{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "JRN002", "name": "Browser storage is used for session token material", "shortDescription": {"text": "Browser storage is used for session token material"}, "fullDescription": {"text": "Prefer httpOnly, Secure, SameSite cookies or short-lived in-memory tokens. Avoid persistent browser storage for access, refresh, ID, or partner session tokens."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "Tighten .dockerignore or replace COPY . 
with explicit COPY statements."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Bind local agent bridges to 127.0.0.1 by default. If remote access is required, require a bearer token or mTLS, enforce origin/CSRF checks for browser clients, and document the threat model."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AGT014", "name": "Codex auth.json is read or copied without visible secret-file hardening", "shortDescription": {"text": "Codex auth.json is read or copied without visible secret-file hardening"}, "fullDescription": {"text": "Use the platform credential store where possible. If auth files must be touched, enforce 0600 permissions, avoid backups in the repo/workspace, redact logs, and document rotation if the file is exposed."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. 
Log non-quota failures for diagnostics."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC031", "name": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternati", "shortDescription": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process"}, "fullDescription": {"text": "Three options, pick one:\n  1. Rewrite the pattern to avoid nested quantifiers. E.g. `(a+)+` is      functionally equivalent to `a+` for matching purposes.\n  2. Use Google's re2 (`pip install google-re2`): linear-time, drop-in      replacement for `re` for most use cases.\n  3. Set a hard timeout: `signal.alarm(1)` before regex eval.\nTest patterns against `safe-regex` or `redos-detector` before shipping."}, "properties": {"scanner": "repobility-threat-engine", "category": "redos", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC007", "name": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.", "shortDescription": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "fullDescription": {"text": "Use yaml.safe_load() instead of yaml.load(). 
Avoid pickle for untrusted data."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "Add a Content-Security-Policy header through the web framework or hosting config. 
For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, img-src, and frame-ancestors."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "ERR001", "name": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG ", "shortDescription": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "fullDescription": {"text": "Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. 
They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Add robots.txt at the web root or a framework-native robots route. 
Include an explicit Sitemap directive and disallow only private paths."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. 
If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED065", "name": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public re", "shortDescription": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-942,CWE-346 / A05:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 16 more): Same pattern found in 16 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 8 more): Same pattern found in 8 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 13 more): Same pattern found in 13 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 42 more): Same pattern found in 42 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 42 more): Same pattern found in 42 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Compose service `hermes-webui` image is selected through a build variable", "shortDescription": {"text": "Compose service `hermes-webui` image is selected through a build variable"}, "fullDescription": {"text": "Resolve the variable to a versioned tag or digest in production builds and document the allowed images."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "info", "confidence": 0.48, "cwe": "", "owasp": ""}}, {"id": "SEC018", "name": "[SEC018] AI-Agent Secret Retrieval Command (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[SEC018] AI-Agent Secret Retrieval Command (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Remove the command, use a secret manager or CI masked secret, and rotate any credential that may have been printed."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at ", "shortDescription": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. 
Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compro"}, "fullDescription": {"text": "Replace with: `uses: actions/upload-artifact@<40-char-sha>  # v4` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self.get_or_create` used but never assigned in __init__: Method `estimate_context` of class `AgentPool` read", "shortDescription": {"text": "[MINED108] `self.get_or_create` used but never assigned in __init__: Method `estimate_context` of class `AgentPool` reads `self.get_or_create`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeE"}, "fullDescription": {"text": "Initialize `self.get_or_create = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage runs as root", "shortDescription": {"text": "Docker final stage runs as root"}, "fullDescription": {"text": "Create an application user after package installation and switch to it with USER appuser or USER 10001."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED027", "name": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated ", "shortDescription": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.WEBSITE_SSH_PORT` on a `pull_request` trigger: This workflow triggers on `pull_request", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.WEBSITE_SSH_PORT` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. 
Referencing `${ secrets.WEBSITE_SSH_PORT }` lets a PR from any fork exfiltrate the "}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED018", "name": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/fi", "shortDescription": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-502 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC116", "name": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrar", "shortDescription": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. `unsafe_load` is even more dangerous."}, "fullDescription": {"text": "Use `YAML.safe_load(input, permitted_classes: [Date])` \u2014 explicit class allowlist. 
Never use `Marshal.load` on untrusted data; serialize as JSON instead."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC079", "name": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python obje", "shortDescription": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "fullDescription": {"text": "Use `yaml.safe_load(data)` or `yaml.load(data, Loader=yaml.SafeLoader)`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/222"}, "properties": {"repository": "EKKOLearnAI/hermes-web-ui", "repoUrl": "https://github.com/EKKOLearnAI/hermes-web-ui", "branch": "main"}, "results": [{"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 48294, "scanner": "repobility-ast-engine", "fingerprint": "cae487d6b3610a3910ebc8bbb0d787083882bb65745d0ad4416c4b4d455f5f47", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cae487d6b3610a3910ebc8bbb0d787083882bb65745d0ad4416c4b4d455f5f47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 1512}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 48293, "scanner": "repobility-ast-engine", "fingerprint": "74f37613125cb2a56e68bd32d02b604a48fb3f5e8d87d96c5462dcfd7c0ddec9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|74f37613125cb2a56e68bd32d02b604a48fb3f5e8d87d96c5462dcfd7c0ddec9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 797}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 48292, "scanner": "repobility-ast-engine", "fingerprint": "2288e84637d06851378bf9a32bfc84265e251dfcb455a552df46748567aa7239", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2288e84637d06851378bf9a32bfc84265e251dfcb455a552df46748567aa7239"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 465}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 48291, "scanner": "repobility-ast-engine", "fingerprint": "3fa0fb1eaf67f99bcb54ab706a949c5c7416237e232ceee499005a5438717ba5", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3fa0fb1eaf67f99bcb54ab706a949c5c7416237e232ceee499005a5438717ba5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 3440}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 48290, "scanner": "repobility-ast-engine", "fingerprint": "bfc3860b609eea325f40c87ba2439885e69519ade725b484046381c490d0b3d6", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bfc3860b609eea325f40c87ba2439885e69519ade725b484046381c490d0b3d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 3013}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 48289, "scanner": "repobility-ast-engine", "fingerprint": "8ed29532d55439c52823169a04faa221da6e91eeb800337f3f91c279a983d4f1", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8ed29532d55439c52823169a04faa221da6e91eeb800337f3f91c279a983d4f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 2581}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 48288, "scanner": "repobility-ast-engine", "fingerprint": "3599f7d979c5d8fd2f27e50179eae29b5fbb99a9639b80638fc0d9f7f0c21307", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3599f7d979c5d8fd2f27e50179eae29b5fbb99a9639b80638fc0d9f7f0c21307"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 2507}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 48287, "scanner": "repobility-ast-engine", "fingerprint": "75c01e886eb2a450712c1b67599316d0f3fc1a3fc43404c56b28797ec740d60c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|75c01e886eb2a450712c1b67599316d0f3fc1a3fc43404c56b28797ec740d60c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 2335}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 48286, "scanner": "repobility-ast-engine", "fingerprint": "e55494dfc67b3721f3ab6d888d1247d97bfe0e5c3f45eaffa80cf1c3a501cf7f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e55494dfc67b3721f3ab6d888d1247d97bfe0e5c3f45eaffa80cf1c3a501cf7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 1833}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 48285, "scanner": "repobility-ast-engine", "fingerprint": "23087c567fda08fb60dd05e9b1303f3984bae4c747c3c892e87bea96c2b64920", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|23087c567fda08fb60dd05e9b1303f3984bae4c747c3c892e87bea96c2b64920"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 1463}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 48284, "scanner": "repobility-ast-engine", "fingerprint": "4846ab475dad73ec1965dd029caf3652def2e5913af78ae1f49bfb2e5b4e9a24", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4846ab475dad73ec1965dd029caf3652def2e5913af78ae1f49bfb2e5b4e9a24"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 1448}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 48283, "scanner": "repobility-ast-engine", "fingerprint": "b0c8ab15b9d270bc8753dd985680f40d8a0052b0cf9f7f48d44b752e939b8e95", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b0c8ab15b9d270bc8753dd985680f40d8a0052b0cf9f7f48d44b752e939b8e95"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 1063}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 48282, "scanner": "repobility-ast-engine", "fingerprint": "abc2da28972ef35e38753e79820a46c767f099e15c73214d54484d6562ca525e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|abc2da28972ef35e38753e79820a46c767f099e15c73214d54484d6562ca525e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 1039}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 48281, "scanner": "repobility-ast-engine", "fingerprint": "98564c45c3f0cddd689bf1040d67d92b6ecbcb84115cf6157e666222b9ebf72c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|98564c45c3f0cddd689bf1040d67d92b6ecbcb84115cf6157e666222b9ebf72c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 1026}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 48280, "scanner": "repobility-ast-engine", "fingerprint": "7a783c572b386201031e4ab45572b88ee468a9165c900c0464f38842d2984190", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7a783c572b386201031e4ab45572b88ee468a9165c900c0464f38842d2984190"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 707}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 