Corpus · Four tiers
Targets
Four classes of target: hand-crafted micro-fixtures (JS/TS and Python), hand-authored app-shaped repos, and 24 real-world AI app repositories. Each class measures something different — see methodology.
- Section A: 15 (JS/TS fixtures)
- Section B: 10 (Python fixtures)
- Section C: 4 / 6 (app-shaped repos, 94 labels)
- Real-world: 24 (GitHub repos)
Section A — JS/TS micro-fixtures
Hand-crafted JavaScript / TypeScript fixtures across six AI-app categories. Each fixture is either deliberately vulnerable or deliberately safe. Scored on /results against getdebug + gitleaks + trufflehog.
client-side-llm-key
5 fixtures (3 vuln, 2 safe)
- client-side-llm-key/safe/express-backend-proxy safe
- client-side-llm-key/safe/next-api-proxy safe
- client-side-llm-key/vulnerable/direct-hardcode-browser vulnerable
- client-side-llm-key/vulnerable/next-public-prefix vulnerable
- client-side-llm-key/vulnerable/vite-import-meta vulnerable
pii-in-prompt
2 fixtures (1 vuln, 1 safe)
- pii-in-prompt/safe/redact-to-display-fields safe
- pii-in-prompt/vulnerable/stringify-user-object vulnerable
prompt-injection
2 fixtures (1 vuln, 1 safe)
- prompt-injection/safe/role-separated-channels safe
- prompt-injection/vulnerable/string-concat-prompt vulnerable
unbounded-stream
2 fixtures (1 vuln, 1 safe)
- unbounded-stream/safe/abort-on-disconnect-and-timeout safe
- unbounded-stream/vulnerable/no-abort-no-timeout vulnerable
unsafe-role-merge
2 fixtures (1 vuln, 1 safe)
- unsafe-role-merge/safe/persona-allowlist-into-user-role safe
- unsafe-role-merge/vulnerable/user-persona-into-system vulnerable
unsafe-tool-output
2 fixtures (1 vuln, 1 safe)
- unsafe-tool-output/safe/validated-tool-output-allowlist safe
- unsafe-tool-output/vulnerable/shell-exec-tool-output vulnerable
Section B — Python micro-fixtures
Hand-crafted Python AI-app fixtures across five categories. Scored on /results against getdebug + bandit + semgrep.
pii-in-prompt
2 fixtures (1 vuln, 1 safe)
- pii-in-prompt/safe/redact-to-display-fields-py safe
- pii-in-prompt/vulnerable/stringify-user-object-py vulnerable
prompt-injection
2 fixtures (1 vuln, 1 safe)
- prompt-injection/safe/role-separated-channels-py safe
- prompt-injection/vulnerable/string-concat-prompt-py vulnerable
unbounded-stream
2 fixtures (1 vuln, 1 safe)
- unbounded-stream/safe/abort-on-disconnect-and-timeout-py safe
- unbounded-stream/vulnerable/no-abort-no-timeout-py vulnerable
unsafe-role-merge
2 fixtures (1 vuln, 1 safe)
- unsafe-role-merge/safe/persona-allowlist-into-user-role-py safe
- unsafe-role-merge/vulnerable/user-persona-into-system-py vulnerable
unsafe-tool-output
2 fixtures (1 vuln, 1 safe)
- unsafe-tool-output/safe/validated-tool-output-allowlist-py safe
- unsafe-tool-output/vulnerable/shell-exec-tool-output-py vulnerable
Section C — App-shaped repositories
Six hand-authored AI-app repositories deliberately seeded with the six AI-app vulnerability categories at app density. Four are baselined, two pending. The category breakdowns below use the abbreviations CSK (client-side-llm-key), PI (prompt-injection), UTO (unsafe-tool-output), URM (unsafe-role-merge), PIP (pii-in-prompt) and UBS (unbounded-stream).
cst-nextjs-chat
github.com/getdebug-ai/cst-nextjs-chat · next.js-14-app-router · typescript · labeled 2026-06-07 · truth v0.1.0
- Labels: 23
- Vulnerable: 13
- Safe: 10
- Borderline: 0
Category breakdown
CSK 3 · PI 4 · UTO 4 · URM 4 · PIP 4 · UBS 4
cst-vite-rag
github.com/getdebug-ai/cst-vite-rag · vite+express+langchain.js+pgvector · typescript · labeled 2026-06-07 · truth v0.1.0
- Labels: 23
- Vulnerable: 15
- Safe: 8
- Borderline: 0
Category breakdown
CSK 3 · PI 5 · UTO 5 · URM 3 · PIP 3 · UBS 4
cst-sveltekit-stream
github.com/getdebug-ai/cst-sveltekit-stream · sveltekit+anthropic+better-sqlite3 · typescript · labeled 2026-06-07 · truth v0.1.0
- Labels: 25
- Vulnerable: 14
- Safe: 11
- Borderline: 0
Category breakdown
CSK 3 · PI 4 · UTO 4 · URM 5 · PIP 4 · UBS 5
cst-express-agent
github.com/getdebug-ai/cst-express-agent · express+anthropic+postgres-js · typescript · labeled 2026-06-07 · truth v0.1.0
- Labels: 23
- Vulnerable: 17
- Safe: 6
- Borderline: 0
Category breakdown
CSK 2 · PI 4 · UTO 8 · URM 4 · PIP 2 · UBS 3
Pending (2)
- cst-fastapi-tools in progress
- cst-crewai-multiagent in progress
Real-world — 24 GitHub AI-app repositories
Public repos pulled in three sub-categories: a known-leaky baseline (high recall expected), popular references (high precision expected, near-zero false positives), and a sample of mid-popularity AI app templates. These carry no span labels; they are scored by total finding count on /results.
leaky-repo-baseline (1 repo)
popular-reference (3 repos)
ai-starter (20 repos)
- amjadraza/langchain-streamlit-docker-template
- joshuasundance-swca/langchain-research-assistant-docker
- rahulsamant37/langchain-langgraph-starter
- oisee/zllm
- NJUxlj/Travel-Agent-based-on-Qwen2-RLHF
- ssgrummons/rag-with-milvus-langchain-streamlit
- CronusL-1141/AI-company
- Sinapsis-AI/sinapsis-langchain
- rryyqn/ai-chatbot
- D-artisan/ai-chatbot
- arvindsis11/Ai-Healthcare-Chatbot
- Ramakm/AI-Chatbot
- stackitcloud/rag-template
- The-Swarm-Corporation/Multi-Agent-RAG-Template
- xyspg/RAG-template
- mia-platform/ai-rag-template
- alexeykrol/claude-code-starter
- hamzafarooq/claude-code-starter
- davidhershey/ClaudePlaysPokemonStarter
- ArtemXTech/claude-code-obsidian-starter