{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /br"}, "fullDescription": {"text": "Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AUC004", "name": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence ", "shortDescription": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /."}, "fullDescription": {"text": "Define whether this endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.66, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Bind local agent bridges to 127.0.0.1 by default. If remote access is required, require a bearer token or mTLS, enforce origin/CSRF checks for browser clients, and document the threat model."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. Log non-quota failures for diagnostics."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "AGT008", "name": "Ollama audio payload path may mislead users about direct model audio", "shortDescription": {"text": "Ollama audio payload path may mislead users about direct model audio"}, "fullDescription": {"text": "Gate direct audio sending on a verified runtime capability check. Until supported, show a one-time notice that voice is transcribed in the browser and only text is sent to the model."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AGT006", "name": "React interval is created without an explicit cleanup", "shortDescription": {"text": "React interval is created without an explicit cleanup"}, "fullDescription": {"text": "Store the interval id and return a useEffect cleanup that calls clearInterval. Also clear the interval in explicit stop/end handlers when relevant."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "SEC136", "name": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns ", "shortDescription": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, retur"}, "fullDescription": {"text": "Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR012", "name": "Dockerfile keeps pip download cache", "shortDescription": {"text": "Dockerfile keeps pip download cache"}, "fullDescription": {"text": "Use `pip install --no-cache-dir ...` in container builds."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Add `--no-install-recommends` and explicitly list only packages the image needs."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC007", "name": "Generated build artifact directory is present at repository root", "shortDescription": {"text": "Generated build artifact directory is present at repository root"}, "fullDescription": {"text": "Remove generated output from version control, add it to .gitignore and .dockerignore where relevant, and regenerate it in CI or release jobs."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "SEC002", "name": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code.", "shortDescription": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "fullDescription": {"text": "Use environment variables. Add the pattern to .gitignore."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "MINED053", "name": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeh", "shortDescription": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1392,CWE-798 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED099", "name": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded dir", "shortDescription": {"text": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. AI assistants frequently leak demo credentials."}, "fullDescription": {"text": "Move the secret to an environment variable or secret manager. Rotate the exposed credential immediately \u2014 assume it is compromised."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED066", "name": "[MINED066] Rust Panic Macro (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED066] Rust Panic Macro (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED059", "name": "[MINED059] Rust Expect In Prod (and 28 more): Same pattern found in 28 additional files. Review if needed.", "shortDescription": {"text": "[MINED059] Rust Expect In Prod (and 28 more): Same pattern found in 28 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED068", "name": "[MINED068] Rust Unsafe Block (and 18 more): Same pattern found in 18 additional files. Review if needed.", "shortDescription": {"text": "[MINED068] Rust Unsafe Block (and 18 more): Same pattern found in 18 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-119 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED003", "name": "[MINED003] Rust Unwrap In Prod (and 66 more): Same pattern found in 66 additional files. Review if needed.", "shortDescription": {"text": "[MINED003] Rust Unwrap In Prod (and 66 more): Same pattern found in 66 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or neve", "shortDescription": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 8 more): Same pattern found in 8 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 9 more): Same pattern found in 9 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 22 more): Same pattern found in 22 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 22 more): Same pattern found in 22 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 30 more): Same pattern found in 30 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 30 more): Same pattern found in 30 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 8 more): Same pattern found in 8 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 52 more): Same pattern found in 52 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 52 more): Same pattern found in 52 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED122", "name": "[MINED122] package.json dep `@screenpipe/sdk` pulled from URL/Git: `dependencies.@screenpipe/sdk` = `file:../..` bypasse", "shortDescription": {"text": "[MINED122] package.json dep `@screenpipe/sdk` pulled from URL/Git: `dependencies.@screenpipe/sdk` = `file:../..` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromi"}, "fullDescription": {"text": "Publish the dependency to npm (or your private registry) and reference it by `^x.y.z`. If that's not possible, lock by commit SHA: `git+https://...#<full-sha>` AND verify the SHA in CI."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run t", "shortDescription": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) in"}, "fullDescription": {"text": "Replace with: `uses: actions/checkout@<40-char-sha>  # v4` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `python:3.11-slim` not pinned by digest: `FROM python:3.11-slim` resolves the tag at build ti", "shortDescription": {"text": "[MINED118] Dockerfile FROM `python:3.11-slim` not pinned by digest: `FROM python:3.11-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production ima"}, "fullDescription": {"text": "Replace with: `FROM python:3.11-slim@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED112", "name": "[MINED112] FastAPI POST /filter has no auth: Handler `filter_pii` is registered with router/app.post(...) but no Depends", "shortDescription": {"text": "[MINED112] FastAPI POST /filter has no auth: Handler `filter_pii` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "fullDescription": {"text": "Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Never prefill secret fields with stored values. Show a masked status such as configured/not configured, require explicit rotation to replace the value, and return the raw key only once at creation time."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "JRN004", "name": "Consent is collected in UI without visible backend audit persistence", "shortDescription": {"text": "Consent is collected in UI without visible backend audit persistence"}, "fullDescription": {"text": "Persist consent as a backend record with subject, actor, purpose, scope, legal text version, timestamp, IP address, user agent, and revocation state."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AUC003", "name": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby a", "shortDescription": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /:id/test."}, "fullDescription": {"text": "Add ownership, tenant, relationship, or policy checks before reading or mutating the target object."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "high", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "DKR006", "name": "Dockerfile pipes a remote script into a shell", "shortDescription": {"text": "Dockerfile pipes a remote script into a shell"}, "fullDescription": {"text": "Download the artifact, verify its checksum or signature, pin the version, and then execute it."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "AGT003", "name": "User-editable role instructions are inserted into the system prompt", "shortDescription": {"text": "User-editable role instructions are inserted into the system prompt"}, "fullDescription": {"text": "Limit role instruction length, strip control characters, store it as quoted untrusted role description, and append a non-overridable safety/policy footer after the user-editable section."}, "properties": {"scanner": "repobility-agent-runtime", "category": "llm_injection", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC135", "name": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without", "shortDescription": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI bu"}, "fullDescription": {"text": "Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip them."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsiv", "shortDescription": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a re"}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC100", "name": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make ", "shortDescription": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "fullDescription": {"text": "Allowlist specific origins. For dynamic per-request validation, validate against a known list and echo the origin back. Never combine wildcard origin with credentials."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED012", "name": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code.", "shortDescription": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-494 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED013", "name": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages.", "shortDescription": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-200 / A07:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC022", "name": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. Th", "shortDescription": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "fullDescription": {"text": "Remove the embedded password, require the URL from a secret store or environment variable, and rotate the database credential."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC019", "name": "[SEC019] Raw Authorization Token in Example: A real-looking API token appears in an Authorization-style header or servic", "shortDescription": {"text": "[SEC019] Raw Authorization Token in Example: A real-looking API token appears in an Authorization-style header or service-key example. Use placeholders in docs and CI snippets; never paste live tokens into source, comments, or README files."}, "fullDescription": {"text": "Replace the value with a placeholder, revoke or rotate the exposed token, and store live values only in a masked secret store."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1142"}, "properties": {"repository": "screenpipe/screenpipe", "repoUrl": "https://github.com/screenpipe/screenpipe", "branch": "main"}, "results": [{"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 113756, "scanner": "repobility-journey-contract", "fingerprint": "0565c048d2a588036e723ff9c94dd90186f8643a0797f4a6e08adbfe4d2c9e6c", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/enterprise/policy", "correlation_key": "fp|0565c048d2a588036e723ff9c94dd90186f8643a0797f4a6e08adbfe4d2c9e6c", "backend_endpoint_count": 63}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/lib/utils/tauri.ts"}, "region": {"startLine": 1758}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /browsers/:id/snapshot."