{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /th"}, "fullDescription": {"text": "Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 11.1% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 11.1% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Bind local agent bridges to 127.0.0.1 by default. If remote access is required, require a bearer token or mTLS, enforce origin/CSRF checks for browser clients, and document the threat model."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AGT014", "name": "Codex auth.json is read or copied without visible secret-file hardening", "shortDescription": {"text": "Codex auth.json is read or copied without visible secret-file hardening"}, "fullDescription": {"text": "Use the platform credential store where possible. If auth files must be touched, enforce 0600 permissions, avoid backups in the repo/workspace, redact logs, and document rotation if the file is exposed."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "SEC046", "name": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supp", "shortDescription": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromis"}, "fullDescription": {"text": "Validate the URL is same-origin or on an explicit allowlist before assignment:\n const u = new URL(serverUrl, location.href);\n if (u.origin !== location.origin && !ALLOWED.includes(u.host)) return;\n location.assign(u);\nEven better: have the server return a path (/checkout/done) instead of a full URL, and only allow same-origin navigation."}, "properties": {"scanner": "repobility-threat-engine", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC031", "name": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternati", "shortDescription": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process"}, "fullDescription": {"text": "Three options, pick one:\n 1. Rewrite the pattern to avoid nested quantifiers. E.g. `(a+)+` is functionally equivalent to `a+` for matching purposes.\n 2. Use Google's re2 (`pip install google-re2`): linear-time, drop-in replacement for `re` for most use cases.\n 3. Set a hard timeout: `signal.alarm(1)` before regex eval.\nTest patterns against `safe-regex` or `redos-detector` before shipping."}, "properties": {"scanner": "repobility-threat-engine", "category": "redos", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC127", "name": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedEr", "shortDescription": {"text": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or "}, "fullDescription": {"text": "Either implement the body, or fail closed at module-load time so the deploy can't ship a half-built route. A CI gate that fails build on `raise NotImplementedError` in non-abstract code catches this cleanly."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC136", "name": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns ", "shortDescription": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, retur"}, "fullDescription": {"text": "Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR001", "name": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG ", "shortDescription": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "fullDescription": {"text": "Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `start` has cognitive complexity 15 (SonarSource scale). Cognitive complex", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `start` has cognitive complexity 15 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all wei"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 15."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Add `--no-install-recommends` and explicitly list only packages the image needs."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC022", "name": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. Th", "shortDescription": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "fullDescription": {"text": "Remove the embedded password, require the URL from a secret store or environment variable, and rotate the database credential."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "low", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Dockerfile base image is selected through a build variable", "shortDescription": {"text": "Dockerfile base image is selected through a build variable"}, "fullDescription": {"text": "Resolve the variable to a versioned tag or digest in production builds and document the allowed images."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "info", "confidence": 0.48, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order.", "shortDescription": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 / for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or neve", "shortDescription": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 8 more): Same pattern found in 8 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 / for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 8 more): Same pattern found in 8 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC016", "name": "[SEC016] LLM Prompt Injection \u2014 User Input in AI Prompt: User-supplied text is interpolated directly into an AI/LLM prom", "shortDescription": {"text": "[SEC016] LLM Prompt Injection \u2014 User Input in AI Prompt: User-supplied text is interpolated directly into an AI/LLM prompt (e.g. OpenAI, Anthropic, or local model). This is the AI equivalent of SQL injection: an attacker can craft input tha"}, "fullDescription": {"text": "1) Separate user content from instructions: use the 'user' role for user text and 'system' role for your instructions \u2014 never concatenate them into one string. 2) Validate and constrain: limit input length, strip control characters, and reject known injection patterns. 3) Use structured output (JSON mode / function calling) so the model returns data, not freeform actions. 4) Apply output validation: check the AI's response before acting on it. 5) Consider a prompt injection detection layer (e.g. Anthropic's constitutional AI, prompt-guard models)."}, "properties": {"scanner": "repobility-threat-engine", "category": "llm_injection", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED067", "name": "[MINED067] Python Requests No Timeout (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED067] Python Requests No Timeout (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-400 / for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[SEC078] Python: requests without timeout (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED064", "name": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services.", "shortDescription": {"text": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 8 more): Same pattern found in 8 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED065", "name": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public re", "shortDescription": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-942,CWE-346 / A05:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED049] Print Pii (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function (and 25 more): Same pattern found in 25 additional files. Review if needed.", "shortDescription": {"text": "[MINED050] Stub Only Function (and 25 more): Same pattern found in 25 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 / for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED001", "name": "[MINED001] Bare Except Pass (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[MINED001] Bare Except Pass (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 / for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 8 more): Same pattern found in 8 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 25 more): Same pattern found in 25 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 25 more): Same pattern found in 25 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n ALLOWED = {'images.example.com', 'cdn.example.com'}\n host = urlparse(url).hostname\n if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED062", "name": "[MINED062] Python Dataclass No Fields (and 10 more): Same pattern found in 10 additional files. Review if needed.", "shortDescription": {"text": "[MINED062] Python Dataclass No Fields (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run t", "shortDescription": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) in"}, "fullDescription": {"text": "Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `python:3.12-slim-bookworm` not pinned by digest: `FROM python:3.12-slim-bookworm` resolves t", "shortDescription": {"text": "[MINED118] Dockerfile FROM `python:3.12-slim-bookworm` not pinned by digest: `FROM python:3.12-slim-bookworm` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially differe"}, "fullDescription": {"text": "Replace with: `FROM python:3.12-slim-bookworm@sha256:`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED112", "name": "[MINED112] FastAPI POST /memory/facts has no auth: Handler `create_memory_fact_endpoint` is registered with router/app.p", "shortDescription": {"text": "[MINED112] FastAPI POST /memory/facts has no auth: Handler `create_memory_fact_endpoint` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "fullDescription": {"text": "Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED106", "name": "[MINED106] Phantom test coverage: test_auth_config_token_expiry_zero_raises: Test function `test_auth_config_token_expir", "shortDescription": {"text": "[MINED106] Phantom test coverage: test_auth_config_token_expiry_zero_raises: Test function `test_auth_config_token_expiry_zero_raises` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line co"}, "fullDescription": {"text": "Add an explicit assertion that captures the test's intent, or remove the test."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self.end_headers` used but never assigned in __init__: Method `do_GET` of class `ReviewHandler` reads `self.", "shortDescription": {"text": "[MINED108] `self.end_headers` used but never assigned in __init__: Method `do_GET` of class `ReviewHandler` reads `self.end_headers`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the f"}, "fullDescription": {"text": "Initialize `self.end_headers = ` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED110", "name": "[MINED110] Blocking call `time.sleep` inside async function `create_sandbox`: `time.sleep` is a synchronous (blocking) c", "shortDescription": {"text": "[MINED110] Blocking call `time.sleep` inside async function `create_sandbox`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from m"}, "fullDescription": {"text": "Use the async equivalent: `aiohttp` instead of `requests`, `asyncio.sleep` instead of `time.sleep`, `aiofiles` instead of `open`."