{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /c"}, "fullDescription": {"text": "A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /chat/route."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 16.7% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 16.7% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Only 16.7% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 0.45, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AUC005", "name": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or sup", "shortDescription": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "fullDescription": {"text": "No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "low", "confidence": 0.76, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.25, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/302"}, "properties": {"repository": "thesysdev/openui", "repoUrl": "https://github.com/thesysdev/openui", "branch": "main"}, "results": [{"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 9566, "scanner": "repobility-journey-contract", "fingerprint": "78d0aaaf3164da9ab871b8eb8ece118fd18734978832f9ef238abac7a54d070c", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/langgraph", "correlation_key": "fp|78d0aaaf3164da9ab871b8eb8ece118fd18734978832f9ef238abac7a54d070c", "backend_endpoint_count": 6}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-headless/src/stream/adapters/langgraph.ts"}, "region": {"startLine": 58}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 9565, "scanner": "repobility-journey-contract", "fingerprint": "a1aaaea5a5600c33e1a26b8fbcd27dc1f65f1aeff80e0f8edd8f6d612c8cfb17", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/chat", "correlation_key": "fp|a1aaaea5a5600c33e1a26b8fbcd27dc1f65f1aeff80e0f8edd8f6d612c8cfb17", "backend_endpoint_count": 6}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/openui-cli/src/templates/openui-chat/src/app/page.tsx"}, "region": {"startLine": 16}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 9564, "scanner": "repobility-journey-contract", "fingerprint": "f53d45405482e381b73dcce962e298085612de919c250bb995f6b83a28c56be0", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/users", "correlation_key": "fp|f53d45405482e381b73dcce962e298085612de919c250bb995f6b83a28c56be0", "backend_endpoint_count": 6}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/lang-core/src/runtime/queryManager.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 9563, "scanner": "repobility-journey-contract", "fingerprint": "a189cbf2aa21e2a4f662aba32fed5c852ad26959bd40c653cd4af014fe00949e", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/mcp", "correlation_key": "fp|a189cbf2aa21e2a4f662aba32fed5c852ad26959bd40c653cd4af014fe00949e", "backend_endpoint_count": 6}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/lang-core/src/runtime/mcp.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 9562, "scanner": "repobility-journey-contract", "fingerprint": "beb35daf2041febfefea0b7e5224aa0f823d1af67e896e629b8a202cb9068659", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/chat", "correlation_key": "fp|beb35daf2041febfefea0b7e5224aa0f823d1af67e896e629b8a202cb9068659", "backend_endpoint_count": 6}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/components/overview-components/overview-page.tsx"}, "region": {"startLine": 357}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 9561, "scanner": "repobility-journey-contract", "fingerprint": "7914e39a7e0b3221aeb97b9f00b2039d4f963d94223d096a1a51e0f297d8b65e", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/chat", "correlation_key": "fp|7914e39a7e0b3221aeb97b9f00b2039d4f963d94223d096a1a51e0f297d8b65e", "backend_endpoint_count": 6}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/components/overview-components/overview-page.tsx"}, "region": {"startLine": 261}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 9560, "scanner": "repobility-journey-contract", "fingerprint": "18b2f841c8734957bad4a3422b905b98c31909909e16d94c82689a988cc664f7", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/chat", "correlation_key": "fp|18b2f841c8734957bad4a3422b905b98c31909909e16d94c82689a988cc664f7", "backend_endpoint_count": 6}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/components/overview-components/chat-modal.tsx"}, "region": {"startLine": 47}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 9559, "scanner": "repobility-journey-contract", "fingerprint": "388cba1028eaf950ee7a4556f01f00ab100db100bb3ad3ae23d76edc89cf42e5", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/playground/stream", "correlation_key": "fp|388cba1028eaf950ee7a4556f01f00ab100db100bb3ad3ae23d76edc89cf42e5", "backend_endpoint_count": 6}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/app/playground/page.tsx"}, "region": {"startLine": 54}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /chat/route."}, "properties": {"repobilityId": 9557, "scanner": "repobility-access-control", "fingerprint": "7607aa944211ec252932aeb4b7caff854893f1bf51595b2cac938c50aeb76388", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/chat/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|6|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/openui-cli/src/templates/openui-chat/src/app/api/chat/route.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /playground/stream/route."