}, "properties": {"repobilityId": 113755, "scanner": "repobility-access-control", "fingerprint": "aa8baa4baa0d7ae7c2efa3850e7bd870c0f9dac2457ea61339be438cce712eb9", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/browsers/:id/snapshot", "method": "ANY", "scanner": "repobility-access-control", "framework": "Axum", "correlation_key": "code|auth|token|2500|auc009", "identity_targets": ["authenticated", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/screenpipe-engine/src/connections_api.rs"}, "region": {"startLine": 2500}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /browsers/:id/navigate."}, "properties": {"repobilityId": 113754, "scanner": "repobility-access-control", "fingerprint": "d697032d56b850f3007d2960855fff5b7c681e1e176ab09e1fec0162947117a7", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/browsers/:id/navigate", "method": "ANY", "scanner": "repobility-access-control", "framework": "Axum", "correlation_key": "code|auth|token|2499|auc009", "identity_targets": ["authenticated", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/screenpipe-engine/src/connections_api.rs"}, "region": {"startLine": 2499}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /browsers."}, "properties": {"repobilityId": 113753, "scanner": "repobility-access-control", "fingerprint": "fc8157f3a9ef37ee4e1aa0168ca6d5a8cf2f1a843b10e14308bacaa1b5c6d69a", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/browsers", "method": "ANY", "scanner": "repobility-access-control", "framework": "Axum", "correlation_key": "code|auth|token|2497|auc009", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/screenpipe-engine/src/connections_api.rs"}, "region": {"startLine": 2497}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /:id."}, "properties": {"repobilityId": 113752, "scanner": "repobility-access-control", "fingerprint": "d8d72d61243d6518b59b61a465126e86a181a1ce5159575397477e7412988730", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:id", "method": "ANY", "scanner": "repobility-access-control", "framework": "Axum", "correlation_key": "code|auth|token|808|auc009", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/screenpipe-engine/src/server.rs"}, "region": {"startLine": 808}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /:id."}, "properties": {"repobilityId": 113751, "scanner": "repobility-access-control", "fingerprint": "c90432439cbdeb0fdc8035e58986d727dd85548dc8879b32ff521be33b4428d1", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:id", "method": "ANY", "scanner": "repobility-access-control", "framework": "Axum", "correlation_key": "code|auth|token|807|auc009", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/screenpipe-engine/src/server.rs"}, "region": {"startLine": 807}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /window-size."}, "properties": {"repobilityId": 113750, "scanner": "repobility-access-control", "fingerprint": "5a13ed26186a6aa2d0916cfff8579f5c0cd310544c2700fbdc90314821d959f5", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/window-size", "method": "ANY", "scanner": "repobility-access-control", "framework": "Axum", "correlation_key": "code|auth|token|260|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/src-tauri/src/server.rs"}, "region": {"startLine": 260}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /app-icon."}, "properties": {"repobilityId": 113749, "scanner": "repobility-access-control", "fingerprint": "c371fedf84bc613c67e3011cb1472ae2811c6d52a25b2c4411e99728d957f41f", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/app-icon", "method": "ANY", "scanner": "repobility-access-control", "framework": "Axum", "correlation_key": "code|auth|token|259|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/src-tauri/src/server.rs"}, "region": {"startLine": 259}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /auth."}, "properties": {"repobilityId": 113748, "scanner": "repobility-access-control", "fingerprint": "f5e4800cc3180839c03c45aa2ce3b02019427b79e5d5762d838bb90c1d1ed47b", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/auth", "method": "ANY", "scanner": "repobility-access-control", "framework": "Axum", "correlation_key": "code|auth|token|258|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/src-tauri/src/server.rs"}, "region": {"startLine": 258}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /log."}, "properties": {"repobilityId": 113747, "scanner": "repobility-access-control", "fingerprint": "58d50bece90dad95d745a3aab94ae53bc3843d1311880a95e694f073e60c9864", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/log", "method": "ANY", "scanner": "repobility-access-control", "framework": "Axum", "correlation_key": "code|auth|token|257|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/src-tauri/src/server.rs"}, "region": {"startLine": 257}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /inbox."}, "properties": {"repobilityId": 113746, "scanner": "repobility-access-control", "fingerprint": "4d3c389e442669577e23dc10c2a34dfacf78580442a612ccecf23606379426aa", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/inbox", "method": "ANY", "scanner": "repobility-access-control", "framework": "Axum", "correlation_key": "code|auth|token|256|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/src-tauri/src/server.rs"}, "region": {"startLine": 256}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /."}, "properties": {"repobilityId": 113745, "scanner": "repobility-access-control", "fingerprint": "7543d6b08d50a1fb527c8a3edc2803431d5a263d1ff4a90ab63eeccc1eda1696", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/", "method": "ANY", "scanner": "repobility-access-control", "framework": "Axum", "correlation_key": "code|auth|token|796|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/screenpipe-engine/src/server.rs"}, "region": {"startLine": 796}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /ai/status."}, "properties": {"repobilityId": 113744, "scanner": "repobility-access-control", "fingerprint": "d87dc2590798ce8982c0b21375ea9a50447f8e7e520c11ff92650bf086ecbc6a", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/ai/status", "method": "ANY", "scanner": "repobility-access-control", "framework": "Axum", "correlation_key": "code|auth|token|787|auc004", "identity_targets": ["anonymous", "authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/screenpipe-engine/src/server.rs"}, "region": {"startLine": 787}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 113736, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Axum"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 113734, "scanner": "repobility-docker", "fingerprint": "63e9a1832e9a5a2a3605c5f346eadbc28b7776927816771e60c978e04e75c398", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "ubuntu:24.04", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|63e9a1832e9a5a2a3605c5f346eadbc28b7776927816771e60c978e04e75c398"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/linux-test/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 113731, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 113727, "scanner": "repobility-agent-runtime", "fingerprint": "f7a97627ec4e13c2e7084c75f76e2064c249b640645b7b02de7a75174b0f1ddc", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|f7a97627ec4e13c2e7084c75f76e2064c249b640645b7b02de7a75174b0f1ddc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/privacy-filter/server.py"}, "region": {"startLine": 34}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 113726, "scanner": "repobility-agent-runtime", "fingerprint": "9a59369618b211babe4c2ad6b79868fb0776cb3350fdcc780f81504051de0c7e", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|9a59369618b211babe4c2ad6b79868fb0776cb3350fdcc780f81504051de0c7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ee/desktop/lib/license-validation.ts"}, "region": {"startLine": 66}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 113725, "scanner": "repobility-agent-runtime", "fingerprint": "b70d7e542327b8aeca963a1592e4b8ee18815568b5a40574a309b268741944c0", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|b70d7e542327b8aeca963a1592e4b8ee18815568b5a40574a309b268741944c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ee/desktop/lib/admin-policy.ts"}, "region": {"startLine": 53}}}]}, {"ruleId": "AGT008", "level": "warning", "message": {"text": "Ollama audio payload path may mislead users about direct model audio"}, "properties": {"repobilityId": 113724, "scanner": "repobility-agent-runtime", "fingerprint": "dc3346003b3ce1e2279b8c32274a13b9681baae9eeb32360449c52b11931862d", "category": "quality", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File references Ollama and an audios payload without an obvious capability check or browser-transcription disclosure.", "evidence": {"rule_id": "AGT008", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|dc3346003b3ce1e2279b8c32274a13b9681baae9eeb32360449c52b11931862d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/lib/utils/validation.ts"}, "region": {"startLine": 41}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 113723, "scanner": "repobility-agent-runtime", "fingerprint": "e66178dacf1a7713c6ef84e5c844e320c392a2035697e9a353d12e108951a249", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|e66178dacf1a7713c6ef84e5c844e320c392a2035697e9a353d12e108951a249"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/lib/hooks/use-sidebar-width.tsx"}, "region": {"startLine": 44}}}]}, {"ruleId": "AGT006", "level": "warning", "message": {"text": "React interval is created without an explicit cleanup"}, "properties": {"repobilityId": 113721, "scanner": "repobility-agent-runtime", "fingerprint": "f4e6778534bfd7e9304e460c685d05f035ae3cc15093876546d80ececfff5c9b", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File uses setInterval with useEffect or hook-style code and no clearInterval cleanup was found.", "evidence": {"rule_id": "AGT006", "scanner": "repobility-agent-runtime", "references": ["https://react.dev/reference/react/useEffect"], "correlation_key": "fp|f4e6778534bfd7e9304e460c685d05f035ae3cc15093876546d80ececfff5c9b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/lib/hooks/use-running-pipes.ts"}, "region": {"startLine": 170}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 113720, "scanner": "repobility-agent-runtime", "fingerprint": "927e6c18feb2a83550e4427d4c6c12d541c92c1f145e89ed42751653a40308c7", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|927e6c18feb2a83550e4427d4c6c12d541c92c1f145e89ed42751653a40308c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/lib/hooks/use-enterprise-policy.ts"}, "region": {"startLine": 267}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 113719, "scanner": "repobility-agent-runtime", "fingerprint": "d6a184a0d0320ecd37b7cb0d8147ee2c2ceff99a406f0801e887239a4778a23d", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|d6a184a0d0320ecd37b7cb0d8147ee2c2ceff99a406f0801e887239a4778a23d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/lib/chat-utils.ts"}, "region": {"startLine": 145}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 113718, "scanner": "repobility-agent-runtime", "fingerprint": "4aaad5c1ebc67c387eb8254b83ba9ae0f00fb91c57fe926c8dad6f2bc1b65fde", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|4aaad5c1ebc67c387eb8254b83ba9ae0f00fb91c57fe926c8dad6f2bc1b65fde"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/components/hooks/use-chat-conversations.ts"}, "region": {"startLine": 166}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 113717, "scanner": "repobility-agent-runtime", "fingerprint": "fc177f37651887dacfde1f6efa600327b8f59dcc0b75d642d7e612248b3414b8", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|fc177f37651887dacfde1f6efa600327b8f59dcc0b75d642d7e612248b3414b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/components/chat-sidebar.tsx"}, "region": {"startLine": 117}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 