48279, "scanner": "repobility-ast-engine", "fingerprint": "72a5e19cb9564bc45758c030678afca4ad7eb9d4492c1cfb9c828477ef118847", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|72a5e19cb9564bc45758c030678afca4ad7eb9d4492c1cfb9c828477ef118847"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 48278, "scanner": "repobility-ast-engine", "fingerprint": "132f0ad155a3bc2217422d1da7cdfcc1aff800a91d233d43d2947555c89590ff", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|132f0ad155a3bc2217422d1da7cdfcc1aff800a91d233d43d2947555c89590ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 2970}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 48277, "scanner": "repobility-ast-engine", "fingerprint": "72ca3bf0fc681c0d39b2aa9fa4a4dc205556551acb3d9c579699cdbff8123c6e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|72ca3bf0fc681c0d39b2aa9fa4a4dc205556551acb3d9c579699cdbff8123c6e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 753}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 48276, "scanner": "repobility-ast-engine", "fingerprint": "3652e07b46cd489b0390388b485c7be8082d233874db9effbcce89c650530ff4", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3652e07b46cd489b0390388b485c7be8082d233874db9effbcce89c650530ff4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 681}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 48275, "scanner": "repobility-ast-engine", "fingerprint": "5a007741c4a8ac9fcbd2c573eedf8ae3a41e7a276d8ee071759bc4ab04ba87d3", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5a007741c4a8ac9fcbd2c573eedf8ae3a41e7a276d8ee071759bc4ab04ba87d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 670}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 48274, "scanner": "repobility-ast-engine", "fingerprint": "58fa6361a2366513f95ea307d7eb26a17cbddc098d91ee089a738a7e82d229bb", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|58fa6361a2366513f95ea307d7eb26a17cbddc098d91ee089a738a7e82d229bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 612}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 48273, "scanner": "repobility-ast-engine", "fingerprint": "883a82bdadc0f6cc6f9818cfb944259f7782853b96187483c37696af5ef58e52", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|883a82bdadc0f6cc6f9818cfb944259f7782853b96187483c37696af5ef58e52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 457}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 48272, "scanner": "repobility-ast-engine", "fingerprint": "37107b0b2bbcca49c0a197a0f73c02089c0d1249068aa115d84e61a007c5d81f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|37107b0b2bbcca49c0a197a0f73c02089c0d1249068aa115d84e61a007c5d81f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 434}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 48271, "scanner": "repobility-ast-engine", "fingerprint": "95a184962d7d457f6dd2b7b2f99210d1c4ca32a6e130def5463ab3fae1cc94ea", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|95a184962d7d457f6dd2b7b2f99210d1c4ca32a6e130def5463ab3fae1cc94ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 380}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 48270, "scanner": "repobility-ast-engine", "fingerprint": "193410bee123e8c4fb4305856c2610af50e5f86b2012ff88980bac72d07548ae", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|193410bee123e8c4fb4305856c2610af50e5f86b2012ff88980bac72d07548ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 304}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 48244, "scanner": "repobility-journey-contract", "fingerprint": "65548c2d4f0b58f6731259aaa6b670da0e7bd6f057959c7ab0b5cdf319e04bc5", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|tests/e2e/fixtures.ts|264|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/e2e/fixtures.ts"}, "region": {"startLine": 264}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 48243, "scanner": "repobility-journey-contract", "fingerprint": "f441b4ffe1dc430dc3a8b6e99808107c4d96a75190f2b5dc1c88efcbadafa0b4", "category": "auth", "severity": "medium", "confidence": 0.82, 
"triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|127|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src/preload/index.ts"}, "region": {"startLine": 127}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 48242, "scanner": "repobility-journey-contract", "fingerprint": "528c6d59b8c072a21f1ab9812193f5abe1c6b016e3254d87ba750c78081ec900", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|32|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src/preload/index.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 48240, "scanner": "repobility-docker", "fingerprint": "26d61d20e54c3b5f1c4aad12a65b152a211e0cb6d6cefc095825b0c72dceca19", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|26d61d20e54c3b5f1c4aad12a65b152a211e0cb6d6cefc095825b0c72dceca19", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 34}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 48239, "scanner": "repobility-agent-runtime", "fingerprint": "d6f6ce7f8240879f7663f948cf3b8cbc154d7dd1124a54e4dda4807d86000853", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|d6f6ce7f8240879f7663f948cf3b8cbc154d7dd1124a54e4dda4807d86000853"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/index.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "AGT014", "level": "warning", "message": {"text": "Codex auth.json is read or copied without visible secret-file hardening"}, "properties": {"repobilityId": 48238, "scanner": "repobility-agent-runtime", "fingerprint": "ee70e92374a860b3e90d8256cd2f624a0120025114d254c0d5d63ac959f57c01", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File references Codex auth.json or CODEX_HOME with read/copy/write behavior and no visible permission or secure-storage guard.", "evidence": {"rule_id": "AGT014", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|ee70e92374a860b3e90d8256cd2f624a0120025114d254c0d5d63ac959f57c01"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/controllers/hermes/models.ts"}, "region": {"startLine": 164}}}]}, {"ruleId": "AGT014", "level": "warning", "message": {"text": "Codex auth.json is read or copied without visible secret-file hardening"}, "properties": {"repobilityId": 48237, "scanner": "repobility-agent-runtime", "fingerprint": "6ca87092142656dc337cbec689c7d1490083547cd4b4f17f931d4abb5200fcc6", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File references Codex auth.json or CODEX_HOME with read/copy/write behavior and no visible permission or secure-storage guard.", "evidence": {"rule_id": "AGT014", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|6ca87092142656dc337cbec689c7d1490083547cd4b4f17f931d4abb5200fcc6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/controllers/hermes/media.ts"}, "region": {"startLine": 64}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 48236, "scanner": "repobility-agent-runtime", "fingerprint": "4e2e27c496380a32eeabfbc6d3ad5fa7142b4156f0c4cd93922c198534ebc84f", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|4e2e27c496380a32eeabfbc6d3ad5fa7142b4156f0c4cd93922c198534ebc84f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src/preload/index.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "AGT007", "level": "warning", 
"message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 48235, "scanner": "repobility-agent-runtime", "fingerprint": "8d0a04138dab5e5bf620140a5801214b6a2691d263825938771ea671f4f31374", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|8d0a04138dab5e5bf620140a5801214b6a2691d263825938771ea671f4f31374"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/stores/hermes/app.ts"}, "region": {"startLine": 318}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 48234, "scanner": "repobility-agent-runtime", "fingerprint": "835108bce464f78fc1f83940669f108992744188a6af3156d6150d366c7525ab", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|835108bce464f78fc1f83940669f108992744188a6af3156d6150d366c7525ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/composables/useVoiceSettings.ts"}, "region": {"startLine": 55}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 48233, "scanner": "repobility-agent-runtime", 
"fingerprint": "54481b96cfd957493fd702c55d5115eb8d369523458f6fdef1ff953bc3984305", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|54481b96cfd957493fd702c55d5115eb8d369523458f6fdef1ff953bc3984305"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/composables/useToolTraceVisibility.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC031", "level": "warning", "message": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process. CWE-1333. 
Real CVEs: CVE-2017-16129 (minimatch), CVE-2021-3807 (ansi-regex), and dozens more."}, "properties": {"repobilityId": 48209, "scanner": "repobility-threat-engine", "fingerprint": "b1b863a24fa7aeece35e31e55260ab820d251b8cb73fdc744478ab53374565a3", "category": "redos", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "(.*)*", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC031", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b1b863a24fa7aeece35e31e55260ab820d251b8cb73fdc744478ab53374565a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/website/src/router/index.ts"}, "region": {"startLine": 52}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 48208, "scanner": "repobility-threat-engine", "fingerprint": "fb9da5e40e11e819a895b361a8d2014551c16f767e1386348ffc0fde1662c054", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (error) {\n  }", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fb9da5e40e11e819a895b361a8d2014551c16f767e1386348ffc0fde1662c054"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/run-chat/message-format.ts"}, "region": {"startLine": 211}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 48198, "scanner": "repobility-threat-engine", 
"fingerprint": "2b01239e41130cc25aad8e756682902594257795b50fdecbd5618aaeb2df2e2b", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "YAML.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|78|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/safe-file-store.ts"}, "region": {"startLine": 78}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 48197, "scanner": "repobility-threat-engine", "fingerprint": "78ae2eb732ac08aa699a9bea314ac598408017ffdc1d040629d5344c99adad7d", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|118|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/profile-credentials.ts"}, "region": {"startLine": 118}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 48196, "scanner": "repobility-threat-engine", "fingerprint": "b41d78551d6434a49754ddca5b737fa7b1db4d7a636cc70dd46ead6bd9885f7a", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "evidence": {"match": "sessionId = `gc_compress_${roomId}_${profile}_${Date.now()}_${Math.random", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|48|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/context-engine/gateway-client.ts"}, "region": {"startLine": 48}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 48188, "scanner": "repobility-threat-engine", "fingerprint": "b894b25ffea2f693b1417ffc7830d1a09ce2cfe8aee56d7d71e6d28d62725836", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (2.6 bits) \u2014 may be placeholder or common string", "evidence": {"match": "PASSWORD = '<redacted>'", "reason": "Low entropy value (2.6 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|3|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/db/hermes/users-store.ts"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 
48187, "scanner": "repobility-threat-engine", "fingerprint": "298b0d116b84ddae57ffaa84c125702fcd4bf612538eebf8ada2705a71939023", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (2.6 bits) \u2014 may be placeholder or common string", "evidence": {"match": "PASSWORD = '<redacted>'", "reason": "Low entropy value (2.6 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|1|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src/preload/index.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 48182, "scanner": "repobility-threat-engine", "fingerprint": "d3199aea4dda7c3164517baea8f8613ca8bae88a62f378c73686ec2126ce0934", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|245|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/db/hermes/users-store.ts"}, "region": {"startLine": 245}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 48181, "scanner": "repobility-threat-engine", "fingerprint": "25fb51cf78574950ea6d8a234efbb90123bde59c6eac6f4a7d6f7be0a10deb8c", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|27|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/scripts/merge-mac-latest-yml.mjs"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 48180, "scanner": "repobility-threat-engine", "fingerprint": "8e3600060a5ea3b657309b34af32f0547c5bd007ba190131d6e59428df9d320c", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|61|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/utils/thinking-parser.ts"}, "region": {"startLine": 61}}}]}, {"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 7099, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 7098, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", 
"verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 7093, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Koa"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 7087, "scanner": "repobility-docker", "fingerprint": "760ac601a127d9d4183e8f345ee8a3d90cf6d1346bb24a50e33d510933b19a11", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": 
{"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|760ac601a127d9d4183e8f345ee8a3d90cf6d1346bb24a50e33d510933b19a11", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 29}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 7085, "scanner": "repobility-threat-engine", "fingerprint": "5d3634b52a3fa9ae5a831651db04f29c7823f4c3a0a671e5e762e3ce3bdd3121", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n                    pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5d3634b52a3fa9ae5a831651db04f29c7823f4c3a0a671e5e762e3ce3bdd3121"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 252}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 7083, "scanner": "repobility-threat-engine", "fingerprint": "422ddb643535d4ef90be7d6ec66b64849e05e05c0009ef95e56b3ff84b1374f1", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "YAML.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|718|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/file-provider.ts"}, "region": {"startLine": 718}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 7082, "scanner": "repobility-threat-engine", "fingerprint": "4ec3570e0910630d4fbd4c48d36b19d34bdbe31b13352a04b6d21378de8a001e", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "YAML.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|94|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/controllers/hermes/config.ts"}, "region": {"startLine": 94}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 7081, "scanner": "repobility-threat-engine", "fingerprint": "5d76ddbea5ac33242ce5e6aed49d6f5f3bb1c58057b92b569b15d6c143de71a8", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "YAML.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|77|sec007"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/config-helpers.ts"}, "region": {"startLine": 77}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 7079, "scanner": "repobility-threat-engine", "fingerprint": "0bd6ff438103d2be5964a486e4431f91458d981f48b044adbd1bf73e93b98395", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0bd6ff438103d2be5964a486e4431f91458d981f48b044adbd1bf73e93b98395"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/tts.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 7078, "scanner": "repobility-threat-engine", "fingerprint": "eecb611904df4213dd4d805ecfb791b54125838560a394072ede88d885232eb3", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|eecb611904df4213dd4d805ecfb791b54125838560a394072ede88d885232eb3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/session-deleter.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "ERR002", "level": "warning", 
"message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 7077, "scanner": "repobility-threat-engine", "fingerprint": "c0268b4579ccc15ecde491d8d606594d0c37c2802fd53ba10aebae165d2ab52d", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c0268b4579ccc15ecde491d8d606594d0c37c2802fd53ba10aebae165d2ab52d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/login-limiter.ts"}, "region": {"startLine": 113}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 7065, "scanner": "repobility-agent-runtime", "fingerprint": "076f804fcdc8f236e5e1655968392c4ba0244339edec3136ccba2490adb0a4e0", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|076f804fcdc8f236e5e1655968392c4ba0244339edec3136ccba2490adb0a4e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/stores/hermes/session-browser-prefs.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 7064, "scanner": "repobility-agent-runtime", 
"fingerprint": "299b5b348d5b12759e8f9b6bfa692fba2c4a8920e0cf3da756b3a9d458fc8936", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|299b5b348d5b12759e8f9b6bfa692fba2c4a8920e0cf3da756b3a9d458fc8936"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/stores/hermes/kanban.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 7063, "scanner": "repobility-agent-runtime", "fingerprint": "8ee3880207d94944569eea7f5566c9190ff91fd9237d197571b70b216c8fbaba", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|8ee3880207d94944569eea7f5566c9190ff91fd9237d197571b70b216c8fbaba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/stores/hermes/app.ts"}, "region": {"startLine": 256}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 7062, "scanner": "repobility-agent-runtime", "fingerprint": "93834ac622cab5fe7d6c2d8c972d731c5e61ee6d20508ec1cf90b0181f5be1cb", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": 
"fixed", "verdict": "likely", "isResolved": true, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|93834ac622cab5fe7d6c2d8c972d731c5e61ee6d20508ec1cf90b0181f5be1cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/composables/useVoiceSettings.ts"}, "region": {"startLine": 47}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7056, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b56121aa6c0f0c2ea2e699e8ee99d178afd76cb2790a90930c4867d8a5e484ad", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/hermes/jobs/JobCard.vue", "duplicate_line": 191, "correlation_key": "fp|b56121aa6c0f0c2ea2e699e8ee99d178afd76cb2790a90930c4867d8a5e484ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/hermes/models/ProviderCard.vue"}, "region": {"startLine": 298}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7053, "scanner": "repobility-ai-code-hygiene", "fingerprint": "17a41958bde8f8a823daf4255125f2bed7f3488e342d02e0431e039b1008e00c", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/hermes/group-chat/GroupChatInput.vue", "duplicate_line": 265, "correlation_key": "fp|17a41958bde8f8a823daf4255125f2bed7f3488e342d02e0431e039b1008e00c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/hermes/group-chat/GroupChatPanel.vue"}, "region": {"startLine": 451}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7052, "scanner": "repobility-ai-code-hygiene", "fingerprint": "95284f5e31e0301f42a194f6f3b09bdc7bac7d64d97d6984d227e7a9ca3695f4", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/hermes/chat/ChatInput.vue", "duplicate_line": 22, "correlation_key": "fp|95284f5e31e0301f42a194f6f3b09bdc7bac7d64d97d6984d227e7a9ca3695f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/hermes/group-chat/GroupChatInput.vue"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7051, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e09cac519e3d8ed591c83f092660933832e6ff2c32f7fab3279c56bfbec0e4bd", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/hermes/chat/FilesPanel.vue", "duplicate_line": 99, "correlation_key": "fp|e09cac519e3d8ed591c83f092660933832e6ff2c32f7fab3279c56bfbec0e4bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/hermes/chat/TerminalPanel.vue"}, "region": {"startLine": 461}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7050, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1d7dfd1802c0c0b2712a6bc8b2ec020464b10c91c79ac7ada708f98acf23f4f7", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/hermes/chat/HistoryMessageList.vue", "duplicate_line": 21, "correlation_key": "fp|1d7dfd1802c0c0b2712a6bc8b2ec020464b10c91c79ac7ada708f98acf23f4f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/hermes/chat/MessageList.vue"}, "region": {"startLine": 66}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 48232, "scanner": "repobility-ai-code-hygiene", "fingerprint": "94cb20b8f6a93bbfb85902a6a7751b0b3425ab08ac92cdd8009b8218238a1819", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", 
"evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/api/hermes/conversations.ts", "duplicate_line": 11, "correlation_key": "fp|94cb20b8f6a93bbfb85902a6a7751b0b3425ab08ac92cdd8009b8218238a1819"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/db/hermes/session-store.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 48231, "scanner": "repobility-ai-code-hygiene", "fingerprint": "478e93afb70efd393630491988e9369365022542a5e2640279a537d0f0bc329f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/server/src/db/hermes/conversations-db.ts", "duplicate_line": 41, "correlation_key": "fp|478e93afb70efd393630491988e9369365022542a5e2640279a537d0f0bc329f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/db/hermes/session-store.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 48230, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f4c562112eeb5fb9fc3ffe53ec4289f0133b3ef743209578cca83919146db475", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", 
"references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/api/hermes/conversations.ts", "duplicate_line": 11, "correlation_key": "fp|f4c562112eeb5fb9fc3ffe53ec4289f0133b3ef743209578cca83919146db475"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/db/hermes/conversations-db.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 48229, "scanner": "repobility-ai-code-hygiene", "fingerprint": "976b8732348c63e90d0b5447131fa7c3835f3ce64b08810c863021975ba058a8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/views/hermes/McpManagerView.vue", "duplicate_line": 593, "correlation_key": "fp|976b8732348c63e90d0b5447131fa7c3835f3ce64b08810c863021975ba058a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/views/hermes/UsageView.vue"}, "region": {"startLine": 80}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 48228, "scanner": "repobility-ai-code-hygiene", "fingerprint": "819968fa9306c81bd79836da9805583815369e5ffd1826746249b90d19cbc501", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"packages/client/src/views/hermes/PerformanceView.vue", "duplicate_line": 195, "correlation_key": "fp|819968fa9306c81bd79836da9805583815369e5ffd1826746249b90d19cbc501"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/views/hermes/UsageView.vue"}, "region": {"startLine": 77}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 48227, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8acf1ba99fbe7e8bce5db7e8782e7e5393b564fbf01537c115daf473529c9d26", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/views/hermes/McpManagerView.vue", "duplicate_line": 622, "correlation_key": "fp|8acf1ba99fbe7e8bce5db7e8782e7e5393b564fbf01537c115daf473529c9d26"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/views/hermes/PluginsView.vue"}, "region": {"startLine": 237}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 48226, "scanner": "repobility-ai-code-hygiene", "fingerprint": "47b05be4632b83a66f5bb76af5bd68c7781b5d88af6001fee25438098723f7a9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/views/hermes/McpManagerView.vue", "duplicate_line": 593, 
"correlation_key": "fp|47b05be4632b83a66f5bb76af5bd68c7781b5d88af6001fee25438098723f7a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/views/hermes/PerformanceView.vue"}, "region": {"startLine": 198}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 48225, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f0163d6bf73f142add9b934ebe98e8dc557bab9ac746ec1f56965b71c5e298df", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/hermes/chat/FilesPanel.vue", "duplicate_line": 24, "correlation_key": "fp|f0163d6bf73f142add9b934ebe98e8dc557bab9ac746ec1f56965b71c5e298df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/views/hermes/FilesView.vue"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 48224, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8565645940a7f7ef913e81a6c08fad134694e215455954b1710dd4afccbc79b3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/hermes/chat/DrawerPanel.vue", "duplicate_line": 65, "correlation_key": 