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Never prefill secret fields with stored values. Show a masked status such as configured/not configured, require explicit rotation to replace the value, and return the raw key only once at creation time."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "AUC003", "name": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby a", "shortDescription": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /threads/:thread_id/artifacts/"}, "fullDescription": {"text": "Add ownership, tenant, relationship, or policy checks before reading or mutating the target object."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "high", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "MINED012", "name": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code.", "shortDescription": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-494 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC103", "name": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inje", "shortDescription": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "fullDescription": {"text": "Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders)."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC135", "name": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without", "shortDescription": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI bu"}, "fullDescription": {"text": "Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip them."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED006", "name": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working.", "shortDescription": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-705 / for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED132", "name": "[MINED132] Reverse shell idiom: bash interactive shell to /dev/tcp: File contains a known reverse-shell pattern (bash in", "shortDescription": {"text": "[MINED132] Reverse shell idiom: bash interactive shell to /dev/tcp: File contains a known reverse-shell pattern (bash interactive shell to /dev/tcp). These are almost never legitimate in production code \u2014 they're a hallmark of malicious pay"}, "fullDescription": {"text": "Remove the file or comment if it's documentation. If this is a security-testing repo, mark it with an inline `# nosec` comment and add the file to an allowlist."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED107", "name": "[MINED107] Missing import: `queue` used but not imported: The file uses `queue.something(...)` but never imports `queue`", "shortDescription": {"text": "[MINED107] Missing import: `queue` used but not imported: The file uses `queue.something(...)` but never imports `queue`. This raises NameError at runtime the first time the line executes."}, "fullDescription": {"text": "Add `import queue` at the top of the file."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKC008", "name": "Compose service mounts the Docker socket", "shortDescription": {"text": "Compose service mounts the Docker socket"}, "fullDescription": {"text": "Avoid mounting docker.sock. Use a narrow proxy, rootless build service, or provider-native deployment credentials."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.98, "cwe": "", "owasp": ""}}, {"id": "SEC039", "name": "[SEC039] Plaintext-equivalent password hash \u2014 unsalted single-pass digest: Single-pass digest of a password is cryptogra", "shortDescription": {"text": "[SEC039] Plaintext-equivalent password hash \u2014 unsalted single-pass digest: Single-pass digest of a password is cryptographically strong as a hash, but is rainbow-table-attackable when used for passwords: there's no salt and no key-stretchin"}, "fullDescription": {"text": "Use a purpose-built password hash:\n - Python: passlib.hash.argon2.hash(password)\n - Python: bcrypt.hashpw(password.encode(), bcrypt.gensalt())\n - Python: hashlib.pbkdf2_hmac('sha256', password, salt, 600000)\n - PHP: password_hash($password, PASSWORD_ARGON2ID)\n - Node.js: argon2.hash(password) or bcrypt.hash(password, 12)\nWhen rotating, accept both old + new for one session each, then re-hash on next login."