{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AUC012", "name": "[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json", "shortDescription": {"text": "[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, "}, "fullDescription": {"text": "Set docs_url=None, redoc_url=None, and openapi_url=None for production apps unless the docs are intentionally public and protected by routing, ingress, or an authenticated docs handler."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE "}, "fullDescription": {"text": "Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 15.4% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 15.4% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKC015", "name": "Database service has no healthcheck", "shortDescription": {"text": "Database service has no healthcheck"}, "fullDescription": {"text": "Add a database-native healthcheck such as pg_isready, mysqladmin ping, redis-cli ping, or the vendor's readiness command."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Dockerfile base image has no explicit tag", "shortDescription": {"text": "Dockerfile base image has no explicit tag"}, "fullDescription": {"text": "Pin the image to a supported version tag or digest, for example python:3.13-slim or image@sha256:..."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "AGT016", "name": "Codex session log reader may expose prompts or tool-call content", "shortDescription": {"text": "Codex session log reader may expose prompts or tool-call content"}, "fullDescription": {"text": "Parse only usage metadata by default. Redact prompts, tool arguments, file paths, and message content before storage, telemetry, export, screenshots, or support bundles."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.73, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC012", "name": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the t", "shortDescription": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "fullDescription": {"text": "Validate extracted paths with os.path.realpath() and ensure they stay within the target directory."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC119", "name": "[SEC119] World-writable / world-readable file permissions: World-writable files let any local user (or container neighbo", "shortDescription": {"text": "[SEC119] World-writable / world-readable file permissions: World-writable files let any local user (or container neighbor) tamper with data; world-readable files leak secrets."}, "fullDescription": {"text": "Use 0600 (owner rw only) for secrets, 0644 for general files, 0700 for directories with secrets. Java: `setReadable(true, true)` (owner-only)."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC136", "name": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns ", "shortDescription": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, retur"}, "fullDescription": {"text": "Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC034", "name": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines o", "shortDescription": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (S"}, "fullDescription": {"text": "Strip control characters before logging:\n safe = user_input.replace('\\n','').replace('\\r','').replace('\\x00','')\n logger.info('User action: %s', safe)\nAlways use parameterized logging (`%s` + args), never f-strings or string concat \u2014 that's also what mitigates log4shell-style attacks. For structured logging, use a JSON formatter that escapes values."}, "properties": {"scanner": "repobility-threat-engine", "category": "log_injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR001", "name": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG ", "shortDescription": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "fullDescription": {"text": "Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB005", "name": "robots.txt does not advertise a sitemap", "shortDescription": {"text": "robots.txt does not advertise a sitemap"}, "fullDescription": {"text": "Add `Sitemap: https://your-domain.example/sitemap.xml` to robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKC016", "name": "App service does not wait for database health", "shortDescription": {"text": "App service does not wait for database health"}, "fullDescription": {"text": "Give the database a healthcheck and change the dependency to `depends_on: { db: { condition: service_healthy } }`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "DKR012", "name": "Dockerfile keeps pip download cache", "shortDescription": {"text": "Dockerfile keeps pip download cache"}, "fullDescription": {"text": "Use `pip install --no-cache-dir ...` in container builds."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `_simulate_mode` has cognitive complexity 12 (SonarSource scale). Cognitiv", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `_simulate_mode` has cognitive complexity 12 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursio"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 12."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 / for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 9 more): Same pattern found in 9 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 / for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 8 more): Same pattern found in 8 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 / for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED064", "name": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services.", "shortDescription": {"text": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED055", "name": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of ", "shortDescription": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1357 / A06:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED073", "name": "[MINED073] Redos Greedy Quantifier: Pattern with nested quantifiers like (a+)+ applied to network/user data \u2014 denial of ", "shortDescription": {"text": "[MINED073] Redos Greedy Quantifier: Pattern with nested quantifiers like (a+)+ applied to network/user data \u2014 denial of service."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1333,CWE-400 / A06:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED077", "name": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles.", "shortDescription": {"text": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-772 / for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 8 more): Same pattern found in 8 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC103", "name": "[SEC103] LDAP injection \u2014 non-constant search filter (and 1 more): Same pattern found in 1 additional files. Review if n", "shortDescription": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders)."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED067", "name": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.", "shortDescription": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-400 / for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED001", "name": "[MINED001] Bare Except Pass (and 12 more): Same pattern found in 12 additional files. Review if needed.", "shortDescription": {"text": "[MINED001] Bare Except Pass (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 / for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED004] Weak Crypto (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function (and 33 more): Same pattern found in 33 additional files. Review if needed.", "shortDescription": {"text": "[MINED050] Stub Only Function (and 33 more): Same pattern found in 33 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 / for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED074", "name": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI halluci", "shortDescription": {"text": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI hallucination."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 19 more): Same pattern found in 19 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 19 more): Same pattern found in 19 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n ALLOWED = {'images.example.com', 'cdn.example.com'}\n host = urlparse(url).hostname\n if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED066", "name": "[MINED066] Rust Panic Macro (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED066] Rust Panic Macro (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 / for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED059", "name": "[MINED059] Rust Expect In Prod (and 20 more): Same pattern found in 20 additional files. Review if needed.", "shortDescription": {"text": "[MINED059] Rust Expect In Prod (and 20 more): Same pattern found in 20 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 / for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED003", "name": "[MINED003] Rust Unwrap In Prod (and 14 more): Same pattern found in 14 additional files. Review if needed.", "shortDescription": {"text": "[MINED003] Rust Unwrap In Prod (and 14 more): Same pattern found in 14 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 / for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii (and 19 more): Same pattern found in 19 additional files. Review if needed.", "shortDescription": {"text": "[MINED049] Print Pii (and 19 more): Same pattern found in 19 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 23 more): Same pattern found in 23 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 23 more): Same pattern found in 23 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED062", "name": "[MINED062] Python Dataclass No Fields (and 47 more): Same pattern found in 47 additional files. Review if needed.", "shortDescription": {"text": "[MINED062] Python Dataclass No Fields (and 47 more): Same pattern found in 47 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `python:3.11-slim` not pinned by digest: `FROM python:3.11-slim` resolves the tag at build ti", "shortDescription": {"text": "[MINED118] Dockerfile FROM `python:3.11-slim` not pinned by digest: `FROM python:3.11-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production ima"}, "fullDescription": {"text": "Replace with: `FROM python:3.11-slim@sha256:`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@1.95.0`: `uses: dtolnay/rust-toolchain@1.95.0` resolv", "shortDescription": {"text": "[MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@1.95.0`: `uses: dtolnay/rust-toolchain@1.95.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files "}, "fullDescription": {"text": "Replace with: `uses: dtolnay/rust-toolchain@<40-char-sha> # 1.95.0` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED122", "name": "[MINED122] package.json dep `headroom-ai` pulled from URL/Git: `dependencies.headroom-ai` = `file:../sdk/typescript` byp", "shortDescription": {"text": "[MINED122] package.json dep `headroom-ai` pulled from URL/Git: `dependencies.headroom-ai` = `file:../sdk/typescript` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is comp"}, "fullDescription": {"text": "Publish the dependency to npm (or your private registry) and reference it by `^x.y.z`. If that's not possible, lock by commit SHA: `git+https://...#` AND verify the SHA in CI."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED131", "name": "[MINED131] pre-commit hook `https://github.com/pre-commit/mirrors-mypy` pinned to mutable rev `v1.14.1`: `.pre-commit-co", "shortDescription": {"text": "[MINED131] pre-commit hook `https://github.com/pre-commit/mirrors-mypy` pinned to mutable rev `v1.14.1`: `.pre-commit-config.yaml` references `https://github.com/pre-commit/mirrors-mypy` at `rev: v1.14.1`. If `{rev}` is a branch or version "}, "fullDescription": {"text": "Pin to a commit SHA: `rev: <40-char-sha>` and bump it through `pre-commit autoupdate` (which writes to PRs that are reviewed)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED112", "name": "[MINED112] FastAPI POST /v1beta/models/{model}:batchGenerateContent has no auth: Handler `gemini_batch_create` is regist", "shortDescription": {"text": "[MINED112] FastAPI POST /v1beta/models/{model}:batchGenerateContent has no auth: Handler `gemini_batch_create` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function "}, "fullDescription": {"text": "Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED110", "name": "[MINED110] Blocking call `time.sleep` inside async function `test_eviction_prefers_low_importance_then_old`: `time.sleep", "shortDescription": {"text": "[MINED110] Blocking call `time.sleep` inside async function `test_eviction_prefers_low_importance_then_old`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other "}, "fullDescription": {"text": "Use the async equivalent: `aiohttp` instead of `requests`, `asyncio.sleep` instead of `time.sleep`, `aiofiles` instead of `open`."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED106", "name": "[MINED106] Phantom test coverage: test_query_injection_in_search: Test function `test_query_injection_in_search` runs co", "shortDescription": {"text": "[MINED106] Phantom test coverage: test_query_injection_in_search: Test function `test_query_injection_in_search` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifyi"}, "fullDescription": {"text": "Add an explicit assertion that captures the test's intent, or remove the test."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self.percentile` used but never assigned in __init__: Method `as_summary` of class `LatencyHistogram` reads ", "shortDescription": {"text": "[MINED108] `self.percentile` used but never assigned in __init__: Method `as_summary` of class `LatencyHistogram` reads `self.percentile`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError "}, "fullDescription": {"text": "Initialize `self.percentile = ` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AUC003", "name": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby a", "shortDescription": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: DELETE /v1beta/cachedContents/{cac"}, "fullDescription": {"text": "Add ownership, tenant, relationship, or policy checks before reading or mutating the target object."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "high", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "DKC011", "name": "Database service publishes a host port", "shortDescription": {"text": "Database service publishes a host port"}, "fullDescription": {"text": "Use `expose` for service-to-service access, bind to 127.0.0.1 for local-only access, or protect the port with firewall rules."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "DKR006", "name": "Dockerfile pipes a remote script into a shell", "shortDescription": {"text": "Dockerfile pipes a remote script into a shell"}, "fullDescription": {"text": "Download the artifact, verify its checksum or signature, pin the version, and then execute it."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "AGT002", "name": "LLM memory extraction can be prompt-injected into storing fake facts", "shortDescription": {"text": "LLM memory extraction can be prompt-injected into storing fake facts"}, "fullDescription": {"text": "Validate extracted facts with a schema, enforce length and count limits, reject code-fence/prompt-looking content, and discard facts that contain instruction-like phrases or raw JSON prompt fragments."}, "properties": {"scanner": "repobility-agent-runtime", "category": "llm_injection", "severity": "high", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "MINED009", "name": "[MINED009] Floats For Money: Variable named price/amount/cost typed as float instead of Decimal.", "shortDescription": {"text": "[MINED009] Floats For Money: Variable named price/amount/cost typed as float instead of Decimal."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 / for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC080", "name": "[SEC080] Python: tarfile.extractall without filter: tarfile.extract*() without filter='data' allows path-traversal (CVE-", "shortDescription": {"text": "[SEC080] Python: tarfile.extractall without filter: tarfile.extract*() without filter='data' allows path-traversal (CVE-2007-4559, fixed via PEP 706 in 3.12). Ported from bandit B202 (Apache-2.0)."}, "fullDescription": {"text": "Add `filter='data'` (Python \u2265 3.12) or manually validate member paths against `os.path.abspath`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED020", "name": "[MINED020] Logging Credential Via Fstring: logger.error(f\"failed for {api_key}\") \u2014 secrets end up in log aggregators / s", "shortDescription": {"text": "[MINED020] Logging Credential Via Fstring: logger.error(f\"failed for {api_key}\") \u2014 secrets end up in log aggregators / sentry."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsiv", "shortDescription": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a re"}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC061", "name": "[SEC061] JWT in source: Three-part JWT (likely signed token). Even if expired, may leak structure or claims. Ported from", "shortDescription": {"text": "[SEC061] JWT in source: Three-part JWT (likely signed token). Even if expired, may leak structure or claims. Ported from gitleaks jwt (MIT)."}, "fullDescription": {"text": "If the JWT is live, invalidate by rotating the signing key. Move tokens out of source."}, "properties": {"scanner": "repobility-threat-engine", "category": "secret", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.NPM_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, whic", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.NPM_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.NPM_TOKEN }` lets a PR from any fork exfiltrate the secret (modify"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED107", "name": "[MINED107] Missing import: `queue` used but not imported: The file uses `queue.something(...)` but never imports `queue`", "shortDescription": {"text": "[MINED107] Missing import: `queue` used but not imported: The file uses `queue.something(...)` but never imports `queue`. This raises NameError at runtime the first time the line executes."}, "fullDescription": {"text": "Add `import queue` at the top of the file."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC022", "name": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. Th", "shortDescription": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "fullDescription": {"text": "Remove the embedded password, require the URL from a secret store or environment variable, and rotate the database credential."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/684"}, "properties": {"repository": "chopratejas/headroom", "repoUrl": "https://github.com/chopratejas/headroom", "branch": "main"}, "results": [{"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 52880, "scanner": "repobility-ast-engine", "fingerprint": "fce9797d5c24ccbe468b043cfa136d7fc5510ada861b8507527f08668b04cf63", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fce9797d5c24ccbe468b043cfa136d7fc5510ada861b8507527f08668b04cf63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/headroom_worst_case_benchmark.py"}, "region": {"startLine": 676}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 52879, "scanner": "repobility-ast-engine", "fingerprint": "fb180a6752e0c60c0908d9f818e3c4c26042740b2de701e79778dc15efb3ba67", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fb180a6752e0c60c0908d9f818e3c4c26042740b2de701e79778dc15efb3ba67"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/prefix_cache_benchmark.py"}, "region": {"startLine": 586}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 52878, "scanner": "repobility-ast-engine", "fingerprint": "5b7d68e9cd2824fbce826339ef4ea298a6da5c04b5fcf7035711f500ac7b4cab", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5b7d68e9cd2824fbce826339ef4ea298a6da5c04b5fcf7035711f500ac7b4cab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/replay_codex_ws_load.py"}, "region": {"startLine": 263}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 52877, "scanner": "repobility-ast-engine", "fingerprint": "af070143188b2036f750287fe3e233e9cbe2ccd98264d0b4dfcce11cb3397462", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|af070143188b2036f750287fe3e233e9cbe2ccd98264d0b4dfcce11cb3397462"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/repro_codex_replay.py"}, "region": {"startLine": 682}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 52876, "scanner": "repobility-ast-engine", "fingerprint": "2a6801f91896b5943c8120116548d1f166557730c5729c8b5a5a05b312373029", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2a6801f91896b5943c8120116548d1f166557730c5729c8b5a5a05b312373029"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/repro_codex_replay.py"}, "region": {"startLine": 300}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 52871, "scanner": "repobility-ast-engine", "fingerprint": "9cce754f9b5106e30e0dd502744c440367cd5ec12c62e146994f9aefc71b9e69", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9cce754f9b5106e30e0dd502744c440367cd5ec12c62e146994f9aefc71b9e69"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/smoke_issue_327.py"}, "region": {"startLine": 226}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 52867, "scanner": "repobility-ast-engine", "fingerprint": "8e66b32b5ba379fbfb13146524a8be6dab2e85e157013f738c961ac547816150", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8e66b32b5ba379fbfb13146524a8be6dab2e85e157013f738c961ac547816150"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/client.py"}, "region": {"startLine": 952}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 52866, "scanner": "repobility-ast-engine", "fingerprint": "bbdb25fc8eca7444b296db581b5a771052c733f74ebe2675af2c93f92551c491", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bbdb25fc8eca7444b296db581b5a771052c733f74ebe2675af2c93f92551c491"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/client.py"}, "region": {"startLine": 943}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 52865, "scanner": "repobility-ast-engine", "fingerprint": "5f2ff7b0bf0c707223bad6dff602fef42f0270674052694136e13fe72d9ab1d3", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5f2ff7b0bf0c707223bad6dff602fef42f0270674052694136e13fe72d9ab1d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/client.py"}, "region": {"startLine": 931}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 52864, "scanner": "repobility-ast-engine", "fingerprint": "9b97faefa642c3d2a0cd00887030da8716e3d22aec4a10336b1b9692806f7689", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9b97faefa642c3d2a0cd00887030da8716e3d22aec4a10336b1b9692806f7689"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/client.py"}, "region": {"startLine": 922}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 52845, "scanner": "repobility-ast-engine", "fingerprint": "771deddd34b7944b89458e0c72c4f02cd62f6b113a4172b22bad66131d2d298a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|771deddd34b7944b89458e0c72c4f02cd62f6b113a4172b22bad66131d2d298a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/_version.py"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 52844, "scanner": "repobility-ast-engine", "fingerprint": "3b1c807f8e8c260ab53babc70d325aa16ee9b97ecd4ba621d5c38baf6db20e1a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3b1c807f8e8c260ab53babc70d325aa16ee9b97ecd4ba621d5c38baf6db20e1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/onnx_runtime.py"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 