"fp|8565645940a7f7ef913e81a6c08fad134694e215455954b1710dd4afccbc79b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/views/hermes/CodingAgentsView.vue"}, "region": {"startLine": 783}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 48223, "scanner": "repobility-ai-code-hygiene", "fingerprint": "100c7cced28f9e8cabaa7629abc16a138ee1a7cac84dd6a33ebb33f3dbaaf9d1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/hermes/settings/GithubPreviewSettings.vue", "duplicate_line": 43, "correlation_key": "fp|100c7cced28f9e8cabaa7629abc16a138ee1a7cac84dd6a33ebb33f3dbaaf9d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/views/hermes/CodingAgentsView.vue"}, "region": {"startLine": 283}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 48222, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cc2ff331175c1c53a51be5ead5c4e0d22d48bc693e07ee03928676156c936287", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/hermes/usage/DailyTrend.vue", "duplicate_line": 3, "correlation_key": 
"fp|cc2ff331175c1c53a51be5ead5c4e0d22d48bc693e07ee03928676156c936287"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/hermes/usage/StatCards.vue"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 48221, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d51942ba1c3d8e6e25a456a7c96ddcb33cf708b4b4aeadc3f55c3f421281425b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/hermes/jobs/JobsPanel.vue", "duplicate_line": 49, "correlation_key": "fp|d51942ba1c3d8e6e25a456a7c96ddcb33cf708b4b4aeadc3f55c3f421281425b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/hermes/profiles/ProfilesPanel.vue"}, "region": {"startLine": 25}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 48220, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2dba9a121017410b079b512a0f7a6429dbd1696b6b1d8a9d70040e6bce92ebbf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/hermes/models/ProvidersPanel.vue", "duplicate_line": 22, "correlation_key": 
"fp|2dba9a121017410b079b512a0f7a6429dbd1696b6b1d8a9d70040e6bce92ebbf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/hermes/profiles/ProfilesPanel.vue"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 48219, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b60c6902d98e14e845237789bac83c75f74da27467d548993a34deeb18f847a0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/hermes/profiles/ProfileImportModal.vue", "duplicate_line": 82, "correlation_key": "fp|b60c6902d98e14e845237789bac83c75f74da27467d548993a34deeb18f847a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/hermes/profiles/ProfileRenameModal.vue"}, "region": {"startLine": 79}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 48218, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c4adb9698bbc05933a2ceddc671ad71521821f3d542acb5cc1023a1299cf6707", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/hermes/jobs/JobFormModal.vue", "duplicate_line": 159, "correlation_key": 
"fp|c4adb9698bbc05933a2ceddc671ad71521821f3d542acb5cc1023a1299cf6707"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/hermes/profiles/ProfileRenameModal.vue"}, "region": {"startLine": 45}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 48217, "scanner": "repobility-ai-code-hygiene", "fingerprint": "07f73ea3b6e8253409255062a3dbe1c79fc7e943cf8f0f7f1ff43a2ea30232ad", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/hermes/models/CodexLoginModal.vue", "duplicate_line": 54, "correlation_key": "fp|07f73ea3b6e8253409255062a3dbe1c79fc7e943cf8f0f7f1ff43a2ea30232ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/hermes/models/XaiOAuthLoginModal.vue"}, "region": {"startLine": 42}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 48216, "scanner": "repobility-ai-code-hygiene", "fingerprint": "89912d8bbbebe764834732fa343c5b40056a2c05529fcee4f98d2e9192fbef9b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/hermes/jobs/JobCard.vue", "duplicate_line": 191, "correlation_key": 
"fp|89912d8bbbebe764834732fa343c5b40056a2c05529fcee4f98d2e9192fbef9b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/hermes/models/ProviderCard.vue"}, "region": {"startLine": 327}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 48215, "scanner": "repobility-ai-code-hygiene", "fingerprint": "23fa754d53755e0b1ff7bce8e4a53e80bd56401614fe2584a64b3d3b26534332", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/hermes/mcp/McpServerCard.vue", "duplicate_line": 126, "correlation_key": "fp|23fa754d53755e0b1ff7bce8e4a53e80bd56401614fe2584a64b3d3b26534332"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/hermes/models/ProviderCard.vue"}, "region": {"startLine": 304}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 48214, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e588752901b91c7c9adcb32897f2b5f322fd2881824933493169c4e6f07ed99e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/hermes/jobs/JobCard.vue", "duplicate_line": 198, "correlation_key": 
"fp|e588752901b91c7c9adcb32897f2b5f322fd2881824933493169c4e6f07ed99e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/hermes/mcp/McpServerCard.vue"}, "region": {"startLine": 171}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 48213, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bdc8763b4a1453fa2a655c2f6f6347a0850bb092012200392a1af9e0452a1ac1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/hermes/chat/HistoryMessageList.vue", "duplicate_line": 117, "correlation_key": "fp|bdc8763b4a1453fa2a655c2f6f6347a0850bb092012200392a1af9e0452a1ac1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/hermes/group-chat/GroupMessageList.vue"}, "region": {"startLine": 88}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 48212, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e88a30d48406202f9c390af21bbd373a2dd9c4329b2baa8996d971862d9fad8f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/hermes/chat/ChatInput.vue", "duplicate_line": 58, "correlation_key": 
"fp|e88a30d48406202f9c390af21bbd373a2dd9c4329b2baa8996d971862d9fad8f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/hermes/group-chat/GroupChatInput.vue"}, "region": {"startLine": 34}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 48211, "scanner": "repobility-ai-code-hygiene", "fingerprint": "279222d5a412300cdb90f01fda64a773cec0d7d7234e40dcbbb70888a1e80c42", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/hermes/chat/FilesPanel.vue", "duplicate_line": 100, "correlation_key": "fp|279222d5a412300cdb90f01fda64a773cec0d7d7234e40dcbbb70888a1e80c42"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/hermes/chat/TerminalPanel.vue"}, "region": {"startLine": 511}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 48210, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4d487014cdcccbf80ef49b0b789c07f455f46ce7a4e8ec8fa7665d53eb944774", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/hermes/chat/HistoryMessageList.vue", "duplicate_line": 26, "correlation_key": 
"fp|4d487014cdcccbf80ef49b0b789c07f455f46ce7a4e8ec8fa7665d53eb944774"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/hermes/chat/MessageList.vue"}, "region": {"startLine": 76}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 7097, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 7096, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 7095, "scanner": 
"repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 7094, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 7092, "scanner": "repobility-docker", "fingerprint": "7f80983f54868d8bec198a3977b7dcbe8bfb5f2291356d590fb078148e91780d", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no 
security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "hermes-webui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7f80983f54868d8bec198a3977b7dcbe8bfb5f2291356d590fb078148e91780d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 7091, "scanner": "repobility-docker", "fingerprint": "2ae03d2ca68f689d193058b7c353aabad57bc3d37942d6a7c1406762df909513", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "hermes-webui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2ae03d2ca68f689d193058b7c353aabad57bc3d37942d6a7c1406762df909513"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 7089, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": 
"fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7061, "scanner": "repobility-ai-code-hygiene", "fingerprint": "59b452d99ce5a0469bb4309da1be4174cb05367791e62468af8fb9bf9ef03d0f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/hermes/profiles/ProfileCreateModal.vue", "duplicate_line": 56, "correlation_key": "fp|59b452d99ce5a0469bb4309da1be4174cb05367791e62468af8fb9bf9ef03d0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/hermes/profiles/ProfileRenameModal.vue"}, "region": {"startLine": 44}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7060, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f312aa2a90e11c70f19698a5b8afef87a474a1a9b8e952d636d6d470537466e4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/hermes/jobs/JobFormModal.vue", "duplicate_line": 159, "correlation_key": 
"fp|f312aa2a90e11c70f19698a5b8afef87a474a1a9b8e952d636d6d470537466e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/hermes/profiles/ProfileImportModal.vue"}, "region": {"startLine": 51}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7059, "scanner": "repobility-ai-code-hygiene", "fingerprint": "95a5d3bd303519bb087fd9e8f845efeec35fb1fac4cd296795cd3384ff5c4a33", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/hermes/profiles/ProfileCreateModal.vue", "duplicate_line": 56, "correlation_key": "fp|95a5d3bd303519bb087fd9e8f845efeec35fb1fac4cd296795cd3384ff5c4a33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/hermes/profiles/ProfileImportModal.vue"}, "region": {"startLine": 50}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7058, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ee4196b54f60355b05756fbedb92b0e582c26eda86d035123993f8e9dd3ac07e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/hermes/jobs/JobFormModal.vue", "duplicate_line": 159, "correlation_key": 
"fp|ee4196b54f60355b05756fbedb92b0e582c26eda86d035123993f8e9dd3ac07e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/hermes/profiles/ProfileCreateModal.vue"}, "region": {"startLine": 57}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7057, "scanner": "repobility-ai-code-hygiene", "fingerprint": "338ea17b67310884379760eed80b151b487b8ef4e23b287dd00d9a3c0e321db1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/hermes/jobs/JobsPanel.vue", "duplicate_line": 49, "correlation_key": "fp|338ea17b67310884379760eed80b151b487b8ef4e23b287dd00d9a3c0e321db1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/hermes/models/ProvidersPanel.vue"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7055, "scanner": "repobility-ai-code-hygiene", "fingerprint": "00e69541cf1c6152c6e969a7e148242e8b2537977c0a77c3cd13b99681e6a253", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/hermes/models/CodexLoginModal.vue", "duplicate_line": 6, "correlation_key": 
"fp|00e69541cf1c6152c6e969a7e148242e8b2537977c0a77c3cd13b99681e6a253"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/hermes/models/NousLoginModal.vue"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7054, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f7897278f04db9b05f92633611459a645ffb7d295b087668e23d6263a2c2deb0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/hermes/models/CodexLoginModal.vue", "duplicate_line": 6, "correlation_key": "fp|f7897278f04db9b05f92633611459a645ffb7d295b087668e23d6263a2c2deb0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/hermes/models/CopilotLoginModal.vue"}, "region": {"startLine": 6}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 48195, "scanner": "repobility-threat-engine", "fingerprint": "dfda4170aff520d17dd79e2ba83251ca47508d2ca8ba93d0fcc46ccc46e07c8c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|dfda4170aff520d17dd79e2ba83251ca47508d2ca8ba93d0fcc46ccc46e07c8c"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 48191, "scanner": "repobility-threat-engine", "fingerprint": "53343f951d56e456a152658c916834cb3893d0c4d3d3ae11ea04dc78e3d732d2", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "console.log(`Server: http://localhost:${config.port} (LAN: http://${localIp}:${config.port})", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|20|console.log server: http://localhost: config.port lan: http:// localip : config.port"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/index.ts"}, "region": {"startLine": 206}}}]}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. 
Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "properties": {"repobilityId": 48190, "scanner": "repobility-threat-engine", "fingerprint": "e90916d282a399915be49eed68c0c9a3f148896ae92e718579260c5854da3162", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e90916d282a399915be49eed68c0c9a3f148896ae92e718579260c5854da3162"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/index.ts"}, "region": {"startLine": 143}}}]}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. 
Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "properties": {"repobilityId": 48189, "scanner": "repobility-threat-engine", "fingerprint": "d2de8a8cf8ab681682625ed54e70a47f4851e906132f6d7ea42dc7b258c862ca", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d2de8a8cf8ab681682625ed54e70a47f4851e906132f6d7ea42dc7b258c862ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/config.ts"}, "region": {"startLine": 58}}}]}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 48183, "scanner": "repobility-threat-engine", "fingerprint": "c59edcd8286991ab7caac4493f8f01b268fef2a5d218265ad20f6e2d1172fefb", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c59edcd8286991ab7caac4493f8f01b268fef2a5d218265ad20f6e2d1172fefb"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "properties": {"repobilityId": 48179, "scanner": "repobility-threat-engine", "fingerprint": "ffc9ba3b9d5bd2d29c31b01830a880750f5647e3c9f440819f3cb38c6944b1b4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 16 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|ffc9ba3b9d5bd2d29c31b01830a880750f5647e3c9f440819f3cb38c6944b1b4", "aggregated_count": 16}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 48178, "scanner": "repobility-threat-engine", "fingerprint": "ba8ce24a3cbcea103bc5e5fbe235721acb9a638202aff8c1d1f710481f5fb6c2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ba8ce24a3cbcea103bc5e5fbe235721acb9a638202aff8c1d1f710481f5fb6c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/stores/hermes/models.ts"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 48177, "scanner": "repobility-threat-engine", "fingerprint": "e8fe120de94d0dc60a7df01fbd95761492a65f05d1d8651248d2175923a7321e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e8fe120de94d0dc60a7df01fbd95761492a65f05d1d8651248d2175923a7321e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/stores/hermes/jobs.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 48176, "scanner": "repobility-threat-engine", "fingerprint": "4602661ee33f8d404157b9fbb41f9da45b32c103d476523af2325158988034ed", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4602661ee33f8d404157b9fbb41f9da45b32c103d476523af2325158988034ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/stores/hermes/files.ts"}, "region": {"startLine": 128}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 48175, "scanner": "repobility-threat-engine", "fingerprint": "631639bba613bae3219d85666c92905b3d998a8608006dabf877699d8d3298a3", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|631639bba613bae3219d85666c92905b3d998a8608006dabf877699d8d3298a3", "aggregated_count": 8}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 48174, "scanner": "repobility-threat-engine", "fingerprint": "3bc9a82a1c0bb78400e00e54065581b12404cb3617a3f7ba9bcafae34f923895", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3bc9a82a1c0bb78400e00e54065581b12404cb3617a3f7ba9bcafae34f923895"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/controllers/hermes/jobs.ts"}, "region": {"startLine": 90}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 48173, "scanner": "repobility-threat-engine", "fingerprint": "a0144b4dfaacdba547b577674761c30d5884acdef2064c495cb60bd592637132", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a0144b4dfaacdba547b577674761c30d5884acdef2064c495cb60bd592637132"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/main.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 48172, "scanner": "repobility-threat-engine", "fingerprint": "7ac1cbfadf18134c872f741941640ff7ed1c479e0b07196e9205894200f29e7b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7ac1cbfadf18134c872f741941640ff7ed1c479e0b07196e9205894200f29e7b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/i18n/index.ts"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 3 more): Same pattern found in 3 additional files. 
Review if needed."}, "properties": {"repobilityId": 48171, "scanner": "repobility-threat-engine", "fingerprint": "7eac65c6d729ce731cf7f1b0d32d88551e2714b6a555982628995e228d42ee93", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|7eac65c6d729ce731cf7f1b0d32d88551e2714b6a555982628995e228d42ee93", "aggregated_count": 3}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 48170, "scanner": "repobility-threat-engine", "fingerprint": "e7b1a8fb8a67a20055777fc6c17af966dc77a267fe3105f1c7439ef16027234d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e7b1a8fb8a67a20055777fc6c17af966dc77a267fe3105f1c7439ef16027234d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/controllers/hermes/xai-auth.ts"}, "region": {"startLine": 332}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 48169, "scanner": "repobility-threat-engine", "fingerprint": "7f42253ba2778a99e27d1b7c5d5e9f945cff79bd2c0a4c5be0138cdf4753001d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7f42253ba2778a99e27d1b7c5d5e9f945cff79bd2c0a4c5be0138cdf4753001d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src/preload/index.ts"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 48168, "scanner": "repobility-threat-engine", "fingerprint": "946015056e75a399b1e014efcf45cad0f3ce8d1d2c3fdf90d6216b77337d821a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|946015056e75a399b1e014efcf45cad0f3ce8d1d2c3fdf90d6216b77337d821a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/hermes/chat/highlight.ts"}, "region": {"startLine": 90}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 48167, "scanner": "repobility-threat-engine", "fingerprint": "62ff231053d16ded91f5d63a99a8b7f9a8d879f1bee1b23442cfa6701d92f730", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|62ff231053d16ded91f5d63a99a8b7f9a8d879f1bee1b23442cfa6701d92f730", "aggregated_count": 2}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 48166, "scanner": "repobility-threat-engine", "fingerprint": "a6d5a119c35823363a2ab29c6eb8ae86dfc17b1681e1fd5d5f929c6e77c636bc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a6d5a119c35823363a2ab29c6eb8ae86dfc17b1681e1fd5d5f929c6e77c636bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/index.ts"}, "region": {"startLine": 197}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 48165, "scanner": "repobility-threat-engine", "fingerprint": "1ac1598de0076b8d2b1eab866a567c76fda88ce0f387638500389a6ab84d3762", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1ac1598de0076b8d2b1eab866a567c76fda88ce0f387638500389a6ab84d3762"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/controllers/hermes/xai-auth.ts"}, "region": {"startLine": 225}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 48164, "scanner": "repobility-threat-engine", "fingerprint": "46965d92b0cfebe587ac4807bc2d27225ace4f7ac3775947c002b406a5253260", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|46965d92b0cfebe587ac4807bc2d27225ace4f7ac3775947c002b406a5253260"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/api/client.ts"}, "region": {"startLine": 72}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 13 more): Same pattern found in 13 additional files. 
Review if needed."}, "properties": {"repobilityId": 48163, "scanner": "repobility-threat-engine", "fingerprint": "67207f5a6f091578506eace9ca6ffadd0a3f381d921b44ecf0b5e41c235e25c5", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|67207f5a6f091578506eace9ca6ffadd0a3f381d921b44ecf0b5e41c235e25c5"}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 42 more): Same pattern found in 42 additional files. Review if needed."}, "properties": {"repobilityId": 48159, "scanner": "repobility-threat-engine", "fingerprint": "b46cab4075f10735f1d22f500745b75e7c2f7ba42bf2fc33e5622a8f06863edf", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 42 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|b46cab4075f10735f1d22f500745b75e7c2f7ba42bf2fc33e5622a8f06863edf", "aggregated_count": 42}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 48158, "scanner": "repobility-threat-engine", "fingerprint": "82920b1376016b618538fdb94f41f27601c795ef161d00858bc8a8ace098c5d9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|82920b1376016b618538fdb94f41f27601c795ef161d00858bc8a8ace098c5d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/api/hermes/model-context.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 48157, "scanner": "repobility-threat-engine", "fingerprint": "5547a35bcd4382f85968dd573c09f08dbd3ffcd2435261e16969abd2a88b9941", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5547a35bcd4382f85968dd573c09f08dbd3ffcd2435261e16969abd2a88b9941"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/api/hermes/config.ts"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 48156, "scanner": "repobility-threat-engine", "fingerprint": "83fb20a4ee1b0f9d087ad50a249a84ba9867962d8108545187f952a5305ea032", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|83fb20a4ee1b0f9d087ad50a249a84ba9867962d8108545187f952a5305ea032"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/api/auth.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `hermes-webui` image is selected through a build variable"}, "properties": {"repobilityId": 7090, "scanner": "repobility-docker", "fingerprint": "0043b77c7c471032bb30591b4e1a2bf9b66322d7363d9d4060981d0054648de8", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${WEBUI_IMAGE:-hermes-web-ui-local:latest}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|0043b77c7c471032bb30591b4e1a2bf9b66322d7363d9d4060981d0054648de8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile 
base image is selected through a build variable"}, "properties": {"repobilityId": 7086, "scanner": "repobility-docker", "fingerprint": "8dc126f4c321df2995efa1cddf74c20d0acb178e7cd1e496fbc747abfb983e61", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${BASE_IMAGE}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|8dc126f4c321df2995efa1cddf74c20d0acb178e7cd1e496fbc747abfb983e61"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "SEC007", "level": "none", "message": {"text": "[SEC007] Unsafe Deserialization (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 7084, "scanner": "repobility-threat-engine", "fingerprint": "c3688caa294cdf183f3b9255495dce6fcdce3bd08432eac349ae348a58ed6a0d", "category": "deserialization", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c3688caa294cdf183f3b9255495dce6fcdce3bd08432eac349ae348a58ed6a0d"}}}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 1 more): Same pattern found in 1 additional files. 