}, "properties": {"repobilityId": 9556, "scanner": "repobility-access-control", "fingerprint": "7c1b043ef02988c57a0f6c287bc3f865de2bed0241b80d1df8d67061d1e7cdb1", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/playground/stream/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|13|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/app/api/playground/stream/route.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /chat/route."}, "properties": {"repobilityId": 9555, "scanner": "repobility-access-control", "fingerprint": "3791f24b4f9dadc029cdd7de6e4aaeab39afebf31764c7d1fce16296cd511c5f", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/chat/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|docs/app/api/chat/route.ts|276|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/app/api/chat/route.ts"}, "region": {"startLine": 276}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /llms-full.txt."}, "properties": {"repobilityId": 9554, "scanner": "repobility-access-control", "fingerprint": "eb19ecc529c57675fb0401b15f7b31a651c32b94cda1ea05f1f631de2ec19653", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/llms-full.txt", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|5|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/app/llms-full.txt/route.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /llms.txt."}, "properties": {"repobilityId": 9553, "scanner": "repobility-access-control", "fingerprint": "7e9db86c80068685c83ff9d4df69349196e934248b7411b0c71faf9ead81bd75", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/llms.txt", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|docs/app/llms.txt/route.ts|5|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/app/llms.txt/route.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 16.7% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 9552, "scanner": "repobility-access-control", "fingerprint": "25879888583e47d8538ec26da9b0f7c60b1cb29b20c380f0b77b7e05144fdf50", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 6, "correlation_key": "fp|25879888583e47d8538ec26da9b0f7c60b1cb29b20c380f0b77b7e05144fdf50", "auth_visible_percent": 16.7}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 9551, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 9548, "scanner": "repobility-threat-engine", "fingerprint": "a7ca32a166861ef0461a8a8550ebb08e3f5d756f1f0cb1f6beed369798e1f8c2", "category": "error_handling", "severity": "medium", "confidence": 0.45, "triageState": "open", "verdict": "likely_fp", "isResolved": false, "reason": "Pattern matched with no mitigating context found | [R34-retro auto-suppress: documentation/example path]", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a7ca32a166861ef0461a8a8550ebb08e3f5d756f1f0cb1f6beed369798e1f8c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/components/brand-logo.tsx"}, "region": {"startLine": 205}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 9545, "scanner": "repobility-agent-runtime", "fingerprint": "5b4c518705e27a6f09c3f125a39778b86946b9a202889f9209b40ec8cbec31e4", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|5b4c518705e27a6f09c3f125a39778b86946b9a202889f9209b40ec8cbec31e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/app/(home)/openclaw-os/page.tsx"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9544, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7b89110210e9c656d224b548f2a102800f60fba15135f3a60262dd9aa0435af1", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/lang-core/tsdown.config.ts", "duplicate_line": 1, "correlation_key": "fp|7b89110210e9c656d224b548f2a102800f60fba15135f3a60262dd9aa0435af1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-lang/tsdown.config.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9543, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8e9b32b047e73894e8d3cb76706f401122530e3586203143a728c7fc4499233c", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/lang-core/tsdown.config.ts", "duplicate_line": 1, "correlation_key": "fp|8e9b32b047e73894e8d3cb76706f401122530e3586203143a728c7fc4499233c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-headless/tsdown.config.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9542, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3f8cd01dc27ce1d75317cf2d4b7dd8698acf4cbbc325962b86da65bb34990499", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-headless/src/index.ts", "duplicate_line": 32, "correlation_key": "fp|3f8cd01dc27ce1d75317cf2d4b7dd8698acf4cbbc325962b86da65bb34990499"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-headless/src/types/message.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9541, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4e95f72fff201a528aae4448e19d6ee654f405a58fd42311be61194ffeb54bdc", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-headless/src/stream/adapters/openai-completions.ts", "duplicate_line": 20, "correlation_key": "fp|4e95f72fff201a528aae4448e19d6ee654f405a58fd42311be61194ffeb54bdc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-headless/src/stream/adapters/openai-readable-stream.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9540, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fe72633216b73e94be295b1ed4d417dc4eca0be001165aafd7ff3d996438b93f", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-headless/src/stream/adapters/langgraph.ts", "duplicate_line": 30, "correlation_key": "fp|fe72633216b73e94be295b1ed4d417dc4eca0be001165aafd7ff3d996438b93f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-headless/src/stream/adapters/openai-readable-stream.