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/837"}, "properties": {"repository": "bytedance/deer-flow", "repoUrl": "https://github.com/bytedance/deer-flow", "branch": "main"}, "results": [{"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 74841, "scanner": "repobility-ast-engine", "fingerprint": "c7101db3ce8557faac21671b00b0e910783f10edec16dd24aa45fef4ea520fc8", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c7101db3ce8557faac21671b00b0e910783f10edec16dd24aa45fef4ea520fc8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/public/skill-creator/scripts/run_eval.py"}, "region": {"startLine": 223}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 74840, "scanner": "repobility-ast-engine", "fingerprint": "bba6ef35accaab9c4e90371938d9ad824799d27c219768442b7b1abf22860b59", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bba6ef35accaab9c4e90371938d9ad824799d27c219768442b7b1abf22860b59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/public/skill-creator/scripts/package_skill.py"}, "region": {"startLine": 106}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 74839, "scanner": "repobility-ast-engine", "fingerprint": "e26ad33f0c8cf151fc9c2956f56d88d60a2d98643477cd5db4fd00fdf2144de0", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e26ad33f0c8cf151fc9c2956f56d88d60a2d98643477cd5db4fd00fdf2144de0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/public/skill-creator/scripts/init_skill.py"}, "region": {"startLine": 259}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 74838, "scanner": "repobility-ast-engine", "fingerprint": "a27b3a645b01c6141415f6bc53dd6b6f22a7721f659fcbdbdb3c33e8abc12302", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a27b3a645b01c6141415f6bc53dd6b6f22a7721f659fcbdbdb3c33e8abc12302"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/public/skill-creator/scripts/init_skill.py"}, "region": {"startLine": 232}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 74837, "scanner": "repobility-ast-engine", "fingerprint": "9d0cd093d922896b8a0e635c8f8f4d03ee23fe7d6c8ce1d4fb6ba32716b6c333", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9d0cd093d922896b8a0e635c8f8f4d03ee23fe7d6c8ce1d4fb6ba32716b6c333"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/public/skill-creator/scripts/init_skill.py"}, "region": {"startLine": 217}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 74830, "scanner": "repobility-ast-engine", "fingerprint": "62668e45448ec42d9588c0855e8f38db2d26d8d9812752e8a01220f2bd2a933b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|62668e45448ec42d9588c0855e8f38db2d26d8d9812752e8a01220f2bd2a933b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/public/github-deep-research/scripts/github_api.py"}, "region": {"startLine": 282}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 74829, "scanner": "repobility-ast-engine", "fingerprint": "175104247e2502e17f1356d3a780e0b39f8c176419368da0f7c09c2fa1e8f67f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|175104247e2502e17f1356d3a780e0b39f8c176419368da0f7c09c2fa1e8f67f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/public/github-deep-research/scripts/github_api.py"}, "region": {"startLine": 270}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 74828, "scanner": "repobility-ast-engine", "fingerprint": "fe9e9a6aeb14169722fa5278fa4a18cc51cff3d8908fb85ef87099e922bfb783", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fe9e9a6aeb14169722fa5278fa4a18cc51cff3d8908fb85ef87099e922bfb783"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/public/github-deep-research/scripts/github_api.py"}, "region": {"startLine": 260}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 74827, "scanner": "repobility-ast-engine", "fingerprint": "616cdbca9044738655872c61a71a9689f33552178b5d20c5d46704047c0aef29", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|616cdbca9044738655872c61a71a9689f33552178b5d20c5d46704047c0aef29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/public/github-deep-research/scripts/github_api.py"}, "region": {"startLine": 121}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 74826, "scanner": "repobility-ast-engine", "fingerprint": "831fd3907bb5391083d26f5887e5d4eec49b4ad237d929297cfb53892dfbe58b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|831fd3907bb5391083d26f5887e5d4eec49b4ad237d929297cfb53892dfbe58b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/public/github-deep-research/scripts/github_api.py"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 74825, "scanner": "repobility-ast-engine", "fingerprint": "5aef970a0b968ef731db470f482e93d9edb97c810f7d4b98c6275c792d8fb876", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5aef970a0b968ef731db470f482e93d9edb97c810f7d4b98c6275c792d8fb876"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/public/github-deep-research/scripts/github_api.py"}, "region": {"startLine": 325}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 74804, "scanner": "repobility-ast-engine", "fingerprint": "709249b1d09f222b054df725b4860f65a481eddb6d39bb758b9b28cfeaf984b9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|709249b1d09f222b054df725b4860f65a481eddb6d39bb758b9b28cfeaf984b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/wizard/writer.py"}, "region": {"startLine": 264}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 74802, "scanner": "repobility-ast-engine", "fingerprint": "9ed4ddf0712a04541f5113cc2a02bc25c58cf62490f6617fa14da93c5f0dbc8b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9ed4ddf0712a04541f5113cc2a02bc25c58cf62490f6617fa14da93c5f0dbc8b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/doctor.py"}, "region": {"startLine": 518}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 74801, "scanner": "repobility-ast-engine", "fingerprint": "534710c26c20cc1c9094b6b180e760131af1389d9b0f5ed77978da06bc5d35c8", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|534710c26c20cc1c9094b6b180e760131af1389d9b0f5ed77978da06bc5d35c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/doctor.py"}, "region": {"startLine": 