113716, "scanner": "repobility-agent-runtime", "fingerprint": "f8a289a64cbd4093fccabf4880999220b9cf1034daa2e294b739ebffa5196509", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|f8a289a64cbd4093fccabf4880999220b9cf1034daa2e294b739ebffa5196509"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/app/layout.tsx"}, "region": {"startLine": 282}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 113686, "scanner": "repobility-threat-engine", "fingerprint": "bbb2835f31969b61b8e10a70da36fc55bad217e43e125e3c14c15dab5df83b17", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "} catch (e) {\n      return true\n    }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bbb2835f31969b61b8e10a70da36fc55bad217e43e125e3c14c15dab5df83b17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ee/sdk/index.js"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 113629, "scanner": "repobility-threat-engine", "fingerprint": "59bc69bab2365466c120569afb042fbd839039a07b6cde7222ac99cf787c20d3", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "key={Math.random(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|59bc69bab2365466c120569afb042fbd839039a07b6cde7222ac99cf787c20d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/components/changelog-dialog.tsx"}, "region": {"startLine": 187}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 113626, "scanner": "repobility-threat-engine", "fingerprint": "8c375438e39417b1f81e34ce9ede6156b673405163a0d0e8645b1d7365cd49a8", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|36|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/screenpipe-connect/src/connections/browser/owned.rs"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 113625, "scanner": "repobility-threat-engine", "fingerprint": "d9068cf48b8d537db60e60473cba87056ecbd55bd130f9f6b0ff4eb850cbfc78", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|69|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/screenpipe-connect/src/connections/browser/mod.rs"}, "region": {"startLine": 69}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 113624, "scanner": "repobility-threat-engine", "fingerprint": "0ac008f0960d9e4c301339a3c7412c911de2b91c729f7c8256591625d1ca3512", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|177|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/components/changelog-dialog.tsx"}, "region": {"startLine": 177}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 113623, "scanner": "repobility-threat-engine", "fingerprint": "ce11e45d1854924f7565764ab765c21be43ac297cbe5853ac819506accd74838", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "evidence": {"match": "key={Math.random", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|187|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/components/changelog-dialog.tsx"}, "region": {"startLine": 187}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 113618, "scanner": "repobility-threat-engine", "fingerprint": "12c66dad19572d001dcad52798a46d7b60fc3cd30f17a9f50544d7c39379aed3", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(\"https://discord.com/invite/screenpipe\", \"_blank\")", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|85|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/app/global-error.tsx"}, "region": {"startLine": 85}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 113616, "scanner": "repobility-threat-engine", "fingerprint": "a59fd3b6b6d2304a9c547e84bfb63d1e5ac957a5bc25909f2124f8e64f027908", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a59fd3b6b6d2304a9c547e84bfb63d1e5ac957a5bc25909f2124f8e64f027908"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/app/providers.tsx"}, "region": {"startLine": 68}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 113615, "scanner": "repobility-threat-engine", "fingerprint": "5a22c6aab3b035755d6f88bc259c69cbd11cd6befd2d0c6caaa669c7bc001ede", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5a22c6aab3b035755d6f88bc259c69cbd11cd6befd2d0c6caaa669c7bc001ede"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/app/global-error.tsx"}, "region": {"startLine": 39}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 113614, "scanner": "repobility-threat-engine", "fingerprint": "3a747a76a96623b62f9e64977d7f322a5dd68e89246822bdec6b5ee5996e5826", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3a747a76a96623b62f9e64977d7f322a5dd68e89246822bdec6b5ee5996e5826"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/app/error.tsx"}, "region": {"startLine": 41}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 113735, "scanner": "repobility-docker", "fingerprint": "417c9f98fa31c1a7465162ab936f0af9c20538e5da5f14a3a08de55210de38da", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|417c9f98fa31c1a7465162ab936f0af9c20538e5da5f14a3a08de55210de38da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/privacy-filter/Dockerfile"}, "region": {"startLine": 27}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 113732, "scanner": "repobility-docker", "fingerprint": "f68287fe5096335d2b93366454c61d9904f55286fa3bdea49a14ab6af01907ab", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|f68287fe5096335d2b93366454c61d9904f55286fa3bdea49a14ab6af01907ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/linux-test/Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 113729, "scanner": "repobility-docker", "fingerprint": "8967ccdc209d42f78b638222f52650771c7a3f689781f0a73ed022e92ce22027", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|8967ccdc209d42f78b638222f52650771c7a3f689781f0a73ed022e92ce22027"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 113715, "scanner": "repobility-ai-code-hygiene", "fingerprint": "694bd3fc396decd9c008212096dddff9df4ec048aa49e1b4435800171329feae", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/screenpipe-audio/src/meeting_streaming/deepgram_live.rs", "duplicate_line": 371, "correlation_key": "fp|694bd3fc396decd9c008212096dddff9df4ec048aa49e1b4435800171329feae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/screenpipe-audio/src/meeting_streaming/selected_engine.rs"}, "region": {"startLine": 260}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 113714, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6f862bcf5ff4f15c07664aa405d62fb19a37a39079ff1c2624aa69e719376615", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/screenpipe-a11y/src/tree/macos_lines.rs", "duplicate_line": 150, "correlation_key": "fp|6f862bcf5ff4f15c07664aa405d62fb19a37a39079ff1c2624aa69e719376615"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/screenpipe-a11y/src/tree/windows_lines.rs"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 113713, "scanner": "repobility-ai-code-hygiene", "fingerprint": "799904b2df68c4addc78c22f54f245a3b549850bb0df472ec7169c1df0962031", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/screenpipe-a11y/src/tree/linux_lines.rs", "duplicate_line": 37, "correlation_key": "fp|799904b2df68c4addc78c22f54f245a3b549850bb0df472ec7169c1df0962031"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/screenpipe-a11y/src/tree/windows_lines.rs"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 113712, "scanner": "repobility-ai-code-hygiene", "fingerprint": "48b926b27ddc64f866fe652696b0adcd9563dfcca37ac098e253d3d1759a86e4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/screenpipe-a11y/src/tree/cache.rs", "duplicate_line": 93, "correlation_key": "fp|48b926b27ddc64f866fe652696b0adcd9563dfcca37ac098e253d3d1759a86e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/screenpipe-a11y/src/tree/mod.rs"}, "region": {"startLine": 322}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 113711, "scanner": "repobility-ai-code-hygiene", "fingerprint": "25314044c45933c964f0d42c3433ca629c487b2e65253a09d33e85d2fcae896a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/screenpipe-a11y/src/tree/linux_lines.rs", "duplicate_line": 9, "correlation_key": "fp|25314044c45933c964f0d42c3433ca629c487b2e65253a09d33e85d2fcae896a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/screenpipe-a11y/src/tree/macos_lines.rs"}, "region": {"startLine": 119}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 113710, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b10bd1d09f52435428504967332b110ab9ba209f624ba93c979aaca7d1116a9a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/screenpipe-app-tauri/src-tauri/src/capture_session.rs", "duplicate_line": 261, "correlation_key": "fp|b10bd1d09f52435428504967332b110ab9ba209f624ba93c979aaca7d1116a9a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/src-tauri/src/server_core.rs"}, "region": {"startLine": 138}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 113709, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7858bdfb52a797332ad3d57a81dc1fd85777ffa7c585f6453993a782a66fabf5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/screenpipe-app-tauri/src-tauri/src/recording.rs", "duplicate_line": 706, "correlation_key": "fp|7858bdfb52a797332ad3d57a81dc1fd85777ffa7c585f6453993a782a66fabf5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/src-tauri/src/server.rs"}, "region": {"startLine": 96}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 113708, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e13d35df73dfbf06777ae8b56f8862e15733951149b250ff35bdd2833c97932c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/screenpipe-app-tauri/src-tauri/src/ics_calendar.rs", "duplicate_line": 234, "correlation_key": "fp|e13d35df73dfbf06777ae8b56f8862e15733951149b250ff35bdd2833c97932c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/src-tauri/src/meeting_live_notes.rs"}, "region": {"startLine": 439}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 113707, "scanner": "repobility-ai-code-hygiene", "fingerprint": "29fbbe2ddb9b3d6676f862d05a545e4e729201482e93827b08c102b3067ccc1a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/screenpipe-app-tauri/lib/events/pipe-watch-writer.ts", "duplicate_line": 180, "correlation_key": "fp|29fbbe2ddb9b3d6676f862d05a545e4e729201482e93827b08c102b3067ccc1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/lib/stores/pi-event-router.ts"}, "region": {"startLine": 316}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 113706, "scanner": "repobility-ai-code-hygiene", "fingerprint": "79e1dcf45ae5140ea0431c9479eb4b362d8e951cb783179244a022f0d7315fd3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/screenpipe-app-tauri/lib/events/pipe-watch-writer.ts", "duplicate_line": 305, "correlation_key": "fp|79e1dcf45ae5140ea0431c9479eb4b362d8e951cb783179244a022f0d7315fd3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/lib/pipe-ndjson-to-chat.ts"}, "region": {"startLine": 307}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 113705, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4aca4c108587b2ed629189614ccf912406e79f2acd3043fed8ba5c1bb8c3bec4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/screenpipe-app-tauri/app/shortcut-reminder/use-overlay-data.ts", "duplicate_line": 106, "correlation_key": "fp|4aca4c108587b2ed629189614ccf912406e79f2acd3043fed8ba5c1bb8c3bec4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/lib/hooks/use-health-check.tsx"}, "region": {"startLine": 130}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 113704, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d9630786b18d93b2f482a1a482b536e7b291bf0bc0ba6e3d0c5eb180dd68a5a0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/screenpipe-app-tauri/e2e/helpers/runtime-coverage-reporter.ts", "duplicate_line": 10, "correlation_key": "fp|d9630786b18d93b2f482a1a482b536e7b291bf0bc0ba6e3d0c5eb180dd68a5a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/e2e/scripts/generate-coverage-report.ts"}, "region": {"startLine": 76}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 113703, "scanner": "repobility-ai-code-hygiene", "fingerprint": "513fa8c2541f99c38918129161e195f5bee6a8a1c2a486e895a719d5ac1bc1b8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/screenpipe-app-tauri/components/ui/validated-input.tsx", "duplicate_line": 