{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "Add a Content-Security-Policy header through the web framework or hosting config. For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, img-src, and frame-ancestors."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /sr"}, "fullDescription": {"text": "Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AUC004", "name": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence ", "shortDescription": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /admin/reviews/:id/rou"}, "fullDescription": {"text": "Define whether this endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.66, "cwe": "", "owasp": ""}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 41.7% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 41.7% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Add robots.txt at the web root or a framework-native robots route. Include an explicit Sitemap directive and disallow only private paths."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED057", "name": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolve", "shortDescription": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 4 more): Same pattern found in 4 additional fil", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED047", "name": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested.", "shortDescription": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 18 more): Same pattern found in 18 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 18 more): Same pattern found in 18 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 15 more): Same pattern found in 15 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 54 more): Same pattern found in 54 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 54 more): Same pattern found in 54 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 9 more): Same pattern found in 9 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 17 more): Same pattern found in 17 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 17 more): Same pattern found in 17 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 40 more): Same pattern found in 40 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 40 more): Same pattern found in 40 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 48 more): Same pattern found in 48 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 48 more): Same pattern found in 48 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/530"}, "properties": {"repository": "mercurjs/mercur", "repoUrl": "https://github.com/mercurjs/mercur", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 32431, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 32430, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /src/api/store/custom/route."}, "properties": {"repobilityId": 32426, "scanner": "repobility-access-control", "fingerprint": "c014e053a54fe3e17b1609df187b2d7b785e3feb8e934d50e0b733828dd4ebd5", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation. Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"path": "/src/api/store/custom/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|3|auc009", "duplicate_count": 2, "identity_targets": ["unknown"], "duplicate_rule_ids": ["AUC009"], "duplicate_scanners": ["repobility-access-control"], "duplicate_fingerprints": ["0539f2660467cfc6db8e3daab76f8ef964fad69c738ab47c20a53c6e75497d67", "9378aee4b603fcda1b92619a3729fdbfdaf748bae15cc2d4b3bef0079edb5958", "c014e053a54fe3e17b1609df187b2d7b785e3feb8e934d50e0b733828dd4ebd5"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/api/store/custom/route.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /admin/reviews/:id/route."}, "properties": {"repobilityId": 32425, "scanner": "repobility-access-control", "fingerprint": "79bef522a6b74fb94a1bbd9b9a1cf483f65ae035d6f9e0a218a626383256560f", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/admin/reviews/:id/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token / id /route.ts|6|auc004", "identity_targets": ["authenticated", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/registry/src/reviews/api/admin/reviews/[id]/route.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /admin/reviews/route."}, "properties": {"repobilityId": 32424, "scanner": "repobility-access-control", "fingerprint": "986fdadfad29354b7ba281c22787a6948e67e7f83adc9cbbf85b57c0dfea18f9", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/admin/reviews/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|6|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/registry/src/reviews/api/admin/reviews/route.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /admin/requests/:type/:id/accept/route."}, "properties": {"repobilityId": 32423, "scanner": "repobility-access-control", "fingerprint": "915ca861bfe94c9ed2aa8631e5147c5ce4d17f09a7c330803712a319c2d48028", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/admin/requests/:type/:id/accept/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token / type / id /accept/route.ts|8|auc004", "identity_targets": ["authenticated", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/registry/src/requests/api/admin/requests/[type]/[id]/accept/route.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /admin/requests/:type/:id/reject/route."