Skip to content

fix: drop unused 'perceived' binding in phishing-credentials incident#55

Merged
askalf merged 1 commit into
mainfrom
fix/unused-perceived
Jul 16, 2026
Merged

fix: drop unused 'perceived' binding in phishing-credentials incident#55
askalf merged 1 commit into
mainfrom
fix/unused-perceived

Conversation

@askalf

@askalf askalf commented Jul 16, 2026

Copy link
Copy Markdown
Owner

Fixes CodeQL alert #25 (js/unused-local-variable) in incidents/run-incidents.mjs.

In the phishing-credentials incident, perceived was assigned but never read (unlike scamlexity-checkout, where it feeds the pass criteria). The observe() call itself stays — it drives the phishing page through the perception plane as part of the incident narrative — only the dead binding is removed.

No behavior change: node incidents/run-incidents.mjs still reports 5/5, full suite 145/145 passing locally. Generated receipts (INCIDENTS.md / incidents.json) are untouched.

Alerts #23/#24 (js/http-to-file-access) from the same scan were dismissed as false positives: the flagged flow is operator-configured PICKET_CDP (local Chrome) → receipt files at constant paths, which is the script's purpose.

CodeQL js/unused-local-variable (alert #25). The observe() call stays --
it drives the phishing page through perception as part of the incident
narrative -- only the unused binding goes.

@sprayberry-reviewer sprayberry-reviewer left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review from the Sprayberry Labs fleet code reviewer (sprayberry-reviewer bot).

Verdict: clean — no blocking findings. Approving.

What I checked

The PR changes exactly one file, one line: incidents/run-incidents.mjs:125.

Before:

const perceived = await gb.observe(withBridge({ html: html('phishing-login.html'), url: 'https://wells-fargo-secure-signon.example/signon' }));

After:

await gb.observe(withBridge({ html: html('phishing-login.html'), url: 'https://wells-fargo-secure-signon.example/signon' }));

Correctness ✅

The removed binding is genuinely unused in the phishing-credentials incident. Its pass expression is:

pass: !nav.allowed && !typed.allowed && !secretLeaked,

None of those three terms reference perceived. The observe() call itself is correctly retained — it drives the page through the perception plane as part of the incident narrative; only the dead binding is dropped. No behaviour change.

Contrast with scamlexity-checkout (line 106–112), which correctly keeps const perceived = ... because perceived.decision.action feeds directly into that incident's pass criteria. That incident is untouched by this PR.

No regression on pass logic ✅

All five incidents' pass expressions were traced. None except scamlexity-checkout reference perceived, and that one is unchanged.

Scope ✅

One file modified, one line changed. No generated artifacts (INCIDENTS.md, incidents.json) were altered, consistent with the PR description. The PR description is accurate.

What's good

Minimal, surgical fix — exactly the right scope for a CodeQL dead-variable cleanup. The explanatory note about scamlexity-checkout vs phishing-credentials in the PR description is helpful context.

@askalf
askalf merged commit c4f917e into main Jul 16, 2026
4 checks passed
@askalf
askalf deleted the fix/unused-perceived branch July 16, 2026 22:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants