{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "SEC005", "name": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.", "shortDescription": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "fullDescription": {"text": "Use subprocess with shell=False and a list of args. Never eval user input."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AGT016", "name": "Codex session log reader may expose prompts or tool-call content", "shortDescription": {"text": "Codex session log reader may expose prompts or tool-call content"}, "fullDescription": {"text": "Codex session JSONL files can contain prompts, tool events, paths, and operational metadata, not only token counts. Token dashboards and exporters should avoid retaining or sharing raw session text."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.73, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "localStorage quotas are small and writes can fail. Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC001", "name": "Parallel implementation file sits beside a canonical file", "shortDescription": {"text": "Parallel implementation file sits beside a canonical file"}, "fullDescription": {"text": "AI-assisted edits often create a new sibling file instead of integrating the change into the existing module. That leaves two paths for future maintainers to understand and can hide the code that is actually wired into the app."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "AGT003", "name": "User-editable role instructions are inserted into the system prompt", "shortDescription": {"text": "User-editable role instructions are inserted into the system prompt"}, "fullDescription": {"text": "Fleet or role instructions that users can edit should be treated as untrusted configuration. Prepending them to every system prompt lets stored text override runtime behavior."}, "properties": {"scanner": "repobility-agent-runtime", "category": "llm_injection", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/303"}, "properties": {"repository": "nikolai-vysotskyi/trace-mcp", "repoUrl": "https://github.com/nikolai-vysotskyi/trace-mcp", "branch": "master"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 9696, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 9695, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "SEC005", "level": "warning", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 9691, "scanner": "repobility-threat-engine", "fingerprint": "f7deaa84f8a03b20f30a2a32ed1f4ff568562127fc53b3b867d57cc413188f89", "category": "injection", "severity": "medium", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "shell=True detected \u2014 verify command source is not user-controllable", "evidence": {"match": "exec(input", "reason": "shell=True detected \u2014 verify command source is not user-controllable", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|src/cli/daemon-stats.ts|32|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli/daemon-stats.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 9684, "scanner": "repobility-threat-engine", "fingerprint": "ab3f2b9b0466fc0164baf0739ae444056fa2d7abcddf3a7a71dc7c76065fa1bd", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "evidence": {"match": "Math.random()", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|src/session/resume.ts|102|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/session/resume.ts"}, "region": {"startLine": 102}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 9682, "scanner": "repobility-threat-engine", "fingerprint": "6210f6e4dc4725cf2ed2655b602ef5519b86f85f454869f121c099a208020af3", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6210f6e4dc4725cf2ed2655b602ef5519b86f85f454869f121c099a208020af3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/telemetry/otlp.ts"}, "region": {"startLine": 212}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 9681, "scanner": "repobility-threat-engine", "fingerprint": "71885ce0d662805099d54e5e3e211baf1f41fe0f2aa6b55f7de0d90587b71cd6", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|71885ce0d662805099d54e5e3e211baf1f41fe0f2aa6b55f7de0d90587b71cd6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/renderer/tabs/AskTab.tsx"}, "region": {"startLine": 1028}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 9680, "scanner": "repobility-threat-engine", "fingerprint": "17dd1b62ab86e32f356971131fe2ead9037eeed5b9cb2e602e48ed9e14b3e4fa", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|17dd1b62ab86e32f356971131fe2ead9037eeed5b9cb2e602e48ed9e14b3e4fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli.ts"}, "region": {"startLine": 2504}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 9679, "scanner": "repobility-agent-runtime", "fingerprint": "84971a5a6db17366c94133a3b5c2866fbf5d5d3fe13170b5e77c0888865fda22", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|84971a5a6db17366c94133a3b5c2866fbf5d5d3fe13170b5e77c0888865fda22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/tools/quality/code-smells.ts"}, "region": {"startLine": 200}}}]}, {"ruleId": "AGT016", "level": "warning", "message": {"text": "Codex