}, "properties": {"repobilityId": 32422, "scanner": "repobility-access-control", "fingerprint": "79a34677ed9b56aab3f5923eb9abf6de558ba786cfff15e594cd66556ad4535f", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/admin/requests/:type/:id/reject/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token / type / id /reject/route.ts|8|auc004", "identity_targets": ["authenticated", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/registry/src/requests/api/admin/requests/[type]/[id]/reject/route.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /admin/requests/:type/:id/route."}, "properties": {"repobilityId": 32421, "scanner": "repobility-access-control", "fingerprint": "84aa7fcd3a868c44807ae0dae8c0424e4196eba9eb1f7ad11c25545d1dbe6895", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/admin/requests/:type/:id/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token / type / id /route.ts|6|auc004", "identity_targets": ["authenticated", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/registry/src/requests/api/admin/requests/[type]/[id]/route.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /admin/requests/:type/route."}, "properties": {"repobilityId": 32420, "scanner": "repobility-access-control", "fingerprint": "126fb6bbfc1705089607eb298711e412482b13efef7858d66a14321d5a079114", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/admin/requests/:type/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token / type /route.ts|7|auc004", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/registry/src/requests/api/admin/requests/[type]/route.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /src/api/admin/custom/route."}, "properties": {"repobilityId": 32419, "scanner": "repobility-access-control", "fingerprint": "bfc5d465d804abce7cb7f0ba414a5f34512d317c07dc9c63555ca29a011cff5f", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation. Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"path": "/src/api/admin/custom/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|3|auc004", "duplicate_count": 2, "identity_targets": ["unknown", "admin"], "duplicate_rule_ids": ["AUC004"], "duplicate_scanners": ["repobility-access-control"], "duplicate_fingerprints": ["780f027c8e0ee6e31438753f681627b94e5d4d4cf656a6d83faf37aab2eabf8e", "bfc5d465d804abce7cb7f0ba414a5f34512d317c07dc9c63555ca29a011cff5f", "caf878138d517cd7d0929018d60330e0904accb63c219f9d65196731158244c7"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/api/admin/custom/route.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 41.7% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 32418, "scanner": "repobility-access-control", "fingerprint": "361e1b70dfadcbc3057eb58f0af036e9f2959d20e4419e951fbcc27c2cb18eaa", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 12, "correlation_key": "fp|361e1b70dfadcbc3057eb58f0af036e9f2959d20e4419e951fbcc27c2cb18eaa", "auth_visible_percent": 41.7}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 32417, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 32385, "scanner": "repobility-threat-engine", "fingerprint": "436403d9ead980153218f93e0e30b3babd6112fca2b2bcce1a600b3d67c66902", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|436403d9ead980153218f93e0e30b3babd6112fca2b2bcce1a600b3d67c66902"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/utils/create-db.ts"}, "region": {"startLine": 83}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 32383, "scanner": "repobility-threat-engine", "fingerprint": "61024a4ac81a03368a956ef755f94a78ff6f3290371e1dbd2350446880bcbbc1", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|8|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/registry/env.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 32368, "scanner": "repobility-threat-engine", "fingerprint": "56c53d5633c7a1edcf2fb7799b62a9099fac29d99613f3abb8b4cc5de4988a36", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(hrefWithBasePath, \"_blank\", \"noreferrer\")", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|295|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/components/data-table/data-table.tsx"}, "region": {"startLine": 295}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 32429, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 32428, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 32427, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 32416, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ab9b5a82702e70f8562b5c45dd6002ead3f1bc4513aedc6617377eb1b44b0b13", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/admin/src/hooks/api/campaigns.tsx", "duplicate_line": 1, "correlation_key": "fp|ab9b5a82702e70f8562b5c45dd6002ead3f1bc4513aedc6617377eb1b44b0b13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/hooks/api/regions.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 32415, "scanner": "repobility-ai-code-hygiene", "fingerprint": "64464b798ffc2116d271d808d38cfcdd3c3b7519936fb4521d835c792ca819c8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/admin/src/hooks/api/campaigns.tsx", "duplicate_line": 1, "correlation_key": "fp|64464b798ffc2116d271d808d38cfcdd3c3b7519936fb4521d835c792ca819c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/hooks/api/product-types.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 32414, "scanner": "repobility-ai-code-hygiene", "fingerprint": "373dcdef54e60d1d1e5f111d0e80dc1eb4ad2405567c7445d6b85cb31b454fc2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/admin/src/hooks/api/campaigns.tsx", "duplicate_line": 1, "correlation_key": "fp|373dcdef54e60d1d1e5f111d0e80dc1eb4ad2405567c7445d6b85cb31b454fc2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/hooks/api/price-preferences.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 32413, "scanner": "repobility-ai-code-hygiene", "fingerprint": "528d8eda607b8da582e149bf0db34b44a66833066600b1b416f0ef6406022550", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/admin/src/hooks/api/customers.tsx", "duplicate_line": 5, "correlation_key": "fp|528d8eda607b8da582e149bf0db34b44a66833066600b1b416f0ef6406022550"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/hooks/api/price-lists.tsx"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 32412, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5b2ec1a978b77d82ed40955b6c3cce318a5c6fefb1853a9f9a028073a4b3fda1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/admin/src/hooks/api/campaigns.tsx", "duplicate_line": 1, "correlation_key": "fp|5b2ec1a978b77d82ed40955b6c3cce318a5c6fefb1853a9f9a028073a4b3fda1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/hooks/api/price-lists.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 32411, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ba447f18e62887eb47110f69f4075f97946d08a7924bd70c013391178276042c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/admin/src/hooks/api/orders.tsx", "duplicate_line": 373, "correlation_key": "fp|ba447f18e62887eb47110f69f4075f97946d08a7924bd70c013391178276042c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/hooks/api/payments.tsx"}, "region": {"startLine": 75}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 32410, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ad545e38a6a74fffb160a24b9c6e74ac4c7cff882670b9f5e95cdbb1a1738d98", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/admin/src/hooks/api/claims.tsx", "duplicate_line": 119, "correlation_key": "fp|ad545e38a6a74fffb160a24b9c6e74ac4c7cff882670b9f5e95cdbb1a1738d98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/hooks/api/order-edits.tsx"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 32409, "scanner": "repobility-ai-code-hygiene", "fingerprint": "568a431fa88466734906d7e435897d174c4a0a45f4bfccd98acbe574b25bbf5b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/admin/src/hooks/api/campaigns.tsx", "duplicate_line": 1, "correlation_key": "fp|568a431fa88466734906d7e435897d174c4a0a45f4bfccd98acbe574b25bbf5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/hooks/api/invites.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 32408, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b448e40f8baf2eff0e1dd65f80bc47a5e4e6a69acf9407107aed09c36b62d86e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/admin/src/hooks/api/claims.tsx", "duplicate_line": 254, "correlation_key": "fp|b448e40f8baf2eff0e1dd65f80bc47a5e4e6a69acf9407107aed09c36b62d86e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/hooks/api/exchanges.tsx"}, "region": {"startLine": 169}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 32407, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bb8c19242a3cff283e60ee60a372c94eec031a5f38180459b97623d7964a21f3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/admin/src/hooks/api/campaigns.tsx", "duplicate_line": 1, "correlation_key": "fp|bb8c19242a3cff283e60ee60a372c94eec031a5f38180459b97623d7964a21f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/hooks/api/customers.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 32406, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ecf6cf8223a4ff1187277ec848512b2f8ea5d88823d282e122047e2d766952d1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/admin/src/hooks/api/campaigns.tsx", "duplicate_line": 1, "correlation_key": "fp|ecf6cf8223a4ff1187277ec848512b2f8ea5d88823d282e122047e2d766952d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/hooks/api/customer-groups.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 32405, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fcec1a839eed866cd0874db43c2b3a59f864dfec4ca4174692747afc8e70d687", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/admin/src/hooks/api/campaigns.tsx", "duplicate_line": 1, "correlation_key": "fp|fcec1a839eed866cd0874db43c2b3a59f864dfec4ca4174692747afc8e70d687"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/hooks/api/commission-rates.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 32404, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c1dd9c603577eb82048387f85f0757eb0376d2a7233ff600e42ac8916250f55e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/admin/src/components/table/table-cells/common/name-cell/name-cell.tsx", "duplicate_line": 12, "correlation_key": "fp|c1dd9c603577eb82048387f85f0757eb0376d2a7233ff600e42ac8916250f55e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/components/table/table-cells/sales-channel/name-cell/name-cell.tsx"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 32403, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b43949c76fd26d20a219624899f9d39cdb335cf986684d164132e0042f465db6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/admin/src/components/data-table/components/data-table-status-cell/data-table-status-cell.tsx", "duplicate_line": 