52843, "scanner": "repobility-ast-engine", "fingerprint": "4c93929ec916b89bdb4fbab387e10979d832815dcf16a0cdeff55d714f95f57d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4c93929ec916b89bdb4fbab387e10979d832815dcf16a0cdeff55d714f95f57d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/strands_bedrock_demo.py"}, "region": {"startLine": 981}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 52842, "scanner": "repobility-ast-engine", "fingerprint": "de9c47b196e6c9f5a0552ea1a9c08f2ae831efd7436f5502fb11681dc3a258d8", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|de9c47b196e6c9f5a0552ea1a9c08f2ae831efd7436f5502fb11681dc3a258d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/strands_bundle_demo.py"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 52841, "scanner": "repobility-ast-engine", "fingerprint": "c210ef4e2b50847537c22b16c88ddaed7eea124d8788fb432f660fbb61ad492f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c210ef4e2b50847537c22b16c88ddaed7eea124d8788fb432f660fbb61ad492f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/strands_bundle_demo.py"}, "region": {"startLine": 243}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 52840, "scanner": "repobility-ast-engine", "fingerprint": "0ee3c51a65b0e99d315d09581af6ade40121e13e7c7256cfd013b1638e323c38", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0ee3c51a65b0e99d315d09581af6ade40121e13e7c7256cfd013b1638e323c38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/strands_bundle_demo.py"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 52839, "scanner": "repobility-ast-engine", "fingerprint": "d97a5390410d02f8e9409aba1cedd88aa71bc390253ca2e83d67959f2eb87ed2", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d97a5390410d02f8e9409aba1cedd88aa71bc390253ca2e83d67959f2eb87ed2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/strands_mcp_dispatch_test.py"}, "region": {"startLine": 256}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 52838, "scanner": "repobility-ast-engine", "fingerprint": "3ff4c29ebf40c2a8e198a489621b5fbd7b06af0621bbe778bea09075a86d847f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3ff4c29ebf40c2a8e198a489621b5fbd7b06af0621bbe778bea09075a86d847f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/strands_mcp_dispatch_test.py"}, "region": {"startLine": 226}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 52837, "scanner": "repobility-ast-engine", "fingerprint": "d8583d2036f33ea8b3e1dfa645dcd89f04e9a5b3ae1bee9b3cb6b0caac5f6b21", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d8583d2036f33ea8b3e1dfa645dcd89f04e9a5b3ae1bee9b3cb6b0caac5f6b21"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/strands_mcp_dispatch_test.py"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 52836, "scanner": "repobility-ast-engine", "fingerprint": "de80493b012cec6f78e7ebec66f1c5daa6f2d573f638029b321158d6a47e74b4", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|de80493b012cec6f78e7ebec66f1c5daa6f2d573f638029b321158d6a47e74b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/test_intelligent_context_toin_ccr.py"}, "region": {"startLine": 330}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 52834, "scanner": "repobility-ast-engine", "fingerprint": "07e46d3a9c902aeb086a64c4be6ebecb32c3326d5c86daad5f4b2962d08e7a50", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|07e46d3a9c902aeb086a64c4be6ebecb32c3326d5c86daad5f4b2962d08e7a50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/strands_via_proxy_demo.py"}, "region": {"startLine": 288}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 52833, "scanner": "repobility-ast-engine", "fingerprint": "110630f5bb6f1a36d2405488e5ec9b6f771ce85ae693cb32a98b670faefef14c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|110630f5bb6f1a36d2405488e5ec9b6f771ce85ae693cb32a98b670faefef14c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/strands_via_proxy_demo.py"}, "region": {"startLine": 197}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 52828, "scanner": "repobility-ast-engine", "fingerprint": "49acc3c5572b8d1f8ff2a9824dcc1e80d7d19aa74faf4ac8f391423888692eb3", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|49acc3c5572b8d1f8ff2a9824dcc1e80d7d19aa74faf4ac8f391423888692eb3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "claude_analysis_ttl.py"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 52827, "scanner": "repobility-ast-engine", "fingerprint": "3a871f5eeed01561163b63ed32bcc45269fbbaf847c93881a3a0da07ac1d1c17", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3a871f5eeed01561163b63ed32bcc45269fbbaf847c93881a3a0da07ac1d1c17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "claude_analysis_ttl.py"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 52826, "scanner": "repobility-ast-engine", "fingerprint": "9cb5d34d209d655b5b7fbedfec4fdf5778f4c38b96d45a9c320c3c7ae280f8b7", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9cb5d34d209d655b5b7fbedfec4fdf5778f4c38b96d45a9c320c3c7ae280f8b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "claude_analysis_ttl.py"}, "region": {"startLine": 108}}}]}, {"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 52824, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC012", "level": "warning", "message": {"text": "[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements."}, "properties": {"repobilityId": 52823, "scanner": "repobility-access-control", "fingerprint": "27f8c50db94c1d5138790446654bd4d0b5823ce185d040059e5a7502358b5899", "category": "auth", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"apps": [{"line": 73, "file_path": "tests/test_scripts/test_repro_codex_replay_smoke.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}, {"line": 1496, "file_path": "headroom/proxy/server.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}], "scanner": "repobility-access-control", "correlation_key": "fp|27f8c50db94c1d5138790446654bd4d0b5823ce185d040059e5a7502358b5899"}}}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /v1beta/batches/{batch_name}."}, "properties": {"repobilityId": 52822, "scanner": "repobility-access-control", "fingerprint": "12d711e3a24d1eee0a3fdbf10c2ad4f97d6c265c8f4297469dd01bd9261c4f7a", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/v1beta/batches/{batch_name}", "method": "DELETE", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|599|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/providers/proxy_routes.py"}, "region": {"startLine": 599}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /v1beta/batches/{batch_name}:cancel."}, "properties": {"repobilityId": 52821, "scanner": "repobility-access-control", "fingerprint": "70700d7ad8c624675926e9e874c289ca35996a48d05312e10d725d4cb600abcd", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/v1beta/batches/{batch_name}:cancel", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|595|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/providers/proxy_routes.py"}, "region": {"startLine": 595}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /v1/v1internal:streamGenerateContent."}, "properties": {"repobilityId": 52820, "scanner": "repobility-access-control", "fingerprint": "d55e96d86fe86ac4fa4ee1e2d5e5cd4d0dd01ba3105f60ddf217f2e0a3656287", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/v1/v1internal:streamGenerateContent", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|466|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/providers/proxy_routes.py"}, "region": {"startLine": 466}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /v1internal:streamGenerateContent."}, "properties": {"repobilityId": 52819, "scanner": "repobility-access-control", "fingerprint": "7a391a8bfad5b22920f365fd9ac579c1a5cafa6002290885ccb1f3a9f5721fdd", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/v1internal:streamGenerateContent", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|462|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/providers/proxy_routes.py"}, "region": {"startLine": 462}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /v1beta/models/{model}:countTokens."}, "properties": {"repobilityId": 52818, "scanner": "repobility-access-control", "fingerprint": "34e8a51861dc21b74a1360cfecfb537b599a57779dd2a8e7f3cc9dc237b578a2", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/v1beta/models/{model}:countTokens", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|458|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/providers/proxy_routes.py"}, "region": {"startLine": 458}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /v1beta/models/{model}:streamGenerateContent."}, "properties": {"repobilityId": 52817, "scanner": "repobility-access-control", "fingerprint": "5e8dad8deced9181db0d81141dc49aff4b23b6ad9286784f80a781e6f163b637", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/v1beta/models/{model}:streamGenerateContent", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|454|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/providers/proxy_routes.py"}, "region": {"startLine": 454}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /v1/batches."}, "properties": {"repobilityId": 52816, "scanner": "repobility-access-control", "fingerprint": "233ad87269e39f6a6b2d83e8d470f6f0472393023f1414094eb0d27a4d704cde", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/v1/batches", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|434|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/providers/proxy_routes.py"}, "region": {"startLine": 434}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /v1/messages/batches."}, "properties": {"repobilityId": 52815, "scanner": "repobility-access-control", "fingerprint": "582e29c18e85021451156317b21d1d714d261b8b37d0636ae6bec7423c6decb9", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/v1/messages/batches", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|331|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/providers/proxy_routes.py"}, "region": {"startLine": 331}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /v1/messages/count_tokens."}, "properties": {"repobilityId": 52814, "scanner": "repobility-access-control", "fingerprint": "b2e3655c84a378ce253de3c83c06b52e42d0af8203b9c77fbd77f16e42661435", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/v1/messages/count_tokens", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|322|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/providers/proxy_routes.py"}, "region": {"startLine": 322}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /v1/messages."}, "properties": {"repobilityId": 52813, "scanner": "repobility-access-control", "fingerprint": "a58c0bcad25e702be4cba5915b95ebeeb7588b193fda0d14725a5280dfda822b", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/v1/messages", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|318|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/providers/proxy_routes.py"}, "region": {"startLine": 318}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 15.4% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 52804, "scanner": "repobility-access-control", "fingerprint": "c5d6da0f5a56b68ab6702bbe178cb70a56966c3b131a60fa4af10949175bde76", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 78, "correlation_key": "fp|c5d6da0f5a56b68ab6702bbe178cb70a56966c3b131a60fa4af10949175bde76", "auth_visible_percent": 15.4}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 52803, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["FastAPI", "Next.js", "Axum"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 52802, "scanner": "repobility-docker", "fingerprint": "15e61d4b154ba937479346a18d4ed4de11af76556e180924c41fc19326021984", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "neo4j", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|15e61d4b154ba937479346a18d4ed4de11af76556e180924c41fc19326021984"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 52793, "scanner": "repobility-docker", "fingerprint": "346697c8d97f93fe709c69e4b068f84c26e7ae25ab472ebc5081b0df50534362", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.11-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|346697c8d97f93fe709c69e4b068f84c26e7ae25ab472ebc5081b0df50534362"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/wrap/Dockerfile"}, "region": {"startLine": 61}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 52788, "scanner": "repobility-docker", "fingerprint": "f844604be6da5cedfcf99f383357e0f62d185a859c2a7cb36a06ded34e3ac842", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "quay.io/pypa/manylinux_2_28_x86_64", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|f844604be6da5cedfcf99f383357e0f62d185a859c2a7cb36a06ded34e3ac842"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/wrap/Dockerfile"}, "region": {"startLine": 10}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 52787, "scanner": "repobility-docker", "fingerprint": "34c7c2959eb347f0eeeb81d89cff0d5e56509e2cb7fe4f8aba5906798f738f84", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.11-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|34c7c2959eb347f0eeeb81d89cff0d5e56509e2cb7fe4f8aba5906798f738f84"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/init/Dockerfile"}, "region": {"startLine": 35}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 52783, "scanner": "repobility-docker", "fingerprint": "a6be7b17977fc680b6b339886bfd4fefa4e73f20ac5d603156937a635708fe54", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "quay.io/pypa/manylinux_2_28_x86_64", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|a6be7b17977fc680b6b339886bfd4fefa4e73f20ac5d603156937a635708fe54"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/init/Dockerfile"}, "region": {"startLine": 7}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 52782, "scanner": "repobility-docker", "fingerprint": "c142bcbd99bc45d3ab1360225ea4a92c90d8d384313b9548773bc4b25b10a0eb", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "runtime-slim-base", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|c142bcbd99bc45d3ab1360225ea4a92c90d8d384313b9548773bc4b25b10a0eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 125}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 52775, "scanner": "repobility-docker", "fingerprint": "4da6bec71d31c7c85504298a31927f47fb8a01850be5732c44c0ca0e80e3a8fc", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "mcr.microsoft.com/devcontainers/python:1-${VARIANT}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|4da6bec71d31c7c85504298a31927f47fb8a01850be5732c44c0ca0e80e3a8fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "AGT016", "level": "warning", "message": {"text": "Codex session log reader may expose prompts or tool-call content"}, "properties": {"repobilityId": 52773, "scanner": "repobility-agent-runtime", "fingerprint": "38b8e292eb47136adc64427dd9954bb9f6ee3e7b2eef828dbd95deb450964679", "category": "quality", "severity": "medium", "confidence": 0.73, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File reads Codex session JSONL or usage logs and references prompt/message/tool content without visible redaction controls.", "evidence": {"rule_id": "AGT016", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|38b8e292eb47136adc64427dd9954bb9f6ee3e7b2eef828dbd95deb450964679"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/replay_codex_ws_load.py"}, "region": {"startLine": 2}}}]}, {"ruleId": "AGT016", "level": "warning", "message": {"text": "Codex session log reader may expose prompts or tool-call content"}, "properties": {"repobilityId": 52772, "scanner": "repobility-agent-runtime", "fingerprint": "d07a02766d44d13cc2b70581e4c8b3f64d39088085a6f5019c390508d20bf9f3", "category": "quality", "severity": "medium", "confidence": 0.73, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File reads Codex session JSONL or usage logs and references prompt/message/tool content without visible redaction controls.", "evidence": {"rule_id": "AGT016", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|d07a02766d44d13cc2b70581e4c8b3f64d39088085a6f5019c390508d20bf9f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/subscription/tracker.py"}, "region": {"startLine": 14}}}]}, {"ruleId": "AGT016", "level": "warning", "message": {"text": "Codex session log reader may expose prompts or tool-call content"}, "properties": {"repobilityId": 52770, "scanner": "repobility-agent-runtime", "fingerprint": "2767e68792eca00c507ec7a18f42118a71a30db708f312ee81efc773930ff4d8", "category": "quality", "severity": "medium", "confidence": 0.73, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File reads Codex session JSONL or usage logs and references prompt/message/tool content without visible redaction controls.", "evidence": {"rule_id": "AGT016", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|2767e68792eca00c507ec7a18f42118a71a30db708f312ee81efc773930ff4d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/learn/plugins/codex.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "AGT016", "level": "warning", "message": {"text": "Codex session log reader may expose prompts or tool-call content"}, "properties": {"repobilityId": 52769, "scanner": "repobility-agent-runtime", "fingerprint": "5f8ba7212343ce62b1a66b8253b3002d100d1f2d6f3794be90385d73d1c3c4fc", "category": "quality", "severity": "medium", "confidence": 0.73, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File reads Codex session JSONL or usage logs and references prompt/message/tool content without visible redaction controls.", "evidence": {"rule_id": "AGT016", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|5f8ba7212343ce62b1a66b8253b3002d100d1f2d6f3794be90385d73d1c3c4fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/init/run.py"}, "region": {"startLine": 8}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 52768, "scanner": "repobility-agent-runtime", "fingerprint": "98993a7ca9e21afef6bf0db15d20683901c1363ee965efa4e057624d5667c5f9", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|98993a7ca9e21afef6bf0db15d20683901c1363ee965efa4e057624d5667c5f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/content/docs/docker-install.mdx"}, "region": {"startLine": 13}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 52767, "scanner": "repobility-agent-runtime", "fingerprint": "9ebf692a122f3ff0a77dc72e0a30eb00362ef507a79eeba0d99dd0be3896c42c", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|9ebf692a122f3ff0a77dc72e0a30eb00362ef507a79eeba0d99dd0be3896c42c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 286}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 52729, "scanner": "repobility-threat-engine", "fingerprint": "aa600d3a48def22fa5be741d7e9542e7db5078ee1f8f8e862d0d1ee8c16a1a4e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random() * 30 * 86400000).toISOString(),\n activ", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|aa600d3a48def22fa5be741d7e9542e7db5078ee1f8f8e862d0d1ee8c16a1a4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/typescript/examples/tool-calling-agent.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 52728, "scanner": "repobility-threat-engine", "fingerprint": "10d94c9756ec890e6e2e90a8d4efcea7699b5b088236d04197035aa2c83f0a90", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "ive=100, waiting=47\"\n : `Processing transaction txn_${Math.random(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|10d94c9756ec890e6e2e90a8d4efcea7699b5b088236d04197035aa2c83f0a90"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/typescript/examples/simulation-dry-run.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 52727, "scanner": "repobility-threat-engine", "fingerprint": "e6adf601fe8c794890ee1756893173fc1b8cf687407114881f4508946d9b4275", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random() * 8760),\n activ", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e6adf601fe8c794890ee1756893173fc1b8cf687407114881f4508946d9b4275"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/typescript/examples/basic-compress.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 52726, "scanner": "repobility-threat-engine", "fingerprint": "0f295e6a9cadee54df55a60c1cf1597785f27ffcd7aff90e9271a1739c881190", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".extractall(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|189|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/audit_wheel_glibc_symbols.py"}, "region": {"startLine": 189}}}]}, {"ruleId": "SEC119", "level": "warning", "message": {"text": "[SEC119] World-writable / world-readable file permissions: World-writable files let any local user (or container neighbor) tamper with data; world-readable files leak secrets."}, "properties": {"repobilityId": 52715, "scanner": "repobility-threat-engine", "fingerprint": "a223de329ab2fa375fcaa215c788b5c89e5c16e63b33fa1938d14a8dc9a32930", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "os.chmod(tmp_dir, 0o700)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC119", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|183|sec119"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/proxy/interceptors/astgrep.py"}, "region": {"startLine": 183}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 52714, "scanner": "repobility-threat-engine", "fingerprint": "425f946d3c496fd49fbd6049dd8275d4e614c90a0593e631a8da7449b9ae69d7", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "try:\n size = path.stat().st_size\n read_size = min(size, _MAX_FILE_BYTES)\n with", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|425f946d3c496fd49fbd6049dd8275d4e614c90a0593e631a8da7449b9ae69d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/subscription/session_tracking.py"}, "region": {"startLine": 84}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 52713, "scanner": "repobility-threat-engine", "fingerprint": "890050146781f82b5de0c0dafcda72e10aaee94d59b831aabf002cd93535f531", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "try:\n coro = task.get_coro()\n except Exception:\n return None", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|890050146781f82b5de0c0dafcda72e10aaee94d59b831aabf002cd93535f531"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/proxy/debug_introspection.py"}, "region": {"startLine": 61}}}]}, {"ruleId": "SEC034", "level": "warning", "message": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (SIEM, splunk). Combined with template injection this can escalate to RCE (CVE-2021-44228 log4shell). CWE-117."}, "properties": {"repobilityId": 52690, "scanner": "repobility-threat-engine", "fingerprint": "4e962ca2297f8836a612861139bc8d755d288b2efd073bce12e4723bc76a01a7", "category": "log_injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "logger.info(f\"[{req", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC034", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4e962ca2297f8836a612861139bc8d755d288b2efd073bce12e4723bc76a01a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/proxy/stage_timer.py"}, "region": {"startLine": 180}}}]}, {"ruleId": "SEC034", "level": "warning", "message": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (SIEM, splunk). Combined with template injection this can escalate to RCE (CVE-2021-44228 log4shell). CWE-117."}, "properties": {"repobilityId": 52689, "scanner": "repobility-threat-engine", "fingerprint": "3f52cbe38cc120bbfea03a42c9a7df11cec63f5aa7a65e136c1c2af3274a13f6", "category": "log_injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "logger.debug(f\"HeadroomPreHook tracking request {req", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC034", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3f52cbe38cc120bbfea03a42c9a7df11cec63f5aa7a65e136c1c2af3274a13f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/integrations/agno/hooks.py"}, "region": {"startLine": 120}}}]}, {"ruleId": "SEC034", "level": "warning", "message": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (SIEM, splunk). Combined with template injection this can escalate to RCE (CVE-2021-44228 log4shell). CWE-117."