session log reader may expose prompts or tool-call content"}, "properties": {"repobilityId": 9678, "scanner": "repobility-agent-runtime", "fingerprint": "d7e3ba661e3076b0442326252cd3dd4627f7ff743b255d77308838b347bdcce3", "category": "quality", "severity": "medium", "confidence": 0.73, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File reads Codex session JSONL or usage logs and references prompt/message/tool content without visible redaction controls.", "evidence": {"rule_id": "AGT016", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|d7e3ba661e3076b0442326252cd3dd4627f7ff743b255d77308838b347bdcce3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/session/providers/codex.ts"}, "region": {"startLine": 2}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 9677, "scanner": "repobility-agent-runtime", "fingerprint": "61f93fec33e80f32f017df42249ac327afc6bec080ddcd26e48447736464d13b", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|61f93fec33e80f32f017df42249ac327afc6bec080ddcd26e48447736464d13b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/renderer/tabs/GraphExplorerGPU.tsx"}, "region": {"startLine": 3812}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 9676, "scanner": "repobility-agent-runtime", "fingerprint": "5f5f90fb46e47a9fa5f9d73dc47afe9b5c5419c0e5cc59d199e613eb80eb67da", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|5f5f90fb46e47a9fa5f9d73dc47afe9b5c5419c0e5cc59d199e613eb80eb67da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/renderer/tabs/AskTab.tsx"}, "region": {"startLine": 81}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 9675, "scanner": "repobility-agent-runtime", "fingerprint": "dc00712212dbe9935e8249e69de1a8430b04b3566812f995aabdcbc6652afb6f", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|dc00712212dbe9935e8249e69de1a8430b04b3566812f995aabdcbc6652afb6f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/renderer/components/GuardOnboarding.tsx"}, "region": {"startLine": 95}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 9674, "scanner": "repobility-agent-runtime", "fingerprint": "1e5fe1c16a7a591771b112a849e33eb9ebb4a40dfb9f5361697c204828460857", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|1e5fe1c16a7a591771b112a849e33eb9ebb4a40dfb9f5361697c204828460857"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/renderer/components/FilterBar.tsx"}, "region": {"startLine": 136}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 9673, "scanner": "repobility-agent-runtime", "fingerprint": "284c35ad8aacc981751d34f41260da3cb4649792e5708bf25c1276327ef0819e", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|284c35ad8aacc981751d34f41260da3cb4649792e5708bf25c1276327ef0819e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/renderer/App.tsx"}, "region": {"startLine": 75}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 9671, "scanner": "repobility-agent-runtime", "fingerprint": "2fa0075d4bf33cc581e091bf4a02838d34310aacb0b7e84814a3f2929819a7e7", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|2fa0075d4bf33cc581e091bf4a02838d34310aacb0b7e84814a3f2929819a7e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/index.html"}, "region": {"startLine": 2872}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9670, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2125b811eaa8a9a51c42ef0c7e1b4887f10011f8837dbfdde1611a1862430828", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/db/repositories/symbol-repository.ts", "duplicate_line": 251, "correlation_key": "fp|2125b811eaa8a9a51c42ef0c7e1b4887f10011f8837dbfdde1611a1862430828"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/db/store.ts"}, "region": {"startLine": 164}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9669, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c4aea6717e16898fdc4b1535b0e64cdae3e31094693709c6305e7e76417070ea", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/cli/eval.ts", "duplicate_line": 74, "correlation_key": "fp|c4aea6717e16898fdc4b1535b0e64cdae3e31094693709c6305e7e76417070ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli/search.ts"}, "region": {"startLine": 68}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9668, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f10038033d7dbeffe5fe5f103fb6c62abc953289775f23aa4429f6e5a5b4a4fb", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/cli/add.ts", "duplicate_line": 34, "correlation_key": "fp|f10038033d7dbeffe5fe5f103fb6c62abc953289775f23aa4429f6e5a5b4a4fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli/init.ts"}, "region": {"startLine": 594}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9667, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3a182246fdf03ae26896ecaf64cf106b15acf6ef35d41d3d56d4fc69018f16a4", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/cli/ci.ts", "duplicate_line": 72, "correlation_key": "fp|3a182246fdf03ae26896ecaf64cf106b15acf6ef35d41d3d56d4fc69018f16a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli/export-security-context.ts"}, "region": {"startLine": 38}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9666, "scanner": "repobility-ai-code-hygiene", "fingerprint": "88e0a239555b0f1885de49345dbfacb58b151b9d826302dcce58a7d173013d9d", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/app/src/renderer/tabs/Dashboard.tsx", "duplicate_line": 5, "correlation_key": "fp|88e0a239555b0f1885de49345dbfacb58b151b9d826302dcce58a7d173013d9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/dashboard-routes.