10, "correlation_key": "fp|b43949c76fd26d20a219624899f9d39cdb335cf986684d164132e0042f465db6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/components/table/table-cells/common/status-cell/status-cell.tsx"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 32402, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ec74dca1a8ccdb2d2dee901a28382ecc6046d97017f1a320baf0afac5b62709d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/admin/src/components/table/table-cells/common/created-at-cell/created-at-cell.tsx", "duplicate_line": 9, "correlation_key": "fp|ec74dca1a8ccdb2d2dee901a28382ecc6046d97017f1a320baf0afac5b62709d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/components/table/table-cells/common/date-cell/date-cell.tsx"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 32401, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4e8d39f714adab7556bc9f4be8554a8235919704f071c650632b050dffcf2c77", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/admin/src/components/table/data-table/data-table-filter/string-filter.tsx", "duplicate_line": 24, "correlation_key": "fp|4e8d39f714adab7556bc9f4be8554a8235919704f071c650632b050dffcf2c77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/components/table/data-table/data-table-search/data-table-search.tsx"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 32400, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4c5cdf0b2da18889e4223e0f44bd545ae544995708ed4f10e908c4d649f076a7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/admin/src/components/filtering/order-by/order-by.tsx", "duplicate_line": 20, "correlation_key": "fp|4c5cdf0b2da18889e4223e0f44bd545ae544995708ed4f10e908c4d649f076a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/components/table/data-table/data-table-order-by/data-table-order-by.tsx"}, "region": {"startLine": 26}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 32399, "scanner": "repobility-ai-code-hygiene", "fingerprint": "da6ae18f695b6d53ae050a4e12573643eb44336ff87e5545458a656f54302936", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/admin/src/components/table/data-table/data-table-filter/select-filter.tsx", "duplicate_line": 90, "correlation_key": "fp|da6ae18f695b6d53ae050a4e12573643eb44336ff87e5545458a656f54302936"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/components/table/data-table/data-table-filter/string-filter.tsx"}, "region": {"startLine": 66}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 32398, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3e06e721bc03b28d112207881027349a169b07a261a4ec28248df281df31ef86", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/admin/src/components/table/data-table/data-table-filter/date-filter.tsx", "duplicate_line": 111, "correlation_key": "fp|3e06e721bc03b28d112207881027349a169b07a261a4ec28248df281df31ef86"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/components/table/data-table/data-table-filter/number-filter.tsx"}, "region": {"startLine": 133}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 32397, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5e3a7def7a627d9578013ef9834ead7ce4abc25e307a072833e8eb69f68314d9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/admin/src/components/data-grid/components/data-grid-keyboard-shortcut-modal.tsx", "duplicate_line": 225, "correlation_key": "fp|5e3a7def7a627d9578013ef9834ead7ce4abc25e307a072833e8eb69f68314d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/components/layout/user-menu/user-menu.tsx"}, "region": {"startLine": 265}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 32396, "scanner": "repobility-ai-code-hygiene", "fingerprint": "41bd170d1758469cb3d8c75933e69323b1365672e054716ab797d55c17921258", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/admin/src/components/layout/main-layout/main-layout.tsx", "duplicate_line": 359, "correlation_key": "fp|41bd170d1758469cb3d8c75933e69323b1365672e054716ab797d55c17921258"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/components/layout/settings-layout/settings-layout.tsx"}, "region": {"startLine": 227}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 32395, "scanner": "repobility-ai-code-hygiene", "fingerprint": "af6edb2c44b2b89a5c4b747b304a231181263db2754b7f97d69aacb5de30b0b8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/admin/src/components/layout/pages/single-column-page/single-column-page.tsx", "duplicate_line": 12, "correlation_key": "fp|af6edb2c44b2b89a5c4b747b304a231181263db2754b7f97d69aacb5de30b0b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/components/layout/pages/two-column-page/two-column-page.tsx"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 32394, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4a44cc1ad38f6fe44347ef27bf8512056ebc6e9117dd855b3583b0f5e206648e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/admin/src/components/data-grid/components/data-grid-number-cell.tsx", "duplicate_line": 15, "correlation_key": "fp|4a44cc1ad38f6fe44347ef27bf8512056ebc6e9117dd855b3583b0f5e206648e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/components/data-grid/components/data-grid-toggleable-number-cell.tsx"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 32393, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3f078f4aaeb401000c579ab7710fb9d6226b0e625697dcd05ef6934e83447dbd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/admin/src/components/data-grid/components/data-grid-boolean-cell.tsx", "duplicate_line": 