Review if needed."}, "properties": {"repobilityId": 7080, "scanner": "repobility-threat-engine", "fingerprint": "e7174d71aa23c14419f9144792a6ba116afcec3004f64b82de4dbf54fc9e1921", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|e7174d71aa23c14419f9144792a6ba116afcec3004f64b82de4dbf54fc9e1921"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 7076, "scanner": "repobility-threat-engine", "fingerprint": "501876d43fbaf15c6d4055194dcce53c187c4dbbef78a664b67e46162788cb51", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|501876d43fbaf15c6d4055194dcce53c187c4dbbef78a664b67e46162788cb51"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 7075, "scanner": "repobility-threat-engine", "fingerprint": "dcd2305513d4b8c29395a21bdf73d58facbd9290871080d9c2336c4bb3e81e46", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "logger.info('[context-compress] session=%s: snapshot at %d, %d new messages, assembled ~%d tokens (t", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|88|logger.info context-compress session s: snapshot at d d new messages assembled d tokens t"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/chat-run-socket.ts"}, "region": {"startLine": 883}}}]}, {"ruleId": "SEC018", "level": "none", "message": {"text": "[SEC018] AI-Agent Secret Retrieval Command (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 7072, "scanner": "repobility-threat-engine", "fingerprint": "96f53c87a94f79a954731e55d934a87bc8d021f22a59f81ac3332aae22ddcdc1", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC018", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|96f53c87a94f79a954731e55d934a87bc8d021f22a59f81ac3332aae22ddcdc1"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 7069, "scanner": "repobility-threat-engine", "fingerprint": "9375baefc0ced02fd3d7e2992e6c7895a26c4bebc8685b2aa8bfeb0351b3d42e", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|9375baefc0ced02fd3d7e2992e6c7895a26c4bebc8685b2aa8bfeb0351b3d42e"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 7068, "scanner": "repobility-threat-engine", "fingerprint": "62011277bbef9d03e87396f0ac6f02b88ec324632c85bb188f04e5446d515601", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|17|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/routes/hermes/group-chat.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 7067, "scanner": "repobility-threat-engine", "fingerprint": "a395da24e6314a220853dc81daf348c0038752aeca7a6169d0c4c274992295c7", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|96|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/api/hermes/group-chat.ts"}, "region": {"startLine": 96}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 7066, "scanner": "repobility-threat-engine", "fingerprint": "029fbfa0c684a785625b4305eee88c8b93468a87f7c2ea09c58c000c3cabe3b6", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|74|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/stores/hermes/chat.ts"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 48321, "scanner": "repobility-supply-chain", "fingerprint": "4d36ed6844cff453180b3a1fcea83d475e2470c222ed7a46a308d209e41934f8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4d36ed6844cff453180b3a1fcea83d475e2470c222ed7a46a308d209e41934f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 105}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `astral-sh/setup-uv` pinned to mutable ref `@v3`: `uses: astral-sh/setup-uv@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 48320, "scanner": "repobility-supply-chain", "fingerprint": "0ae0abcba88fc552300aa65f49b3f390ab5a50955b286ed6e3c9d48f5e515107", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0ae0abcba88fc552300aa65f49b3f390ab5a50955b286ed6e3c9d48f5e515107"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 48319, "scanner": "repobility-supply-chain", "fingerprint": "77d991f6bc7e25e476f63c89bb50a3fb9683cf56f710098f68bfc74ebe6b7792", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|77d991f6bc7e25e476f63c89bb50a3fb9683cf56f710098f68bfc74ebe6b7792"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 48318, "scanner": "repobility-supply-chain", "fingerprint": "e9ad9dc0222784c23cc0a088dd0026a3a141ca1234a3f62eb5d8c713bc6d4347", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e9ad9dc0222784c23cc0a088dd0026a3a141ca1234a3f62eb5d8c713bc6d4347"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 48317, "scanner": "repobility-supply-chain", "fingerprint": "4ebe6655f7ec5af35b243d93284ab42bb32c85b0473ab980239d4e5d99a732cd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4ebe6655f7ec5af35b243d93284ab42bb32c85b0473ab980239d4e5d99a732cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 48316, "scanner": "repobility-supply-chain", "fingerprint": "af272fff2f6f7ff3ebd60c41cbad878651006feadda2aef248ea3c3935fdebea", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|af272fff2f6f7ff3ebd60c41cbad878651006feadda2aef248ea3c3935fdebea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 48315, "scanner": "repobility-supply-chain", "fingerprint": "7d22d22759a3c507db662940e955cecca0929a83986f262c3b932af3d1e70bb5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7d22d22759a3c507db662940e955cecca0929a83986f262c3b932af3d1e70bb5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/npm-lockfile-check.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 48314, "scanner": "repobility-supply-chain", "fingerprint": "9b80ca07d6ff126888a91df4ac27590d1f41942f088d3b04debef10914fab191", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9b80ca07d6ff126888a91df4ac27590d1f41942f088d3b04debef10914fab191"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/npm-lockfile-check.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 48313, "scanner": "repobility-supply-chain", "fingerprint": "6630096401b9f95ce251e3dca3dec73459136b279efc63871eff2f4ef34538f2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6630096401b9f95ce251e3dca3dec73459136b279efc63871eff2f4ef34538f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker-publish.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 48308, "scanner": "repobility-supply-chain", "fingerprint": "1b4f1507311af356a964ec02d3b2e9ad645944bdc19aba7f126d57b5dd710d10", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1b4f1507311af356a964ec02d3b2e9ad645944bdc19aba7f126d57b5dd710d10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/website-deploy.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 48307, "scanner": "repobility-supply-chain", "fingerprint": "75de842b075771f728e77dd6f77072dffc28bc27a99f99f5672114e27b4a5e78", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|75de842b075771f728e77dd6f77072dffc28bc27a99f99f5672114e27b4a5e78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/website-deploy.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `softprops/action-gh-release` pinned to mutable ref `@v2`: `uses: softprops/action-gh-release@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 48306, "scanner": "repobility-supply-chain", "fingerprint": "e8992f3fbfc84133cc6f94673d4f56addf79309c9867f1b225ff3b5407e1fbe4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e8992f3fbfc84133cc6f94673d4f56addf79309c9867f1b225ff3b5407e1fbe4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/desktop-manual-build.yml"}, "region": {"startLine": 199}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 48305, "scanner": "repobility-supply-chain", "fingerprint": "212f0acdcd423c81662ed96e396624a13ff4076c4a1667c21b9d71a64e6e5643", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|212f0acdcd423c81662ed96e396624a13ff4076c4a1667c21b9d71a64e6e5643"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/desktop-manual-build.yml"}, "region": {"startLine": 190}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `astral-sh/setup-uv` pinned to mutable ref `@v3`: `uses: astral-sh/setup-uv@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 48304, "scanner": "repobility-supply-chain", "fingerprint": "598ed6ba51271f8c4eb74befd83ad9c87ed2125c3ca75d911001aeea2416d46a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|598ed6ba51271f8c4eb74befd83ad9c87ed2125c3ca75d911001aeea2416d46a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/desktop-manual-build.yml"}, "region": {"startLine": 121}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 48303, "scanner": "repobility-supply-chain", "fingerprint": "8fd209d9846cb2a776f3c20774cd7e63bb7a34d51f94dee6683f90d8f88d6556", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8fd209d9846cb2a776f3c20774cd7e63bb7a34d51f94dee6683f90d8f88d6556"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/desktop-manual-build.yml"}, "region": {"startLine": 112}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 48302, "scanner": "repobility-supply-chain", "fingerprint": "a58ef91c7f6bb8498770e9336b197ad1b4f5aec2f957add10ce08c9769360484", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a58ef91c7f6bb8498770e9336b197ad1b4f5aec2f957add10ce08c9769360484"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/desktop-manual-build.yml"}, "region": {"startLine": 109}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 48301, "scanner": "repobility-supply-chain", "fingerprint": "94c297b02e880a914fe905743cf1b1766ba7f27d5cef38f7f22a1483dd45e092", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|94c297b02e880a914fe905743cf1b1766ba7f27d5cef38f7f22a1483dd45e092"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/playwright.yml"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 48300, "scanner": "repobility-supply-chain", "fingerprint": "42f3dcb7a59a48b72c4603141f016a4c0ec69dd6691c78e5ffda5ddbb55c0dbd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|42f3dcb7a59a48b72c4603141f016a4c0ec69dd6691c78e5ffda5ddbb55c0dbd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/playwright.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 48299, "scanner": "repobility-supply-chain", "fingerprint": "83c73f6e936c08d26d83fbc7b30e0af72cea931b48b035f9417666d199e409c8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|83c73f6e936c08d26d83fbc7b30e0af72cea931b48b035f9417666d199e409c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/playwright.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `softprops/action-gh-release` pinned to mutable ref `@v2`: `uses: softprops/action-gh-release@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 48298, "scanner": "repobility-supply-chain", "fingerprint": "499b821a44b8c7e5e1c754bb399655640957a4ae55751564ea6410780a3cd586", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|499b821a44b8c7e5e1c754bb399655640957a4ae55751564ea6410780a3cd586"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/desktop-release.yml"}, "region": {"startLine": 152}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `astral-sh/setup-uv` pinned to mutable ref `@v3`: `uses: astral-sh/setup-uv@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 48297, "scanner": "repobility-supply-chain", "fingerprint": "7e0b6836f51198f67befba1af77662f6f945dbc3f7d6504d82858d7f92e3c4d6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7e0b6836f51198f67befba1af77662f6f945dbc3f7d6504d82858d7f92e3c4d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/desktop-release.yml"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 48296, "scanner": "repobility-supply-chain", "fingerprint": "a3c1ced8998f464eefc08e6dfbeacf375c35c1d2f1f4a53f69ae8a8c97b04db6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a3c1ced8998f464eefc08e6dfbeacf375c35c1d2f1f4a53f69ae8a8c97b04db6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/desktop-release.yml"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 48295, "scanner": "repobility-supply-chain", "fingerprint": "446263e468a2d4fab86aa626e72acf99c462c214428ae82a18b4148cea59cfae", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|446263e468a2d4fab86aa626e72acf99c462c214428ae82a18b4148cea59cfae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/desktop-release.yml"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.get_or_create` used but never assigned in __init__: Method `estimate_context` of class `AgentPool` reads `self.get_or_create`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 48269, "scanner": "repobility-ast-engine", "fingerprint": "43a997e7ef72956e2a1c8438868381d52a2b74efb718f97775d8203eb656fa97", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|43a997e7ef72956e2a1c8438868381d52a2b74efb718f97775d8203eb656fa97"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 1092}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._estimate_context_info` used but never assigned in __init__: Method `_bridge_context_ready_event` of class `AgentPool` reads `self._estimate_context_info`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 48268, "scanner": "repobility-ast-engine", "fingerprint": "e8b34279c9e39e3131727e6731e092c64b0822cca62961d4c17354492cd12166", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e8b34279c9e39e3131727e6731e092c64b0822cca62961d4c17354492cd12166"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 1071}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._estimate_context_info` used but never assigned in __init__: Method `_estimate_context_tokens` of class `AgentPool` reads `self._estimate_context_info`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 48267, "scanner": "repobility-ast-engine", "fingerprint": "48bedd9e3974f6b315119d7017d89a3f99d327009cc3041566afa4a6f15a8cf0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|48bedd9e3974f6b315119d7017d89a3f99d327009cc3041566afa4a6f15a8cf0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 