613}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 74800, "scanner": "repobility-ast-engine", "fingerprint": "4e7583e8681baa08820fce13f4b8c4f80ed6f3573f757566506938edceb02b0e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4e7583e8681baa08820fce13f4b8c4f80ed6f3573f757566506938edceb02b0e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/doctor.py"}, "region": {"startLine": 527}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 74799, "scanner": "repobility-ast-engine", "fingerprint": "efc6d8bedaae30d6b8e7c8b3a916c0f8e83529c08003eba49cb27df7f86bc305", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|efc6d8bedaae30d6b8e7c8b3a916c0f8e83529c08003eba49cb27df7f86bc305"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/doctor.py"}, "region": {"startLine": 437}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 74798, "scanner": "repobility-ast-engine", "fingerprint": "9fe901a199ded714db8b33b87e431558f3ab8b84385044ad3c9ed46059668217", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9fe901a199ded714db8b33b87e431558f3ab8b84385044ad3c9ed46059668217"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/doctor.py"}, "region": {"startLine": 375}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 74797, "scanner": "repobility-ast-engine", "fingerprint": "356ccb8fd804777ea52cc44bfcdf7d4f4f0e3c3c8705e08c204e151f8b42d5f9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|356ccb8fd804777ea52cc44bfcdf7d4f4f0e3c3c8705e08c204e151f8b42d5f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/doctor.py"}, "region": {"startLine": 334}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 74796, "scanner": "repobility-ast-engine", "fingerprint": "64a0ca6063e1a26c263945c202044a7a0cf6f5fc138cd19544bac08cbfa9385f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|64a0ca6063e1a26c263945c202044a7a0cf6f5fc138cd19544bac08cbfa9385f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/doctor.py"}, "region": {"startLine": 280}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 74795, "scanner": "repobility-ast-engine", "fingerprint": "eb6768732795be804bcc56c12cc4ae7d29637f35f0df3bb2fe4dabd5b31beb11", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|eb6768732795be804bcc56c12cc4ae7d29637f35f0df3bb2fe4dabd5b31beb11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/doctor.py"}, "region": {"startLine": 269}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 74794, "scanner": "repobility-ast-engine", "fingerprint": "bbae6cd2259b02a8aff215ccdabce436092bd1ec119f9d4ba2180bc30591c7bb", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bbae6cd2259b02a8aff215ccdabce436092bd1ec119f9d4ba2180bc30591c7bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/doctor.py"}, "region": {"startLine": 242}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 74793, "scanner": "repobility-ast-engine", "fingerprint": "7a20a08c2b81dfc565622d3ac35e05b00ca7b93d5c179f950942cb2fb606da9b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7a20a08c2b81dfc565622d3ac35e05b00ca7b93d5c179f950942cb2fb606da9b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/doctor.py"}, "region": {"startLine": 229}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 74792, "scanner": "repobility-ast-engine", "fingerprint": "5a2f1536ad01b2f2e19e8d8d379db0800fce821af021f12f57c524caf37b65aa", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5a2f1536ad01b2f2e19e8d8d379db0800fce821af021f12f57c524caf37b65aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/doctor.py"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 74791, "scanner": "repobility-ast-engine", "fingerprint": "0b17ca789187ec6637eb6a6c436b63ec3f7af7e939271129a66f47311c08b2b9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0b17ca789187ec6637eb6a6c436b63ec3f7af7e939271129a66f47311c08b2b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/debug.py"}, "region": {"startLine": 160}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 74790, "scanner": "repobility-ast-engine", "fingerprint": "b279c2f5220cf0e18f7bc165ac75d98a8cef6487e97bb5a020bf7e8e3136debf", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b279c2f5220cf0e18f7bc165ac75d98a8cef6487e97bb5a020bf7e8e3136debf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/debug.py"}, "region": {"startLine": 89}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 74787, "scanner": "repobility-journey-contract", "fingerprint": "13aedd5d0974fd311103147db32693d36e54cf3412ffdea426c5fec52771f870", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/auth/me", "correlation_key": "fp|13aedd5d0974fd311103147db32693d36e54cf3412ffdea426c5fec52771f870", "backend_endpoint_count": 9}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/core/auth/AuthProvider.tsx"}, "region": {"startLine": 64}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 74786, "scanner": "repobility-journey-contract", "fingerprint": "7ec8b5351053328135421624a139123f4a6aaec87dc62ec64c2a1dfaa53c6339", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/auth/change-password", "correlation_key": "fp|7ec8b5351053328135421624a139123f4a6aaec87dc62ec64c2a1dfaa53c6339", "backend_endpoint_count": 