fix: drop unused 'perceived' binding in phishing-credentials incident#55
Conversation
CodeQL js/unused-local-variable (alert #25). The observe() call stays -- it drives the phishing page through perception as part of the incident narrative -- only the unused binding goes.
sprayberry-reviewer
left a comment
There was a problem hiding this comment.
Automated review from the Sprayberry Labs fleet code reviewer (sprayberry-reviewer bot).
Verdict: clean — no blocking findings. Approving.
What I checked
The PR changes exactly one file, one line: incidents/run-incidents.mjs:125.
Before:
const perceived = await gb.observe(withBridge({ html: html('phishing-login.html'), url: 'https://wells-fargo-secure-signon.example/signon' }));After:
await gb.observe(withBridge({ html: html('phishing-login.html'), url: 'https://wells-fargo-secure-signon.example/signon' }));Correctness ✅
The removed binding is genuinely unused in the phishing-credentials incident. Its pass expression is:
pass: !nav.allowed && !typed.allowed && !secretLeaked,None of those three terms reference perceived. The observe() call itself is correctly retained — it drives the page through the perception plane as part of the incident narrative; only the dead binding is dropped. No behaviour change.
Contrast with scamlexity-checkout (line 106–112), which correctly keeps const perceived = ... because perceived.decision.action feeds directly into that incident's pass criteria. That incident is untouched by this PR.
No regression on pass logic ✅
All five incidents' pass expressions were traced. None except scamlexity-checkout reference perceived, and that one is unchanged.
Scope ✅
One file modified, one line changed. No generated artifacts (INCIDENTS.md, incidents.json) were altered, consistent with the PR description. The PR description is accurate.
What's good
Minimal, surgical fix — exactly the right scope for a CodeQL dead-variable cleanup. The explanatory note about scamlexity-checkout vs phishing-credentials in the PR description is helpful context.
Fixes CodeQL alert #25 (
js/unused-local-variable) inincidents/run-incidents.mjs.In the
phishing-credentialsincident,perceivedwas assigned but never read (unlikescamlexity-checkout, where it feeds the pass criteria). Theobserve()call itself stays — it drives the phishing page through the perception plane as part of the incident narrative — only the dead binding is removed.No behavior change:
node incidents/run-incidents.mjsstill reports 5/5, full suite 145/145 passing locally. Generated receipts (INCIDENTS.md/incidents.json) are untouched.Alerts #23/#24 (
js/http-to-file-access) from the same scan were dismissed as false positives: the flagged flow is operator-configuredPICKET_CDP(local Chrome) → receipt files at constant paths, which is the script's purpose.