}, "properties": {"repobilityId": 52688, "scanner": "repobility-threat-engine", "fingerprint": "bd355b6bcedda1fd1df80727ab46d41a62af6a7f5bbeb4c4f0b4c7eabec21236", "category": "log_injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "logger.debug(f\"Cost: ${cost:.4f} ({benchmark}, {input", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC034", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bd355b6bcedda1fd1df80727ab46d41a62af6a7f5bbeb4c4f0b4c7eabec21236"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/evals/cost_tracker.py"}, "region": {"startLine": 87}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 52686, "scanner": "repobility-threat-engine", "fingerprint": "826f89774f01209540677ef20999bb72cf4e398f889707610c6348a47d4205bd", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|826f89774f01209540677ef20999bb72cf4e398f889707610c6348a47d4205bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/providers/cohere.py"}, "region": {"startLine": 279}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 52685, "scanner": "repobility-threat-engine", "fingerprint": "2f91310eeca82a68d22bc268fbd9c3b35876af2fb4cebb403c2f8e7101a44a2c", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2f91310eeca82a68d22bc268fbd9c3b35876af2fb4cebb403c2f8e7101a44a2c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/integrations/strands/providers.py"}, "region": {"startLine": 138}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 52684, "scanner": "repobility-threat-engine", "fingerprint": "b2d9ab41fcdc2bd8398e8fa42b7eb50ecf6d44009d7b98156db32195e6741f98", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b2d9ab41fcdc2bd8398e8fa42b7eb50ecf6d44009d7b98156db32195e6741f98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/graph/installer.py"}, "region": {"startLine": 111}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 52669, "scanner": "repobility-threat-engine", "fingerprint": "3505b4af0ec4c23a29646df0db56f505fbecb56af1b8ad327ea5b96d426e014e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Lorem ipsum dolor sit amet", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3505b4af0ec4c23a29646df0db56f505fbecb56af1b8ad327ea5b96d426e014e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/mcp_demo/mock_mcp_servers.py"}, "region": {"startLine": 179}}}]}, {"ruleId": "WEB005", "level": "note", "message": {"text": "robots.txt does not advertise a sitemap"}, "properties": {"repobilityId": 52825, "scanner": "repobility-web-presence", "fingerprint": "cc1fe51459bc8b5696641bff9554b0aed94a00ba281442825aa42616d35078b7", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Discovered robots file or route lacks a Sitemap directive.", "evidence": {"rule_id": "WEB005", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://www.sitemaps.org/protocol.html"], "correlation_key": "fp|cc1fe51459bc8b5696641bff9554b0aed94a00ba281442825aa42616d35078b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/headroom-core/benches/auth_mode.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 52800, "scanner": "repobility-docker", "fingerprint": "5a5932709f2025ea042aa2c842a087fb0b196c0bf227eddbe399f6c0355d6aa5", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "neo4j", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|5a5932709f2025ea042aa2c842a087fb0b196c0bf227eddbe399f6c0355d6aa5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 52799, "scanner": "repobility-docker", "fingerprint": "c3f4e9b1d867e69d4dc3522482acc5c7bca0c96602aa3ea97e5a2bbef48f76ab", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "neo4j", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|c3f4e9b1d867e69d4dc3522482acc5c7bca0c96602aa3ea97e5a2bbef48f76ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 52798, "scanner": "repobility-docker", "fingerprint": "e915f6012968b98d15df7a137caa11b55c1431b9bde797009da94fb300052590", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "qdrant", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|e915f6012968b98d15df7a137caa11b55c1431b9bde797009da94fb300052590"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 52797, "scanner": "repobility-docker", "fingerprint": "53bed6fa83e0b20dca01338bdc0eff1bbbd7c85980ddf8e92e8b78dee9e3f33b", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "qdrant", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|53bed6fa83e0b20dca01338bdc0eff1bbbd7c85980ddf8e92e8b78dee9e3f33b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 52796, "scanner": "repobility-docker", "fingerprint": "f2eb03f4a94fd6fa0cd6cf1b50327cbce953cb322d3b7cd619b7fee23dea9eab", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "headroom-proxy", "dependency": "neo4j", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|f2eb03f4a94fd6fa0cd6cf1b50327cbce953cb322d3b7cd619b7fee23dea9eab", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 52795, "scanner": "repobility-docker", "fingerprint": "7f80983f54868d8bec198a3977b7dcbe8bfb5f2291356d590fb078148e91780d", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "headroom-proxy", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7f80983f54868d8bec198a3977b7dcbe8bfb5f2291356d590fb078148e91780d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 52794, "scanner": "repobility-docker", "fingerprint": "2ae03d2ca68f689d193058b7c353aabad57bc3d37942d6a7c1406762df909513", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "headroom-proxy", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2ae03d2ca68f689d193058b7c353aabad57bc3d37942d6a7c1406762df909513"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 52792, "scanner": "repobility-docker", "fingerprint": "31cad9d88933d1d1bf8e2e17d8b6c4b0cdb8a1926f11ef71396019480b90bc92", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|31cad9d88933d1d1bf8e2e17d8b6c4b0cdb8a1926f11ef71396019480b90bc92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/wrap/Dockerfile"}, "region": {"startLine": 104}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 52790, "scanner": "repobility-docker", "fingerprint": "df4b2ec2f781f48eb72c3b6b802b43b1c863de2438176ab2fae75964697f1349", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|df4b2ec2f781f48eb72c3b6b802b43b1c863de2438176ab2fae75964697f1349"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/wrap/Dockerfile"}, "region": {"startLine": 45}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 52786, "scanner": "repobility-docker", "fingerprint": "62a887823f315eb5aaebf4d851a94c810883668d1ed29a4560404dc286f69a54", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|62a887823f315eb5aaebf4d851a94c810883668d1ed29a4560404dc286f69a54"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/init/Dockerfile"}, "region": {"startLine": 74}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 52785, "scanner": "repobility-docker", "fingerprint": "e40c08917f3b4e612146d13f294a9510e1846a3f4565edcc55e01dc861e54206", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|e40c08917f3b4e612146d13f294a9510e1846a3f4565edcc55e01dc861e54206"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/init/Dockerfile"}, "region": {"startLine": 27}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 52779, "scanner": "repobility-docker", "fingerprint": "e0d8e7e784c3145f8fda26c37b5aed4615509463e9738485df333587400a12f7", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|e0d8e7e784c3145f8fda26c37b5aed4615509463e9738485df333587400a12f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 49}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 52776, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": ["id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 52766, "scanner": "repobility-ai-code-hygiene", "fingerprint": "457efd0adb125ef1aa8edf3725486138079fede11c3d264ac55185935b308ae3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "headroom/cache/__init__.py", "duplicate_line": 103, "correlation_key": "fp|457efd0adb125ef1aa8edf3725486138079fede11c3d264ac55185935b308ae3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/models/__init__.py"}, "region": {"startLine": 34}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 52765, "scanner": "repobility-ai-code-hygiene", "fingerprint": "72e7947ddac76c6c75cfede9ab34ae47209f609bbd873cab7120329e5ac749e5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "headroom/memory/writers/claude_writer.py", "duplicate_line": 30, "correlation_key": "fp|72e7947ddac76c6c75cfede9ab34ae47209f609bbd873cab7120329e5ac749e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/memory/writers/generic_writer.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 52764, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b0b83a6be274167890bb6144aad5ea9674560a46589893bab86d74f0fce627d9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "headroom/memory/writers/claude_writer.py", "duplicate_line": 30, "correlation_key": "fp|b0b83a6be274167890bb6144aad5ea9674560a46589893bab86d74f0fce627d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/memory/writers/codex_writer.py"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 52763, "scanner": "repobility-ai-code-hygiene", "fingerprint": "eb5c4eb4517c2de64e0c19b7c9810675175a90c366924bc6d370ad1f9dfbb57d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "headroom/memory/backends/mem0_system_adapter.py", "duplicate_line": 110, "correlation_key": "fp|eb5c4eb4517c2de64e0c19b7c9810675175a90c366924bc6d370ad1f9dfbb57d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/memory/system.py"}, "region": {"startLine": 50}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 52762, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9d757216a3ce372b0107e7683404866b50f2969e3abecc7408d11e69e32ffe91", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "headroom/memory/backends/direct_mem0.py", "duplicate_line": 417, "correlation_key": "fp|9d757216a3ce372b0107e7683404866b50f2969e3abecc7408d11e69e32ffe91"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/memory/system.py"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 52761, "scanner": "repobility-ai-code-hygiene", "fingerprint": "724af828c368d8c4765338f731172efcfa8f88e896b90a7412aafed9e6cc83ed", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "headroom/memory/adapters/sqlite.py", "duplicate_line": 543, "correlation_key": "fp|724af828c368d8c4765338f731172efcfa8f88e896b90a7412aafed9e6cc83ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/memory/core.py"}, "region": {"startLine": 439}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 52760, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2b9381c890e0aff709d66a4121adc0c780cc1fa4767f2afafd1bd0d774ad6bba", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "headroom/memory/backends/direct_mem0.py", "duplicate_line": 585, "correlation_key": "fp|2b9381c890e0aff709d66a4121adc0c780cc1fa4767f2afafd1bd0d774ad6bba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/memory/backends/mem0_system_adapter.py"}, "region": {"startLine": 82}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 52759, "scanner": "repobility-ai-code-hygiene", "fingerprint": "62913d25f71b3da9098f73c22e4f1ec46a12164948f78a7076079b6e8ae8a8c0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "headroom/memory/__init__.py", "duplicate_line": 92, "correlation_key": "fp|62913d25f71b3da9098f73c22e4f1ec46a12164948f78a7076079b6e8ae8a8c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/memory/backends/__init__.py"}, "region": {"startLine": 38}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 52758, "scanner": "repobility-ai-code-hygiene", "fingerprint": "892f4bb99cbb29fbc42d5a4d9f880baf69b54a3c355c090f18187025f4259f59", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "headroom/memory/adapters/hnsw.py", "duplicate_line": 114, "correlation_key": "fp|892f4bb99cbb29fbc42d5a4d9f880baf69b54a3c355c090f18187025f4259f59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/memory/adapters/sqlite_vector.py"}, "region": {"startLine": 114}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 52757, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2decb17d4b6867c809144647ac53a54805ac218ee9b99b059260f0b375831d93", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "headroom/memory/adapters/graph.py", "duplicate_line": 143, "correlation_key": "fp|2decb17d4b6867c809144647ac53a54805ac218ee9b99b059260f0b375831d93"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/memory/adapters/sqlite_graph.py"}, "region": {"startLine": 269}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 52756, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c37355da572b6b0e01e26c41f35fc3f9ffe2b2d0388c05f2539b65959db78f31", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "headroom/cli/memory.py", "duplicate_line": 146, "correlation_key": "fp|c37355da572b6b0e01e26c41f35fc3f9ffe2b2d0388c05f2539b65959db78f31"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/memory/adapters/sqlite.py"}, "region": {"startLine": 197}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 52755, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2e9a1f37f6106479a1e7d74abd662249095cc6d384efb3169fc63e7e46b87628", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "headroom/memory/adapters/fts5.py", "duplicate_line": 48, "correlation_key": "fp|2e9a1f37f6106479a1e7d74abd662249095cc6d384efb3169fc63e7e46b87628"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/memory/adapters/sqlite.py"}, "region": {"startLine": 50}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 52754, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9674c54c4fdb8d1482e24da7f7042bf7ab4371197d991b72b5953cef5395463d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "headroom/mcp_registry/claude.py", "duplicate_line": 161, "correlation_key": "fp|9674c54c4fdb8d1482e24da7f7042bf7ab4371197d991b72b5953cef5395463d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/mcp_registry/codex.py"}, "region": {"startLine": 160}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 52753, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bf5ef5c7bac7c5ea83848031f6938c165ff90ca9d7581ed2815c856ce4d7227c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "headroom/learn/plugins/codex.py", "duplicate_line": 72, "correlation_key": "fp|bf5ef5c7bac7c5ea83848031f6938c165ff90ca9d7581ed2815c856ce4d7227c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/learn/plugins/gemini.py"}, "region": {"startLine": 86}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 52752, "scanner": "repobility-ai-code-hygiene", "fingerprint": "895f719dc9e8f470b12cf20103f4a68fc43639c8f1ecbf2ba74b1dbd6d4d81e3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "headroom/integrations/agno/model.py", "duplicate_line": 189, "correlation_key": "fp|895f719dc9e8f470b12cf20103f4a68fc43639c8f1ecbf2ba74b1dbd6d4d81e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/integrations/strands/model.py"}, "region": {"startLine": 104}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 52751, "scanner": "repobility-ai-code-hygiene", "fingerprint": "15a57646bf72030c90d70215c074f8c42ebc60ddbe49aeec82c4d7b9363c00b3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "headroom/integrations/asgi.py", "duplicate_line": 139, "correlation_key": "fp|15a57646bf72030c90d70215c074f8c42ebc60ddbe49aeec82c4d7b9363c00b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/integrations/litellm_callback.py"}, "region": {"startLine": 91}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 52750, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6325012f435265e218cb2caf4a03ad37a118483d55edf2ac95c53a28d00c2dd4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "headroom/integrations/agno/model.py", "duplicate_line": 431, "correlation_key": "fp|6325012f435265e218cb2caf4a03ad37a118483d55edf2ac95c53a28d00c2dd4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/integrations/langchain/chat_model.py"}, "region": {"startLine": 387}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 52749, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8704104622e7afaf4e9a98dd675e234986cc8b69c89bf4cab022652ccb1cfa13", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "headroom/integrations/__init__.py", "duplicate_line": 78, "correlation_key": "fp|8704104622e7afaf4e9a98dd675e234986cc8b69c89bf4cab022652ccb1cfa13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/integrations/langchain/__init__.py"}, "region": {"startLine": 60}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 52748, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9fc9859b8a962e8f5ce1aac6e16b0010784b24dba8eee15e34ff42e4aa1338d8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "headroom/evals/core.py", "duplicate_line": 262, "correlation_key": "fp|9fc9859b8a962e8f5ce1aac6e16b0010784b24dba8eee15e34ff42e4aa1338d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/evals/runners/before_after.py"}, "region": {"startLine": 280}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 52747, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0afa4db2c18831c409afffeb15ed996454d42111539022afcf76a3c15ecb4bbf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "headroom/evals/memory/runner.py", "duplicate_line": 79, "correlation_key": "fp|0afa4db2c18831c409afffeb15ed996454d42111539022afcf76a3c15ecb4bbf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/evals/memory/runner_v2.py"}, "region": {"startLine": 154}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 52746, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1a49bedd76a799f3a5b62bdc5cf7c5bdbd034ff83c680ecf5ca1d97958a729f5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "headroom/compression/detector.py", "duplicate_line": 282, "correlation_key": "fp|1a49bedd76a799f3a5b62bdc5cf7c5bdbd034ff83c680ecf5ca1d97958a729f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/compression/handlers/code_handler.py"}, "region": {"startLine": 198}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 52745, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d93ec7fd8fe3e9d24a568b264c94e4a867da32680651be5c6378e7d4165a4814", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/headroom-proxy/src/sse/anthropic.rs", "duplicate_line": 244, "correlation_key": "fp|d93ec7fd8fe3e9d24a568b264c94e4a867da32680651be5c6378e7d4165a4814"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/headroom-proxy/src/sse/openai_responses.rs"}, "region": {"startLine": 317}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 52744, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0915d3e4fd73c2eea854396a99d52b12b505b0ff4eb64b7379585611ad5ccc32", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/headroom-proxy/src/sse/anthropic.rs", "duplicate_line": 244, "correlation_key": "fp|0915d3e4fd73c2eea854396a99d52b12b505b0ff4eb64b7379585611ad5ccc32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/headroom-proxy/src/sse/openai_chat.rs"}, "region": {"startLine": 144}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 52743, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c7fe20053d43b2743678d15270b2484eabf8a69fbf6161835f1a3577e222d449", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/headroom-proxy/src/handlers/chat_completions.rs", "duplicate_line": 25, "correlation_key": "fp|c7fe20053d43b2743678d15270b2484eabf8a69fbf6161835f1a3577e222d449"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/headroom-proxy/src/handlers/responses.rs"}, "region": {"startLine": 61}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 52742, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9537f82462c730904eeb1957ee116ca65064189853d6d56be9549bb0b3e3834e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/headroom-proxy/src/compression/live_zone_openai.rs", "duplicate_line": 92, "correlation_key": "fp|9537f82462c730904eeb1957ee116ca65064189853d6d56be9549bb0b3e3834e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/headroom-proxy/src/compression/live_zone_responses.rs"}, "region": {"startLine": 100}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 52741, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5d3989026daf1def210cc33733b2e95f3fbe92948d74e7d6ecc073c527c54e6b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/headroom-proxy/src/bedrock/invoke.rs", "duplicate_line": 21, "correlation_key": "fp|5d3989026daf1def210cc33733b2e95f3fbe92948d74e7d6ecc073c527c54e6b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/headroom-proxy/src/bedrock/invoke_streaming.rs"}, "region": {"startLine": 31}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 52740, "scanner": "repobility-ai-code-hygiene", "fingerprint": "62664560266f654bcd4c6ae820792d7103a3e4f3c9fb9a44d487202ae12e3820", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/headroom-core/src/transforms/pipeline/offloads/log_offload.rs", "duplicate_line": 90, "correlation_key": "fp|62664560266f654bcd4c6ae820792d7103a3e4f3c9fb9a44d487202ae12e3820"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/headroom-core/src/transforms/pipeline/offloads/search_offload.rs"}, "region": {"startLine": 73}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 52739, "scanner": "repobility-ai-code-hygiene", "fingerprint": "88e57623fb5afe21e98d1643752789d380a895dc4aa3f8dd88158220cfbad4a0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/headroom-core/src/transforms/pipeline/offloads/diff_offload.rs", "duplicate_line": 91, "correlation_key": "fp|88e57623fb5afe21e98d1643752789d380a895dc4aa3f8dd88158220cfbad4a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/headroom-core/src/transforms/pipeline/offloads/log_offload.rs"}, "region": {"startLine": 93}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 52738, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f3b39ca12c50f772e39cf7b08190758b72d2f6b6469145990080c5a602742d3f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/headroom-core/src/transforms/pipeline/offloads/diff_noise.rs", "duplicate_line": 221, "correlation_key": "fp|f3b39ca12c50f772e39cf7b08190758b72d2f6b6469145990080c5a602742d3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/headroom-core/src/transforms/pipeline/offloads/json_offload.rs"}, "region": {"startLine": 80}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 52737, "scanner": "repobility-ai-code-hygiene", "fingerprint": "91c4874c790a2c24ae42fbadbed206ed92f9ecb6ad70aa8b3bff97b46ea40b98", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/headroom-core/src/tokenizer/hf_impl.rs", "duplicate_line": 84, "correlation_key": "fp|91c4874c790a2c24ae42fbadbed206ed92f9ecb6ad70aa8b3bff97b46ea40b98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/headroom-core/src/tokenizer/registry.rs"}, "region": {"startLine": 77}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `_simulate_mode` has cognitive complexity 12 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: for=2, if=5, nested_bonus=5."}, "properties": {"repobilityId": 52640, "scanner": "repobility-threat-engine", "fingerprint": "0aad35e2f5ef9a90f29b0ee28e91563bb0b41c5b0f0dca5c3e6ae2c759a77a88", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 12 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "_simulate_mode", "breakdown": {"if": 5, "for": 2, "nested_bonus": 5}, "complexity": 12, "correlation_key": "fp|0aad35e2f5ef9a90f29b0ee28e91563bb0b41c5b0f0dca5c3e6ae2c759a77a88"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/proxy_mode_benchmark.py"}, "region": {"startLine": 154}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `print_results` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: for=1, if=1, nested_bonus=4, ternary=3."