11, "correlation_key": "fp|3f078f4aaeb401000c579ab7710fb9d6226b0e625697dcd05ef6934e83447dbd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/components/data-grid/components/data-grid-text-cell.tsx"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 32392, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dbda41b053abc426e317b3efa0811b257419064067b49198f5b0eece765f5d35", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/admin/src/components/data-grid/components/data-grid-multiline-cell.tsx", "duplicate_line": 9, "correlation_key": "fp|dbda41b053abc426e317b3efa0811b257419064067b49198f5b0eece765f5d35"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/components/data-grid/components/data-grid-text-cell.tsx"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 32391, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9a796381beb49348750302d4427fead52405c4c67eb1f591a8bdccdc0bfebb46", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/admin/src/components/data-grid/components/data-grid-boolean-cell.tsx", "duplicate_line": 11, "correlation_key": "fp|9a796381beb49348750302d4427fead52405c4c67eb1f591a8bdccdc0bfebb46"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/components/data-grid/components/data-grid-number-cell.tsx"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 32390, "scanner": "repobility-ai-code-hygiene", "fingerprint": "478b9ccf5eed810d5a08950abfafffeafc35275792a886527a1a971a52098995", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/api/medusa-config.ts", "duplicate_line": 20, "correlation_key": "fp|478b9ccf5eed810d5a08950abfafffeafc35275792a886527a1a971a52098995"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration-tests/medusa-config.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 32389, "scanner": "repobility-ai-code-hygiene", "fingerprint": "97a2b7afe6328c56af66258c5285e1fb5ea3b62d4a274cae3f4a1dd1bb124f87", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "integration-tests/helpers/create-admin-user.ts", "duplicate_line": 34, "correlation_key": "fp|97a2b7afe6328c56af66258c5285e1fb5ea3b62d4a274cae3f4a1dd1bb124f87"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration-tests/helpers/create-seller-user.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 32388, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6979fbde245b23b421e996b387490d31afb6a1b1d41c56138ebb54cd17cec204", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "integration-tests/helpers/create-admin-user.ts", "duplicate_line": 32, "correlation_key": "fp|6979fbde245b23b421e996b387490d31afb6a1b1d41c56138ebb54cd17cec204"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration-tests/helpers/create-customer-user.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 32387, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f252f7695c2b4df57623bee4b63fed16428bbc47a0ce65ca00f92380cfbba90d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".mercur/_generated/index.ts", "duplicate_line": 1, "correlation_key": "fp|f252f7695c2b4df57623bee4b63fed16428bbc47a0ce65ca00f92380cfbba90d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration-tests/.mercur/_generated/index.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 32386, "scanner": "repobility-threat-engine", "fingerprint": "34665f37ae9e1725c5409d07fd7121156785cb038e72bc462b2004e64fd7ee0f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|34665f37ae9e1725c5409d07fd7121156785cb038e72bc462b2004e64fd7ee0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/utils/dashboard/dashboard-base.ts"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED057", "level": "none", "message": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "properties": {"repobilityId": 32382, "scanner": "repobility-threat-engine", "fingerprint": "5ecd051af3e9a09b657b47c3a61a1498d4a4f3c7abdbeb3ba451443ee7530a16", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "todo-bomb", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348035+00:00", "triaged_in_corpus": 10, "observations_count": 255662, "ai_coder_pattern_id": 4}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5ecd051af3e9a09b657b47c3a61a1498d4a4f3c7abdbeb3ba451443ee7530a16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/pages/profile/profile-edit/components/edit-profile-form/edit-profile-form.tsx"}, "region": {"startLine": 150}}}]}, {"ruleId": "MINED057", "level": "none", "message": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "properties": {"repobilityId": 32381, "scanner": "repobility-threat-engine", "fingerprint": "34b82609f9986098f36413a4b1fe3bd13f7db50265b9f5f592320362f1f96352", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "todo-bomb", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348035+00:00", "triaged_in_corpus": 10, "observations_count": 255662, "ai_coder_pattern_id": 4}, "scanner": "repobility-threat-engine", "correlation_key": "fp|34b82609f9986098f36413a4b1fe3bd13f7db50265b9f5f592320362f1f96352"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/pages/profile/profile-detail/components/profile-general-section/profile-general-section.tsx"}, "region": {"startLine": 66}}}]}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 32380, "scanner": "repobility-threat-engine", "fingerprint": "588cbe6635e9107e3f4226ff395bb9d3b8dbc57f8977957784281db9e5f71589", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|588cbe6635e9107e3f4226ff395bb9d3b8dbc57f8977957784281db9e5f71589"}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 32376, "scanner": "repobility-threat-engine", "fingerprint": "1f598da1a7c222354e0b50332194c89ced9c24adf7a7c7ec3200edaeb9aecf09", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|215|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/modules/seller/service.ts"}, "region": {"startLine": 215}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 32375, "scanner": "repobility-threat-engine", "fingerprint": "ffaf6c906242a716bc75babe2aaeceb3d4398a2b60b21a25f68ac31e6aed39aa", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|24|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/modules/payout/providers/system.