38, "correlation_key": "fp|513fa8c2541f99c38918129161e195f5bee6a8a1c2a486e895a719d5ac1bc1b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/components/ui/validated-textarea.tsx"}, "region": {"startLine": 36}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 113702, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5f1b14e8222c991682967cf41297e875ce23da0718e5240ce165995ee0ad9ec5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/screenpipe-app-tauri/components/settings/archive-settings.tsx", "duplicate_line": 49, "correlation_key": "fp|5f1b14e8222c991682967cf41297e875ce23da0718e5240ce165995ee0ad9ec5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/components/settings/retention-settings.tsx"}, "region": {"startLine": 54}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 113701, "scanner": "repobility-ai-code-hygiene", "fingerprint": "11457ad3ddbc81d7d29ded75f0023ccaeaf4dd06c4327e72c951bceec433861b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/screenpipe-app-tauri/components/settings/google-calendar-card.tsx", "duplicate_line": 22, "correlation_key": "fp|11457ad3ddbc81d7d29ded75f0023ccaeaf4dd06c4327e72c951bceec433861b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/components/settings/ics-calendar-card.tsx"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 113700, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c3de4d018453d6f274bb5ccf00b06a130886c8a457456510a107e859edd61d42", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/screenpipe-app-tauri/components/settings/gmail-card.tsx", "duplicate_line": 108, "correlation_key": "fp|c3de4d018453d6f274bb5ccf00b06a130886c8a457456510a107e859edd61d42"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/components/settings/google-sheets-card.tsx"}, "region": {"startLine": 108}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 113699, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bca787b1a504c54eda8b1e85074a325c52b5fce8856e04d9fee739d27d4f7487", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/screenpipe-app-tauri/components/settings/google-docs-card.tsx", "duplicate_line": 153, "correlation_key": "fp|bca787b1a504c54eda8b1e85074a325c52b5fce8856e04d9fee739d27d4f7487"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/components/settings/google-sheets-card.tsx"}, "region": {"startLine": 107}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 113698, "scanner": "repobility-ai-code-hygiene", "fingerprint": "94980a6a752b9df2c484f202f4ffb736904d6f1cd0af480fbe085339c00af95c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/screenpipe-app-tauri/components/post-install-connections-modal.tsx", "duplicate_line": 209, "correlation_key": "fp|94980a6a752b9df2c484f202f4ffb736904d6f1cd0af480fbe085339c00af95c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/components/settings/google-docs-card.tsx"}, "region": {"startLine": 183}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 113697, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fa20531893e07564b6a3bf5787c6425013279b62c131fdafcef2f6b7857d627a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/screenpipe-app-tauri/components/settings/gmail-card.tsx", "duplicate_line": 108, "correlation_key": "fp|fa20531893e07564b6a3bf5787c6425013279b62c131fdafcef2f6b7857d627a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/components/settings/google-docs-card.tsx"}, "region": {"startLine": 154}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 113696, "scanner": "repobility-ai-code-hygiene", "fingerprint": "27882da9dd8431c6e2ff5b1561903219b762dc43f8be8fdcbfd875d3a6ea87ae", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/screenpipe-app-tauri/components/settings/gmail-card.tsx", "duplicate_line": 110, "correlation_key": "fp|27882da9dd8431c6e2ff5b1561903219b762dc43f8be8fdcbfd875d3a6ea87ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/components/settings/google-calendar-card.tsx"}, "region": {"startLine": 262}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 113695, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b9953df02ffb8b0534fde4792b7deeeacb7b165d1d4259d3aafefed591bc452c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/screenpipe-app-tauri/app/notification-panel/page.tsx", "duplicate_line": 702, "correlation_key": "fp|b9953df02ffb8b0534fde4792b7deeeacb7b165d1d4259d3aafefed591bc452c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/components/notification-handler.tsx"}, "region": {"startLine": 227}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 113694, "scanner": "repobility-ai-code-hygiene", "fingerprint": "aaccb24abcc1f265b94b95c5eb600f1eed282d43d02f268e1120361333663e05", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/screenpipe-app-tauri/app/notification-panel/page.tsx", "duplicate_line": 45, "correlation_key": "fp|aaccb24abcc1f265b94b95c5eb600f1eed282d43d02f268e1120361333663e05"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/components/notification-bell.tsx"}, "region": {"startLine": 42}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 113693, "scanner": "repobility-ai-code-hygiene", "fingerprint": "530877244ad7e1643a90840ee1e993fe8398ae9de2a493ce0a8b6ed15b289f29", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/screenpipe-app-tauri/app/shortcut-reminder/audio-equalizer.tsx", "duplicate_line": 62, "correlation_key": "fp|530877244ad7e1643a90840ee1e993fe8398ae9de2a493ce0a8b6ed15b289f29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/app/shortcut-reminder/screen-matrix.tsx"}, "region": {"startLine": 72}}}]}, {"ruleId": "AIC007", "level": "note", "message": {"text": "Generated build artifact directory is present at repository root"}, "properties": {"repobilityId": 113692, "scanner": "repobility-ai-code-hygiene", "fingerprint": "88585a892345b459ecd0d37c38161f54d65d05893394faa0db28e8275ed109a3", "category": "quality", "severity": "low", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository root contains a common generated artifact directory.", "evidence": {"rule_id": "AIC007", "scanner": "repobility-ai-code-hygiene", "directory": "coverage", "references": ["https://git-scm.com/docs/gitignore", "https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|88585a892345b459ecd0d37c38161f54d65d05893394faa0db28e8275ed109a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "coverage"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC002", "level": "note", "message": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "properties": {"repobilityId": 113681, "scanner": "repobility-threat-engine", "fingerprint": "2f8105c468e8c63e2064e4c51549cbed78b9ca9dfe2c3bd536e0464dcb82c60b", "category": "credential_exposure", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Could not extract value for entropy analysis Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "AKIAIOSFODNN7EXAMPLE", "reason": "Could not extract value for entropy analysis", "rule_id": "SEC002", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "secret|token|27|akiaiosfodnn7example", "duplicate_count": 2, "duplicate_rule_ids": ["SEC002", "SEC010", "SEC048"], "duplicate_scanners": ["repobility-threat-engine"], "duplicate_fingerprints": ["2f8105c468e8c63e2064e4c51549cbed78b9ca9dfe2c3bd536e0464dcb82c60b", "49dcb0ab8d5eac3f22c58aca68974c7b20256e516273c5785b8e6402baaf0835", "e2e1eb3c566ed0d85bc6f0a511f56b920ab254343a82a50c9b6c95d2cfa30ac4"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/screenpipe-redact/src/adapters/regex.rs"}, "region": {"startLine": 273}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 113689, "scanner": "repobility-threat-engine", "fingerprint": "203c031c36f0094cbe4fb4f111952e3eed2939ed43b7cabfead8a68fc961dc0e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|203c031c36f0094cbe4fb4f111952e3eed2939ed43b7cabfead8a68fc961dc0e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ai-gateway/src/providers/index.ts"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED099", "level": "none", "message": {"text": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. AI assistants frequently leak demo credentials."}, "properties": {"repobilityId": 113685, "scanner": "repobility-threat-engine", "fingerprint": "0c7921aed72ea86d6795c453bb5f69b62d10d94ef94d9a6877b03f792f9af241", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'example' detected on same line", "evidence": {"mined": true, "mining": {"slug": "hardcoded-secret", "owasp": "A07:2021", "cwe_ids": ["CWE-798"], "languages": [], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 8, "observations_count": 88419, "ai_coder_pattern_id": 9}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0c7921aed72ea86d6795c453bb5f69b62d10d94ef94d9a6877b03f792f9af241"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/screenpipe-redact/src/adapters/regex.rs"}, "region": {"startLine": 273}}}]}, {"ruleId": "SEC001", "level": "none", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 113680, "scanner": "repobility-threat-engine", "fingerprint": "60bf43ce2555f37d81297202774a271c28a53f700ab05fde1fedcb0ab93d5f7d", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "password = \"<redacted>\"", "reason": "Safe context pattern detected", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|24|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/screenpipe-core/src/sync/keys.rs"}, "region": {"startLine": 247}}}]}, {"ruleId": "SEC001", "level": "none", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 113679, "scanner": "repobility-threat-engine", "fingerprint": "51725514744ccca89cea2e7c133cb9d800678f544e818865dac3bc277940c7cf", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "password = \"<redacted>\"", "reason": "Safe context pattern detected", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|23|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/screenpipe-core/src/sync/crypto.rs"}, "region": {"startLine": 240}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 113677, "scanner": "repobility-threat-engine", "fingerprint": "b0811e157f5b25ff0defe39bccf8a2060dfa8263d6723148ebe692d678a977e7", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|b0811e157f5b25ff0defe39bccf8a2060dfa8263d6723148ebe692d678a977e7", "aggregated_count": 2}}}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "properties": {"repobilityId": 113676, "scanner": "repobility-threat-engine", "fingerprint": "ffa888b42164351320faaae66f3840367bf3f24464b5e5651d41aff4990e2f00", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ffa888b42164351320faaae66f3840367bf3f24464b5e5651d41aff4990e2f00"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/screenpipe-audio/src/speaker/mod.rs"}, "region": {"startLine": 107}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "properties": {"repobilityId": 113675, "scanner": "repobility-threat-engine", "fingerprint": "ddef514e21dc7024c0b809b32388ea3853cf3d41338a33bf16254cd1f3b2d43a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ddef514e21dc7024c0b809b32388ea3853cf3d41338a33bf16254cd1f3b2d43a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/screenpipe-audio/build.rs"}, "region": {"startLine": 162}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "properties": {"repobilityId": 113674, "scanner": "repobility-threat-engine", "fingerprint": "ec9136bc182e18bdc4c505c7939d0bd400f6e73e14543f22f02e17ce230645fb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ec9136bc182e18bdc4c505c7939d0bd400f6e73e14543f22f02e17ce230645fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/screenpipe-apple-intelligence/build.rs"}, "region": {"startLine": 137}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod (and 28 more): Same pattern found in 28 additional files. Review if needed."