}, "properties": {"repobilityId": 52639, "scanner": "repobility-threat-engine", "fingerprint": "a7d7b5cb0f23111bcab34acfa4339ccbac785a84b7371cebc63a6cab75ea9016", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 9 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "print_results", "breakdown": {"if": 1, "for": 1, "ternary": 3, "nested_bonus": 4}, "complexity": 9, "correlation_key": "fp|a7d7b5cb0f23111bcab34acfa4339ccbac785a84b7371cebc63a6cab75ea9016"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/dynamic_detector_benchmark.py"}, "region": {"startLine": 221}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `print_comparison` has cognitive complexity 13 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: else=1, for=5, if=1, nested_bonus=5, ternary=1."}, "properties": {"repobilityId": 52638, "scanner": "repobility-threat-engine", "fingerprint": "42e7a527d41d6826eb9bb4ae379312ed91216037a7ecfdf1e9621f28cc6ed66c", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 13 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "print_comparison", "breakdown": {"if": 1, "for": 5, "else": 1, "ternary": 1, "nested_bonus": 5}, "complexity": 13, "correlation_key": "fp|42e7a527d41d6826eb9bb4ae379312ed91216037a7ecfdf1e9621f28cc6ed66c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/dynamic_detector_benchmark.py"}, "region": {"startLine": 257}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 52781, "scanner": "repobility-docker", "fingerprint": "a77862792e55a645e0041225eab343d95a0031b4dd071e03fdb0967570166033", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${DISTROLESS_IMAGE}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|a77862792e55a645e0041225eab343d95a0031b4dd071e03fdb0967570166033"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 101}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 52780, "scanner": "repobility-docker", "fingerprint": "5a84617762d186265108aa36ef75e81b6cb3039be7930377b71eb200ac66dde5", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "python:${PYTHON_VERSION}-slim", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|5a84617762d186265108aa36ef75e81b6cb3039be7930377b71eb200ac66dde5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 64}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 52777, "scanner": "repobility-docker", "fingerprint": "6fdc0a88ae1af05ced8a32a5b568067a1d9823dd2fde853c5b011d64ced86d7b", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "python:${PYTHON_VERSION}-slim", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|6fdc0a88ae1af05ced8a32a5b568067a1d9823dd2fde853c5b011d64ced86d7b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 7}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 52774, "scanner": "repobility-docker", "fingerprint": "f8e2a0b93bb1e88b9039c8f1c1595fe3aaa009f366c66babb78cf807cf25b907", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "mcr.microsoft.com/devcontainers/python:1-${VARIANT}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|f8e2a0b93bb1e88b9039c8f1c1595fe3aaa009f366c66babb78cf807cf25b907"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 52736, "scanner": "repobility-threat-engine", "fingerprint": "79fb0293c727ce4cf34b20d6a747be49a4c2fbfcc8322cf11b37a3a40c58aae9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|79fb0293c727ce4cf34b20d6a747be49a4c2fbfcc8322cf11b37a3a40c58aae9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/typescript/src/utils/stream.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 52735, "scanner": "repobility-threat-engine", "fingerprint": "9f2d1520b58df94a658c4b300d422e6246cda7a212f3a61387c4395f45d583a8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9f2d1520b58df94a658c4b300d422e6246cda7a212f3a61387c4395f45d583a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/typescript/src/utils/case.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 52734, "scanner": "repobility-threat-engine", "fingerprint": "c17c3c334a0c891d86f3db6af749774e09bf68bbf397b5eac82d842bd1fc7f0c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|c17c3c334a0c891d86f3db6af749774e09bf68bbf397b5eac82d842bd1fc7f0c", "aggregated_count": 9}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 52733, "scanner": "repobility-threat-engine", "fingerprint": "f052cdbb631b3cd74eb3871a1cc7b39c4f22a7f740edacd0a872392d1d2391fb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f052cdbb631b3cd74eb3871a1cc7b39c4f22a7f740edacd0a872392d1d2391fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/typescript/examples/hooks-custom-compression.ts"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 52732, "scanner": "repobility-threat-engine", "fingerprint": "532c90cc74d091c35ae182fd75e840737f5493b9b93e4076dafd1013a9bba638", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|532c90cc74d091c35ae182fd75e840737f5493b9b93e4076dafd1013a9bba638"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/typescript/examples/ccr-retrieve.ts"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 52731, "scanner": "repobility-threat-engine", "fingerprint": "0ed16ac706cb6b460d5cbac7b34d19eb8c996a9fa9a3ff2f06cf735208fe802e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0ed16ac706cb6b460d5cbac7b34d19eb8c996a9fa9a3ff2f06cf735208fe802e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/typescript/examples/basic-compress.ts"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC087", "level": "none", "message": {"text": "[SEC087] JS: weak Math.random for crypto (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 52730, "scanner": "repobility-threat-engine", "fingerprint": "07858a0dd31ac85f95ed95bbe2ad6e5c01414bdc2286bcfa4d29ab4c4eaef0e9", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|07858a0dd31ac85f95ed95bbe2ad6e5c01414bdc2286bcfa4d29ab4c4eaef0e9"}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 52725, "scanner": "repobility-threat-engine", "fingerprint": "21ed80a5ddd021c94a20eb62cddc1b0c5075df63c6fe0fac4807d3c18a53bcad", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|21ed80a5ddd021c94a20eb62cddc1b0c5075df63c6fe0fac4807d3c18a53bcad", "aggregated_count": 4}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 52724, "scanner": "repobility-threat-engine", "fingerprint": "d8e52f64310fc741b2e6287edd4bdb96003eefc1c16f3a780468bd222c6d628b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d8e52f64310fc741b2e6287edd4bdb96003eefc1c16f3a780468bd222c6d628b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/typescript/examples/ccr-retrieve.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 52723, "scanner": "repobility-threat-engine", "fingerprint": "207074846d39f1825d5d51b8af53aacdf0543297e9411af2d7ef004347f93703", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|207074846d39f1825d5d51b8af53aacdf0543297e9411af2d7ef004347f93703"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/openclaw/src/gateway-config.ts"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 52722, "scanner": "repobility-threat-engine", "fingerprint": "402515ecb2a9cc669d916195008785a1a0aca54bc424da8dee492c0aa17a2f70", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|402515ecb2a9cc669d916195008785a1a0aca54bc424da8dee492c0aa17a2f70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/openclaw/src/engine.ts"}, "region": {"startLine": 109}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 52721, "scanner": "repobility-threat-engine", "fingerprint": "052066f358c8dc375880eece2d5fd2353810d2ef960e03135315617c4cc9f563", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|052066f358c8dc375880eece2d5fd2353810d2ef960e03135315617c4cc9f563", "aggregated_count": 8}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 52720, "scanner": "repobility-threat-engine", "fingerprint": "f5ea91059e7c6971205d7b49ff40dc5c946b9d1ace5f52af0fa23266ce25cf8f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f5ea91059e7c6971205d7b49ff40dc5c946b9d1ace5f52af0fa23266ce25cf8f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/openclaw/src/plugin/index.ts"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 52719, "scanner": "repobility-threat-engine", "fingerprint": "1baee5e0b2540faa4d8507028b62a84208c2f34e4d12cdcb526275e0e5d96922", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1baee5e0b2540faa4d8507028b62a84208c2f34e4d12cdcb526275e0e5d96922"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/openclaw/src/gateway-config.ts"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 52718, "scanner": "repobility-threat-engine", "fingerprint": "a4bb4628d5696080da5f837ef853e3a414aa81127b7f5cde00a66a2065e8a941", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a4bb4628d5696080da5f837ef853e3a414aa81127b7f5cde00a66a2065e8a941"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/openclaw/src/engine.ts"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED064", "level": "none", "message": {"text": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services."}, "properties": {"repobilityId": 52716, "scanner": "repobility-threat-engine", "fingerprint": "1680f97c0fde85d77271cc0079f5f63b5c50426042b07bf2685239ac48b9d143", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-input-call", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348050+00:00", "triaged_in_corpus": 12, "observations_count": 66378, "ai_coder_pattern_id": 124}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1680f97c0fde85d77271cc0079f5f63b5c50426042b07bf2685239ac48b9d143"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/proxy/memory_injection.py"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 52712, "scanner": "repobility-threat-engine", "fingerprint": "ff1d6b2c772f82ff4e21c075fb468900becaf79c654b821527f2c1b0eeed6c49", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ff1d6b2c772f82ff4e21c075fb468900becaf79c654b821527f2c1b0eeed6c49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/tokenizers/huggingface.py"}, "region": {"startLine": 164}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 52711, "scanner": "repobility-threat-engine", "fingerprint": "af4b2204d96efb00613fabe16e13414c48d40f17461aab1d88013bc9a02cb937", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|af4b2204d96efb00613fabe16e13414c48d40f17461aab1d88013bc9a02cb937"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/prediction/__init__.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED073", "level": "none", "message": {"text": "[MINED073] Redos Greedy Quantifier: Pattern with nested quantifiers like (a+)+ applied to network/user data \u2014 denial of service."}, "properties": {"repobilityId": 52710, "scanner": "repobility-threat-engine", "fingerprint": "bb5fd74f304b73fafa1b74ecc709bc9b76fd73e9a260891e47f9c20e4d5230d8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "redos-greedy-quantifier", "owasp": "A06:2021", "cwe_ids": ["CWE-1333", "CWE-400"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348072+00:00", "triaged_in_corpus": 12, "observations_count": 12702, "ai_coder_pattern_id": 35}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bb5fd74f304b73fafa1b74ecc709bc9b76fd73e9a260891e47f9c20e4d5230d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/memory/budget.py"}, "region": {"startLine": 199}}}]}, {"ruleId": "MINED077", "level": "none", "message": {"text": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles."}, "properties": {"repobilityId": 52709, "scanner": "repobility-threat-engine", "fingerprint": "78d14e584e8a66ba8e7fb7dd3bb96e1c9f4e0003c63eaf1fb799898f21133b03", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-open-no-context", "owasp": null, "cwe_ids": ["CWE-772"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348081+00:00", "triaged_in_corpus": 12, "observations_count": 7864, "ai_coder_pattern_id": 123}, "scanner": "repobility-threat-engine", "correlation_key": "fp|78d14e584e8a66ba8e7fb7dd3bb96e1c9f4e0003c63eaf1fb799898f21133b03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/install/runtime.py"}, "region": {"startLine": 202}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 52708, "scanner": "repobility-threat-engine", "fingerprint": "43b81e30ecec4542d5b7c1728a77ddf506d2c87684fdce356d7b2b0e14a44049", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|43b81e30ecec4542d5b7c1728a77ddf506d2c87684fdce356d7b2b0e14a44049"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 52704, "scanner": "repobility-threat-engine", "fingerprint": "deede2eb215d875636a96303401dd81bf1c025789980c14394da92c4eaa2dcca", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|deede2eb215d875636a96303401dd81bf1c025789980c14394da92c4eaa2dcca", "aggregated_count": 1}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 52703, "scanner": "repobility-threat-engine", "fingerprint": "282650e8f886c4fbcd59271e8e86b7ced5cb6b6d432d1641457188d175b64c66", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|282650e8f886c4fbcd59271e8e86b7ced5cb6b6d432d1641457188d175b64c66"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/providers/codex/install.py"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 52702, "scanner": "repobility-threat-engine", "fingerprint": "ffb60e299e0e4d2040daaed3eb34b1962d759c782e7ceace5ef7ab8d13d6316f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ffb60e299e0e4d2040daaed3eb34b1962d759c782e7ceace5ef7ab8d13d6316f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/lean_ctx/installer.py"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 52701, "scanner": "repobility-threat-engine", "fingerprint": "31194e4517ca1b723fdc2fc3b1eac93019dfae9bfbab6677b58397d43bbd3f6e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|31194e4517ca1b723fdc2fc3b1eac93019dfae9bfbab6677b58397d43bbd3f6e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/graph/installer.py"}, "region": {"startLine": 72}}}]}, {"ruleId": "SEC103", "level": "none", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 52697, "scanner": "repobility-threat-engine", "fingerprint": "22508ccee32638f9ac364756933bbf6b1f3edd72383ba0881512139ec7cc5c09", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|22508ccee32638f9ac364756933bbf6b1f3edd72383ba0881512139ec7cc5c09"}}}, {"ruleId": "ERR001", "level": "none", "message": {"text": "[ERR001] Silent Exception Swallowing (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 52687, "scanner": "repobility-threat-engine", "fingerprint": "8a4bd872da419130753367ef5a61efa729f221dd8f26dbedd7003551d50a5f41", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8a4bd872da419130753367ef5a61efa729f221dd8f26dbedd7003551d50a5f41"}}}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "properties": {"repobilityId": 52683, "scanner": "repobility-threat-engine", "fingerprint": "eb470e0060c1aecfe76571b01b468c98afa215239b9d1976846fb331ba0345db", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|eb470e0060c1aecfe76571b01b468c98afa215239b9d1976846fb331ba0345db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/ccr/batch_store.py"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED001", "level": "none", "message": {"text": "[MINED001] Bare Except Pass (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "properties": {"repobilityId": 52681, "scanner": "repobility-threat-engine", "fingerprint": "73511d44b8361eefb9c933764519d3cf5dc2e974ce3bb6776bfaba9ba3044916", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 12 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|73511d44b8361eefb9c933764519d3cf5dc2e974ce3bb6776bfaba9ba3044916", "aggregated_count": 12}}}, {"ruleId": "MINED004", "level": "none", "message": {"text": "[MINED004] Weak Crypto (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 52677, "scanner": "repobility-threat-engine", "fingerprint": "a51fc5b757daa107ff993d54388f809af87b26cac35292629b20c635c24267fc", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a51fc5b757daa107ff993d54388f809af87b26cac35292629b20c635c24267fc", "aggregated_count": 1}}}, {"ruleId": "MINED004", "level": "none", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 52676, "scanner": "repobility-threat-engine", "fingerprint": "f8acec401d0844a2d77fba7ad04e25cacec3454c36ab22b74b3aff6c37274cc9", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern '#\\s*nosec' detected on same line", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f8acec401d0844a2d77fba7ad04e25cacec3454c36ab22b74b3aff6c37274cc9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/parser.py"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED004", "level": "none", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 52675, "scanner": "repobility-threat-engine", "fingerprint": "c8ee6ceaf6a30cdd2e16bb7b9d99c23429ec54b4747b22934d701f5fb14bb736", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern '#\\s*nosec' detected on same line", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c8ee6ceaf6a30cdd2e16bb7b9d99c23429ec54b4747b22934d701f5fb14bb736"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/cache/base.py"}, "region": {"startLine": 323}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function (and 33 more): Same pattern found in 33 additional files. Review if needed."}, "properties": {"repobilityId": 52673, "scanner": "repobility-threat-engine", "fingerprint": "a77cfc115167e00e948acf225442f23e885f0a4d1401d67df28a40b82428adee", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 33 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a77cfc115167e00e948acf225442f23e885f0a4d1401d67df28a40b82428adee", "aggregated_count": 33}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 52672, "scanner": "repobility-threat-engine", "fingerprint": "0507e0b42edbca06d34240a4b1017d2528db749cc858d0ae7e4a7c68e9584fee", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0507e0b42edbca06d34240a4b1017d2528db749cc858d0ae7e4a7c68e9584fee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/cache/backends/base.py"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 52671, "scanner": "repobility-threat-engine", "fingerprint": "dc1d292be62d9ca7999b29aac269e0a1158501f205da0f7e73773113e569e8e9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dc1d292be62d9ca7999b29aac269e0a1158501f205da0f7e73773113e569e8e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/cache/backends/__init__.py"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 52670, "scanner": "repobility-threat-engine", "fingerprint": "127ab4e78944e808e1f39158a6a20964f27f275840dd06f2f166fd1f7867c66f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|127ab4e78944e808e1f39158a6a20964f27f275840dd06f2f166fd1f7867c66f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/backends/base.py"}, "region": {"startLine": 169}}}]}, {"ruleId": "MINED074", "level": "none", "message": {"text": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI hallucination."}, "properties": {"repobilityId": 52668, "scanner": "repobility-threat-engine", "fingerprint": "9634c9b5f262caf16bcb665986323d3ee27cd4e3ccf49524006b5c103be1dfa3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ai-tell-fake-citation", "owasp": null, "cwe_ids": [], "languages": ["python", "javascript", "typescript", "markdown"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348074+00:00", "triaged_in_corpus": 10, "observations_count": 12281, "ai_coder_pattern_id": 176}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9634c9b5f262caf16bcb665986323d3ee27cd4e3ccf49524006b5c103be1dfa3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/strands_bundle_demo.py"}, "region": {"startLine": 148}}}]}, {"ruleId": "MINED074", "level": "none", "message": {"text": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI hallucination."}, "properties": {"repobilityId": 52667, "scanner": "repobility-threat-engine", "fingerprint": "712885299fa3978bd539ed67e3e441b64ad159b75b4755f77829c5943d8c94d5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ai-tell-fake-citation", "owasp": null, "cwe_ids": [], "languages": ["python", "javascript", "typescript", "markdown"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348074+00:00", "triaged_in_corpus": 10, "observations_count": 12281, "ai_coder_pattern_id": 176}, "scanner": "repobility-threat-engine", "correlation_key": "fp|712885299fa3978bd539ed67e3e441b64ad159b75b4755f77829c5943d8c94d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/langchain_demo/mock_tools.py"}, "region": {"startLine": 67}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 19 more): Same pattern found in 19 additional files. Review if needed."}, "properties": {"repobilityId": 52666, "scanner": "repobility-threat-engine", "fingerprint": "4b9a4fefd8163e8e417a9cb6780f3315c1f451b1a7ce33528729dad342398819", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 19 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 19 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|4b9a4fefd8163e8e417a9cb6780f3315c1f451b1a7ce33528729dad342398819"}}}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 52662, "scanner": "repobility-threat-engine", "fingerprint": "a8bbd00f775770ae4100168ccfcac4034761920fead06a1c6690141f0ac00837", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a8bbd00f775770ae4100168ccfcac4034761920fead06a1c6690141f0ac00837", "aggregated_count": 4}}}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "properties": {"repobilityId": 52661, "scanner": "repobility-threat-engine", "fingerprint": "ba4011e585dd1a42125e90a793a459cb8c35fe00ea55fc8d10dadadfd6af8878", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ba4011e585dd1a42125e90a793a459cb8c35fe00ea55fc8d10dadadfd6af8878"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/headroom-core/src/transforms/pipeline/offloads/log_offload.rs"}, "region": {"startLine": 280}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "properties": {"repobilityId": 52660, "scanner": "repobility-threat-engine", "fingerprint": "9757c88c5ec7a2c64d97c405ae76d29eb954bfdf88708bc5f9c8efe105e7f71d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9757c88c5ec7a2c64d97c405ae76d29eb954bfdf88708bc5f9c8efe105e7f71d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/headroom-core/src/transforms/pipeline/offloads/diff_offload.rs"}, "region": {"startLine": 275}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "properties": {"repobilityId": 52659, "scanner": "repobility-threat-engine", "fingerprint": "e8682d71e631ac9e6194499d8416a697f8f71bfb0f10dfb0dbb4e157552b7082", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e8682d71e631ac9e6194499d8416a697f8f71bfb0f10dfb0dbb4e157552b7082"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/headroom-core/src/tokenizer/tiktoken_impl.rs"}, "region": {"startLine": 234}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod (and 20 more): Same pattern found in 20 additional files. Review if needed."