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9665, "scanner": "repobility-ai-code-hygiene", "fingerprint": "97d37b353a442b33a8b4a4981380051d83d39f7aad45cda586ad8cea35ea40cb", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/ai/gemini.ts", "duplicate_line": 138, "correlation_key": "fp|97d37b353a442b33a8b4a4981380051d83d39f7aad45cda586ad8cea35ea40cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/ai/vertex.ts"}, "region": {"startLine": 147}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9664, "scanner": "repobility-ai-code-hygiene", "fingerprint": "443ffd7162001671eee696e3a138de2cf801d200fc5100f817f7a556d88eddbb", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/ai/ollama.ts", "duplicate_line": 16, "correlation_key": "fp|443ffd7162001671eee696e3a138de2cf801d200fc5100f817f7a556d88eddbb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/ai/openai.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9663, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f309abde51bea9e11043646ff0324fb2723b5103a7b97ad117ff73290a40ba1d", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/ai/anthropic.ts", "duplicate_line": 12, "correlation_key": "fp|f309abde51bea9e11043646ff0324fb2723b5103a7b97ad117ff73290a40ba1d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/ai/fallback.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9662, "scanner": "repobility-ai-code-hygiene", "fingerprint": "169a6823f265168fad44dc7b3d936a8d8df5221629150e9096a654239aba2a48", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/app/src/renderer/tabs/insights-runtime.ts", "duplicate_line": 158, "correlation_key": "fp|169a6823f265168fad44dc7b3d936a8d8df5221629150e9096a654239aba2a48"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/renderer/tabs/notebook-runtime.ts"}, "region": {"startLine": 76}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9661, "scanner": "repobility-ai-code-hygiene", "fingerprint": "342b7a9ab419271f987bf5df27a6bc59e20d4cbe08b277542f65e009a2085596", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/app/src/renderer/tabs/Insights.tsx", "duplicate_line": 329, "correlation_key": "fp|342b7a9ab419271f987bf5df27a6bc59e20d4cbe08b277542f65e009a2085596"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/renderer/tabs/Notebook.tsx"}, "region": {"startLine": 360}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9660, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e3ab94b1ebe4d6fc52afd183b9fef0493c52150830240467a04ef830e86b6a8a", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/app/src/renderer/tabs/Clients.tsx", "duplicate_line": 329, "correlation_key": "fp|e3ab94b1ebe4d6fc52afd183b9fef0493c52150830240467a04ef830e86b6a8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/renderer/tabs/Indexes.tsx"}, "region": {"startLine": 36}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9659, "scanner": "repobility-ai-code-hygiene", "fingerprint": "02bcf3f937a6fc35ced7ca90074587be52afe44c605046cfd56b3f278f7b88be", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/app/src/main/api-client.ts", "duplicate_line": 15, "correlation_key": "fp|02bcf3f937a6fc35ced7ca90074587be52afe44c605046cfd56b3f278f7b88be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/renderer/hooks/useDaemon.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC001", "level": "warning", "message": {"text": "Parallel implementation file sits beside a canonical file"}, "properties": {"repobilityId": 9658, "scanner": "repobility-ai-code-hygiene", "fingerprint": "736261cf53058ca72c31601d5a6e0a0a13896324fd6c762c86d53ece7836c3af", "category": "quality", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Source filename has a patch-style suffix and a same-directory canonical sibling exists.", "evidence": {"suffix": "v2", "rule_id": "AIC001", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195", "https://knip.dev/"], "canonical_file": "src/indexer/plugins/language/regex-base.ts", "correlation_key": "fp|736261cf53058ca72c31601d5a6e0a0a13896324fd6c762c86d53ece7836c3af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/indexer/plugins/language/regex-base-v2.