}, "properties": {"repobilityId": 113673, "scanner": "repobility-threat-engine", "fingerprint": "6ac04b78c4b3c37dca8c6c4206d4b9a516ac0f7cc75664fedb72ef9ef5fefd45", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 28 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|6ac04b78c4b3c37dca8c6c4206d4b9a516ac0f7cc75664fedb72ef9ef5fefd45", "aggregated_count": 28}}}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 113672, "scanner": "repobility-threat-engine", "fingerprint": "adcb6eca0d7916350a3919cd0322eb51e1a380a1978742bb8c580270bd119c7a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|adcb6eca0d7916350a3919cd0322eb51e1a380a1978742bb8c580270bd119c7a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/screenpipe-a11y/src/tree/linux_lines.rs"}, "region": {"startLine": 267}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 113671, "scanner": "repobility-threat-engine", "fingerprint": "c32c32a4a09443fb9613435152e05ecc3702f22ec9a801c54e87ed6ad3cb70b1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c32c32a4a09443fb9613435152e05ecc3702f22ec9a801c54e87ed6ad3cb70b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/src-tauri/src/specta_bindings.rs"}, "region": {"startLine": 104}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 113670, "scanner": "repobility-threat-engine", "fingerprint": "90861c9d09891be183a74de91b1e3404dc35792e2af1c665d2fc49e7868b2e7e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|90861c9d09891be183a74de91b1e3404dc35792e2af1c665d2fc49e7868b2e7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/src-tauri/src/notifications/rewrite.rs"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block (and 18 more): Same pattern found in 18 additional files. Review if needed."}, "properties": {"repobilityId": 113669, "scanner": "repobility-threat-engine", "fingerprint": "1dabb798b70ee3bf4cf2062cbab8e896b19928b131ff3cadb1279bc847f66e40", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 18 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|1dabb798b70ee3bf4cf2062cbab8e896b19928b131ff3cadb1279bc847f66e40", "aggregated_count": 18}}}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 113668, "scanner": "repobility-threat-engine", "fingerprint": "4d3e144a2c8aa1716f5f74f212254a13dfa643789ff6432dfd2f927976288e71", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4d3e144a2c8aa1716f5f74f212254a13dfa643789ff6432dfd2f927976288e71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/src-tauri/src/native_notification.rs"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 113667, "scanner": "repobility-threat-engine", "fingerprint": "8e0dcbf9ee4eb70970b7fcc53e32b351b51b3d651949172f9e9a07c6f0780b72", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8e0dcbf9ee4eb70970b7fcc53e32b351b51b3d651949172f9e9a07c6f0780b72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/src-tauri/src/dock_menu.rs"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 113666, "scanner": "repobility-threat-engine", "fingerprint": "c3109346f29eb7d092198f1c244c0940d6dd0a5dc9b9e43966371e15e4a669c6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c3109346f29eb7d092198f1c244c0940d6dd0a5dc9b9e43966371e15e4a669c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/src-tauri/src/audio_exclusions.rs"}, "region": {"startLine": 167}}}]}, {"ruleId": "MINED003", "level": "none", "message": {"text": "[MINED003] Rust Unwrap In Prod (and 66 more): Same pattern found in 66 additional files. Review if needed."}, "properties": {"repobilityId": 113665, "scanner": "repobility-threat-engine", "fingerprint": "20a134b4090cf77f192ccd5d495a8741fef35539f0b00d6e4ecaafbf94afb0d2", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 66 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|20a134b4090cf77f192ccd5d495a8741fef35539f0b00d6e4ecaafbf94afb0d2", "aggregated_count": 66}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 113659, "scanner": "repobility-threat-engine", "fingerprint": "a2ad771ef463b0ace1527b22533350dfc9da86cd3a2080ad32e39a9cc84e2687", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a2ad771ef463b0ace1527b22533350dfc9da86cd3a2080ad32e39a9cc84e2687"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ai-gateway/src/utils/auth.ts"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 113658, "scanner": "repobility-threat-engine", "fingerprint": "16bde757c1561f0901afaab2bdb2cf98eeba83c3d0d02147736a39bda76c599a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|16bde757c1561f0901afaab2bdb2cf98eeba83c3d0d02147736a39bda76c599a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ai-gateway/src/providers/index.ts"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 113657, "scanner": "repobility-threat-engine", "fingerprint": "49e25a06d107567490adae45f632376179b7d430646f03de96aa6670d33c74f9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|49e25a06d107567490adae45f632376179b7d430646f03de96aa6670d33c74f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/components/settings/referral-card.tsx"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 113656, "scanner": "repobility-threat-engine", "fingerprint": "bf1765d10ae69815519b5176ccbd494aebb8115e183093d22bedbfcc2c31dc03", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bf1765d10ae69815519b5176ccbd494aebb8115e183093d22bedbfcc2c31dc03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/components/rewind/mermaid-diagram.tsx"}, "region": {"startLine": 192}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 113655, "scanner": "repobility-threat-engine", "fingerprint": "43b81e30ecec4542d5b7c1728a77ddf506d2c87684fdce356d7b2b0e14a44049", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|43b81e30ecec4542d5b7c1728a77ddf506d2c87684fdce356d7b2b0e14a44049"}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 113651, "scanner": "repobility-threat-engine", "fingerprint": "72868d73be2432154286c4455605b76057530dd020051f40b6c07b0c3574921f", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|72868d73be2432154286c4455605b76057530dd020051f40b6c07b0c3574921f", "aggregated_count": 9}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 113650, "scanner": "repobility-threat-engine", "fingerprint": "6ffe288e3cb8a7fdda1ab8c44203868f034628207659d4f196ee907863e998e1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6ffe288e3cb8a7fdda1ab8c44203868f034628207659d4f196ee907863e998e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/components/selectable-text-layer.tsx"}, "region": {"startLine": 201}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 113649, "scanner": "repobility-threat-engine", "fingerprint": "7353a4390918a4522892e9803aa1401d59dcddfe096925c89f962d44b9122827", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7353a4390918a4522892e9803aa1401d59dcddfe096925c89f962d44b9122827"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/components/rewind/hooks/use-search-focus.ts"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 113648, "scanner": "repobility-threat-engine", "fingerprint": "fdffea60a2c052850507ded69085bcbcf7ad5763e0cbac4416b36492753b6850", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fdffea60a2c052850507ded69085bcbcf7ad5763e0cbac4416b36492753b6850"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/components/pipe-install-dialog.tsx"}, "region": {"startLine": 215}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 22 more): Same pattern found in 22 additional files. Review if needed."}, "properties": {"repobilityId": 113647, "scanner": "repobility-threat-engine", "fingerprint": "a11ab9f8abe02e6441b5913f087a14467402903998509cf03d9de2cfd60b888c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 22 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a11ab9f8abe02e6441b5913f087a14467402903998509cf03d9de2cfd60b888c", "aggregated_count": 22}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 113646, "scanner": "repobility-threat-engine", "fingerprint": "28f9db52fd74e084d76d4d839feb762e7e6d39b15a28839b318d424c072be766", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|28f9db52fd74e084d76d4d839feb762e7e6d39b15a28839b318d424c072be766"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/components/rewind/hooks/use-timeline-keyboard.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 113645, "scanner": "repobility-threat-engine", "fingerprint": "5eb66c7dbc307753f7c169b97dd536e66f0f959ff2fae3b4fbd45a4ee4c6ca6e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5eb66c7dbc307753f7c169b97dd536e66f0f959ff2fae3b4fbd45a4ee4c6ca6e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/components/rewind/hooks/use-frame-actions.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 113644, "scanner": "repobility-threat-engine", "fingerprint": "0bc23823b1f0cebd720e9c960735814e464eaca3cd02b02c6bb33b5e69fc36d7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0bc23823b1f0cebd720e9c960735814e464eaca3cd02b02c6bb33b5e69fc36d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/components/pipe-install-dialog.tsx"}, "region": {"startLine": 151}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 113643, "scanner": "repobility-threat-engine", "fingerprint": "86f5848d91e08880b0a2858404fb653f75db38d4d87213f235d92edbf73183d7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|86f5848d91e08880b0a2858404fb653f75db38d4d87213f235d92edbf73183d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ai-gateway/src/utils/subscription.ts"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 113642, "scanner": "repobility-threat-engine", "fingerprint": "e0a66465f4df86b90aafec877acb55524eb12be9053116ed35b89fbb12446da3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e0a66465f4df86b90aafec877acb55524eb12be9053116ed35b89fbb12446da3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ai-gateway/src/utils/auth.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 113641, "scanner": "repobility-threat-engine", "fingerprint": "45b2c69527d14c7a3b0b9a4528c550d676fe1f8bf9addabe6521a6560ad10751", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|45b2c69527d14c7a3b0b9a4528c550d676fe1f8bf9addabe6521a6560ad10751"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/components/deeplink-handler.tsx"}, "region": {"startLine": 63}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 113640, "scanner": "repobility-threat-engine", "fingerprint": "295b38bb7b2f05a46b2ae472339828151fca6a9abddaa890ab0eacd6d4f41a72", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.log('Valid screenpipe user token, user:', userData?.email)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|10|console.log valid screenpipe user token user: userdata .email"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ai-gateway/src/utils/subscription.ts"}, "region": {"startLine": 101}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 113638, "scanner": "repobility-threat-engine", "fingerprint": "919c7e6dac1ad7f1936055f275362fcfada8ada5d1438c1732a2144eb128d503", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.log(\"[deeplink] emitted pi-reauth with new auth token\")", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|6|console.log deeplink emitted pi-reauth with new auth token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/components/deeplink-handler.tsx"}, "region": {"startLine": 63}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 30 more): Same pattern found in 30 additional files. Review if needed."