}, "properties": {"repobilityId": 52658, "scanner": "repobility-threat-engine", "fingerprint": "36fe3a5c806f490958bbddd0e81df776196cdb273df777dd017862584db17efd", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 20 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|36fe3a5c806f490958bbddd0e81df776196cdb273df777dd017862584db17efd", "aggregated_count": 20}}}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 52657, "scanner": "repobility-threat-engine", "fingerprint": "e59c8dfad52e600c868abe26b2e7a14ce409a5018af53e3c83072dc0ab4e3b7f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e59c8dfad52e600c868abe26b2e7a14ce409a5018af53e3c83072dc0ab4e3b7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/headroom-core/src/ccr/backends/sqlite.rs"}, "region": {"startLine": 128}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 52656, "scanner": "repobility-threat-engine", "fingerprint": "b8c2106ef6dc083373cc0c2f7c3059726e0bf206bf546ce97d89c94497984a38", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b8c2106ef6dc083373cc0c2f7c3059726e0bf206bf546ce97d89c94497984a38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/headroom-core/src/ccr/backends/in_memory.rs"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 52655, "scanner": "repobility-threat-engine", "fingerprint": "6a57f6707a423c37c44eef3bfd7aedd83f4867c09065b7e7377a3d5d75d4f7b3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6a57f6707a423c37c44eef3bfd7aedd83f4867c09065b7e7377a3d5d75d4f7b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/headroom-core/benches/tokenizer.rs"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED003", "level": "none", "message": {"text": "[MINED003] Rust Unwrap In Prod (and 14 more): Same pattern found in 14 additional files. Review if needed."}, "properties": {"repobilityId": 52654, "scanner": "repobility-threat-engine", "fingerprint": "87a995518e6b80ec572d3ec6cc4d17b264a4a743e180fe16235006f43fc55c08", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 14 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|87a995518e6b80ec572d3ec6cc4d17b264a4a743e180fe16235006f43fc55c08", "aggregated_count": 14}}}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii (and 19 more): Same pattern found in 19 additional files. Review if needed."}, "properties": {"repobilityId": 52649, "scanner": "repobility-threat-engine", "fingerprint": "fbf3aa8ddcba2a4c61fdc117af2ff05e6497244a4ab9e8f77fa12fd05fd71692", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 19 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|fbf3aa8ddcba2a4c61fdc117af2ff05e6497244a4ab9e8f77fa12fd05fd71692", "aggregated_count": 19}}}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 52648, "scanner": "repobility-threat-engine", "fingerprint": "e792f5d2e2842c23a2306966c6dbd7033ce6f8f21143d248fac1dce33b1e6461", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e792f5d2e2842c23a2306966c6dbd7033ce6f8f21143d248fac1dce33b1e6461"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/langchain_demo/show_compression.py"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 52647, "scanner": "repobility-threat-engine", "fingerprint": "2a49b642b30b62e98e3c54d199a98eafd83695dd6b44d812c65083b23d5d8afd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2a49b642b30b62e98e3c54d199a98eafd83695dd6b44d812c65083b23d5d8afd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/langchain_demo/mock_tools.py"}, "region": {"startLine": 235}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 52646, "scanner": "repobility-threat-engine", "fingerprint": "f0a81ddbf820a25b49b54935ef05463c6ab7bfd2c2c255f3851c772cf1db76e4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f0a81ddbf820a25b49b54935ef05463c6ab7bfd2c2c255f3851c772cf1db76e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/proxy_mode_benchmark.py"}, "region": {"startLine": 246}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 23 more): Same pattern found in 23 additional files. Review if needed."}, "properties": {"repobilityId": 52645, "scanner": "repobility-threat-engine", "fingerprint": "31c2bde8259a439a58df84e0d6229e40e59c553cd5a92257a1d8b9643838d66c", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 23 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 23 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|31c2bde8259a439a58df84e0d6229e40e59c553cd5a92257a1d8b9643838d66c"}}}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 123 more): Same pattern found in 123 additional files. Review if needed."}, "properties": {"repobilityId": 52641, "scanner": "repobility-threat-engine", "fingerprint": "654db92a4eb5c7c50badfb7c108429ced64e51cc989413a0adb5591c0492f9b2", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 123 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "print_comparison", "breakdown": {"if": 1, "for": 5, "else": 1, "ternary": 1, "nested_bonus": 5}, "aggregated": true, "complexity": 13, "correlation_key": "fp|654db92a4eb5c7c50badfb7c108429ced64e51cc989413a0adb5591c0492f9b2", "aggregated_count": 123}}}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields (and 47 more): Same pattern found in 47 additional files. Review if needed."}, "properties": {"repobilityId": 52637, "scanner": "repobility-threat-engine", "fingerprint": "822ea2d9db0c7e8f93d2105b7f477845f952be617d74ac6f0b80f449d48e3ca5", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 47 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|822ea2d9db0c7e8f93d2105b7f477845f952be617d74ac6f0b80f449d48e3ca5", "aggregated_count": 47}}}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 52636, "scanner": "repobility-threat-engine", "fingerprint": "34052aa6db1fd9fe43e701d56068b692d14236e72d71bb400a6c02a694de3f19", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|34052aa6db1fd9fe43e701d56068b692d14236e72d71bb400a6c02a694de3f19"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/cache/base.py"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 52635, "scanner": "repobility-threat-engine", "fingerprint": "00aaf3baf98e6d186ea943b400dc4586f7283d0c91a88a08ad46204c8be4590a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|00aaf3baf98e6d186ea943b400dc4586f7283d0c91a88a08ad46204c8be4590a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/backends/base.py"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 52634, "scanner": "repobility-threat-engine", "fingerprint": "d8d5d41a2a8a386ab120810c3f55b83bb340132f647fc5df6ebb0b2733e8f5a2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d8d5d41a2a8a386ab120810c3f55b83bb340132f647fc5df6ebb0b2733e8f5a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/dynamic_detector_benchmark.py"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `python:3.11-slim` not pinned by digest: `FROM python:3.11-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 52978, "scanner": "repobility-supply-chain", "fingerprint": "c6b204fbaa9b032f291e49aca0b07c2633a0ef9fe10a858e21064705645ce865", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c6b204fbaa9b032f291e49aca0b07c2633a0ef9fe10a858e21064705645ce865"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/wrap/Dockerfile"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `quay.io/pypa/manylinux_2_28_x86_64 (no tag)` not pinned by digest: `FROM quay.io/pypa/manylinux_2_28_x86_64 (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 52977, "scanner": "repobility-supply-chain", "fingerprint": "ce6bb61b5c3d71481640411cedfec0a7cb4da51a4f090dcafe6cfe8ec2f63376", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ce6bb61b5c3d71481640411cedfec0a7cb4da51a4f090dcafe6cfe8ec2f63376"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/wrap/Dockerfile"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `python:3.11-slim` not pinned by digest: `FROM python:3.11-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 52976, "scanner": "repobility-supply-chain", "fingerprint": "70c972db48b526c649333540245fa98a89833e89488ba6f2924e9f460bfebe1c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|70c972db48b526c649333540245fa98a89833e89488ba6f2924e9f460bfebe1c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/init/Dockerfile"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `quay.io/pypa/manylinux_2_28_x86_64 (no tag)` not pinned by digest: `FROM quay.io/pypa/manylinux_2_28_x86_64 (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 52975, "scanner": "repobility-supply-chain", "fingerprint": "e373aec86f887c8d8b25fadfb1e6640d19a7f6d70425a467579e458f4ae6258a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e373aec86f887c8d8b25fadfb1e6640d19a7f6d70425a467579e458f4ae6258a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/init/Dockerfile"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@1.95.0`: `uses: dtolnay/rust-toolchain@1.95.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 52972, "scanner": "repobility-supply-chain", "fingerprint": "567c94b242ea4edc4d8464f0f572a2f5f99afa84edd11a048fc4885efda72027", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|567c94b242ea4edc4d8464f0f572a2f5f99afa84edd11a048fc4885efda72027"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v5`: `uses: actions/setup-python@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 52971, "scanner": "repobility-supply-chain", "fingerprint": "631fe98f140d98f79968cf26618dca161126c0845ee36ad1ca90eb3f3483183e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|631fe98f140d98f79968cf26618dca161126c0845ee36ad1ca90eb3f3483183e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 52970, "scanner": "repobility-supply-chain", "fingerprint": "35861b548118c697360a335a0cfd51a775045bf6889dc882f760c42bc8b2975a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|35861b548118c697360a335a0cfd51a775045bf6889dc882f760c42bc8b2975a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `codecov/codecov-action` pinned to mutable ref `@v4`: `uses: codecov/codecov-action@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 52969, "scanner": "repobility-supply-chain", "fingerprint": "709a6249795a120ce733ee3fcf926ff0529ddc19d3cf8088de7325acc0809e96", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|709a6249795a120ce733ee3fcf926ff0529ddc19d3cf8088de7325acc0809e96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 52968, "scanner": "repobility-supply-chain", "fingerprint": "acd91f2e0241f20d1a723a33f68c9aab5743a8d47eca2a9489a5cce7eadc6c55", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|acd91f2e0241f20d1a723a33f68c9aab5743a8d47eca2a9489a5cce7eadc6c55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Swatinem/rust-cache` pinned to mutable ref `@v2`: `uses: Swatinem/rust-cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 52967, "scanner": "repobility-supply-chain", "fingerprint": "3a1457b7b6548b0d9aee48eee400563698bec5f356c4341bd609a136c11ec559", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3a1457b7b6548b0d9aee48eee400563698bec5f356c4341bd609a136c11ec559"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@1.95.0`: `uses: dtolnay/rust-toolchain@1.95.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 52966, "scanner": "repobility-supply-chain", "fingerprint": "afeed388740652a397da0fbfcdce4463bb0f31d86b44f4c710fc9441463ec952", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|afeed388740652a397da0fbfcdce4463bb0f31d86b44f4c710fc9441463ec952"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v5`: `uses: actions/setup-python@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 52965, "scanner": "repobility-supply-chain", "fingerprint": "43c9d3c20f6bcf36458901ece30a8ac65c1927ee37c6caccb41797ef19aea215", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|43c9d3c20f6bcf36458901ece30a8ac65c1927ee37c6caccb41797ef19aea215"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 52964, "scanner": "repobility-supply-chain", "fingerprint": "a11602f833e79c4a19fa4c706495fa3662e7098063f16e9bc171f349793ac718", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a11602f833e79c4a19fa4c706495fa3662e7098063f16e9bc171f349793ac718"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `sigstore/cosign-installer` pinned to mutable ref `@v3`: `uses: sigstore/cosign-installer@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 52963, "scanner": "repobility-supply-chain", "fingerprint": "29e38cf419e3043a1acf3d05d4e5931056fa3fcf8897ab82be88539fdfa3aeff", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|29e38cf419e3043a1acf3d05d4e5931056fa3fcf8897ab82be88539fdfa3aeff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yml"}, "region": {"startLine": 318}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 52962, "scanner": "repobility-supply-chain", "fingerprint": "a3ff3f081e9c13867188e862fb1e613e5cfd0e5c96fa01672f8439f1a6e44079", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a3ff3f081e9c13867188e862fb1e613e5cfd0e5c96fa01672f8439f1a6e44079"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yml"}, "region": {"startLine": 239}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 52961, "scanner": "repobility-supply-chain", "fingerprint": "b4faae112cb8d459decfe15ce0c5aa7791d5b42e5f00dfa04605d65443d8bdcc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b4faae112cb8d459decfe15ce0c5aa7791d5b42e5f00dfa04605d65443d8bdcc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yml"}, "region": {"startLine": 169}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v5`: `uses: actions/setup-python@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 52960, "scanner": "repobility-supply-chain", "fingerprint": "81fb20baa247c964f888aaf03e86699963d79c1ec801f7627e5294902630639a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|81fb20baa247c964f888aaf03e86699963d79c1ec801f7627e5294902630639a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yml"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 52959, "scanner": "repobility-supply-chain", "fingerprint": "21bcda55b4bc6ec3a34ec2b1c5b0f663df38a50222a57f672c8b23f10f566a5a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|21bcda55b4bc6ec3a34ec2b1c5b0f663df38a50222a57f672c8b23f10f566a5a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yml"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 52958, "scanner": "repobility-supply-chain", "fingerprint": "9076b95cc3f5a51213ef908288b0c57e515c0ac1ef1039d94df0d01eb28eef32", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9076b95cc3f5a51213ef908288b0c57e515c0ac1ef1039d94df0d01eb28eef32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/init-e2e.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `googleapis/release-please-action` pinned to mutable ref `@v4`: `uses: googleapis/release-please-action@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 52957, "scanner": "repobility-supply-chain", "fingerprint": "376a338a9b8de2faff0ba3948631f327110d6b3e8f825fa6a32129bc74698bbc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|376a338a9b8de2faff0ba3948631f327110d6b3e8f825fa6a32129bc74698bbc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-please.yml"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 52953, "scanner": "repobility-supply-chain", "fingerprint": "0c754c014cd0a2f066c147e14946b262701467b1fc866335cc73640683091c84", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0c754c014cd0a2f066c147e14946b262701467b1fc866335cc73640683091c84"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/eval.yml"}, "region": {"startLine": 105}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Swatinem/rust-cache` pinned to mutable ref `@v2`: `uses: Swatinem/rust-cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 52952, "scanner": "repobility-supply-chain", "fingerprint": "208c09a97363cee4b6bf3c2e41669084ce76fb506b0edab26940e03b2c99d6d1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|208c09a97363cee4b6bf3c2e41669084ce76fb506b0edab26940e03b2c99d6d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/eval.yml"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@1.95.0`: `uses: dtolnay/rust-toolchain@1.95.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 52951, "scanner": "repobility-supply-chain", "fingerprint": "434c100fe1c0d0b15a4ad676bc3918e498cfb206c67c7666be4d3320ae41b8bb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|434c100fe1c0d0b15a4ad676bc3918e498cfb206c67c7666be4d3320ae41b8bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/eval.yml"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v5`: `uses: actions/setup-python@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 52950, "scanner": "repobility-supply-chain", "fingerprint": "a3d256f9e778a2abace1bf79508f42868e8675ce0ba6096749ba4bc099e68d98", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a3d256f9e778a2abace1bf79508f42868e8675ce0ba6096749ba4bc099e68d98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/eval.yml"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 52949, "scanner": "repobility-supply-chain", "fingerprint": "bb3fd0df9d5d78611c53c65905a2567ac65774739e0de15e8d5647feb085f2dd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bb3fd0df9d5d78611c53c65905a2567ac65774739e0de15e8d5647feb085f2dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/eval.yml"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Swatinem/rust-cache` pinned to mutable ref `@v2`: `uses: Swatinem/rust-cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 52948, "scanner": "repobility-supply-chain", "fingerprint": "538cd084c1d840e1083d3ff3c92ae70ad49955902220545f766af0585e16406c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|538cd084c1d840e1083d3ff3c92ae70ad49955902220545f766af0585e16406c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/eval.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@1.95.0`: `uses: dtolnay/rust-toolchain@1.95.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 52947, "scanner": "repobility-supply-chain", "fingerprint": "76bc575f799aef0cd032494768920324a67ad298526344526225c0082eda203f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|76bc575f799aef0cd032494768920324a67ad298526344526225c0082eda203f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/eval.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v5`: `uses: actions/setup-python@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 52946, "scanner": "repobility-supply-chain", "fingerprint": "03c192b015f32ec50c2cd230966a66bfd88db6dec89570ce81594e148ac49119", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|03c192b015f32ec50c2cd230966a66bfd88db6dec89570ce81594e148ac49119"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/eval.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 52945, "scanner": "repobility-supply-chain", "fingerprint": "0353d4366d7ab45941bfd2c64a97fe0afa24acc66fdf65c36b342d5e55373dfb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0353d4366d7ab45941bfd2c64a97fe0afa24acc66fdf65c36b342d5e55373dfb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/eval.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `mcr.microsoft.com/devcontainers/python:1-` not pinned by digest: `FROM mcr.microsoft.com/devcontainers/python:1-` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 52944, "scanner": "repobility-supply-chain", "fingerprint": "e2652caa4b11f4eb9021d26250651c347ea3c4636569d23c3fadf4ad179726bf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e2652caa4b11f4eb9021d26250651c347ea3c4636569d23c3fadf4ad179726bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `headroom-ai` pulled from URL/Git: `dependencies.headroom-ai` = `file:../sdk/typescript` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 52943, "scanner": "repobility-supply-chain", "fingerprint": "f7c859b058aee1387f71e555c9beb1af76e7132c1adf11d7e131f7dbd5c850ba", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f7c859b058aee1387f71e555c9beb1af76e7132c1adf11d7e131f7dbd5c850ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "[MINED131] pre-commit hook `https://github.com/pre-commit/mirrors-mypy` pinned to mutable rev `v1.14.1`: `.pre-commit-config.yaml` references `https://github.com/pre-commit/mirrors-mypy` at `rev: v1.14.1`. If `{rev}` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine."}, "properties": {"repobilityId": 52942, "scanner": "repobility-supply-chain", "fingerprint": "53247afeabbd5d20ffd538e164762d8358303e48be599a234b3b9b311886e1d0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|53247afeabbd5d20ffd538e164762d8358303e48be599a234b3b9b311886e1d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "[MINED131] pre-commit hook `https://github.com/astral-sh/ruff-pre-commit` pinned to mutable rev `v0.9.4`: `.pre-commit-config.yaml` references `https://github.com/astral-sh/ruff-pre-commit` at `rev: v0.9.4`. If `{rev}` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine."}, "properties": {"repobilityId": 52941, "scanner": "repobility-supply-chain", "fingerprint": "b07da506497a9db06e5858fbf0f6a6b01cab0c9b0cc8c1bc4ddce125417f9ed1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b07da506497a9db06e5858fbf0f6a6b01cab0c9b0cc8c1bc4ddce125417f9ed1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /v1beta/models/{model}:batchGenerateContent has no auth: Handler `gemini_batch_create` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 52940, "scanner": "repobility-route-auth", "fingerprint": "bbf81120ac00968c845852d3068688d21611b59c64edf0b9902f756810990a78", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|bbf81120ac00968c845852d3068688d21611b59c64edf0b9902f756810990a78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/providers/proxy_routes.py"}, "region": {"startLine": 588}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /v1beta/models/{model}:batchEmbedContents has no auth: Handler `gemini_batch_embed_contents` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 52939, "scanner": "repobility-route-auth", "fingerprint": "c2b8372db76cd62da29d9708e7d52134da8edaa1634deb81c0f7967beb4ada35", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|c2b8372db76cd62da29d9708e7d52134da8edaa1634deb81c0f7967beb4ada35"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/providers/proxy_routes.py"}, "region": {"startLine": 579}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /v1beta/models/{model}:embedContent has no auth: Handler `gemini_embed_content` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 52938, "scanner": "repobility-route-auth", "fingerprint": "764d56ee863b560eeed2d09f61de575284d663e97c03c745b7598b5dca370f9d", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|764d56ee863b560eeed2d09f61de575284d663e97c03c745b7598b5dca370f9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/providers/proxy_routes.py"}, "region": {"startLine": 570}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /v1/audio/speech has no auth: Handler `openai_audio_speech` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 52937, "scanner": "repobility-route-auth", "fingerprint": "a529dbbfacef2aa9f32546082f8291404f7341bfadcc3f4a87b48b3cc549d085", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|a529dbbfacef2aa9f32546082f8291404f7341bfadcc3f4a87b48b3cc549d085"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/providers/proxy_routes.py"}, "region": {"startLine": 543}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /v1/audio/transcriptions has no auth: Handler `openai_audio_transcriptions` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 52936, "scanner": "repobility-route-auth", "fingerprint": "30687da8572fa3ebcc53ed59fca75d3914f027434a912cd55708823e9b474895", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|30687da8572fa3ebcc53ed59fca75d3914f027434a912cd55708823e9b474895"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/providers/proxy_routes.py"}, "region": {"startLine": 534}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /v1/images/generations has no auth: Handler `openai_images_generations` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 52935, "scanner": "repobility-route-auth", "fingerprint": "eae76eaa4e504f7b83ecaf8cd7290c2b4aa3d00fca9e2530d6ffea1a8483b418", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|eae76eaa4e504f7b83ecaf8cd7290c2b4aa3d00fca9e2530d6ffea1a8483b418"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/providers/proxy_routes.py"}, "region": {"startLine": 525}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /v1/moderations has no auth: Handler `openai_moderations` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 