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 32374, "scanner": "repobility-threat-engine", "fingerprint": "ab66008a6a0e8965d9867a07da88d0cf9ed2cd330570442671a13b512021deea", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|191|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/pages/attributes/attribute-create-possible-value/attribute-create-possible-value.tsx"}, "region": {"startLine": 191}}}]}, {"ruleId": "MINED047", "level": "none", "message": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "properties": {"repobilityId": 32373, "scanner": "repobility-threat-engine", "fingerprint": "50718505c86873178282574e1d78b272ac98bc95aae8b47cb47304a06f16aa20", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "emoji-in-source", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348010+00:00", "triaged_in_corpus": 9, "observations_count": 1468364, "ai_coder_pattern_id": 29}, "scanner": "repobility-threat-engine", "correlation_key": "fp|50718505c86873178282574e1d78b272ac98bc95aae8b47cb47304a06f16aa20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/i18n/languages.ts"}, "region": {"startLine": 133}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 18 more): Same pattern found in 18 additional files. Review if needed."}, "properties": {"repobilityId": 32372, "scanner": "repobility-threat-engine", "fingerprint": "b98826a496e2c244206dacb96a98f930d8c279872e9506ee2677167c314ee386", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 18 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 18 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b98826a496e2c244206dacb96a98f930d8c279872e9506ee2677167c314ee386"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "properties": {"repobilityId": 32367, "scanner": "repobility-threat-engine", "fingerprint": "f922f4f13d4219e470422812906b99d2e69dcf0dbe44404db6fb52eebaf73cdd", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f922f4f13d4219e470422812906b99d2e69dcf0dbe44404db6fb52eebaf73cdd", "aggregated_count": 15}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 32366, "scanner": "repobility-threat-engine", "fingerprint": "c17e44eba93ce8a8f9b265bccb2c66d1c50efaa16cd8c2bda2da56fd9c6d8813", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c17e44eba93ce8a8f9b265bccb2c66d1c50efaa16cd8c2bda2da56fd9c6d8813"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/components/layout/pages/two-column-page/two-column-page.tsx"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 32365, "scanner": "repobility-threat-engine", "fingerprint": "3f926c95fb92b49386fc509da446c141bd78a77ad31d8afd78d77e9de4387772", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3f926c95fb92b49386fc509da446c141bd78a77ad31d8afd78d77e9de4387772"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/components/layout/pages/single-column-page/single-column-page.tsx"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 32364, "scanner": "repobility-threat-engine", "fingerprint": "fe786fc1a067f4ccf3125cdbe777423deb2dd15ed20e14cf4951ca4874d311d7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fe786fc1a067f4ccf3125cdbe777423deb2dd15ed20e14cf4951ca4874d311d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/components/data-grid/hooks/use-data-grid-column-visibility.tsx"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 54 more): Same pattern found in 54 additional files. Review if needed."}, "properties": {"repobilityId": 32363, "scanner": "repobility-threat-engine", "fingerprint": "85f5fede23d607131d8c59d6ab67af41d72116922690cfc0aa6989b70b7afbb2", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 54 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|85f5fede23d607131d8c59d6ab67af41d72116922690cfc0aa6989b70b7afbb2", "aggregated_count": 54}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 32362, "scanner": "repobility-threat-engine", "fingerprint": "79b2154f3b197f3db372a5068ca6f59d29fe092362b81f26e73adbed15bf66a4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|79b2154f3b197f3db372a5068ca6f59d29fe092362b81f26e73adbed15bf66a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/components/data-grid/hooks/use-data-grid-cell-handlers.tsx"}, "region": {"startLine": 105}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 32361, "scanner": "repobility-threat-engine", "fingerprint": "a4143e20700d7e57828ba562c43b26f2453ca5fcb6a21ee480f321669fb81893", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a4143e20700d7e57828ba562c43b26f2453ca5fcb6a21ee480f321669fb81893"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/components/data-grid/context/data-grid-context.tsx"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 