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9539, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2d73d3ecad92e300762f3b5f13044cf45a2c765cfb96ba4d5c597b0c8e413093", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/lang-core/tsdown.config.ts", "duplicate_line": 1, "correlation_key": "fp|2d73d3ecad92e300762f3b5f13044cf45a2c765cfb96ba4d5c597b0c8e413093"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-email/tsdown.config.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9538, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4bd5937c6413c7f167839858781eb804d7dd1faede112e997b5b885f361c5caf", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-email/src/components/Article.tsx", "duplicate_line": 19, "correlation_key": "fp|4bd5937c6413c7f167839858781eb804d7dd1faede112e997b5b885f361c5caf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-email/src/components/ProductCard.tsx"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9537, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d6dbcd188b4dd0607933529dadd2eed757cbcb2647ff262bddccf00d3499feb7", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-email/src/components/HeaderCenteredNav.tsx", "duplicate_line": 32, "correlation_key": "fp|d6dbcd188b4dd0607933529dadd2eed757cbcb2647ff262bddccf00d3499feb7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-email/src/components/HeaderSideNav.tsx"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9536, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f12d32a7cd7ee0de328a16dcc2d43d8a92beb07ee07a71003c6582cabc724c6d", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-email/src/components/FooterCentered.tsx", "duplicate_line": 37, "correlation_key": "fp|f12d32a7cd7ee0de328a16dcc2d43d8a92beb07ee07a71003c6582cabc724c6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-email/src/components/FooterTwoColumn.tsx"}, "region": {"startLine": 26}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9535, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5f7553606a72102af993d79a3b0bf2c56eab27b510fdc90048945b8bac584093", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-email/src/components/FeatureGrid.tsx", "duplicate_line": 19, "correlation_key": "fp|5f7553606a72102af993d79a3b0bf2c56eab27b510fdc90048945b8bac584093"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-email/src/components/FeatureList.tsx"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9534, "scanner": "repobility-ai-code-hygiene", "fingerprint": "61d77e42280ac142a9e4b160a40b7a6db241a5f097fddb4a3e6c668b40a74f19", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/lang-core/src/parser/merge.ts", "duplicate_line": 18, "correlation_key": "fp|61d77e42280ac142a9e4b160a40b7a6db241a5f097fddb4a3e6c668b40a74f19"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/lang-core/src/parser/statements.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9533, "scanner": "repobility-ai-code-hygiene", "fingerprint": "378e74243445138b60bff42667db9a2869897742527a6b7e61eca6c0134db6f1", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/lang-core/src/parser/merge.ts", "duplicate_line": 20, "correlation_key": "fp|378e74243445138b60bff42667db9a2869897742527a6b7e61eca6c0134db6f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/lang-core/src/parser/parser.ts"}, "region": {"startLine": 349}}}]}, {"ruleId": "AUC005", "level": "note", "message": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"repobilityId": 9558, "scanner": "repobility-access-control", "fingerprint": "c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e", "category": "auth", "severity": "low", "confidence": 0.76, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "correlation_key": "fp|c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e"}}}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 9550, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": ["id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 9549, "scanner": "repobility-threat-engine", "fingerprint": "8e7d62fad845c82bb8898d6fc1b26cadf4ffae90141a176b877d7531d3410876", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|docs/app/api/chat/route.ts|58|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/app/api/chat/route.ts"}, "region": {"startLine": 58}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 9547, "scanner": "repobility-threat-engine", "fingerprint": "1198632e786084bea0bca32775e7a4f3599ba2e12b1f2bbf0701f970db9f878a", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.info(getStartedMessage(name, devCmd, installSkill, apiKeyWritten)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|12|console.info getstartedmessage name devcmd installskill apikeywritten"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/openui-cli/src/commands/create-chat-app.ts"}, "region": {"startLine": 125}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 9546, "scanner": "repobility-threat-engine", "fingerprint": "d2146505f8acbfb017ee2aced80e4f5d89fc399b219ae35f6484369711a050b3", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "The token term appears to refer to NLP/model token counts, a tokenizer, or blockchain token metadata rather than credential material", "evidence": {"match": "console.log(`  Done! ${completionTokens} tokens @ ${tps.toFixed(1)", "reason": "The token term appears to refer to NLP/model token counts, a tokenizer, or blockchain token metadata rather than credential material", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|10|console.log done completiontokens tokens tps.tofixed 1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/generate-samples.ts"}, "region": {"startLine": 104}}}]}]}]}