52934, "scanner": "repobility-route-auth", "fingerprint": "1ac89a59bdfca205d7976d775eb0ce2d8e0bf65b8e80fbec9db17714c48ad6a6", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|1ac89a59bdfca205d7976d775eb0ce2d8e0bf65b8e80fbec9db17714c48ad6a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/providers/proxy_routes.py"}, "region": {"startLine": 516}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /v1/embeddings has no auth: Handler `openai_embeddings` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 52933, "scanner": "repobility-route-auth", "fingerprint": "9eade2686633dd726c9ef16e90da0d2957eb6b70ea82b7fb71fd62fc1b813209", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|9eade2686633dd726c9ef16e90da0d2957eb6b70ea82b7fb71fd62fc1b813209"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/providers/proxy_routes.py"}, "region": {"startLine": 507}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /v1/v1internal:streamGenerateContent has no auth: Handler `google_cloudcode_stream_generate_content_v1` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 52932, "scanner": "repobility-route-auth", "fingerprint": "cb9b7753ff1ea4c188869b230e60db5b4657c3c045094ca4321f5667ca0b8bff", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|cb9b7753ff1ea4c188869b230e60db5b4657c3c045094ca4321f5667ca0b8bff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/providers/proxy_routes.py"}, "region": {"startLine": 467}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /v1internal:streamGenerateContent has no auth: Handler `google_cloudcode_stream_generate_content` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 52931, "scanner": "repobility-route-auth", "fingerprint": "ad8905d3507e1512e4cef3bbe4dbf155e0cc25e9550c3099f55553d90885bd5a", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|ad8905d3507e1512e4cef3bbe4dbf155e0cc25e9550c3099f55553d90885bd5a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/providers/proxy_routes.py"}, "region": {"startLine": 463}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /v1beta/models/{model}:countTokens has no auth: Handler `gemini_count_tokens` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 52930, "scanner": "repobility-route-auth", "fingerprint": "dcb7e1603602aee063634a2ccbc0595955269bce07f7b34a3e3439570e05b5d2", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|dcb7e1603602aee063634a2ccbc0595955269bce07f7b34a3e3439570e05b5d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/providers/proxy_routes.py"}, "region": {"startLine": 459}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /v1beta/models/{model}:streamGenerateContent has no auth: Handler `gemini_stream_generate_content` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 52929, "scanner": "repobility-route-auth", "fingerprint": "d6ecc235d7446c78c5bc54e6e8e53c00abff07a400524ac05315d94898938ac2", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|d6ecc235d7446c78c5bc54e6e8e53c00abff07a400524ac05315d94898938ac2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/providers/proxy_routes.py"}, "region": {"startLine": 455}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /v1beta/models/{model}:generateContent has no auth: Handler `gemini_generate_content` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 52928, "scanner": "repobility-route-auth", "fingerprint": "143f3b53e58a31b05f7167701d5425ddaf39ef7f328bf6d0cf20871d22e38337", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|143f3b53e58a31b05f7167701d5425ddaf39ef7f328bf6d0cf20871d22e38337"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/providers/proxy_routes.py"}, "region": {"startLine": 451}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /v1/batches/{batch_id}/cancel has no auth: Handler `cancel_batch` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 52927, "scanner": "repobility-route-auth", "fingerprint": "ae6ac60949e2adc442e4173ee9abd4882d9f9c7901e52e66f357a4237ec28c06", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|ae6ac60949e2adc442e4173ee9abd4882d9f9c7901e52e66f357a4237ec28c06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/providers/proxy_routes.py"}, "region": {"startLine": 447}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /v1/batches has no auth: Handler `create_batch` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 52926, "scanner": "repobility-route-auth", "fingerprint": "c8d31c4a5ee6278d47c354b9c767492aa5d693fe4a22ee9a78777e7156e5557b", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|c8d31c4a5ee6278d47c354b9c767492aa5d693fe4a22ee9a78777e7156e5557b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/providers/proxy_routes.py"}, "region": {"startLine": 435}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /backend-api/codex/responses has no auth: Handler `openai_codex_nested_responses` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 52925, "scanner": "repobility-route-auth", "fingerprint": "715aae82571689cf81e9448c8816e50fcd971123c67d0c4d5763d65c62eff0fc", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|715aae82571689cf81e9448c8816e50fcd971123c67d0c4d5763d65c62eff0fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/providers/proxy_routes.py"}, "region": {"startLine": 368}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /backend-api/responses has no auth: Handler `openai_codex_responses` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 52924, "scanner": "repobility-route-auth", "fingerprint": "74a2c656719120eeb57d0e013a34d8d4d3b1df124cc17a98e140ede537fef947", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|74a2c656719120eeb57d0e013a34d8d4d3b1df124cc17a98e140ede537fef947"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/providers/proxy_routes.py"}, "region": {"startLine": 364}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /v1/codex/responses has no auth: Handler `openai_v1_codex_responses` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 52923, "scanner": "repobility-route-auth", "fingerprint": "4745ca5ec918b495de1afb1fe26c853a28c04efcb54e53a81128ac29a3020867", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|4745ca5ec918b495de1afb1fe26c853a28c04efcb54e53a81128ac29a3020867"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/providers/proxy_routes.py"}, "region": {"startLine": 360}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /v1/responses has no auth: Handler `openai_responses` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 52922, "scanner": "repobility-route-auth", "fingerprint": "8283c4d7cf539ff112880d866f624b0409743257a15aba05963e0e07dc2f181e", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|8283c4d7cf539ff112880d866f624b0409743257a15aba05963e0e07dc2f181e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/providers/proxy_routes.py"}, "region": {"startLine": 356}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /v1/chat/completions has no auth: Handler `openai_chat` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 52921, "scanner": "repobility-route-auth", "fingerprint": "db2d8d075e376cb79294e6b47559dd2a21199ed827c734af4118270b74fd3f54", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|db2d8d075e376cb79294e6b47559dd2a21199ed827c734af4118270b74fd3f54"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/providers/proxy_routes.py"}, "region": {"startLine": 352}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /v1/messages/batches/{batch_id}/cancel has no auth: Handler `anthropic_batch_cancel` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 52920, "scanner": "repobility-route-auth", "fingerprint": "37e3498e91e1231038cb9526bc2e04e698294533ae5fa3c3d529204e8a5bd2f9", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|37e3498e91e1231038cb9526bc2e04e698294533ae5fa3c3d529204e8a5bd2f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/providers/proxy_routes.py"}, "region": {"startLine": 348}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /v1/messages/batches has no auth: Handler `anthropic_batch_create` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 52919, "scanner": "repobility-route-auth", "fingerprint": "d5c386b0c736621f0fca2664149b29fa9a549b1f797f903931da8e7cd86b4c46", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|d5c386b0c736621f0fca2664149b29fa9a549b1f797f903931da8e7cd86b4c46"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/providers/proxy_routes.py"}, "region": {"startLine": 332}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /v1/messages/count_tokens has no auth: Handler `anthropic_count_tokens` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 52918, "scanner": "repobility-route-auth", "fingerprint": "7d5c34c0104d565557ab9ec18fb8c8aa7fc79ee998512212a520418543590dba", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|7d5c34c0104d565557ab9ec18fb8c8aa7fc79ee998512212a520418543590dba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/providers/proxy_routes.py"}, "region": {"startLine": 323}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /v1/messages has no auth: Handler `anthropic_messages` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 52917, "scanner": "repobility-route-auth", "fingerprint": "4ff8af0ba13ea0209c84a79ab1f9a7a0970c19962c955969b8d982b6bdc5beb8", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|4ff8af0ba13ea0209c84a79ab1f9a7a0970c19962c955969b8d982b6bdc5beb8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/providers/proxy_routes.py"}, "region": {"startLine": 319}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /v1/messages has no auth: Handler `messages` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 52916, "scanner": "repobility-route-auth", "fingerprint": "053dab1f2fb063adf88fe1af796384bc63738fd0e47690b47ea29b3ec5f053d5", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|053dab1f2fb063adf88fe1af796384bc63738fd0e47690b47ea29b3ec5f053d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_scripts/test_repro_codex_replay_smoke.py"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `test_eviction_prefers_low_importance_then_old`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 52905, "scanner": "repobility-ast-engine", "fingerprint": "e657b44f7e8778d0bb614abd502fb5eccff996aa1dce2057cc28fd4f44257326", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e657b44f7e8778d0bb614abd502fb5eccff996aa1dce2057cc28fd4f44257326"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_hnsw_only.py"}, "region": {"startLine": 228}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_query_injection_in_search: Test function `test_query_injection_in_search` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 52904, "scanner": "repobility-ast-engine", "fingerprint": "19700edcbd81d3005780355c2bccea12e9b7ef9246ebad3053d8c14017545fc3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|19700edcbd81d3005780355c2bccea12e9b7ef9246ebad3053d8c14017545fc3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/adversarial_ccr_tests.py"}, "region": {"startLine": 719}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_extremely_long_strings: Test function `test_extremely_long_strings` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 52903, "scanner": "repobility-ast-engine", "fingerprint": "29dd714bdb4f85eaa5e9dd78aa24278a64c4efa6445bc09801e6badbf73867f5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|29dd714bdb4f85eaa5e9dd78aa24278a64c4efa6445bc09801e6badbf73867f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/adversarial_ccr_tests.py"}, "region": {"startLine": 670}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_unicode_and_emoji_handling: Test function `test_unicode_and_emoji_handling` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 52902, "scanner": "repobility-ast-engine", "fingerprint": "d85e6bc8e4ee171581feae0cbbba08f69c3bced87794147c86b3e29e00e8523f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d85e6bc8e4ee171581feae0cbbba08f69c3bced87794147c86b3e29e00e8523f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/adversarial_ccr_tests.py"}, "region": {"startLine": 628}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_headroom_marker_collision: Test function `test_headroom_marker_collision` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 52901, "scanner": "repobility-ast-engine", "fingerprint": "e4a74cb443ccbd956507e1c8fdf5e12cf9d0f2968a6a1b3aa101f53ff52337e9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e4a74cb443ccbd956507e1c8fdf5e12cf9d0f2968a6a1b3aa101f53ff52337e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/adversarial_ccr_tests.py"}, "region": {"startLine": 589}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_json_injection_in_content: Test function `test_json_injection_in_content` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 52900, "scanner": "repobility-ast-engine", "fingerprint": "77ba4b8dc27b67995b0fee3fa6d4f01d830bf2efed98bde7086347543f64b0b3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|77ba4b8dc27b67995b0fee3fa6d4f01d830bf2efed98bde7086347543f64b0b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/adversarial_ccr_tests.py"}, "region": {"startLine": 550}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_ttl_exact_boundary: Test function `test_ttl_exact_boundary` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 52899, "scanner": "repobility-ast-engine", "fingerprint": "5a43c50f50fc9edcba21d829c05d905016732acf1244773a654cb4f0732d8507", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5a43c50f50fc9edcba21d829c05d905016732acf1244773a654cb4f0732d8507"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/adversarial_ccr_tests.py"}, "region": {"startLine": 502}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_hash_collision_attempt: Test function `test_hash_collision_attempt` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 52898, "scanner": "repobility-ast-engine", "fingerprint": "7a65ab4474de7f634fbb94839c4b328e0b7f5363359425b13e3394452058f117", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7a65ab4474de7f634fbb94839c4b328e0b7f5363359425b13e3394452058f117"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/adversarial_ccr_tests.py"}, "region": {"startLine": 461}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_max_items_plus_one: Test function `test_max_items_plus_one` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 52897, "scanner": "repobility-ast-engine", "fingerprint": "b6acd26e1bf5b0d6f3cf7cc16109e1a56f92689484f0c95875fcb0dddcfe099e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b6acd26e1bf5b0d6f3cf7cc16109e1a56f92689484f0c95875fcb0dddcfe099e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/adversarial_ccr_tests.py"}, "region": {"startLine": 432}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_exactly_max_items: Test function `test_exactly_max_items` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 52896, "scanner": "repobility-ast-engine", "fingerprint": "1618198add28c6a846c437a4289fd908db20bf72c50015c66e4ad180f0645414", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1618198add28c6a846c437a4289fd908db20bf72c50015c66e4ad180f0645414"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/adversarial_ccr_tests.py"}, "region": {"startLine": 405}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_single_item_array: Test function `test_single_item_array` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 52895, "scanner": "repobility-ast-engine", "fingerprint": "30584b486c9475b102a6a798dd2f6a01152d0e8de478b2849e15fb6fdb5c94de", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|30584b486c9475b102a6a798dd2f6a01152d0e8de478b2849e15fb6fdb5c94de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/adversarial_ccr_tests.py"}, "region": {"startLine": 378}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_empty_array: Test function `test_empty_array` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 52894, "scanner": "repobility-ast-engine", "fingerprint": "4e74d3e2eec41816a4795c6ba1a7698dd484aa53e76652472bb88ec7eaae81f8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4e74d3e2eec41816a4795c6ba1a7698dd484aa53e76652472bb88ec7eaae81f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/adversarial_ccr_tests.py"}, "region": {"startLine": 354}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_anomaly_in_string_not_number: Test function `test_anomaly_in_string_not_number` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 52893, "scanner": "repobility-ast-engine", "fingerprint": "d48dc8410c94d71c5ca3c0e8651a4de8bfa8b438a9a246911eb0f402cd56afdc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d48dc8410c94d71c5ca3c0e8651a4de8bfa8b438a9a246911eb0f402cd56afdc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/adversarial_ccr_tests.py"}, "region": {"startLine": 288}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_needle_looks_exactly_like_hay: Test function `test_needle_looks_exactly_like_hay` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 52892, "scanner": "repobility-ast-engine", "fingerprint": "e551da9cbba51b63ab6839609c65887198a549aae52ad492c2c42f0e1f0ba459", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e551da9cbba51b63ab6839609c65887198a549aae52ad492c2c42f0e1f0ba459"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/adversarial_ccr_tests.py"}, "region": {"startLine": 212}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_error_keyword_in_normal_data: Test function `test_error_keyword_in_normal_data` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 52891, "scanner": "repobility-ast-engine", "fingerprint": "eb5275e8386e651f7ee41a625e9a18a37da43878a8f17365c6d4b8d03322bac1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|eb5275e8386e651f7ee41a625e9a18a37da43878a8f17365c6d4b8d03322bac1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/adversarial_ccr_tests.py"}, "region": {"startLine": 133}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_all_items_are_errors: Test function `test_all_items_are_errors` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 52890, "scanner": "repobility-ast-engine", "fingerprint": "6c09c1da616de66d8a50c660b8bbc3346b38e04b04e86f3f61b5679b9cd90d6c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6c09c1da616de66d8a50c660b8bbc3346b38e04b04e86f3f61b5679b9cd90d6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/adversarial_ccr_tests.py"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_pipeline_simple: Test function `test_pipeline_simple` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 52889, "scanner": "repobility-ast-engine", "fingerprint": "9b2e3b7f7a4afaaeaa2e762c56105accd938c4f7f437575ecc8c49555f3ae596", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9b2e3b7f7a4afaaeaa2e762c56105accd938c4f7f437575ecc8c49555f3ae596"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/bench_transforms.py"}, "region": {"startLine": 414}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_multiple_system_messages: Test function `test_multiple_system_messages` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 52888, "scanner": "repobility-ast-engine", "fingerprint": "6f69bd7a40663e7e9fa425514b0a6e16f282dc7463c0542a32b43cf0db762f53", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6f69bd7a40663e7e9fa425514b0a6e16f282dc7463c0542a32b43cf0db762f53"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/bench_transforms.py"}, "region": {"startLine": 343}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_ccr_end_to_end: Test function `test_ccr_end_to_end` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 52887, "scanner": "repobility-ast-engine", "fingerprint": "91ec35f07021b02de60fa15176984363a926a299bf3b489a0430d37cd07470c3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|91ec35f07021b02de60fa15176984363a926a299bf3b489a0430d37cd07470c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/ccr_regression_benchmark.py"}, "region": {"startLine": 575}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_search_accuracy: Test function `test_search_accuracy` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 52886, "scanner": "repobility-ast-engine", "fingerprint": "c6e1a41de0faf6642bf3bc6e8368532c4f4fbb98286fbc8cfa1ee607e6729f05", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c6e1a41de0faf6642bf3bc6e8368532c4f4fbb98286fbc8cfa1ee607e6729f05"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/ccr_regression_benchmark.py"}, "region": {"startLine": 477}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_feedback_learning: Test function `test_feedback_learning` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 52885, "scanner": "repobility-ast-engine", "fingerprint": "cfa16863f2487c1a28d1119f4383a8572c2d515d4c2ae7093828254302362980", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cfa16863f2487c1a28d1119f4383a8572c2d515d4c2ae7093828254302362980"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/ccr_regression_benchmark.py"}, "region": {"startLine": 388}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_full_retrieval: Test function `test_full_retrieval` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 52884, "scanner": "repobility-ast-engine", "fingerprint": "66e726b412a10a42a254cf114ab72fecb187973b8e3293c581e95ec4b6638324", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|66e726b412a10a42a254cf114ab72fecb187973b8e3293c581e95ec4b6638324"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/ccr_regression_benchmark.py"}, "region": {"startLine": 323}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_anomaly_retention: Test function `test_anomaly_retention` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 52883, "scanner": "repobility-ast-engine", "fingerprint": "8183931025e1340a55671fffcf220d505567a3b871d222e0a4f46590689e5ec6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8183931025e1340a55671fffcf220d505567a3b871d222e0a4f46590689e5ec6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/ccr_regression_benchmark.py"}, "region": {"startLine": 240}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_uuid_retrieval: Test function `test_uuid_retrieval` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 52882, "scanner": "repobility-ast-engine", "fingerprint": "5cb9c6db30c3c83e1ae2ad02fd980a70d5e117e56333890cce6819717a9da7c3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5cb9c6db30c3c83e1ae2ad02fd980a70d5e117e56333890cce6819717a9da7c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/ccr_regression_benchmark.py"}, "region": {"startLine": 158}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_error_retention: Test function `test_error_retention` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 52881, "scanner": "repobility-ast-engine", "fingerprint": "3804ecd0d578fa1cfa34f575a6cad021f52776019dbbeab6377920c4c6e94ade", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3804ecd0d578fa1cfa34f575a6cad021f52776019dbbeab6377920c4c6e94ade"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/ccr_regression_benchmark.py"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.percentile` used but never assigned in __init__: Method `as_summary` of class `LatencyHistogram` reads `self.percentile`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 52875, "scanner": "repobility-ast-engine", "fingerprint": "987c2d31732b01daa0f56fbc1947b0e7b9cec91099d3ea903a19020f71bd2d85", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|987c2d31732b01daa0f56fbc1947b0e7b9cec91099d3ea903a19020f71bd2d85"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/repro_codex_replay.py"}, "region": {"startLine": 127}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.percentile` used but never