32360, "scanner": "repobility-threat-engine", "fingerprint": "b0cc3cc70159662031e7ea96f03ea533c65f0e4af321c85f1c7ea29e236e38e8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b0cc3cc70159662031e7ea96f03ea533c65f0e4af321c85f1c7ea29e236e38e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/components/data-grid/components/data-grid-textarea-modal-cell.tsx"}, "region": {"startLine": 59}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 32359, "scanner": "repobility-threat-engine", "fingerprint": "a0769f34321ccb4a2408866410ff258332c2e3d0c176eda236c0efe5490d0026", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|a0769f34321ccb4a2408866410ff258332c2e3d0c176eda236c0efe5490d0026"}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 17 more): Same pattern found in 17 additional files. Review if needed."}, "properties": {"repobilityId": 32355, "scanner": "repobility-threat-engine", "fingerprint": "d3082ca9823d9ea57017bd18348c85d9a8bec464c5453e2741dca5a07fb24bed", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 17 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|d3082ca9823d9ea57017bd18348c85d9a8bec464c5453e2741dca5a07fb24bed", "aggregated_count": 17}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 32354, "scanner": "repobility-threat-engine", "fingerprint": "33d44099979ed3f4c478d96c95026b4a99874118a2bbcd16f4fb919ba731f672", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|33d44099979ed3f4c478d96c95026b4a99874118a2bbcd16f4fb919ba731f672"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/components/data-grid/components/data-grid-keyboard-shortcut-modal.tsx"}, "region": {"startLine": 224}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 32353, "scanner": "repobility-threat-engine", "fingerprint": "a8a8831f34a0bd1acc0bf2cc9be16fe7edf1811044d08f2a9bd57e742073fa85", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a8a8831f34a0bd1acc0bf2cc9be16fe7edf1811044d08f2a9bd57e742073fa85"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/components/common/customer-info/customer-info.tsx"}, "region": {"startLine": 128}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 32352, "scanner": "repobility-threat-engine", "fingerprint": "0d8a78743615f194a6b15abe57743a7c53400e1e1332db350c70f3ae7940ff8d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0d8a78743615f194a6b15abe57743a7c53400e1e1332db350c70f3ae7940ff8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/components/common/action-menu/action-menu.tsx"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 40 more): Same pattern found in 40 additional files. Review if needed."}, "properties": {"repobilityId": 32351, "scanner": "repobility-threat-engine", "fingerprint": "a487643220759f9325e52cfa5427e244d26fcea4d49a75ff8065790763a19ff4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 40 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a487643220759f9325e52cfa5427e244d26fcea4d49a75ff8065790763a19ff4", "aggregated_count": 40}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 32350, "scanner": "repobility-threat-engine", "fingerprint": "2eb5d9ee0e516db96e7bca02e18003f0435d1caa419f54c23f16323dd2c7fa47", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2eb5d9ee0e516db96e7bca02e18003f0435d1caa419f54c23f16323dd2c7fa47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/components/tabbed-form/tabbed-form.tsx"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 32349, "scanner": "repobility-threat-engine", "fingerprint": "1cdbb222c056aaf5c59391d6750848f35efda278c7335a4e5aaa4bcd39f32b73", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1cdbb222c056aaf5c59391d6750848f35efda278c7335a4e5aaa4bcd39f32b73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/components/inputs/percentage-input/percentage-input.tsx"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 32348, "scanner": "repobility-threat-engine", "fingerprint": "dc24fa88ad8c02c18364a0f86b7896db8389b6574f8ede8deba091ff3009201a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dc24fa88ad8c02c18364a0f86b7896db8389b6574f8ede8deba091ff3009201a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration-tests/helpers/create-seller-user.ts"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 48 more): Same pattern found in 48 additional files. Review if needed."}, "properties": {"repobilityId": 32347, "scanner": "repobility-threat-engine", "fingerprint": "c5f9e3f1fba7db838fceba807bd60f23953907c356507bb215e0a1c70525ee2e", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 48 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|c5f9e3f1fba7db838fceba807bd60f23953907c356507bb215e0a1c70525ee2e", "aggregated_count": 48}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 32346, "scanner": "repobility-threat-engine", "fingerprint": "144bfb7b24b8a0b7d92ddd135e325fd9802c9b3b1108fa6530968c3396937f35", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|144bfb7b24b8a0b7d92ddd135e325fd9802c9b3b1108fa6530968c3396937f35"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/components/common/sortable-tree/sortable-tree-item.tsx"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 32345, "scanner": "repobility-threat-engine", "fingerprint": "ce191a9160fa71086cb71de7da2e2c6a6c9aa4c2067a9337729e3e95baf6e6e3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ce191a9160fa71086cb71de7da2e2c6a6c9aa4c2067a9337729e3e95baf6e6e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/components/common/metadata-section/metadata-section.tsx"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 