1067}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._mcp_tool_names` used but never assigned in __init__: Method `_estimate_context_info` of class `AgentPool` reads `self._mcp_tool_names`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 48266, "scanner": "repobility-ast-engine", "fingerprint": "96766bf37a3e6743c6e68779c44ec2ee199d1aba9ef2c5836983023c2633ad97", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|96766bf37a3e6743c6e68779c44ec2ee199d1aba9ef2c5836983023c2633ad97"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 1059}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._mcp_tool_names` used but never assigned in __init__: Method `_estimate_context_info` of class `AgentPool` reads `self._mcp_tool_names`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 48265, "scanner": "repobility-ast-engine", "fingerprint": "ba940c8ebd3ab53bd54c121aed555cf0b41ea94808ebab13ae8adba82dfa30bb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ba940c8ebd3ab53bd54c121aed555cf0b41ea94808ebab13ae8adba82dfa30bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 1060}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._agent_tool_names` used but never assigned in __init__: Method `_estimate_context_info` of class `AgentPool` reads `self._agent_tool_names`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 48264, "scanner": "repobility-ast-engine", "fingerprint": "eaa7d4b14e0b96cb15ab9603874ebc309f66866189b6ce1cef605b96d6696a3b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|eaa7d4b14e0b96cb15ab9603874ebc309f66866189b6ce1cef605b96d6696a3b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 1046}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._agent_system_prompt` used but never assigned in __init__: Method `_estimate_context_info` of class `AgentPool` reads `self._agent_system_prompt`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 48263, "scanner": "repobility-ast-engine", "fingerprint": "05fdda9cf80553da93962e45a507692de265079dded63789f6fd91b94d384b82", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|05fdda9cf80553da93962e45a507692de265079dded63789f6fd91b94d384b82"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 1042}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._append_event` used but never assigned in __init__: Method `_install_compression_hook` of class `AgentPool` reads `self._append_event`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 48262, "scanner": "repobility-ast-engine", "fingerprint": "96da0fb1b65259c858395ce80ff484dd58595c4b09ac2817760f05afb3be1d68", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|96da0fb1b65259c858395ce80ff484dd58595c4b09ac2817760f05afb3be1d68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 1004}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._append_event` used but never assigned in __init__: Method `_install_compression_hook` of class `AgentPool` reads `self._append_event`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 48261, "scanner": "repobility-ast-engine", "fingerprint": "79d812ebc4bfbde25ff306247c1b4d43fe3b4fc409031eaae32df79d0d798206", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|79d812ebc4bfbde25ff306247c1b4d43fe3b4fc409031eaae32df79d0d798206"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 995}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._append_event` used but never assigned in __init__: Method `_install_compression_hook` of class `AgentPool` reads `self._append_event`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 48260, "scanner": "repobility-ast-engine", "fingerprint": "b58d057f1953a20f70e888f530bd0caa0d5663dda15156ed32c69b1761f2e167", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b58d057f1953a20f70e888f530bd0caa0d5663dda15156ed32c69b1761f2e167"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 984}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._estimate_context_tokens` used but never assigned in __init__: Method `_install_compression_hook` of class `AgentPool` reads `self._estimate_context_tokens`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 48259, "scanner": "repobility-ast-engine", "fingerprint": "1bf26d3873d9bc0ad9794d61eb558c75072995e002ff8fbab4df4bf366e824d8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1bf26d3873d9bc0ad9794d61eb558c75072995e002ff8fbab4df4bf366e824d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 983}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._estimate_context_tokens` used but never assigned in __init__: Method `_install_compression_hook` of class `AgentPool` reads `self._estimate_context_tokens`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 48258, "scanner": "repobility-ast-engine", "fingerprint": "425fc6944c48c63f4e0079941fef0d7db305cdc1550dcc53e349a2431bf9fe9b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|425fc6944c48c63f4e0079941fef0d7db305cdc1550dcc53e349a2431bf9fe9b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 954}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._append_event` used but never assigned in __init__: Method `_install_compression_hook` of class `AgentPool` reads `self._append_event`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 48257, "scanner": "repobility-ast-engine", "fingerprint": "d439a52072192b9f1f51fbe22af0edb73833e8219489e01aa4ffddb956a7b273", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d439a52072192b9f1f51fbe22af0edb73833e8219489e01aa4ffddb956a7b273"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 967}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._clarify_callback` used but never assigned in __init__: Method `get_or_create` of class `AgentPool` reads `self._clarify_callback`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 48256, "scanner": "repobility-ast-engine", "fingerprint": "0aaba57ba434e404c3248005f1e0ee976c55afc09851858ab117f82745064a37", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0aaba57ba434e404c3248005f1e0ee976c55afc09851858ab117f82745064a37"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 917}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._tool_complete_callback` used but never assigned in __init__: Method `get_or_create` of class `AgentPool` reads `self._tool_complete_callback`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 48255, "scanner": "repobility-ast-engine", "fingerprint": "3ba9307c7965d6d0cd2db96d8d7fb13f520633ad76394c9de2335c56adac2a6d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3ba9307c7965d6d0cd2db96d8d7fb13f520633ad76394c9de2335c56adac2a6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 916}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._tool_start_callback` used but never assigned in __init__: Method `get_or_create` of class `AgentPool` reads `self._tool_start_callback`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 48254, "scanner": "repobility-ast-engine", "fingerprint": "88508876fc56a9831b6c3cf4ff7181113fc7a87f3c65e3dcf8a8c0106d9e79f8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|88508876fc56a9831b6c3cf4ff7181113fc7a87f3c65e3dcf8a8c0106d9e79f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 915}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._tool_progress_callback` used but never assigned in __init__: Method `get_or_create` of class `AgentPool` reads `self._tool_progress_callback`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 48253, "scanner": "repobility-ast-engine", "fingerprint": "99f82146a11e71e8ea5fe86db327f960d62c3ecc084bb16570a08eca2a983db6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|99f82146a11e71e8ea5fe86db327f960d62c3ecc084bb16570a08eca2a983db6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 914}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._text_event_callback` used but never assigned in __init__: Method `get_or_create` of class `AgentPool` reads `self._text_event_callback`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 48252, "scanner": "repobility-ast-engine", "fingerprint": "2da59324fea6edb4b21f3dea68676f75298d56532044c6b0ac470d6135cc4a67", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2da59324fea6edb4b21f3dea68676f75298d56532044c6b0ac470d6135cc4a67"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 913}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._make_thinking_callback` used but never assigned in __init__: Method `get_or_create` of class `AgentPool` reads `self._make_thinking_callback`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 48251, "scanner": "repobility-ast-engine", "fingerprint": "a051c4856cd42efc8ab25a350fc93c8d0c44c4befe18fec5dc328859a0f0a3e9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a051c4856cd42efc8ab25a350fc93c8d0c44c4befe18fec5dc328859a0f0a3e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 912}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._status_callback` used but never assigned in __init__: Method `get_or_create` of class `AgentPool` reads `self._status_callback`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 48250, "scanner": "repobility-ast-engine", "fingerprint": "9cda7c60c6fbf2e513b0c9b6a28bc9516513ea3999e3e907ebc401881a0977ad", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9cda7c60c6fbf2e513b0c9b6a28bc9516513ea3999e3e907ebc401881a0977ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 911}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._destroy_session` used but never assigned in __init__: Method `get_or_create` of class `AgentPool` reads `self._destroy_session`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 48249, "scanner": "repobility-ast-engine", "fingerprint": "a62ff21d8726919936a3f4c851fa6ea4b847f9c1276bb2cc1560dc1fb8b40f14", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a62ff21d8726919936a3f4c851fa6ea4b847f9c1276bb2cc1560dc1fb8b40f14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 871}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._agent_tool_names` used but never assigned in __init__: Method `get_or_create` of class `AgentPool` reads `self._agent_tool_names`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 48248, "scanner": "repobility-ast-engine", "fingerprint": "ebbd0a908be98af35e50c6db9f0952b4e02beff6035fd41613f51d412ff96593", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ebbd0a908be98af35e50c6db9f0952b4e02beff6035fd41613f51d412ff96593"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 921}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._mcp_tool_names` used but never assigned in __init__: Method `get_or_create` of class `AgentPool` reads `self._mcp_tool_names`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 48247, "scanner": "repobility-ast-engine", "fingerprint": "216c54dbd5de3ff6029acdf9b8b2cb481ba4820000f4908ea70a03f32033c90b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|216c54dbd5de3ff6029acdf9b8b2cb481ba4820000f4908ea70a03f32033c90b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 921}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._install_compression_hook` used but never assigned in __init__: Method `get_or_create` of class `AgentPool` reads `self._install_compression_hook`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 48246, "scanner": "repobility-ast-engine", "fingerprint": "d54f2749466d7f99c4403f15f318e06991fc769d9603c0140fae49bc1e65e8fb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d54f2749466d7f99c4403f15f318e06991fc769d9603c0140fae49bc1e65e8fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 920}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.get` used but never assigned in __init__: Method `get_for_profile` of class `SessionDbHolder` reads `self.get`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 48245, "scanner": "repobility-ast-engine", "fingerprint": "76c5b4a6e003709856e0faaa4aabddfd49645d66c51507b19d363a1d06b46572", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|76c5b4a6e003709856e0faaa4aabddfd49645d66c51507b19d363a1d06b46572"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/agent-bridge/hermes_bridge.py"}, "region": {"startLine": 807}}}]}, {"ruleId": "DKR001", "level": "error", "message": {"text": "Docker final stage runs as root"}, "properties": {"repobilityId": 48241, "scanner": "repobility-docker", "fingerprint": "cad95354d56bc062dc1a7cd11850afe9ac1eeea05ca32e57a6fe799a9b764369", "category": "docker", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Final Dockerfile USER resolves to root.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_user": "root", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|cad95354d56bc062dc1a7cd11850afe9ac1eeea05ca32e57a6fe799a9b764369"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": 