assigned in __init__: Method `as_summary` of class `LatencyHistogram` reads `self.percentile`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 52874, "scanner": "repobility-ast-engine", "fingerprint": "ef6fbe190548f53b3c8aee508cf101c8619b8280a905f165eceda3dcd6b8ed56", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ef6fbe190548f53b3c8aee508cf101c8619b8280a905f165eceda3dcd6b8ed56"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/repro_codex_replay.py"}, "region": {"startLine": 126}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.percentile` used but never assigned in __init__: Method `as_summary` of class `LatencyHistogram` reads `self.percentile`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 52873, "scanner": "repobility-ast-engine", "fingerprint": "f33567150841d36e8cfb5a520a3c8e2cbe1e750f2a2c7cbb6f5a5123b06491f0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f33567150841d36e8cfb5a520a3c8e2cbe1e750f2a2c7cbb6f5a5123b06491f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/repro_codex_replay.py"}, "region": {"startLine": 125}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.count` used but never assigned in __init__: Method `as_summary` of class `LatencyHistogram` reads `self.count`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 52872, "scanner": "repobility-ast-engine", "fingerprint": "fce9374417bc9af73bd7e8a4c7866a221631a3aa6010f36c6059bdff16f949c3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fce9374417bc9af73bd7e8a4c7866a221631a3aa6010f36c6059bdff16f949c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/repro_codex_replay.py"}, "region": {"startLine": 124}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._exchange_token_sync` used but never assigned in __init__: Method `_exchange_token` of class `CopilotTokenProvider` reads `self._exchange_token_sync`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 52870, "scanner": "repobility-ast-engine", "fingerprint": "ea23e4cab3f638b835663f01f10bfe5d28148420830ebd7fa68733151ead21a8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ea23e4cab3f638b835663f01f10bfe5d28148420830ebd7fa68733151ead21a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/copilot_auth.py"}, "region": {"startLine": 387}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._exchange_token` used but never assigned in __init__: Method `get_api_token` of class `CopilotTokenProvider` reads `self._exchange_token`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 52869, "scanner": "repobility-ast-engine", "fingerprint": "3e2ebef228c0a051380d51ab71ab937118f1c1c33ae48bfd3b864b0b272b11a4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3e2ebef228c0a051380d51ab71ab937118f1c1c33ae48bfd3b864b0b272b11a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/copilot_auth.py"}, "region": {"startLine": 374}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._evict_if_needed` used but never assigned in __init__: Method `put` of class `SharedContext` reads `self._evict_if_needed`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 52868, "scanner": "repobility-ast-engine", "fingerprint": "415277358772d4320b92a7f2486346160409b4f0090807d90d78e17f03d9b5db", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|415277358772d4320b92a7f2486346160409b4f0090807d90d78e17f03d9b5db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/shared_context.py"}, "region": {"startLine": 131}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._session_stats` used but never assigned in __init__: Method `_update_session_stats` of class `HeadroomClient` reads `self._session_stats`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 52863, "scanner": "repobility-ast-engine", "fingerprint": "d7e9b4db567d892174824843c535491a98b2da1f0abb8ba875e21d412d36c817", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d7e9b4db567d892174824843c535491a98b2da1f0abb8ba875e21d412d36c817"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/client.py"}, "region": {"startLine": 1043}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._session_stats` used but never assigned in __init__: Method `_update_session_stats` of class `HeadroomClient` reads `self._session_stats`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 52862, "scanner": "repobility-ast-engine", "fingerprint": "cab473a8f6417c9be525891bb2bd8c408f745e889165db5f267c4ba8b81e9726", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cab473a8f6417c9be525891bb2bd8c408f745e889165db5f267c4ba8b81e9726"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/client.py"}, "region": {"startLine": 1040}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._session_stats` used but never assigned in __init__: Method `_update_session_stats` of class `HeadroomClient` reads `self._session_stats`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 52861, "scanner": "repobility-ast-engine", "fingerprint": "24085b94f44927f70dd8db3fd6c7d54d9801b503be7c68346a2e636fb6aa5ab9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|24085b94f44927f70dd8db3fd6c7d54d9801b503be7c68346a2e636fb6aa5ab9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/client.py"}, "region": {"startLine": 1038}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._session_stats` used but never assigned in __init__: Method `_update_session_stats` of class `HeadroomClient` reads `self._session_stats`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 52860, "scanner": "repobility-ast-engine", "fingerprint": "7740fa553223907e36a9b6bec9faaf9c6a51082925f56aff8b7a32b636e1c65f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7740fa553223907e36a9b6bec9faaf9c6a51082925f56aff8b7a32b636e1c65f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/client.py"}, "region": {"startLine": 1037}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._session_stats` used but never assigned in __init__: Method `_update_session_stats` of class `HeadroomClient` reads `self._session_stats`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 52859, "scanner": "repobility-ast-engine", "fingerprint": "9550b34a64d98c01bf76477fb21b73d3a99b8bc2ef0d8166af97092ddb56d1d6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9550b34a64d98c01bf76477fb21b73d3a99b8bc2ef0d8166af97092ddb56d1d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/client.py"}, "region": {"startLine": 1034}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._session_stats` used but never assigned in __init__: Method `_update_session_stats` of class `HeadroomClient` reads `self._session_stats`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 52858, "scanner": "repobility-ast-engine", "fingerprint": "f11ee83829e016d5d25f78484fb7ae976eee136b428b15a1476a0c73bcd85cb3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f11ee83829e016d5d25f78484fb7ae976eee136b428b15a1476a0c73bcd85cb3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/client.py"}, "region": {"startLine": 1026}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._session_stats` used but never assigned in __init__: Method `get_stats` of class `HeadroomClient` reads `self._session_stats`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 52857, "scanner": "repobility-ast-engine", "fingerprint": "de5d9e6bc9dd933a12cceac13dd57e14fc0ce8a8ab2e13b9dd9674b631965025", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|de5d9e6bc9dd933a12cceac13dd57e14fc0ce8a8ab2e13b9dd9674b631965025"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/client.py"}, "region": {"startLine": 1004}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._session_stats` used but never assigned in __init__: Method `get_stats` of class `HeadroomClient` reads `self._session_stats`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 52856, "scanner": "repobility-ast-engine", "fingerprint": "2295798505ee7f571522bc91f749ccbb891a509b3541e4ddb2534a3da3b89d31", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2295798505ee7f571522bc91f749ccbb891a509b3541e4ddb2534a3da3b89d31"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/client.py"}, "region": {"startLine": 995}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._get_tokenizer` used but never assigned in __init__: Method `validate_setup` of class `HeadroomClient` reads `self._get_tokenizer`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 52855, "scanner": "repobility-ast-engine", "fingerprint": "2603130f147a1573fc015ddfcb0e725f44edfd303f82791193562bcca93d3bf5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2603130f147a1573fc015ddfcb0e725f44edfd303f82791193562bcca93d3bf5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/client.py"}, "region": {"startLine": 915}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.close` used but never assigned in __init__: Method `__exit__` of class `HeadroomClient` reads `self.close`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 52854, "scanner": "repobility-ast-engine", "fingerprint": "6330d3aec24f68f1a154977caa3f5a20abfbbe516933f1c93aed9e8356b3f34f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6330d3aec24f68f1a154977caa3f5a20abfbbe516933f1c93aed9e8356b3f34f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/client.py"}, "region": {"startLine": 872}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._get_context_limit` used but never assigned in __init__: Method `_simulate` of class `HeadroomClient` reads `self._get_context_limit`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 52853, "scanner": "repobility-ast-engine", "fingerprint": "e2fbba92c99576b3642d497450e6da9a5d296134c6062087e99501e90cc09910", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e2fbba92c99576b3642d497450e6da9a5d296134c6062087e99501e90cc09910"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/client.py"}, "region": {"startLine": 776}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._get_tokenizer` used but never assigned in __init__: Method `_simulate` of class `HeadroomClient` reads `self._get_tokenizer`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 52852, "scanner": "repobility-ast-engine", "fingerprint": "58a280ac37cbdf2f7f58e26134eac9d57421a17daff719409f7c070cce45f306", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|58a280ac37cbdf2f7f58e26134eac9d57421a17daff719409f7c070cce45f306"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/client.py"}, "region": {"startLine": 763}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._extract_query` used but never assigned in __init__: Method `_store_response_in_semantic_cache` of class `HeadroomClient` reads `self._extract_query`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 52851, "scanner": "repobility-ast-engine", "fingerprint": "ddb45298590f86f880ef9b68da7aaf174b9f099b65a17b89265025fcb7132c60", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ddb45298590f86f880ef9b68da7aaf174b9f099b65a17b89265025fcb7132c60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/client.py"}, "region": {"startLine": 725}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._extract_response_content` used but never assigned in __init__: Method `_store_response_in_semantic_cache` of class `HeadroomClient` reads `self._extract_response_content`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 52850, "scanner": "repobility-ast-engine", "fingerprint": "524fa5341339c83130aebdd64014d39a92e7120dd98ef5486631f1b0a1b3f30b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|524fa5341339c83130aebdd64014d39a92e7120dd98ef5486631f1b0a1b3f30b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/client.py"}, "region": {"startLine": 728}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._extract_query` used but never assigned in __init__: Method `_create` of class `HeadroomClient` reads `self._extract_query`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 52849, "scanner": "repobility-ast-engine", "fingerprint": "c4278b6f9b8dddcc5f621ec618d34a3ae7752d701d14eada923c0e52694fe38a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c4278b6f9b8dddcc5f621ec618d34a3ae7752d701d14eada923c0e52694fe38a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/client.py"}, "region": {"startLine": 484}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._get_context_limit` used but never assigned in __init__: Method `_create` of class `HeadroomClient` reads `self._get_context_limit`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 52848, "scanner": "repobility-ast-engine", "fingerprint": "dd73792c15f34677eec70ce72975e3c3f31ccfbfeaaba375f3c254b4f9e2c2fe", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|dd73792c15f34677eec70ce72975e3c3f31ccfbfeaaba375f3c254b4f9e2c2fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/client.py"}, "region": {"startLine": 448}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._update_session_stats` used but never assigned in __init__: Method `_create` of class `HeadroomClient` reads `self._update_session_stats`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 52847, "scanner": "repobility-ast-engine", "fingerprint": "ed534d9d899173bb550e0cf574c6e9cfe41a97197527704187cb918f9d2f9bd1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ed534d9d899173bb550e0cf574c6e9cfe41a97197527704187cb918f9d2f9bd1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/client.py"}, "region": {"startLine": 592}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._get_tokenizer` used but never assigned in __init__: Method `_create` of class `HeadroomClient` reads `self._get_tokenizer`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 52846, "scanner": "repobility-ast-engine", "fingerprint": "58deb13b5e5ba1de592c73f18a19a4b8c7011f91608c3920ad1e35ab19d2e13e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|58deb13b5e5ba1de592c73f18a19a4b8c7011f91608c3920ad1e35ab19d2e13e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/client.py"}, "region": {"startLine": 422}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_with_real_llm: Test function `test_with_real_llm` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 52835, "scanner": "repobility-ast-engine", "fingerprint": "83254935c90ee67f9c9519817e20a57748b7cb95883e8863d61965817ec339ae", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|83254935c90ee67f9c9519817e20a57748b7cb95883e8863d61965817ec339ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/test_intelligent_context_toin_ccr.py"}, "region": {"startLine": 252}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `urllib.request.urlopen` inside async function `run_demo`: `urllib.request.urlopen` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 52832, "scanner": "repobility-ast-engine", "fingerprint": "a4b997bff7b9cf5e72dc24c2bdb29c9fe453bc242b07753671999ce72d070d8d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a4b997bff7b9cf5e72dc24c2bdb29c9fe453bc242b07753671999ce72d070d8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/strands_via_proxy_demo.py"}, "region": {"startLine": 506}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `urllib.request.urlopen` inside async function `run_demo`: `urllib.request.urlopen` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 52831, "scanner": "repobility-ast-engine", "fingerprint": "fa932211ecf12de1a341a2c8055b91ea123b6af57c1a9b64f824f7516c6a630f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fa932211ecf12de1a341a2c8055b91ea123b6af57c1a9b64f824f7516c6a630f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/strands_via_proxy_demo.py"}, "region": {"startLine": 374}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `urllib.request.Request` inside async function `run_demo`: `urllib.request.Request` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 52830, "scanner": "repobility-ast-engine", "fingerprint": "241ee9349944e5bb4ed4a1bf725ab404df5b94f2a1a561f65848f63bccecf23d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|241ee9349944e5bb4ed4a1bf725ab404df5b94f2a1a561f65848f63bccecf23d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/strands_via_proxy_demo.py"}, "region": {"startLine": 360}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `urllib.request.Request` inside async function `run_demo`: `urllib.request.Request` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 52829, "scanner": "repobility-ast-engine", "fingerprint": "a101c8fb4b188d96cf0773ec4d1115dfad6c03653d314276a02e2be8f448e3f4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a101c8fb4b188d96cf0773ec4d1115dfad6c03653d314276a02e2be8f448e3f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/strands_via_proxy_demo.py"}, "region": {"startLine": 493}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: DELETE /v1beta/cachedContents/{cache_id}."}, "properties": {"repobilityId": 52812, "scanner": "repobility-access-control", "fingerprint": "dd4048de13ec6ae6fa3f92c1dfdd5713fce77046c0795b32a7dff73f265e28ca", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/v1beta/cachedContents/{cache_id}", "method": "DELETE", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|630|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/providers/proxy_routes.py"}, "region": {"startLine": 630}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /v1beta/cachedContents/{cache_id}."}, "properties": {"repobilityId": 52811, "scanner": "repobility-access-control", "fingerprint": "9967938a0a8feba09a00233fb7b16c14a5acf6b2b2f9b48914aa24748d8d3a5d", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/v1beta/cachedContents/{cache_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|621|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/providers/proxy_routes.py"}, "region": {"startLine": 621}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /v1/models/{model_id}."}, "properties": {"repobilityId": 52810, "scanner": "repobility-access-control", "fingerprint": "8e120934c7b9f4a833718c34477f91fe82c91b97c65f2c1fe3bd67ac62e6de9b", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/v1/models/{model_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|488|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/providers/proxy_routes.py"}, "region": {"startLine": 488}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /v1/batches/{batch_id}/cancel."}, "properties": {"repobilityId": 52809, "scanner": "repobility-access-control", "fingerprint": "1cb1fdf4476a71f2ff85032912732a19fa0598e1808450255c6cd040b938c1f9", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/v1/batches/{batch_id}/cancel", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|446|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/providers/proxy_routes.py"}, "region": {"startLine": 446}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /v1/batches/{batch_id}."}, "properties": {"repobilityId": 52808, "scanner": "repobility-access-control", "fingerprint": "39f9cae2c751dceae24c606a026c587f0a518374ccf5e4951758aa5a5da2f600", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/v1/batches/{batch_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|442|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/providers/proxy_routes.py"}, "region": {"startLine": 442}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /v1/messages/batches/{batch_id}/cancel."}, "properties": {"repobilityId": 52807, "scanner": "repobility-access-control", "fingerprint": "1c89558a94136194c66f66780be92e90672ef01683560d4a52246eb22a2cedbc", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/v1/messages/batches/{batch_id}/cancel", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|347|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/providers/proxy_routes.py"}, "region": {"startLine": 347}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /v1/messages/batches/{batch_id}/results."}, "properties": {"repobilityId": 52806, "scanner": "repobility-access-control", "fingerprint": "ab8a3ee729e4dc956c451ddc4cf5c54505b99b642ab767a8695da37d6195e518", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/v1/messages/batches/{batch_id}/results", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|343|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/providers/proxy_routes.py"}, "region": {"startLine": 343}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /v1/messages/batches/{batch_id}."}, "properties": {"repobilityId": 52805, "scanner": "repobility-access-control", "fingerprint": "1b4286c4f353b824182c08f189804bb90188fe9df5d7c362263337ba7831f22a", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/v1/messages/batches/{batch_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|339|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/providers/proxy_routes.py"}, "region": {"startLine": 339}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 52801, "scanner": "repobility-docker", "fingerprint": "48e9280682b0b7bdb38dc438d3928cc14be7d1a4a660f0366ce3341d90aedc81", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "7474:7474", "target": "7474", "host_ip": "", "published": "7474"}, {"raw": "7687:7687", "target": "7687", "host_ip": "", "published": "7687"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "neo4j", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|48e9280682b0b7bdb38dc438d3928cc14be7d1a4a660f0366ce3341d90aedc81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 52791, "scanner": "repobility-docker", "fingerprint": "ff596dd71e9db87fabb13b5ea37e56ec23ef133bd3e5c21c9ccf13cc7bb955ff", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ff596dd71e9db87fabb13b5ea37e56ec23ef133bd3e5c21c9ccf13cc7bb955ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/wrap/Dockerfile"}, "region": {"startLine": 76}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 52789, "scanner": "repobility-docker", "fingerprint": "1262910a34ec6ac537768f138c4b1c6f4e6f329075722ad708fbb2b4da6e5e2b", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|1262910a34ec6ac537768f138c4b1c6f4e6f329075722ad708fbb2b4da6e5e2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/wrap/Dockerfile"}, "region": {"startLine": 28}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 52784, "scanner": "repobility-docker", "fingerprint": "5b51da789e5ffd705401bcef49de1106643c97defc53d05dec46b9de481f6b3f", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|5b51da789e5ffd705401bcef49de1106643c97defc53d05dec46b9de481f6b3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/init/Dockerfile"}, "region": {"startLine": 15}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 52778, "scanner": "repobility-docker", "fingerprint": "f8bf707b86e89fab9602518b8277dc1d123d3142d23d5af219df64902d5c7ca3", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|f8bf707b86e89fab9602518b8277dc1d123d3142d23d5af219df64902d5c7ca3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 35}}}]}, {"ruleId": "AGT002", "level": "error", "message": {"text": "LLM memory extraction can be prompt-injected into storing fake facts"}, "properties": {"repobilityId": 52771, "scanner": "repobility-agent-runtime", "fingerprint": "53f8822402a009742be1e81ab97bce6ca7eb7621fef53abaf87ae198c135a7a8", "category": "llm_injection", "severity": "high", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File appears to persist LLM-extracted memory from user/assistant exchanges without visible schema validation or prompt-pattern rejection.", "evidence": {"rule_id": "AGT002", "scanner": "repobility-agent-runtime", "data_flow": "chat_exchange_to_persistent_memory", "references": ["https://owasp.org/www-project-top-10-for-large-language-model-applications/"], "correlation_key": "fp|53f8822402a009742be1e81ab97bce6ca7eb7621fef53abaf87ae198c135a7a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/proxy/handlers/gemini.py"}, "region": {"startLine": 170}}}]}, {"ruleId": "MINED009", "level": "error", "message": {"text": "[MINED009] Floats For Money: Variable named price/amount/cost typed as float instead of Decimal."