}, "properties": {"repobilityId": 113637, "scanner": "repobility-threat-engine", "fingerprint": "897bdc4844bb4d2e59bb80b170f8d41fb45308fee7e3817a73d32aa296b7c4bd", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 30 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 30 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|897bdc4844bb4d2e59bb80b170f8d41fb45308fee7e3817a73d32aa296b7c4bd"}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 113633, "scanner": "repobility-threat-engine", "fingerprint": "5fe2cf04427df05fc0aef7cf138aa979c1fc3f2cedae48cbd068d6e07c3f09f1", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|5fe2cf04427df05fc0aef7cf138aa979c1fc3f2cedae48cbd068d6e07c3f09f1", "aggregated_count": 2}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 113632, "scanner": "repobility-threat-engine", "fingerprint": "f845fb28868ba43f726398d73e29cd0b5f282db11aa19edacd36fce5ba5f2e55", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f845fb28868ba43f726398d73e29cd0b5f282db11aa19edacd36fce5ba5f2e55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/components/rewind/search-result-strip.tsx"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 113631, "scanner": "repobility-threat-engine", "fingerprint": "4da6d4ff11183f0f56803ff73015cef3f0c7ef52fd25d0932e7e6b1005319694", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4da6d4ff11183f0f56803ff73015cef3f0c7ef52fd25d0932e7e6b1005319694"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/components/pipe-ai-icon.tsx"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 113630, "scanner": "repobility-threat-engine", "fingerprint": "3d0c8de1d781a338e78a701c8ab15ce9176654412acced395378d743af3b9aad", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3d0c8de1d781a338e78a701c8ab15ce9176654412acced395378d743af3b9aad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/components/changelog-dialog.tsx"}, "region": {"startLine": 66}}}]}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 113627, "scanner": "repobility-threat-engine", "fingerprint": "7ad821c68fd7d69c56ceaf843dc975879999279796dea3d5e69af832688addea", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|7ad821c68fd7d69c56ceaf843dc975879999279796dea3d5e69af832688addea"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 113622, "scanner": "repobility-threat-engine", "fingerprint": "eae1e8fab9889f0af0f21f1e9feee5af5bdf56bab4b240b20c25ac339c8e81f0", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|eae1e8fab9889f0af0f21f1e9feee5af5bdf56bab4b240b20c25ac339c8e81f0", "aggregated_count": 8}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 113621, "scanner": "repobility-threat-engine", "fingerprint": "1d2c55c592d4bf6241248a320ceb5cb7e7727e32ff8398770ddb86fbdaa1211b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1d2c55c592d4bf6241248a320ceb5cb7e7727e32ff8398770ddb86fbdaa1211b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/src-tauri/src/engine_events.rs"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 113620, "scanner": "repobility-threat-engine", "fingerprint": "d7d6904ef6932efe202d3087de9e93da6d4fe3fbf5fba8098a153ac5f76f41ba", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d7d6904ef6932efe202d3087de9e93da6d4fe3fbf5fba8098a153ac5f76f41ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/components/rewind/timeline/favicon-utils.tsx"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 113619, "scanner": "repobility-threat-engine", "fingerprint": "a86066d6ef2b060c5352949c7176efceb61ddb1fdf6e6472ab41272bdb4a28d9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a86066d6ef2b060c5352949c7176efceb61ddb1fdf6e6472ab41272bdb4a28d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/app/shortcut-reminder/use-overlay-data.ts"}, "region": {"startLine": 202}}}]}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "properties": {"repobilityId": 113617, "scanner": "repobility-threat-engine", "fingerprint": "75f18ac8b864166e25602abf2173bf612fdf43d808a54fd30a961602a93d8693", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|75f18ac8b864166e25602abf2173bf612fdf43d808a54fd30a961602a93d8693"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 52 more): Same pattern found in 52 additional files. Review if needed."}, "properties": {"repobilityId": 113613, "scanner": "repobility-threat-engine", "fingerprint": "49740e3cda1ad7d33d39ae640807944dff49a7f056df62abdcd905c65a4eadfa", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 52 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|49740e3cda1ad7d33d39ae640807944dff49a7f056df62abdcd905c65a4eadfa", "aggregated_count": 52}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 113612, "scanner": "repobility-threat-engine", "fingerprint": "2608674243cbe7af5708bdb8c2c4ffeb74bfc3f0532d6e59e014eb29dfb28b39", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2608674243cbe7af5708bdb8c2c4ffeb74bfc3f0532d6e59e014eb29dfb28b39"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/app/global-error.tsx"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 113611, "scanner": "repobility-threat-engine", "fingerprint": "838a8c4fa1e9723ca152490a28be87b1d9188cfad81b64e32eaeb3fb01e66b61", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|838a8c4fa1e9723ca152490a28be87b1d9188cfad81b64e32eaeb3fb01e66b61"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/app/global-error.jsx"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 113610, "scanner": "repobility-threat-engine", "fingerprint": "53d66510a9e79901247e4db0e871e9b138cf6643d0c79cb62fd1f52839f7ed6a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|53d66510a9e79901247e4db0e871e9b138cf6643d0c79cb62fd1f52839f7ed6a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/app/error.tsx"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `@screenpipe/sdk` pulled from URL/Git: `dependencies.@screenpipe/sdk` = `file:../..` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 113789, "scanner": "repobility-supply-chain", "fingerprint": "dd21c34cd80ef115c4df4cdee194a805a3e3867249695973d9064bd05c424c7a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dd21c34cd80ef115c4df4cdee194a805a3e3867249695973d9064bd05c424c7a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ee/sdk/examples/electron-app/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `@screenpipe/sdk` pulled from URL/Git: `dependencies.@screenpipe/sdk` = `file:../..` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 113788, "scanner": "repobility-supply-chain", "fingerprint": "a89af100b7837a01e56ae277a095c4724f1a28b0418b5ba5f363162789f833d6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a89af100b7837a01e56ae277a095c4724f1a28b0418b5ba5f363162789f833d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ee/sdk/examples/tauri-app/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 113787, "scanner": "repobility-supply-chain", "fingerprint": "292679fb37019fdeaf598b911bb45ca812999ebb5f579fbf64f09375b517f451", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|292679fb37019fdeaf598b911bb45ca812999ebb5f579fbf64f09375b517f451"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sdk.yml"}, "region": {"startLine": 173}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 113786, "scanner": "repobility-supply-chain", "fingerprint": "d53b3e9e951106856f51f3d5613c6c21b58033c1e9c72012ffd0126fd6fb7050", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d53b3e9e951106856f51f3d5613c6c21b58033c1e9c72012ffd0126fd6fb7050"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sdk.yml"}, "region": {"startLine": 145}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 113785, "scanner": "repobility-supply-chain", "fingerprint": "5cec9f8de5fae6eb6bb7b59350f0a1c5a380f70573261dea46c54b06102e5e7a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5cec9f8de5fae6eb6bb7b59350f0a1c5a380f70573261dea46c54b06102e5e7a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sdk.yml"}, "region": {"startLine": 126}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v2`: `uses: oven-sh/setup-bun@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 113784, "scanner": "repobility-supply-chain", "fingerprint": "83b006e6b382d1c0fe566541f89d70ac199a981d3b99ef81a549fa4cb6c10507", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|83b006e6b382d1c0fe566541f89d70ac199a981d3b99ef81a549fa4cb6c10507"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sdk.yml"}, "region": {"startLine": 123}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 113783, "scanner": "repobility-supply-chain", "fingerprint": "dd55387db4310f5dbd94cc692eaa30e4f5031f99861bcd93332b155020a2d781", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dd55387db4310f5dbd94cc692eaa30e4f5031f99861bcd93332b155020a2d781"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sdk.yml"}, "region": {"startLine": 122}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 113782, "scanner": "repobility-supply-chain", "fingerprint": "d6cc67a656a9b409519f89be8f04e7c8dc8d5cab4465ce8eb324faedbd590ef1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d6cc67a656a9b409519f89be8f04e7c8dc8d5cab4465ce8eb324faedbd590ef1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sdk.yml"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Swatinem/rust-cache` pinned to mutable ref `@v2`: `uses: Swatinem/rust-cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 113781, "scanner": "repobility-supply-chain", "fingerprint": "f9a52a86a41379083f255a0fd593efd9a32df7988d26480d4a8123b92d562c9d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f9a52a86a41379083f255a0fd593efd9a32df7988d26480d4a8123b92d562c9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sdk.yml"}, "region": {"startLine": 89}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`: `uses: dtolnay/rust-toolchain@stable` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 113780, "scanner": "repobility-supply-chain", "fingerprint": "7a191fbeba07520c315696c4df2167a74182f143b634e20941a3352e259c6d48", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7a191fbeba07520c315696c4df2167a74182f143b634e20941a3352e259c6d48"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sdk.yml"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 113779, "scanner": "repobility-supply-chain", "fingerprint": "1b3142a857e97abda9f9ad5aa34dc7eac8900a3f61cd62e99f849bbe02382f83", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1b3142a857e97abda9f9ad5aa34dc7eac8900a3f61cd62e99f849bbe02382f83"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sdk.yml"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v2`: `uses: oven-sh/setup-bun@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 113778, "scanner": "repobility-supply-chain", "fingerprint": "ac42575c86b31228e33702f63d33ef84fbf91679f2f9c35fda5dff2672a8369c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ac42575c86b31228e33702f63d33ef84fbf91679f2f9c35fda5dff2672a8369c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sdk.yml"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 113777, "scanner": "repobility-supply-chain", "fingerprint": "92edf75907a0604045a48d583072c53c1d725607d2f3711a78238aca42350c8f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|92edf75907a0604045a48d583072c53c1d725607d2f3711a78238aca42350c8f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sdk.yml"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Swatinem/rust-cache` pinned to mutable ref `@v2`: `uses: Swatinem/rust-cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 113776, "scanner": "repobility-supply-chain", "fingerprint": "b51f66602a3950426b96a667a7d4fd6800afe155fd761c3d020094d69762f427", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b51f66602a3950426b96a667a7d4fd6800afe155fd761c3d020094d69762f427"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sdk.yml"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`: `uses: dtolnay/rust-toolchain@stable` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 113775, "scanner": "repobility-supply-chain", "fingerprint": "b100ac78c2a232eaa6a7293429c2291b09e4d1f07a62df02306416270f68e4ab", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b100ac78c2a232eaa6a7293429c2291b09e4d1f07a62df02306416270f68e4ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sdk.yml"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 113774, "scanner": "repobility-supply-chain", "fingerprint": "e227f0dae50a07c1bfe6299983f8079cc9a77ed6556398ddcd94cbcaec873690", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e227f0dae50a07c1bfe6299983f8079cc9a77ed6556398ddcd94cbcaec873690"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sdk.