What
Two clusters of semgrep / scanner noise that are not real findings:
A. auth/token_parser.py:42, 65
jwt.decode(token, options={"verify_signature": False}) is flagged by semgrep as ERROR. It is intentional: this call only checks whether a string is JWT-shaped, and no auth decision is made on the result. Real authentication goes through jwt.decode(token, key, algorithms=[...]) in auth/verify.py with signature verification left on (PyJWT's default, options={"verify_signature": True}).
Caveats for the reviewer: with verify_signature off, PyJWT also skips the exp/nbf/iat/aud/iss checks, so the returned payload is attacker-controlled in full; nothing from it (not sub, not kid or alg for a key lookup, not the identity in a log line) may influence later behaviour. If shape detection is all that is needed, a structural check on the three base64url segments avoids the decode call entirely and removes the finding instead of suppressing it.
Fix: add inline comments + nosemgrep:
# Token-shape detection only; no auth decision is made on this decode.
# Real verification happens in auth/verify.py.
payload = jwt.decode(token, options={"verify_signature": False}) # nosemgrep: python.jwt.security.unverified-jwt-decode.unverified-jwt-decode
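Added example, not code from this repo: a shape check written against the stdlib that never calls jwt.decode with verification off (so there is no finding to suppress), next to a constructed HS256 mint/verify pair showing that the same forged token passes the shape check and fails verification. Function names, the demo key and the tamper helpers are assumptions for this illustration; the project's real verification path stays in auth/verify.py using PyJWT with key and algorithms pinned.

```python
"""Shape detection vs. verification for JWTs (added illustration, not project code)."""
import base64
import hashlib
import hmac
import json
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def looks_like_jwt(value: str) -> bool:
    """Structural check only: three base64url segments, JSON header with 'alg'.
    Makes no trust decision; a forged or alg=none token passes by design."""
    parts = value.split(".")
    if len(parts) != 3 or not all(parts[:2]):
        return False
    try:
        header = json.loads(_b64url_decode(parts[0]))
        json.loads(_b64url_decode(parts[1]))  # payload must at least be JSON
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return False
    return isinstance(header, dict) and "alg" in header


def _json_segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def mint_hs256(claims: dict, key: bytes) -> str:
    """Constructed helper so the demo runs offline: build a genuine HS256 token."""
    header_seg = _json_segment({"alg": "HS256", "typ": "JWT"})
    payload_seg = _json_segment(claims)
    sig = hmac.new(key, f"{header_seg}.{payload_seg}".encode("ascii"), hashlib.sha256).digest()
    return f"{header_seg}.{payload_seg}.{_b64url_encode(sig)}"


def tamper(token: str, claims: dict) -> str:
    """Attacker move: swap the payload, keep the old signature."""
    header_seg, _, sig_seg = token.split(".")
    return f"{header_seg}.{_json_segment(claims)}.{sig_seg}"


def mint_alg_none(claims: dict) -> str:
    """Attacker move: unsigned token with alg=none (empty signature segment)."""
    return f"{_json_segment({'alg': 'none'})}.{_json_segment(claims)}."


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """The path an auth decision must take: pin the algorithm, check the
    signature in constant time, and only then hand back claims."""
    if not looks_like_jwt(token):
        return None
    header_seg, payload_seg, sig_seg = token.split(".")
    if json.loads(_b64url_decode(header_seg)).get("alg") != "HS256":
        return None  # rejects 'none' and algorithm-confusion attempts
    expected = hmac.new(key, f"{header_seg}.{payload_seg}".encode("ascii"), hashlib.sha256).digest()
    try:
        actual = _b64url_decode(sig_seg)
    except ValueError:
        return None
    if not hmac.compare_digest(expected, actual):
        return None
    return json.loads(_b64url_decode(payload_seg))


KEY = b"constructed-demo-key-not-a-real-secret"  # assumption for the demo only

if __name__ == "__main__":
    good = mint_hs256({"sub": "alice", "role": "user"}, KEY)
    forged = tamper(good, {"sub": "alice", "role": "admin"})
    print("shape:", looks_like_jwt(good), looks_like_jwt(forged))      # both True
    print("verified:", verify_hs256(good, KEY), verify_hs256(forged, KEY))  # claims, None
```

The point of the pairing: looks_like_jwt is what token_parser.py needs and it accepts the forged and the alg=none tokens, which is fine only because nothing downstream trusts its answer; verify_hs256 is the shape of check that auth/verify.py has to be, and in production that remains PyJWT with key and algorithms=[...] rather than a hand-rolled HMAC.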
B. Synthetic test tokens
Test fixtures use string literals like sk-very-secret-api-key-1234567890 and sk-enterprise-abc123-partner (in tests/unit/test_identity.py:35, tests/e2e/test_advanced_personas.py:801, simulate_users.py:1004).
These are clearly synthetic but trigger gitleaks generic-api-key (24 false positives across this repo).
Fix: rename to a <test-fixture-token> prefix, e.g. <test-fixture-sk-1>, or move the values into tests/fixtures/tokens.json with a path-based gitleaks allowlist scoped to that one file (not to tests/** as a whole: real credentials do get pasted into tests, and a broad allowlist would hide them). Note that simulate_users.py:1004 sits outside tests/, so a tests/fixtures allowlist would not cover it and it needs the rename regardless. For individual lines, gitleaks also honours an inline "gitleaks:allow" comment, which is the narrowest suppression. After either change, re-run gitleaks to confirm the count drops from 24 and that the new names do not still match generic-api-key.
Source
Owner-self code audit on 2026-05-04. Report Section 1 + 2.