}, "properties": {"repobilityId": 52717, "scanner": "repobility-threat-engine", "fingerprint": "57f7d62e6565f45f5ad776a944ebe5683194cf0305a2bab99caf2ea17eab1339", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "floats-for-money", "owasp": null, "cwe_ids": ["CWE-682"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347918+00:00", "triaged_in_corpus": 15, "observations_count": 208571, "ai_coder_pattern_id": 20}, "scanner": "repobility-threat-engine", "correlation_key": "fp|57f7d62e6565f45f5ad776a944ebe5683194cf0305a2bab99caf2ea17eab1339"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/utils.py"}, "region": {"startLine": 238}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 52707, "scanner": "repobility-threat-engine", "fingerprint": "988731d95e74830be774e475fd49a5be4dc5e8bef181314ae2efb158b0e47217", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "env.update(manifest.base_env)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|988731d95e74830be774e475fd49a5be4dc5e8bef181314ae2efb158b0e47217"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/install/runtime.py"}, "region": {"startLine": 69}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 52706, "scanner": "repobility-threat-engine", "fingerprint": "fd3b5a2726817a2da28d466ca1bedff0269adad73d90101e92c19694357d4e72", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "merged.update(env_map)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fd3b5a2726817a2da28d466ca1bedff0269adad73d90101e92c19694357d4e72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/install/providers.py"}, "region": {"startLine": 53}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 52705, "scanner": "repobility-threat-engine", "fingerprint": "0ed5a7d591507fcc2db18b9fefd7fe78a3db00e6477d63c25748a15c7fe5ade4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "resized.save(buf, format=\"JPEG\", quality=85, optimize=True)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0ed5a7d591507fcc2db18b9fefd7fe78a3db00e6477d63c25748a15c7fe5ade4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/image/tile_optimizer.py"}, "region": {"startLine": 190}}}]}, {"ruleId": "SEC080", "level": "error", "message": {"text": "[SEC080] Python: tarfile.extractall without filter: tarfile.extract*() without filter='data' allows path-traversal (CVE-2007-4559, fixed via PEP 706 in 3.12). Ported from bandit B202 (Apache-2.0)."}, "properties": {"repobilityId": 52700, "scanner": "repobility-threat-engine", "fingerprint": "2844597e872cf59e5ff3169b908fd45657a0c3f6ccac255ea93772297fabbdaa", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "tar.extract(member, RTK_BIN_DIR)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC080", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2844597e872cf59e5ff3169b908fd45657a0c3f6ccac255ea93772297fabbdaa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/rtk/installer.py"}, "region": {"startLine": 119}}}]}, {"ruleId": "SEC080", "level": "error", "message": {"text": "[SEC080] Python: tarfile.extractall without filter: tarfile.extract*() without filter='data' allows path-traversal (CVE-2007-4559, fixed via PEP 706 in 3.12). Ported from bandit B202 (Apache-2.0)."}, "properties": {"repobilityId": 52699, "scanner": "repobility-threat-engine", "fingerprint": "b840f43460dace66772b17e253591537a8e4bf17b29736e787e13223cf673384", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "tar.extract(member, LEAN_CTX_BIN_DIR)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC080", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b840f43460dace66772b17e253591537a8e4bf17b29736e787e13223cf673384"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/lean_ctx/installer.py"}, "region": {"startLine": 121}}}]}, {"ruleId": "SEC080", "level": "error", "message": {"text": "[SEC080] Python: tarfile.extractall without filter: tarfile.extract*() without filter='data' allows path-traversal (CVE-2007-4559, fixed via PEP 706 in 3.12). Ported from bandit B202 (Apache-2.0)."}, "properties": {"repobilityId": 52698, "scanner": "repobility-threat-engine", "fingerprint": "61875d78d4d2db1590ca69adea5a16c4b0f4c8f0355da073b188cdfc7475f287", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "tar.extract(member, CBM_BIN_DIR)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC080", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|61875d78d4d2db1590ca69adea5a16c4b0f4c8f0355da073b188cdfc7475f287"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/graph/installer.py"}, "region": {"startLine": 86}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "properties": {"repobilityId": 52696, "scanner": "repobility-threat-engine", "fingerprint": "ff1d7d2c29c03f989bc5f56c404ea5ba006ebd7b10424bb12a1d05ac9cd410fa", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(r\"class\\s+(\\w+)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|234|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/transforms/compression_summary.py"}, "region": {"startLine": 234}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "properties": {"repobilityId": 52695, "scanner": "repobility-threat-engine", "fingerprint": "6e31aeb01199bf6b1343f4679ee9c1c78e5ed2509f89ae6a4c0966d035104fcc", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(r\"changed=(\\d+)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|headroom/graph/watcher.py|243|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/graph/watcher.py"}, "region": {"startLine": 243}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "properties": {"repobilityId": 52694, "scanner": "repobility-threat-engine", "fingerprint": "0faaa8011a9036af3b36ac72a5b65a413034cf052721a77d0c76de3c0abe0384", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(r\"(\\d+(?:\\.\\d+)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|220|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/evals/memory/judge.py"}, "region": {"startLine": 220}}}]}, {"ruleId": "MINED020", "level": "error", "message": {"text": "[MINED020] Logging Credential Via Fstring: logger.error(f\"failed for {api_key}\") \u2014 secrets end up in log aggregators / sentry."}, "properties": {"repobilityId": 52693, "scanner": "repobility-threat-engine", "fingerprint": "7e4675c6c8f3e38b98f4891eac5b96a4a78d6f45c7ce426c8b8af278dc1a600f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "logging-credential-via-fstring", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347945+00:00", "triaged_in_corpus": 15, "observations_count": 46100, "ai_coder_pattern_id": 38}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7e4675c6c8f3e38b98f4891eac5b96a4a78d6f45c7ce426c8b8af278dc1a600f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/tokenizers/huggingface.py"}, "region": {"startLine": 124}}}]}, {"ruleId": "MINED020", "level": "error", "message": {"text": "[MINED020] Logging Credential Via Fstring: logger.error(f\"failed for {api_key}\") \u2014 secrets end up in log aggregators / sentry."}, "properties": {"repobilityId": 52692, "scanner": "repobility-threat-engine", "fingerprint": "87722d36f3b898ee79c2ce46d978a6c1d5c7b4455ede336d1d2205dbc94ac928", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "logging-credential-via-fstring", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347945+00:00", "triaged_in_corpus": 15, "observations_count": 46100, "ai_coder_pattern_id": 38}, "scanner": "repobility-threat-engine", "correlation_key": "fp|87722d36f3b898ee79c2ce46d978a6c1d5c7b4455ede336d1d2205dbc94ac928"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/integrations/langchain/memory.py"}, "region": {"startLine": 159}}}]}, {"ruleId": "MINED020", "level": "error", "message": {"text": "[MINED020] Logging Credential Via Fstring: logger.error(f\"failed for {api_key}\") \u2014 secrets end up in log aggregators / sentry."}, "properties": {"repobilityId": 52691, "scanner": "repobility-threat-engine", "fingerprint": "d615c22ea417850e0b00cad26a872d3971deff0504f27e0743bb3fea419967c3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "logging-credential-via-fstring", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347945+00:00", "triaged_in_corpus": 15, "observations_count": 46100, "ai_coder_pattern_id": 38}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d615c22ea417850e0b00cad26a872d3971deff0504f27e0743bb3fea419967c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/evals/cost_tracker.py"}, "region": {"startLine": 87}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 52682, "scanner": "repobility-threat-engine", "fingerprint": "bc7ad262f410737b8ac6281dbbb84c6f286bbabcb8cb1379fd87dc68e473e641", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bc7ad262f410737b8ac6281dbbb84c6f286bbabcb8cb1379fd87dc68e473e641"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/ccr/batch_store.py"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 52680, "scanner": "repobility-threat-engine", "fingerprint": "e38ea345e4caec8e8c1e4907778154c243964e51bd685e9128f81d8e2123f9a7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e38ea345e4caec8e8c1e4907778154c243964e51bd685e9128f81d8e2123f9a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/cli/install.py"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 52679, "scanner": "repobility-threat-engine", "fingerprint": "9f76503ddb5b949905fb21976f840624704c9d9ff5b6f403b880cbe74a63a6ee", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9f76503ddb5b949905fb21976f840624704c9d9ff5b6f403b880cbe74a63a6ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/cli/__init__.py"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 52678, "scanner": "repobility-threat-engine", "fingerprint": "ad62a966234d8d16a36025d5ad29193d0a87630277662e53eb4ca006ff6c7760", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ad62a966234d8d16a36025d5ad29193d0a87630277662e53eb4ca006ff6c7760"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/cache/registry.py"}, "region": {"startLine": 174}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 52674, "scanner": "repobility-threat-engine", "fingerprint": "547e890292c46dcb398f916f7cbd1955ac2f85a59b125663ca811677e3a21d62", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|547e890292c46dcb398f916f7cbd1955ac2f85a59b125663ca811677e3a21d62"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/utils.py"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 52665, "scanner": "repobility-threat-engine", "fingerprint": "ba856915258c210a494a1f153734c93d8c0c9b9dbb3c618c3e78af31c13e2649", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(S", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ba856915258c210a494a1f153734c93d8c0c9b9dbb3c618c3e78af31c13e2649"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/app/layout.tsx"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 52664, "scanner": "repobility-threat-engine", "fingerprint": "eb1d0f6f7753b6aee6e8518bb472ef2e2274fbb9ee11530596ba2660fae741f5", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|eb1d0f6f7753b6aee6e8518bb472ef2e2274fbb9ee11530596ba2660fae741f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/app/docs/[[...slug]]/page.tsx"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 52663, "scanner": "repobility-threat-engine", "fingerprint": "f0e6d467d7798178c3e50a6aec125f56ead9af595d53a3b3544a138739ef6f9e", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(b", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f0e6d467d7798178c3e50a6aec125f56ead9af595d53a3b3544a138739ef6f9e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/headroom-proxy/src/websocket.rs"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 52653, "scanner": "repobility-threat-engine", "fingerprint": "a2b7e8f6871d0306118815b3378c0b0af4e76f7f6af11d3bbf45fb154f6e8868", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a2b7e8f6871d0306118815b3378c0b0af4e76f7f6af11d3bbf45fb154f6e8868"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/headroom-core/src/auth_mode.rs"}, "region": {"startLine": 246}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 52652, "scanner": "repobility-threat-engine", "fingerprint": "f5af0b59b86bde6ef577b884841988c409a94ab4c7024f4f7281f2e4bd531ae5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f5af0b59b86bde6ef577b884841988c409a94ab4c7024f4f7281f2e4bd531ae5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/headroom-core/benches/ccr_store.rs"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 52651, "scanner": "repobility-threat-engine", "fingerprint": "e37f013790e3b3fd4b17263b5c030c3cd1c6eba7229a86bf032d2df02b59d58d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e37f013790e3b3fd4b17263b5c030c3cd1c6eba7229a86bf032d2df02b59d58d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/headroom-core/benches/auth_mode.rs"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC061", "level": "error", "message": {"text": "[SEC061] JWT in source: Three-part JWT (likely signed token). Even if expired, may leak structure or claims. Ported from gitleaks jwt (MIT)."}, "properties": {"repobilityId": 52650, "scanner": "repobility-threat-engine", "fingerprint": "a3ae00bcc50b456433affddf7a989fd6bb33318c7ba9c6113a5980e343607034", "category": "secret", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4iLCJpYXQiOjE1MTYyMzk", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC061", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|4|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/headroom-core/benches/auth_mode.rs"}, "region": {"startLine": 48}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 52644, "scanner": "repobility-threat-engine", "fingerprint": "78c7a2aad36f66f4d3d982269b98e04f4cab1ad49194b93ac85955c72b60e27f", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "print(f\" total_tokens_removed: {comp.get('total_tokens_removed', 0)", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|11|print f total_tokens_removed: comp.get total_tokens_removed 0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/strands_bundle_demo.py"}, "region": {"startLine": 112}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 52643, "scanner": "repobility-threat-engine", "fingerprint": "b0eff8064123845c1d9b128a046bc086246b83e4f08a67afaec6966e7610ca3e", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "print(f\"\\n Original tokens: {result.original_tokens:>8,}\")", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|8|print f n original tokens: result.original_tokens: 8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/mcp_demo/show_compression.py"}, "region": {"startLine": 82}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 52642, "scanner": "repobility-threat-engine", "fingerprint": "ca4a6f69e999d769322e1a85a360eb9ddaf9b9b23a85f17ff33d9f3395442614", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "print(f\"Tokens saved: {compression.tokens_saved}\")", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|10|print f tokens saved: compression.tokens_saved"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/mcp_demo/show_before_after.py"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.NPM_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.NPM_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 52974, "scanner": "repobility-supply-chain", "fingerprint": "f5f50819a422b17b5c83d76f0dea17956474d5114cc135e078e9741a4db91bb8", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f5f50819a422b17b5c83d76f0dea17956474d5114cc135e078e9741a4db91bb8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 724}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.NPM_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.NPM_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 52973, "scanner": "repobility-supply-chain", "fingerprint": "bcd20a834083d212bc155ff8eefb2825d270926c67d7d835933133032505f0c1", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bcd20a834083d212bc155ff8eefb2825d270926c67d7d835933133032505f0c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 712}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ANTHROPIC_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ANTHROPIC_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 52956, "scanner": "repobility-supply-chain", "fingerprint": "1109478e385ccf4cf89e731c9e7225a6f03e37ec73a3aa682323e9773bc15c86", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1109478e385ccf4cf89e731c9e7225a6f03e37ec73a3aa682323e9773bc15c86"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/eval.yml"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.OPENAI_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.OPENAI_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 52955, "scanner": "repobility-supply-chain", "fingerprint": "7442587f08f3ce77352559626bbbcf29d1b965f392d5004b89e2aa37ab60a613", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7442587f08f3ce77352559626bbbcf29d1b965f392d5004b89e2aa37ab60a613"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/eval.yml"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.OPENAI_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.OPENAI_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 52954, "scanner": "repobility-supply-chain", "fingerprint": "1118843d78d0dd4c777648080e35dee7abe626785ce88f220f89ed85c01f17ce", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1118843d78d0dd4c777648080e35dee7abe626785ce88f220f89ed85c01f17ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/eval.yml"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `queue` used but not imported: The file uses `queue.something(...)` but never imports `queue`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 52915, "scanner": "repobility-ast-engine", "fingerprint": "8c2af0c94678586052ff4319b34ec1a52cd0039d3fe85575a1cd2117bfda891b", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8c2af0c94678586052ff4319b34ec1a52cd0039d3fe85575a1cd2117bfda891b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/memory/adapters/graph.py"}, "region": {"startLine": 426}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `queue` used but not imported: The file uses `queue.something(...)` but never imports `queue`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 52914, "scanner": "repobility-ast-engine", "fingerprint": "900f9c72886884bdffe5ef2d007bb6632414b68042a83fb9c2d66b9bb7d0e6be", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|900f9c72886884bdffe5ef2d007bb6632414b68042a83fb9c2d66b9bb7d0e6be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/memory/adapters/sqlite_graph.py"}, "region": {"startLine": 551}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `html` used but not imported: The file uses `html.something(...)` but never imports `html`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 52913, "scanner": "repobility-ast-engine", "fingerprint": "4af0d90836892bc3ce387cf7e5b052eb0a3d7fe2a90ba14f6468448b1fe5cc7f", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4af0d90836892bc3ce387cf7e5b052eb0a3d7fe2a90ba14f6468448b1fe5cc7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/transforms/html_extractor.py"}, "region": {"startLine": 116}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `warnings` used but not imported: The file uses `warnings.something(...)` but never imports `warnings`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 52912, "scanner": "repobility-ast-engine", "fingerprint": "c6b0ccdaab105664c72a79879503c3a931e6a85f8433121920b9710bc64884a8", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c6b0ccdaab105664c72a79879503c3a931e6a85f8433121920b9710bc64884a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/transforms/cache_aligner.py"}, "region": {"startLine": 309}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `warnings` used but not imported: The file uses `warnings.something(...)` but never imports `warnings`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 52911, "scanner": "repobility-ast-engine", "fingerprint": "06cd0e57924566f170a8d35533cec42af593cad682d7740f3414ade8697c913e", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|06cd0e57924566f170a8d35533cec42af593cad682d7740f3414ade8697c913e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/transforms/code_compressor.py"}, "region": {"startLine": 1819}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `warnings` used but not imported: The file uses `warnings.something(...)` but never imports `warnings`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 52910, "scanner": "repobility-ast-engine", "fingerprint": "c126d9f3e5c54ffa2b36a1dfa07851ccc655b8813aed9907103e9cd54fea0ef2", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c126d9f3e5c54ffa2b36a1dfa07851ccc655b8813aed9907103e9cd54fea0ef2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/transforms/log_compressor.py"}, "region": {"startLine": 339}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `warnings` used but not imported: The file uses `warnings.something(...)` but never imports `warnings`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 52909, "scanner": "repobility-ast-engine", "fingerprint": "d96217c8aeb29537b98f85f901d300af0322af0912a2d9163deb48b0af16d5eb", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d96217c8aeb29537b98f85f901d300af0322af0912a2d9163deb48b0af16d5eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/cache/dynamic_detector.py"}, "region": {"startLine": 923}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `warnings` used but not imported: The file uses `warnings.something(...)` but never imports `warnings`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 52908, "scanner": "repobility-ast-engine", "fingerprint": "28745909cdd53588be3a3b03e182f1999037b549209f22714c934bf2ecd3be8c", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|28745909cdd53588be3a3b03e182f1999037b549209f22714c934bf2ecd3be8c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/cache/google.py"}, "region": {"startLine": 318}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `warnings` used but not imported: The file uses `warnings.something(...)` but never imports `warnings`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 52907, "scanner": "repobility-ast-engine", "fingerprint": "48a7b73231be1517656e584a707f976033498f412dbdd424f5ee52be099613ff", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|48a7b73231be1517656e584a707f976033498f412dbdd424f5ee52be099613ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/cache/anthropic.py"}, "region": {"startLine": 146}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `warnings` used but not imported: The file uses `warnings.something(...)` but never imports `warnings`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 52906, "scanner": "repobility-ast-engine", "fingerprint": "ae1f7e1d7ec29d86cf93b084d421c1d138c62bbad76eeca0d2c399adad3fdab7", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ae1f7e1d7ec29d86cf93b084d421c1d138c62bbad76eeca0d2c399adad3fdab7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headroom/cache/openai.py"}, "region": {"startLine": 315}}}]}, {"ruleId": "SEC022", "level": "error", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 52633, "scanner": "repobility-threat-engine", "fingerprint": "ea96ca9706301a4b64ffdb01a22db820f94d52fcdbff37483b20d56a084d7489", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "postgresql://user:pass@", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|9|postgresql://user:pass"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/dynamic_detector_benchmark.py"}, "region": {"startLine": 97}}}]}]}]}