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 113773, "scanner": "repobility-supply-chain", "fingerprint": "159e14888d4abd79a2d62dfb967c575c46e2ccaf880b98ae5c8bcd7730da0cdb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|159e14888d4abd79a2d62dfb967c575c46e2ccaf880b98ae5c8bcd7730da0cdb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/eval-meeting-detection.yml"}, "region": {"startLine": 157}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions-rust-lang/setup-rust-toolchain` pinned to mutable ref `@v1`: `uses: actions-rust-lang/setup-rust-toolchain@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 113772, "scanner": "repobility-supply-chain", "fingerprint": "004e5252e5a86bddda68fadceff3ce4a8166b5253e85868b4955baaa10cfcedf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|004e5252e5a86bddda68fadceff3ce4a8166b5253e85868b4955baaa10cfcedf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/eval-meeting-detection.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 113771, "scanner": "repobility-supply-chain", "fingerprint": "4f2afd61c6fa495d9635b127d7aaa3d44c6bd9591ef3e162da5107ab8c0c6e7f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4f2afd61c6fa495d9635b127d7aaa3d44c6bd9591ef3e162da5107ab8c0c6e7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/eval-meeting-detection.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 113770, "scanner": "repobility-supply-chain", "fingerprint": "58e9b1758146795567eb3998015339bc9c19885a3f8ccda2e23fcea599aff454", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|58e9b1758146795567eb3998015339bc9c19885a3f8ccda2e23fcea599aff454"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/eval-diarization.yml"}, "region": {"startLine": 440}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 113769, "scanner": "repobility-supply-chain", "fingerprint": "eee00b800aefc8f88433b1f624a06d975b867f54f76d88cc2b51ec6705f3028c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|eee00b800aefc8f88433b1f624a06d975b867f54f76d88cc2b51ec6705f3028c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/eval-diarization.yml"}, "region": {"startLine": 144}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 113768, "scanner": "repobility-supply-chain", "fingerprint": "66100e591680e93253ff4d4ff558c5f3e5fe4a9dd9a4ca47bca7031a7ae5a5c9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|66100e591680e93253ff4d4ff558c5f3e5fe4a9dd9a4ca47bca7031a7ae5a5c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/eval-diarization.yml"}, "region": {"startLine": 133}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions-rust-lang/setup-rust-toolchain` pinned to mutable ref `@v1`: `uses: actions-rust-lang/setup-rust-toolchain@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 113767, "scanner": "repobility-supply-chain", "fingerprint": "cdcb6cb766d4921528a067955a4d5fa420442246f76577c49d368d2d0e3d7525", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cdcb6cb766d4921528a067955a4d5fa420442246f76577c49d368d2d0e3d7525"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/eval-diarization.yml"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 113766, "scanner": "repobility-supply-chain", "fingerprint": "1ef2a9ab115772697197abbf2348fc60711595b855bbdfafe22bca4d9c2955d2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1ef2a9ab115772697197abbf2348fc60711595b855bbdfafe22bca4d9c2955d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/eval-diarization.yml"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `peter-evans/create-pull-request` pinned to mutable ref `@v6`: `uses: peter-evans/create-pull-request@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 113765, "scanner": "repobility-supply-chain", "fingerprint": "4a98777a1e4ea9e398f6c8c82b8fb68ef72cfbc4998c5d51fb7ac620c078dbca", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4a98777a1e4ea9e398f6c8c82b8fb68ef72cfbc4998c5d51fb7ac620c078dbca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sync-skills.yml"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 113764, "scanner": "repobility-supply-chain", "fingerprint": "c01d15553fb8d48b4674d36e7d3951ab395001839851705eb792d2dd3030aca1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c01d15553fb8d48b4674d36e7d3951ab395001839851705eb792d2dd3030aca1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sync-skills.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 113763, "scanner": "repobility-supply-chain", "fingerprint": "2503dfb35f61b82c3c903fed46de4c99be096d9c4995af55c13daf9c0b0959ee", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2503dfb35f61b82c3c903fed46de4c99be096d9c4995af55c13daf9c0b0959ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/close-inactive.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `python:3.11-slim` not pinned by digest: `FROM python:3.11-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 113762, "scanner": "repobility-supply-chain", "fingerprint": "dbc20876fa14037206d50784c9e7e8ad4389bf42ec85bc65fc1021977ef790ee", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dbc20876fa14037206d50784c9e7e8ad4389bf42ec85bc65fc1021977ef790ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/privacy-filter/Dockerfile"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:24.04` not pinned by digest: `FROM ubuntu:24.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 113761, "scanner": "repobility-supply-chain", "fingerprint": "57d2d6b78b6e8ecb2515e82de454b2027a5649720a6532b709cddd1c417276ef", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|57d2d6b78b6e8ecb2515e82de454b2027a5649720a6532b709cddd1c417276ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/linux-test/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `mcr.microsoft.com/devcontainers/base:ubuntu-22.04` not pinned by digest: `FROM mcr.microsoft.com/devcontainers/base:ubuntu-22.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 113760, "scanner": "repobility-supply-chain", "fingerprint": "4467302cf2b93b37b9a21914ed37904ef53d5de4f3b07c1be9d614ff4b9049bc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4467302cf2b93b37b9a21914ed37904ef53d5de4f3b07c1be9d614ff4b9049bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /filter has no auth: Handler `filter_pii` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 113759, "scanner": "repobility-route-auth", "fingerprint": "1e14c861ad289ff6f06faa2ba252a0f1ea6c4ec0686ea285f51754d3b5b16580", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|1e14c861ad289ff6f06faa2ba252a0f1ea6c4ec0686ea285f51754d3b5b16580"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/privacy-filter/server.py"}, "region": {"startLine": 136}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 113758, "scanner": "repobility-journey-contract", "fingerprint": "827a6977c5a9190b15ff581486c12ab258ad0061ba215949acb70c4e3b941f6e", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|344|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/components/settings/sync-settings.tsx"}, "region": {"startLine": 344}}}]}, {"ruleId": "JRN004", "level": "error", "message": {"text": "Consent is collected in UI without visible backend audit persistence"}, "properties": {"repobilityId": 113757, "scanner": "repobility-journey-contract", "fingerprint": "19efdfdde96adaa2d83185d3c732d14597f46275e1290f7d4267f8a8f3d02a9c", "category": "auth", "severity": "high", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Frontend consent wording was found, but backend consent/audit metadata was not visible.", "evidence": {"rule_id": "JRN004", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "code|auth|token|160|jrn004", "backend_consent_model": false, "backend_audit_signal_count": 1}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/lib/utils/tauri.ts"}, "region": {"startLine": 160}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /:id/test."}, "properties": {"repobilityId": 113743, "scanner": "repobility-access-control", "fingerprint": "d109038458880a578b7f13c9caae74a4d0bd0617656853496ae1e9a8c330d41c", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:id/test", "method": "ANY", "scanner": "repobility-access-control", "framework": "Axum", "correlation_key": "code|auth|token|2553|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/screenpipe-engine/src/connections_api.rs"}, "region": {"startLine": 2553}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /:id/instances."}, "properties": {"repobilityId": 113742, "scanner": "repobility-access-control", "fingerprint": "f96f91f541b33032a84b4069de1d63ad6e6d09269154747fd3dd25b81b85c36e", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:id/instances", "method": "ANY", "scanner": "repobility-access-control", "framework": "Axum", "correlation_key": "code|auth|token|2541|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/screenpipe-engine/src/connections_api.rs"}, "region": {"startLine": 2541}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /:id/config."}, "properties": {"repobilityId": 113741, "scanner": "repobility-access-control", "fingerprint": "49071291728e4db7dbd7d39b97bbbdab8d8989136b3bf957f253ea1767b73e05", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:id/config", "method": "ANY", "scanner": "repobility-access-control", "framework": "Axum", "correlation_key": "code|auth|token|2539|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/screenpipe-engine/src/connections_api.rs"}, "region": {"startLine": 2539}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /:id/proxy/*path."}, "properties": {"repobilityId": 113740, "scanner": "repobility-access-control", "fingerprint": "0a52cd082e5eb99b26b073be0789eda7d1b5a7d6ea6d80695dc6a7496b142255", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:id/proxy/*path", "method": "ANY", "scanner": "repobility-access-control", "framework": "Axum", "correlation_key": "code|auth|token|2538|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/screenpipe-engine/src/connections_api.rs"}, "region": {"startLine": 2538}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /gmail/messages/:id."}, "properties": {"repobilityId": 113739, "scanner": "repobility-access-control", "fingerprint": "01590763de264477743d81d38a051fa97ba76c05cec39e2127c0cee11d2d6c79", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/gmail/messages/:id", "method": "ANY", "scanner": "repobility-access-control", "framework": "Axum", "correlation_key": "code|auth|token|2529|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/screenpipe-engine/src/connections_api.rs"}, "region": {"startLine": 2529}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /:id."}, "properties": {"repobilityId": 113738, "scanner": "repobility-access-control", "fingerprint": "971b0ac94a82ac72c38d0e88510eb77840f695ec44dfb5dfc5d1d201a4be4874", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:id", "method": "ANY", "scanner": "repobility-access-control", "framework": "Axum", "correlation_key": "code|auth|token|808|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/screenpipe-engine/src/server.rs"}, "region": {"startLine": 808}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /:id."