● AI Code Audit · demo
ArgosBrain✓ Verified

Vela Payments, Inc.

An ArgosBrain AI Code Audit — deterministic, reachability-aware, computed from the actual source at one commit. Don't trust this page: re-run it yourself and you'll get the same result.

Repository
vela-payments/core
Commit
a3f9c21
Branch
main
Scanned
2026-06-02 14:22 UTC
Engine
ArgosBrain v0.75.0
§1 · Executive summary

No reachable critical or high-severity issues. Codebase maturity: Satisfactory.

Across 38,400 symbols (TypeScript & Go), the audit found 0 reachable critical/high security issues, 7 medium/low findings, no unmasked PII flows, and no unfinished AI stubs reachable from production. Severity caps at High by convention (reachability-ranked) — see scope.

Codebase Maturity Evaluation
Authentication & Access ControlStrong
Cryptography & Key ManagementStrong
Data HandlingSatisfactory
Dependency ManagementSatisfactory
AI-Generated Code IntegritySatisfactory
Error HandlingModerate
Testing & VerificationModerate
DocumentationModerate
ConfigurationStrong

● Strong   Satisfactory   Moderate   Weak — each rating is computed deterministically (same code → same rating).

§2 · Security · red-team, 9 perspectives

0 reachable critical/high · 2 medium · 5 low

Findings are reachability-ranked: an issue only counts if an attacker can structurally reach it. Down-rated and unreachable candidates are listed in the appendix, never deleted. Each finding carries a CWE, a severity, an exploitation difficulty, and a file:line target.

1. Verbose error responses expose internal stack traces
Severity
Medium
Difficulty
Low
Type
CWE-209 · Info Disclosure
ID
ACB-VELA-01
Target
api/middleware/errors.ts:88–94
The global error handler returns err.stack in the JSON body when NODE_ENV is unset. Reachable from 6 public routes. Leaks file paths and dependency versions useful for follow-on attacks.

Short term — strip stack traces from responses outside development; return a correlation ID instead.
Long term — centralise error shaping in one sanitiser and add a test asserting no stack field ships in production responses.
2. CORS allow-list reflects the request Origin header
Severity
Low
Difficulty
Medium
Type
CWE-942 · CORS
ID
ACB-VELA-04
Target
api/cors.ts:21
Access-Control-Allow-Origin echoes req.headers.origin. Credentials are not currently sent cross-origin, so impact is Low — but the reflected-origin pattern becomes High the moment a credentialed endpoint is added.

Short term — replace reflection with a static allow-list.
Long term — add a CI check (csrf/cors skill) that fails on reflected-origin patterns.

+ 5 more (3 low, 2 info) in the full report · SARIF export available for CodeQL / Semgrep / GitHub code-scanning interop.

§3 · Data & privacy

Where customer data flows — and where it doesn't leak.

PII / payment data lineage
14 source→sink paths traced. All reach storage encrypted; 0 reach a log line or response body unmasked.
Compliance reachability (PCI-DSS)
Cardholder-data sources show no reachable path to an unencrypted sink. Structural evidence — necessary, not sufficient; pair with field-level taint.
§4 · AI-specific risk · the part no one else checks

Is this AI code actually finished — and not slop?

Empirically, 89% of real AI-code defects are maintainability, not security. This section is unique to ArgosBrain — no SAST tool or audit firm surfaces it.

"Fake-done" / slop
0 in prod
0 stubs the AI called complete in shipped paths. 3 placeholders, all in test fixtures, none reachable from production.
Prompt-injection surface
2 paths
2 paths where user input reaches an LLM call (support bot). Both pass through an input filter — flagged for review, not exploitable as found.
LLM cost hotspots
1 in loop
1 LLM call inside a per-row loop in reports/summary.ts:140 — linear token blow-up. Estimated 8× spend on large batches.
System-prompt leaks
none
No system prompt or model credential reachable from a user-facing response path.
§5 · Code health & debt

Ranked by payoff-per-refactor — not invented dollars.

Hotspots (complexity × churn)
3 load-bearing modules: high complexity AND high inbound callers AND frequently changed — the highest-risk refactor targets, ranked.
Dead & unreachable code
4.2% of functions have no inbound caller — flagged for removal, listed by file.
Test coverage gaps
11 high-traffic functions on a data-mutating path have no test reaching them — prioritised by reachability.
§6 · Architecture

The real architecture — from the call graph, not the wiki.

API surface
23 live HTTP routes extracted from the call graph (dead routes excluded). OpenAPI spec exported.
Service boundaries
5 cohesive modules; 2 cross-boundary couplings flagged as extraction friction.
Coverage
38,400 symbols, no sampling — exhaustive over ingested source.
§7 · Compliance evidence + scope

Evidence Vanta & Drata can't produce.

Policy-side GRC tools (Vanta, Drata) collect config and policy attestations. They have no code-level reachability proof. This audit supplies the missing layer: SOC 2 CC6.1 logical-access evidence as source→sink paths, with file:line citations an auditor can follow.

Don't trust us — reproduce it
$ argosbrain verify --repo vela-payments/core --commit a3f9c21

Signature ed25519:9f2c…a41b · tied to commit a3f9c21 · cannot be forged or back-dated. Same input → same report. No LLM in the read path.

Scope & limits

ArgosBrain reports structural reachability — necessary evidence, not a guarantee. Static control-flow does not see reflection, dynamic dispatch, or runtime configuration; a finding unreachable today can become reachable after a refactor. Down-rated and dropped candidates are kept in the appendix, never silently deleted. This is a reproducible signal, not a legal-grade exploitability proof — pair with dynamic testing (Semgrep Pro / CodeQL) and your perimeter controls. Findings require human verification before remediation.

This is a demo with sample data — Vela Payments is fictional. Run a real audit on your codebase → · How it works