{"repobilityId": 48207, "scanner": "repobility-threat-engine", "fingerprint": "04855167bb820b294a8727f40f9852f2399c3174f75d4bd6ce043a35d1d11fd4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|04855167bb820b294a8727f40f9852f2399c3174f75d4bd6ce043a35d1d11fd4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/run-chat/response-stream.ts"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 48206, "scanner": "repobility-threat-engine", "fingerprint": "6a6f79edaac7f65e23610daf9907e51e4483a6c85861edec1ad69e9b3f1327d8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6a6f79edaac7f65e23610daf9907e51e4483a6c85861edec1ad69e9b3f1327d8"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/run-chat/bridge-message.ts"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 48205, "scanner": "repobility-threat-engine", "fingerprint": "aa0d282a8f86d7304dc7859ef050a719f0a47f0af5f4f5d8ee3b7013161fdacc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|aa0d282a8f86d7304dc7859ef050a719f0a47f0af5f4f5d8ee3b7013161fdacc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/run-chat/abort.ts"}, "region": {"startLine": 108}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 48194, "scanner": "repobility-threat-engine", "fingerprint": "66b31581b986586c9c61b9e1cda04224fa07d228ef841a69603e6b8018b406ae", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "socket.destroy()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|66b31581b986586c9c61b9e1cda04224fa07d228ef841a69603e6b8018b406ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/index.ts"}, "region": {"startLine": 199}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 48193, "scanner": "repobility-threat-engine", "fingerprint": "5c6f326a33d82d31678f30e918bdbf42bc92403832b14c982fe7fc71edab044e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "sessions.delete(id)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5c6f326a33d82d31678f30e918bdbf42bc92403832b14c982fe7fc71edab044e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/controllers/hermes/xai-auth.ts"}, "region": {"startLine": 64}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 48192, "scanner": "repobility-threat-engine", "fingerprint": "176bd0ed5a9606920960a51608aeecf356cb0093bd5507fa8103b92fadfe3d31", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "sessions.delete(id)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|176bd0ed5a9606920960a51608aeecf356cb0093bd5507fa8103b92fadfe3d31"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/controllers/hermes/copilot-auth.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 48186, "scanner": "repobility-threat-engine", "fingerprint": "06a5835f7b70d7cb51c16a299e32e71130e5339b114620c8503a53970415c5eb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(text", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|06a5835f7b70d7cb51c16a299e32e71130e5339b114620c8503a53970415c5eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/scripts/merge-mac-latest-yml.mjs"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 48185, "scanner": "repobility-threat-engine", "fingerprint": "6af4dba49b9615705c4eb6f91e3873105590f9ccdef0977e7b58aa6ba4ada5d8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(masked", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6af4dba49b9615705c4eb6f91e3873105590f9ccdef0977e7b58aa6ba4ada5d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/utils/thinking-parser.ts"}, "region": {"startLine": 61}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 48184, "scanner": "repobility-threat-engine", "fingerprint": "f468e8501a3ad2d3056891d2ca9fba92c682eed4deba3fadd70e9ee332f8dd8c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(`${", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f468e8501a3ad2d3056891d2ca9fba92c682eed4deba3fadd70e9ee332f8dd8c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/utils/thinking-parser.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 48162, "scanner": "repobility-threat-engine", "fingerprint": "b2bb15da8d211ab052100d7b6cc719b86ce76fdb68c5be2c2424ab076e09849a", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b2bb15da8d211ab052100d7b6cc719b86ce76fdb68c5be2c2424ab076e09849a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/api/hermes/files.ts"}, "region": {"startLine": 98}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 48161, "scanner": "repobility-threat-engine", "fingerprint": "f3e6a4649ae55a74c9be14d5dc0c9bebae45dc3d24621c4c58bc481001fb3ee1", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(f", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f3e6a4649ae55a74c9be14d5dc0c9bebae45dc3d24621c4c58bc481001fb3ee1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/api/hermes/download.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 48160, "scanner": "repobility-threat-engine", "fingerprint": "255580d685cff49de0d7a53ebd3a48d8f521efbcaae754ba31fe1486a9ec729c", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|255580d685cff49de0d7a53ebd3a48d8f521efbcaae754ba31fe1486a9ec729c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/api/client.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "DKR001", "level": "error", "message": {"text": "Docker final stage runs as root"}, "properties": {"repobilityId": 7088, "scanner": "repobility-docker", "fingerprint": "661728bbbde68b2fc989ca9a2c32466473602016d4d931cd8b1f463c86a42452", "category": "docker", "severity": "high", "confidence": 0.95, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Final Dockerfile USER resolves to root.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_user": "root", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|661728bbbde68b2fc989ca9a2c32466473602016d4d931cd8b1f463c86a42452"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 7074, "scanner": "repobility-threat-engine", "fingerprint": "db4f8ca70e6c44a0567f2c3fe01f06aa7d473029d58f3ac4a5aca1075e2493b8", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "logger.error(err, 'Copilot OAuth: failed to persist token')", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|7|logger.error err copilot oauth: failed to persist token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/controllers/hermes/copilot-auth.ts"}, "region": {"startLine": 71}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 7073, "scanner": "repobility-threat-engine", "fingerprint": "fb06369263a4374827cee512d5a53d993f60b29b9a9e449c3328f262e9a54b0d", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "logger.error('Token exchange failed: %d %s', tokenRes.status, errText)", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|12|logger.error token exchange failed: d s tokenres.status errtext"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/controllers/hermes/codex-auth.ts"}, "region": {"startLine": 122}}}]}, {"ruleId": "SEC018", "level": "error", "message": {"text": "[SEC018] AI-Agent Secret Retrieval Command: A command that prints or embeds credentials was committed. 
AI coding agents often add these commands while trying to help with setup or deployment, but they can leak live secrets through logs, shell history, CI output, or documentation."}, "properties": {"repobilityId": 7071, "scanner": "repobility-threat-engine", "fingerprint": "7a12231548c3418e685c0f3fc9c4821373115976c9bfaed2a5c91aa0fc48f6e7", "category": "credential_exposure", "severity": "high", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "gh auth token", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC018", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|54|gh auth token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/i18n/locales/en.ts"}, "region": {"startLine": 545}}}]}, {"ruleId": "SEC018", "level": "error", "message": {"text": "[SEC018] AI-Agent Secret Retrieval Command: A command that prints or embeds credentials was committed. 
AI coding agents often add these commands while trying to help with setup or deployment, but they can leak live secrets through logs, shell history, CI output, or documentation."}, "properties": {"repobilityId": 7070, "scanner": "repobility-threat-engine", "fingerprint": "39d1e8a361788d99a8e1fd696ce6f1fdac6c3809ae4973b7c1c0aab957b266c0", "category": "credential_exposure", "severity": "high", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "gh auth token", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC018", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|41|gh auth token", "duplicate_count": 1, "duplicate_rule_ids": ["SEC018"], "duplicate_scanners": ["repobility-threat-engine"], "duplicate_fingerprints": ["39d1e8a361788d99a8e1fd696ce6f1fdac6c3809ae4973b7c1c0aab957b266c0", "d17a31d926703e6e260a47caededca5db63314ca430369d4358020c191616efa"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/i18n/locales/fr.ts"}, "region": {"startLine": 415}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.WEBSITE_SSH_PORT` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.WEBSITE_SSH_PORT }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 48312, "scanner": "repobility-supply-chain", "fingerprint": "1c9eaa60ea2d2945384e28c711e924cc029da9f7ca06962c92dd224a764e01c6", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1c9eaa60ea2d2945384e28c711e924cc029da9f7ca06962c92dd224a764e01c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/website-deploy.yml"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.WEBSITE_SSH_USER` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.WEBSITE_SSH_USER }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 48311, "scanner": "repobility-supply-chain", "fingerprint": "91e1f287f050eda9b0f2ff214f5fca96e2ed01fb8182885604524a231690d22e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|91e1f287f050eda9b0f2ff214f5fca96e2ed01fb8182885604524a231690d22e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/website-deploy.yml"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.WEBSITE_SSH_KNOWN_HOSTS` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.WEBSITE_SSH_KNOWN_HOSTS }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 48310, "scanner": "repobility-supply-chain", "fingerprint": "8eb964670a903800e52f9302917b2c2b291fa98396b4577b1ccd122dcc05c70b", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8eb964670a903800e52f9302917b2c2b291fa98396b4577b1ccd122dcc05c70b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/website-deploy.yml"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.WEBSITE_SSH_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.WEBSITE_SSH_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 48309, "scanner": "repobility-supply-chain", "fingerprint": "62bc6406720ab7681585393d15ddb05898c63337cf48cc302f07dc7627974c3c", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|62bc6406720ab7681585393d15ddb05898c63337cf48cc302f07dc7627974c3c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/website-deploy.yml"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED018", "level": "error", "message": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "properties": {"repobilityId": 48204, "scanner": "repobility-threat-engine", "fingerprint": "f2c0844157b9e66e6622cbeb5b6b33368d83201a15bd2c68a0dfe41220b67c73", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, "observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f2c0844157b9e66e6622cbeb5b6b33368d83201a15bd2c68a0dfe41220b67c73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/safe-file-store.ts"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED018", "level": 
"error", "message": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "properties": {"repobilityId": 48203, "scanner": "repobility-threat-engine", "fingerprint": "e50733d22ec003867c5bf94a9a16ab621dc0320e441102d9cea9cf455f11cbb8", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, "observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e50733d22ec003867c5bf94a9a16ab621dc0320e441102d9cea9cf455f11cbb8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/profile-credentials.ts"}, "region": {"startLine": 118}}}]}, {"ruleId": "SEC116", "level": "error", "message": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. 
`unsafe_load` is even more dangerous."}, "properties": {"repobilityId": 48202, "scanner": "repobility-threat-engine", "fingerprint": "9f94be0b1c3b944f0cc694b0363480e8db18d99c6556f6e2484ab23e8a9c5270", "category": "deserialization", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "YAML.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC116", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|78|sec116"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/safe-file-store.ts"}, "region": {"startLine": 78}}}]}, {"ruleId": "SEC116", "level": "error", "message": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. 
`unsafe_load` is even more dangerous."}, "properties": {"repobilityId": 48201, "scanner": "repobility-threat-engine", "fingerprint": "f147bbad6de7f05a17b87cef7afc646d6eb8e59a8492e55213966069faf6eb29", "category": "deserialization", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC116", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|118|sec116"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/profile-credentials.ts"}, "region": {"startLine": 118}}}]}, {"ruleId": "SEC079", "level": "error", "message": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). 
Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "properties": {"repobilityId": 48200, "scanner": "repobility-threat-engine", "fingerprint": "e5345c302641d3d1005ba19856d99753013e0a1bfafdc3aabeab4097116f2073", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "YAML.load(raw, { json: true })", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC079", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e5345c302641d3d1005ba19856d99753013e0a1bfafdc3aabeab4097116f2073"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/safe-file-store.ts"}, "region": {"startLine": 78}}}]}, {"ruleId": "SEC079", "level": "error", "message": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "properties": {"repobilityId": 48199, "scanner": "repobility-threat-engine", "fingerprint": "1fb8bb26f13470f1a3e59a48978318dca298a954f009ba8548d0a91115004583", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(original, { json: true })", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC079", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1fb8bb26f13470f1a3e59a48978318dca298a954f009ba8548d0a91115004583"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/hermes/profile-credentials.ts"}, "region": {"startLine": 118}}}]}]}]}