32344, "scanner": "repobility-threat-engine", "fingerprint": "7e8b60b4c2b94493bd61a597de800ed814fd208661b1025910541e1ad69084dd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7e8b60b4c2b94493bd61a597de800ed814fd208661b1025910541e1ad69084dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/scripts/seed.ts"}, "region": {"startLine": 244}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 32384, "scanner": "repobility-threat-engine", "fingerprint": "519b921f51d6dacda4fc0dfce64de8ac84ea87459f5b44a4df449901b7dc37f8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(value", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|519b921f51d6dacda4fc0dfce64de8ac84ea87459f5b44a4df449901b7dc37f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/registry/env.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 32379, "scanner": "repobility-threat-engine", "fingerprint": "a37b57e822020c43da693f98ff739e143da73d4a75af0c5dcf47caa541b0a94d", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((modName) => `node:${modName}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a37b57e822020c43da693f98ff739e143da73d4a75af0c5dcf47caa541b0a94d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/utils/build-vendor-extensions.ts"}, "region": {"startLine": 74}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 32378, "scanner": "repobility-threat-engine", "fingerprint": "23200602e2458b8d44145dcf35678dd2a0caf0685906e354b92838bb0c395c8c", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((e) => `  - ${e.path.join(\".\")}: ${e.message}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|23200602e2458b8d44145dcf35678dd2a0caf0685906e354b92838bb0c395c8c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/registry/errors.ts"}, "region": {"startLine": 195}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 32377, "scanner": "repobility-threat-engine", "fingerprint": "5e774877b5f4fbe7ac7a2ef553ba69850614a81794ccadc195ef0c5a9365c67b", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((o: any) => `#${o.display_id}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5e774877b5f4fbe7ac7a2ef553ba69850614a81794ccadc195ef0c5a9365c67b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/pages/orders/order-list/components/order-list-table/order-list-data-table.tsx"}, "region": {"startLine": 58}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 32371, "scanner": "repobility-threat-engine", "fingerprint": "675ea286eda596042fb322ca29e8b6c257279845947121e9ee9818963b3ee951", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "prev.delete(\"q\")", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|675ea286eda596042fb322ca29e8b6c257279845947121e9ee9818963b3ee951"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/components/filtering/query/query.tsx"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 32370, "scanner": "repobility-threat-engine", "fingerprint": "b7367f95abf5d208d00d1a91ffd2c70864d2000c8bd6055c0cc4b138f77f3094", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "prev.delete(\"order\")", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b7367f95abf5d208d00d1a91ffd2c70864d2000c8bd6055c0cc4b138f77f3094"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/components/filtering/order-by/order-by.tsx"}, "region": {"startLine": 89}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 32369, "scanner": "repobility-threat-engine", "fingerprint": "8b7b62fee33b6143e4371e3a8632deb0762f006d06068c7c690c98b89de4f125", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "prev.delete(key)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8b7b62fee33b6143e4371e3a8632deb0762f006d06068c7c690c98b89de4f125"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/components/data-table/data-table.tsx"}, "region": {"startLine": 239}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 32358, "scanner": "repobility-threat-engine", "fingerprint": "4c4304cffece4d2a4af48e4fe1492c40e0ae4cabbdb5d18829ca0e5e3727ccc1", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4c4304cffece4d2a4af48e4fe1492c40e0ae4cabbdb5d18829ca0e5e3727ccc1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/pages/product-tags/product-tag-list/loader.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 32357, "scanner": "repobility-threat-engine", "fingerprint": "25ed9d95f4d9ddfdcd86937420031f09851f9016bab3d0f97042cf059bbfa0a9", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(t", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|25ed9d95f4d9ddfdcd86937420031f09851f9016bab3d0f97042cf059bbfa0a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/pages/orders/order-detail/components/order-fulfillment-section/order-fulfillment-section.tsx"}, "region": {"startLine": 414}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 32356, "scanner": "repobility-threat-engine", "fingerprint": "0567bea0e293925e40bfa909e8451eeb6f42029bb0a82576e4b2788f364461df", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(f", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0567bea0e293925e40bfa909e8451eeb6f42029bb0a82576e4b2788f364461df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/src/components/common/file-upload/file-upload.tsx"}, "region": {"startLine": 80}}}]}]}]}