}, "properties": {"repobilityId": 113737, "scanner": "repobility-access-control", "fingerprint": "e94bb4d7d2d158dd016b8408664a2c0ed10e5613539398122d28145e7ebb4023", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:id", "method": "ANY", "scanner": "repobility-access-control", "framework": "Axum", "correlation_key": "code|auth|token|807|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/screenpipe-engine/src/server.rs"}, "region": {"startLine": 807}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 113733, "scanner": "repobility-docker", "fingerprint": "959c48893fd8aa4442b09a3111ab5a28043742ac7125c9a429e563e52866f4ca", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|959c48893fd8aa4442b09a3111ab5a28043742ac7125c9a429e563e52866f4ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/linux-test/Dockerfile"}, "region": {"startLine": 31}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 113730, "scanner": "repobility-docker", "fingerprint": "42221591f328261c7cd6fe6bafb5ac093be7d094bb22d02122e39c5ce378f0c5", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|42221591f328261c7cd6fe6bafb5ac093be7d094bb22d02122e39c5ce378f0c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 71}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 113728, "scanner": "repobility-docker", "fingerprint": "cfd67c3c8465a5842b3bf5680405e790df85e1f4e738e6680492c5f1d96279f7", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|cfd67c3c8465a5842b3bf5680405e790df85e1f4e738e6680492c5f1d96279f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 8}}}]}, {"ruleId": "AGT003", "level": "error", "message": {"text": "User-editable role instructions are inserted into the system prompt"}, "properties": {"repobilityId": 113722, "scanner": "repobility-agent-runtime", "fingerprint": "ad853e70a9279273d85afafae2eb58f2e1b035d45b0e954be42ce63e998ac757", "category": "llm_injection", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File appears to combine a user-editable role/fleet instruction with system prompt construction without visible bounds or sanitizer.", "evidence": {"rule_id": "AGT003", "scanner": "repobility-agent-runtime", "data_flow": "user_editable_role_to_system_prompt", "references": ["https://owasp.org/www-project-top-10-for-large-language-model-applications/"], "correlation_key": "fp|ad853e70a9279273d85afafae2eb58f2e1b035d45b0e954be42ce63e998ac757"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/lib/hooks/use-settings.tsx"}, "region": {"startLine": 321}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 113691, "scanner": "repobility-threat-engine", "fingerprint": "dfaabdcdba987ba80754667898a212e55accd389b1227ad624321bf55d5ee2aa", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "@app.post(\"/filter\", response_model=FilterResponse)\ndef filter_pii(req: FilterRequest)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|dfaabdcdba987ba80754667898a212e55accd389b1227ad624321bf55d5ee2aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/privacy-filter/server.py"}, "region": {"startLine": 135}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 113690, "scanner": "repobility-threat-engine", "fingerprint": "8e469a9fcdc8e8a1c1929c56da3bca29c00fb22f34cbbd2c9592ab0f480f60e7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8e469a9fcdc8e8a1c1929c56da3bca29c00fb22f34cbbd2c9592ab0f480f60e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ai-gateway/src/utils/rate-limiter.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "properties": {"repobilityId": 113688, "scanner": "repobility-threat-engine", "fingerprint": "f3ff89004c0c4b7436a0e3ef3f4d3b62463461ebb356eed7e91e79b90c4c556f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Access-Control-Allow-Origin', '*'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f3ff89004c0c4b7436a0e3ef3f4d3b62463461ebb356eed7e91e79b90c4c556f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ai-gateway/src/utils/cors.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "properties": {"repobilityId": 113687, "scanner": "repobility-threat-engine", "fingerprint": "1cad324ec5cd43343ad877d9fad6114d13e4dbf7914271f7c185fcd38a459a43", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Access-Control-Allow-Origin', '*'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1cad324ec5cd43343ad877d9fad6114d13e4dbf7914271f7c185fcd38a459a43"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ai-gateway/src/handlers/tinfoil-proxy.ts"}, "region": {"startLine": 158}}}]}, {"ruleId": "MINED012", "level": "error", "message": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "properties": {"repobilityId": 113678, "scanner": "repobility-threat-engine", "fingerprint": "9bb70eb754ecb58b510661ba0479e5f853ffecc74cf0d6fab6b3f552676b5709", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "curl-pipe-bash", "owasp": "A08:2021", "cwe_ids": ["CWE-494"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347926+00:00", "triaged_in_corpus": 15, "observations_count": 135001, "ai_coder_pattern_id": 25}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9bb70eb754ecb58b510661ba0479e5f853ffecc74cf0d6fab6b3f552676b5709"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/screenpipe-audio/build.rs"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 113664, "scanner": "repobility-threat-engine", "fingerprint": "80dbfecaf50e39b94f2d434e6ebbe24d99d9987906f244d0304714d947ff6a31", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|80dbfecaf50e39b94f2d434e6ebbe24d99d9987906f244d0304714d947ff6a31"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/src-tauri/src/config.rs"}, "region": {"startLine": 127}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 113663, "scanner": "repobility-threat-engine", "fingerprint": "efd1dec8ee0003f208f408dc48f992eb5c7fd6b56cd30d0cb12698a60c2931a6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|efd1dec8ee0003f208f408dc48f992eb5c7fd6b56cd30d0cb12698a60c2931a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/src-tauri/src/audio_exclusions.rs"}, "region": {"startLine": 261}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 113662, "scanner": "repobility-threat-engine", "fingerprint": "05c1b2a5e386ab87b6a35873279b3a153014775689001ead76300ae143381b79", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|05c1b2a5e386ab87b6a35873279b3a153014775689001ead76300ae143381b79"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/src-tauri/src/agent_event_emitter.rs"}, "region": {"startLine": 50}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 113661, "scanner": "repobility-threat-engine", "fingerprint": "f68a9237a8a85e92f6972a4635ad621bb65e6dac21616d98a3c2f1bafb6d390b", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(\n              (t) => `  - ${t.name}${t.description ? `: ${t.description}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f68a9237a8a85e92f6972a4635ad621bb65e6dac21616d98a3c2f1bafb6d390b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/screenpipe-core/assets/extensions/mcp-bridge.ts"}, "region": {"startLine": 156}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 113660, "scanner": "repobility-threat-engine", "fingerprint": "4aa06e654975a1887dbcfeadfa54aa31494705b6b092e02625fa29bd64f0c744", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(\n              (t) => `  - ${t.name}${t.description ? `: ${t.description}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4aa06e654975a1887dbcfeadfa54aa31494705b6b092e02625fa29bd64f0c744"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/src-tauri/assets/extensions/mcp-bridge.ts"}, "region": {"startLine": 156}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 113654, "scanner": "repobility-threat-engine", "fingerprint": "49b85de400e9b0460e996baefb59e85908af1f102f3a8b09877913c65d1c8ad6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "hasher.update(data);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|49b85de400e9b0460e996baefb59e85908af1f102f3a8b09877913c65d1c8ad6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/screenpipe-core/src/sync/crypto.rs"}, "region": {"startLine": 229}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 113653, "scanner": "repobility-threat-engine", "fingerprint": "d1188d365ef9dfa577acd6189be45aa5527585f766226203312704fb2cb45746", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "toastTimeouts.delete(toastId)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d1188d365ef9dfa577acd6189be45aa5527585f766226203312704fb2cb45746"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/components/ui/use-toast.ts"}, "region": {"startLine": 67}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 113652, "scanner": "repobility-threat-engine", "fingerprint": "6d085fac655fc1dd1a9ec6f5609c17c2716705452779a0262ce2b0f8447aefc1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "mediaCache.delete(filePath);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6d085fac655fc1dd1a9ec6f5609c17c2716705452779a0262ce2b0f8447aefc1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/components/rewind/media.tsx"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 113639, "scanner": "repobility-threat-engine", "fingerprint": "f8b0bf9354a006986178fd047051578bdc3a763f9e9098762d9c75eaa443b37d", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "console.log('verifying clerk token', token)", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|1|console.log verifying clerk token token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ai-gateway/src/utils/auth.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 113636, "scanner": "repobility-threat-engine", "fingerprint": "9d416e84fe8edc4aae6301a41260f0ccb738e13f996c77bf536bf3ebf55b23f0", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9d416e84fe8edc4aae6301a41260f0ccb738e13f996c77bf536bf3ebf55b23f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/components/markdown.tsx"}, "region": {"startLine": 17}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 113635, "scanner": "repobility-threat-engine", "fingerprint": "390a4d9592176ed0c069b00b8c310da05d686fe68972760abd72c00cef07d808", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|390a4d9592176ed0c069b00b8c310da05d686fe68972760abd72c00cef07d808"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/components/deeplink-handler.tsx"}, "region": {"startLine": 46}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 113634, "scanner": "repobility-threat-engine", "fingerprint": "e12adb66c68b9f6dde02acd993b726b0d77882ba076dcc3df28b77635601018e", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e12adb66c68b9f6dde02acd993b726b0d77882ba076dcc3df28b77635601018e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/components/chat/source-citation-footer.tsx"}, "region": {"startLine": 182}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 113628, "scanner": "repobility-threat-engine", "fingerprint": "3322dcf48d8f3a59ccfeb90b90444573b31026a2f236ed059766d6b807584236", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(className", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3322dcf48d8f3a59ccfeb90b90444573b31026a2f236ed059766d6b807584236"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/screenpipe-app-tauri/components/changelog-dialog.tsx"}, "region": {"startLine": 177}}}]}, {"ruleId": "MINED013", "level": "error", "message": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "properties": {"repobilityId": 113684, "scanner": "repobility-threat-engine", "fingerprint": "a0128490bcb2ba819eab05fa8e309a34ac45e4fb7af21462b570b0da0b6fe004", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "password-in-url", "owasp": "A07:2021", "cwe_ids": ["CWE-200"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347928+00:00", "triaged_in_corpus": 20, "observations_count": 121646, "ai_coder_pattern_id": 37}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a0128490bcb2ba819eab05fa8e309a34ac45e4fb7af21462b570b0da0b6fe004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/screenpipe-redact/src/adapters/regex.rs"}, "region": {"startLine": 293}}}]}, {"ruleId": "SEC022", "level": "error", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 113683, "scanner": "repobility-threat-engine", "fingerprint": "d98e8fd81ed57d57dd4abc63b4dd0992dd13d9340eecb3066b902531bcbafee2", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "postgres://aiden:S3cret@", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|29|postgres://aiden:s3cret"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/screenpipe-redact/src/adapters/regex.rs"}, "region": {"startLine": 293}}}]}, {"ruleId": "SEC019", "level": "error", "message": {"text": "[SEC019] Raw Authorization Token in Example: A real-looking API token appears in an Authorization-style header or service-key example. Use placeholders in docs and CI snippets; never paste live tokens into source, comments, or README files."}, "properties": {"repobilityId": 113682, "scanner": "repobility-threat-engine", "fingerprint": "8709664e334798b20946d9164e11b57bc53da7440ed53c41520fe86b71b9ea6d", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Authorization: Bearer <redacted>", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC019", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|26|authorization: bearer redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/screenpipe-redact/src/adapters/regex.rs"}, "region": {"startLine": 266}}}]}]}]}