detected without request validation schema (Pydantic, Joi, Zod, etc.).
SF-3AB94A [input_without_validation]Add request validation to mutating endpoints.
Files: examples/auth/index.js
Mutating endpoint (POST/PUT/PATCH) detected without request validation schema (Pydantic, Joi, Zod, etc.).
SF-AC641F [input_without_validation]Add request validation to mutating endpoints.
Files: examples/cookies/index.js
Mutating endpoint (POST/PUT/PATCH) detected without request validation schema (Pydantic, Joi, Zod, etc.).
SF-C32EC9 [input_without_validation]Add request validation to mutating endpoints.
Files: examples/route-separation/index.js
Database write operation detected without transaction handling or error protection (try/except, with session.begin()).
SF-BB1C34 [writes_without_error_handling]Wrap database writes in transaction blocks with error handling.
Files: lib/application.js
Database write operation detected without transaction handling or error protection (try/except, with session.begin()).
SF-6053DF [writes_without_error_handling]Wrap database writes in transaction blocks with error handling.
Files: lib/application.js
Database write operation detected without transaction handling or error protection (try/except, with session.begin()).
SF-90C3A4 [writes_without_error_handling]Wrap database writes in transaction blocks with error handling.
Files: lib/application.js
Database write operation detected without transaction handling or error protection (try/except, with session.begin()).
SF-9F0A1B [writes_without_error_handling]Wrap database writes in transaction blocks with error handling.
Files: lib/application.js
Database write operation detected without transaction handling or error protection (try/except, with session.begin()).
SF-E11774 [writes_without_error_handling]Wrap database writes in transaction blocks with error handling.
Files: lib/application.js
Configuration or dependency declared but may not be consumed in code.
SF-63F4AF [dependency_without_usage]Verify that declared dependencies and config values are actually used.
Files: examples/cookies/index.js
Configuration or dependency declared but may not be consumed in code.
SF-4B259A [dependency_without_usage]Verify that declared dependencies and config values are actually used.
Files: examples/error-pages/index.js
Scan Certification
A95/100
security:39 finding(s)
accessibility:3 finding(s)
performance:1 finding(s)
Security Scan
| Severity | Location | Description | CWE |
|---|---|---|---|
| INFO | examples/auth/index.js:61 | Sensitive data in console.log — may leak to production logs | CWE-532 |
| INFO | examples/auth/index.js:70 | String comparison on secret — use crypto.timingSafeEqual() | CWE-208 |
| INFO | examples/auth/index.js:100 | Auth route without visible rate limiter — apply rate limiting middleware | CWE-307 |
| INFO | examples/auth/index.js:104 | Auth route without visible rate limiter — apply rate limiting middleware | CWE-307 |
| INFO | examples/cookies/index.js:43 | Cookie set without secure/httpOnly flags | CWE-614 |
| MEDIUM | lib/response.js:733 | Cookie set without secure/httpOnly flags | CWE-614 |
| HIGH | lib/response.js:744 | Secret in .env file — use placeholder and set in deployment | CWE-798 |
| INFO | test/req.signedCookies.js:16 | Cookie set without secure/httpOnly flags | CWE-614 |
| INFO | test/res.append.js:89 | Cookie set without secure/httpOnly flags | CWE-614 |
| INFO | test/res.cookie.js:13 | Cookie set without secure/httpOnly flags | CWE-614 |
| INFO | test/res.cookie.js:28 | Cookie set without secure/httpOnly flags | CWE-614 |
| INFO | test/res.cookie.js:41 | Cookie set without secure/httpOnly flags | CWE-614 |
| INFO | test/res.cookie.js:42 | Cookie set without secure/httpOnly flags | CWE-614 |
| INFO | test/res.cookie.js:43 | Cookie set without secure/httpOnly flags | CWE-614 |
| INFO | test/res.cookie.js:59 | Cookie set without secure/httpOnly flags | CWE-614 |
| INFO | test/res.cookie.js:74 | Cookie set without secure/httpOnly flags | CWE-614 |
| INFO | test/res.cookie.js:89 | Cookie set without secure/httpOnly flags | CWE-614 |
| INFO | test/res.cookie.js:105 | Cookie set without secure/httpOnly flags | CWE-614 |
| INFO | test/res.cookie.js:119 | Cookie set without secure/httpOnly flags | CWE-614 |
| INFO | test/res.cookie.js:135 | Cookie set without secure/httpOnly flags | CWE-614 |
| INFO | test/res.cookie.js:148 | Cookie set without secure/httpOnly flags | CWE-614 |
| INFO | test/res.cookie.js:163 | Cookie set without secure/httpOnly flags | CWE-614 |
| INFO | test/res.cookie.js:178 | Cookie set without secure/httpOnly flags | CWE-614 |
| INFO | test/res.cookie.js:193 | Cookie set without secure/httpOnly flags | CWE-614 |
| INFO | test/res.cookie.js:207 | Cookie set without secure/httpOnly flags | CWE-614 |
| INFO | test/res.cookie.js:221 | Cookie set without secure/httpOnly flags | CWE-614 |
| INFO | test/res.cookie.js:235 | Cookie set without secure/httpOnly flags | CWE-614 |
| INFO | test/res.cookie.js:252 | Cookie set without secure/httpOnly flags | CWE-614 |
| INFO | test/res.cookie.js:269 | Cookie set without secure/httpOnly flags | CWE-614 |
| INFO | test/res.cookie.js:285 | Cookie set without secure/httpOnly flags | CWE-614 |
Accessibility Scan
- missing_landmarks in
examples/ejs/views/header.html:1 — Missing ARIA landmark roles (WCAG-1.3.1) - missing_label in
examples/search/public/index.html:17 — Form input without aria-label or associated label (WCAG-1.3.1) - missing_landmarks in
examples/search/public/index.html:1 — Missing ARIA landmark roles (WCAG-1.3.1)
Performance Scan
- no_lazy_loading — Consider code splitting / lazy loading for large JS/TS projects (No lazy loading patterns detected)
Verification Delta
Supersedes proof 464c09a2556c7d26 (was UNVERIFIED)
0
Introduced
0
Resolved
65
Unchanged
Files: +0 added, -0 removed, ~0 changed, 158 unchanged
Analysis Scope
158 files analyzed · Languages: JavaScript
Verification History
UNVERIFIED
Previous run ·
464c09a2556cUNVERIFIED
Current run ·
6e1d35a3951a2 verification runs tracked
Cryptographic Proof
Deterministic Hash: 0f439565165e639cbaa2d6accd2f033157329aa2d492c96050d6459407fcdd27
Specification Hash: e8761f647aa9bacecd5e7fa6b20dc4c14885ab66a796f78b24bccb33324fccac
Artifact Tree Hash: d3e01b08e5fb66b82d69ed9e55239887b4eabe7527a82806c4f211ec84f89afd
Proof Pack Hash: 6e1d35a3951a873a6ddad3b7ed6a159844a2b65fd34a0c1287f2d4e9513dc433
🔍 Verify this certificate independently
Anyone can verify this certificate at:
verify.altermenta.com/c/NV-6e1d35
Open Verification Page →Share this URL with auditors, customers, or anyone who needs to verify this result. No account required.
Not Verified Scope (always disclosed)
- semantic correctness of business logic
- runtime behavior under production load
- dynamic security testing (fuzzing, DAST, penetration testing)
- runtime performance benchmarking
- concurrency correctness validation
- data integrity under concurrent writes
Log in to report a false positive finding.