Error reference

Look up the exact text you see. Most “errors” in Perimeter are deliberate safety messages, not bugs.

| Message | Meaning | Resolution |
|---|---|---|
| scan blocked: target is outside any authorized scope | The target maps to no scope. | Add a scope covering it, then verify it. |
| scan blocked: scope … is unverified — prove ownership (DNS-TXT/file challenge) before scanning | The scope exists but isn’t verified. | Verify ownership. The deferred / hosted live challenge is server-side. |
| Drop reason out_of_scope_unknown_asset | A result referenced an asset not in your inventory. | Discover/add the asset under a verified scope. Expected for the demo Trivy out-of-scope row. |
| Drop reason scope_unverified | A result’s asset belongs to an unverified scope. | Verify the scope, then re-ingest. |
| Ingest summary “… blocked (unverified scope — ownership not proven)” | The guard refused results for an unverified-scope target. | Correct behaviour; verify the scope. |
| Ingest failed: … | The sample payload couldn’t be loaded/parsed. | Ensure you’re serving over HTTP (not file://) so the payload JSON resolves. |

| Message | Meaning | Resolution |
|---|---|---|
| fetchLiveFeeds is the deferred live-feed seam (TODO wave-next): pass { live:true, fetcher } … | The live EPSS/KEV network pull won’t run without an explicit opt-in. This is by design, so it never fakes data. | Use the snapshot enrichment / Ingest flow. The live pull is hosted (deferred / hosted). |
| “Continuous hosted scanning is a Pro feature” | Scheduling needs the hosted_scan entitlement. | Sign in with a plan that includes it. See entitlements. |
| “Daily EPSS/KEV refresh is already scheduled” | Idempotent — the job is registered. | None needed. |

| Message | Meaning | Resolution |
|---|---|---|
| Console info “Perimeter cloud tier not loaded (local-first OK): …” | The optional cloud module didn’t load. | Normal when offline or not deployed. The app stays local-first; retry online if you want cloud features. |
| “Cloud sync is a Pro feature” | Sync needs hosted_scan. | Upgrade / sign in with the entitlement. |
| Pro badge stuck on “checking…” then “Locked” | Entitlement not granted, or the check failed (defaults to Locked). | Confirm sign-in + plan; check connectivity. |
| keystone-client: invalid publishableKey / { publishableKey, apiBase } are required | Cloud SDK misconfiguration (deployment-level). | App-config issue, not user-fixable; the app remains local-first. |

| Message | Meaning | Resolution |
|---|---|---|
| Failed to load Perimeter: load assets.json → 404 (or similar) | Seed data didn’t resolve. | Serve the repo root over HTTP so assets/data/*.json resolves from app/. |
| Stuck on “Loading attack surface…” | Fetch blocked (often file:// or a script blocker). | Use http://localhost:… and allow the origin. |

| Indicator | Meaning |
|---|---|
| KEV | In CISA Known Exploited Vulnerabilities — actively exploited; inherits CISA’s due date. |
| likely false positive | De-noise flagged it; hover/expand for the reason. Rescue with “Confirm real.” |
| ✓ confirmed ×N | Corroborated by N engines — never auto-suppressed. |
| SLA “… · overdue” | The remediation deadline has passed. |
| Scope verified / unverified · scan blocked | Ownership verified vs not (scanning gated on verified). |
| Asset new | Drift — appeared since the last discovery. |

Still stuck? Back to Troubleshooting & FAQ for symptom-based help.