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 9694, "scanner": "repobility-docker", "fingerprint": "ef57a28066777809ce67632896ef02fadfc0be3ccb0821d8b74a945913fe93b7", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "jaeger", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ef57a28066777809ce67632896ef02fadfc0be3ccb0821d8b74a945913fe93b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ops/telemetry/docker-compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 9693, "scanner": "repobility-docker", "fingerprint": "ea137c23daa36ef6496c89186217aee0ca08f62a76fd6c03f07d7af0c4b79acd", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "jaeger", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ea137c23daa36ef6496c89186217aee0ca08f62a76fd6c03f07d7af0c4b79acd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ops/telemetry/docker-compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 9692, "scanner": "repobility-threat-engine", "fingerprint": "b9b0ce9e64603443e4eab4d3abf9b224ed47f6f607eda21d6b2b73826831bdc9", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = '<strong>' + e", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|1844|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/tools/analysis/visualize.ts"}, "region": {"startLine": 1844}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 9690, "scanner": "repobility-threat-engine", "fingerprint": "ea9c62ea102b88b1dcb1c0c16e174f36e967b75731f885c63c6d07864cd760f5", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "logger.warn('Gemini provider selected but no api_key configured \u2014 falling back')", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|src/ai/index.ts|37|logger.warn gemini provider selected but no api_key configured falling back"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/ai/index.ts"}, "region": {"startLine": 378}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 9689, "scanner": "repobility-threat-engine", "fingerprint": "c28bf7f2432810c1ae302952e484cc52cb1cae3d693b87b7eb3c629be004314c", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "The token term appears to refer to NLP/model token counts, a tokenizer, or blockchain token metadata rather than credential material", "evidence": {"match": "console.log(`Estimated tokens: ${wakeUp.estimated_tokens}`)", "reason": "The token term appears to refer to NLP/model token counts, a tokenizer, or blockchain token metadata rather than credential material", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|src/cli/memory.ts|30|console.log estimated tokens: wakeup.estimated_tokens"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli/memory.ts"}, "region": {"startLine": 304}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 9688, "scanner": "repobility-threat-engine", "fingerprint": "a3a75af4455018bfabfab4e02e034b5e2edf78486e323546244fc40d5018fa3e", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "The token term appears to refer to NLP/model token counts, a tokenizer, or blockchain token metadata rather than credential material", "evidence": {"match": "console.log(`Input tokens: ${result.totals.inputTokens.toLocaleString()", "reason": "The token term appears to refer to NLP/model token counts, a tokenizer, or blockchain token metadata rather than credential material", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|src/cli/analytics.ts|13|console.log input tokens: token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli/analytics.ts"}, "region": {"startLine": 140}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 9687, "scanner": "repobility-threat-engine", "fingerprint": "a0d26ba9b4df32e50ac3a2172c7bcb910780192e3d92aeb18151489dc0cd5980", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|a0d26ba9b4df32e50ac3a2172c7bcb910780192e3d92aeb18151489dc0cd5980"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 9686, "scanner": "repobility-threat-engine", "fingerprint": "b27b53555f61e5fccbbd98a000d5513c688073bc0a5eebc967847e6c030396dc", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|1677|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/renderer/tabs/GraphExplorerGPU.tsx"}, "region": {"startLine": 1677}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 9685, "scanner": "repobility-threat-engine", "fingerprint": "4ac745cbd611e5b0e07960548876ad0de05d1f16130a191203f27c83a4f6437a", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|39|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/renderer/tabs/Notebook.tsx"}, "region": {"startLine": 39}}}]}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 9683, "scanner": "repobility-threat-engine", "fingerprint": "5c81d47da75c572182ad0e4e4629636dbf842fd65f2c830612248897d6fb397f", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|5c81d47da75c572182ad0e4e4629636dbf842fd65f2c830612248897d6fb397f"}}}, {"ruleId": "AGT003", "level": "error", "message": {"text": "User-editable role instructions are inserted into the system prompt"}, "properties": {"repobilityId": 9672, "scanner": "repobility-agent-runtime", "fingerprint": "8b1274c4f84ab3ab0faf4803de791428184813a7b44cdd9ceaa556f8afa2caae", "category": "llm_injection", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File appears to combine a user-editable role/fleet instruction with system prompt construction without visible bounds or sanitizer.", "evidence": {"rule_id": "AGT003", "scanner": "repobility-agent-runtime", "data_flow": "user_editable_role_to_system_prompt", "references": ["https://owasp.org/www-project-top-10-for-large-language-model-applications/"], "correlation_key": "fp|8b1274c4f84ab3ab0faf4803de791428184813a7b44cdd9ceaa556f8afa2caae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/main/index.ts"}, "region": {"startLine": 94}}}]}]}]}