{
  "tool": "baseline-raw",
  "target_project": "/project",
  "tokens_in": 61086,
  "tokens_out": 3091,
  "duration_analysis_sec": 0.0009984970092773438,
  "duration_llm_sec": 83.40452527999878,
  "duration_total_sec": 83.41804504394531,
  "context_chars": 232610,
  "raw_code_chars": 2790515,
  "compression_ratio": 0.0,
  "llm_response": "Code Review Report: `app/analytics.py`\n\n## Executive Summary\nThis module contains critical security vulnerabilities, severe code duplication (200+ identical function signatures), and fundamental logic errors. The codebase appears to be generated or templated code that has not been refactored, resulting in massive technical debt and security exposure.\n\n---\n\n## 1. Security Concerns (Critical)\n\n### SQL Injection (`unsafe_sql_lookup`)\n```python\nquery = f\"SELECT * FROM {{table}} WHERE name = '{{user_input}}'\"\n```\n**Issue**: Direct string interpolation of `table` and `user_input` allows arbitrary SQL injection.\n**Fix**: Use parameterized queries:\n```python\n# Whitelist table names, use ? placeholders\ncursor.execute(f\"SELECT * FROM {allowed_tables[table]} WHERE name = ?\", (user_input,))\n```\n\n### Arbitrary Code Execution (`insecure_eval`)\n```python\ndef insecure_eval(expression: str) -> Any:\n    return eval(expression)\n```\n**Issue**: `eval()` executes arbitrary Python code. An attacker can execute `__import__('os').system('rm -rf /')`.\n**Fix**: Use `ast.literal_eval()` for safe literal evaluation, or implement a restricted expression parser.\n\n### Hardcoded Secrets (All `generated_rule_*` functions)\nEach of the 200+ functions contains hardcoded secrets:\n```python\nsecret = \"hardcoded-secret-0\"  # Repeats through secret-15 cycle\n```\nThese secrets are then stored in the global cache:\n```python\nGLOBAL_CACHE[cache_key] = {'secret': secret, ...}\n```\n**Issue**: Secrets in source code expose credentials in version control. Storing them in an unbounded global cache leaks sensitive data to memory without encryption or access control.\n\n---\n\n## 2. Potential Bugs & Logic Errors\n\n### Division by Zero (`broken_average`, `generated_rule_*`)\n```python\ndef broken_average(values: list[float]) -> float:\n    return sum(values) / (len(values) - 1)  # Crashes if len==1\n```\n**Issue**: Off-by-one error and zero-division. Empty lists also raise ZeroDivisionError.\n\nIn generated rules:\n```python\nratio = ...",
  "llm_quality_keywords": 20,
  "error": null,
  "metadata": {
    "mode": "raw_source"
  }
}