9}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/workspace/settings/account-settings-page.tsx"}, "region": {"startLine": 41}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 74785, "scanner": "repobility-journey-contract", "fingerprint": "518a35f28f64fe77dc32c8dcdadfe55d6965c11c677240dfb98523e2a3b27d3a", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/auth/logout", "correlation_key": "fp|518a35f28f64fe77dc32c8dcdadfe55d6965c11c677240dfb98523e2a3b27d3a", "backend_endpoint_count": 9}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/app/workspace/layout.tsx"}, "region": {"startLine": 46}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 74784, "scanner": "repobility-journey-contract", "fingerprint": "c7621e998ee20220f0e6b679189a4ab1f17274daae9eec1c5683cd5a51716b44", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/memory", "correlation_key": "fp|c7621e998ee20220f0e6b679189a4ab1f17274daae9eec1c5683cd5a51716b44", "backend_endpoint_count": 9}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/app/api/memory/route.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 74783, "scanner": "repobility-journey-contract", "fingerprint": "4bea53ce8cd8bbd0dad3098d32fdd59a66b618813ef60b26db690e1ce4a3ea16", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/memory", "correlation_key": "fp|4bea53ce8cd8bbd0dad3098d32fdd59a66b618813ef60b26db690e1ce4a3ea16", "backend_endpoint_count": 9}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/app/api/memory/route.ts"}, "region": {"startLine": 30}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 74782, "scanner": "repobility-journey-contract", "fingerprint": "c362f62a12ec3054880585ca4308cdf7e52aa48a427e7de25f13f9aef161d8eb", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/auth/change-password", "correlation_key": "fp|c362f62a12ec3054880585ca4308cdf7e52aa48a427e7de25f13f9aef161d8eb", "backend_endpoint_count": 9}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/app/(auth)/setup/page.tsx"}, "region": {"startLine": 116}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 74781, "scanner": "repobility-journey-contract", "fingerprint": "c86e05df8fc2b26c73d97c8c319ae571fd8d57372ff7fd1d83287d61125c4a20", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/auth/initialize", "correlation_key": "fp|c86e05df8fc2b26c73d97c8c319ae571fd8d57372ff7fd1d83287d61125c4a20", "backend_endpoint_count": 9}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/app/(auth)/setup/page.tsx"}, "region": {"startLine": 75}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 74780, "scanner": "repobility-journey-contract", "fingerprint": "6cc14b09e79a50c52cfbc6eba18419d3d543cacf4ed17c0564f5fb3ba976dcc9", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/auth/setup-status", "correlation_key": "fp|6cc14b09e79a50c52cfbc6eba18419d3d543cacf4ed17c0564f5fb3ba976dcc9", "backend_endpoint_count": 9}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/app/(auth)/setup/page.tsx"}, "region": {"startLine": 39}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 74779, "scanner": "repobility-journey-contract", "fingerprint": "9f8bd7835dd3f8d8d59278d6beef330bed3d1d9be4427671d6921969927db5d6", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/auth/register", "correlation_key": "fp|9f8bd7835dd3f8d8d59278d6beef330bed3d1d9be4427671d6921969927db5d6", "backend_endpoint_count": 9}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/app/(auth)/login/page.tsx"}, "region": {"startLine": 98}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 74778, "scanner": "repobility-journey-contract", "fingerprint": "ca1628dd3d66a463470aad9f1e23a655add11a6ef228c1281348c6246453579f", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/auth/login/local", "correlation_key": "fp|ca1628dd3d66a463470aad9f1e23a655add11a6ef228c1281348c6246453579f", "backend_endpoint_count": 9}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/app/(auth)/login/page.tsx"}, "region": {"startLine": 97}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 74777, "scanner": "repobility-journey-contract", "fingerprint": "3dff2ae7ce38045bf18ab7b15d7799e06b6a34aff7c2f1c3633f14995e1771a2", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/auth/setup-status", "correlation_key": "fp|3dff2ae7ce38045bf18ab7b15d7799e06b6a34aff7c2f1c3633f14995e1771a2", "backend_endpoint_count": 9}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/app/(auth)/login/page.tsx"}, "region": {"startLine": 74}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 74776, "scanner": "repobility-journey-contract", "fingerprint": "845f0f9485f6290c74630f83efa4f4e601e7bfe734acd631e7ee563d68de7e77", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/langgraph/threads/{param}/history", "correlation_key": "fp|845f0f9485f6290c74630f83efa4f4e601e7bfe734acd631e7ee563d68de7e77", "backend_endpoint_count": 9}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/scripts/save-demo.js"}, "region": {"startLine": 11}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 74775, "scanner": "repobility-journey-contract", "fingerprint": "f666d3b1cd71e9315b454cb26c434da12265a5de033c1c0e564b1d46f6783e92", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/skills", "correlation_key": "fp|f666d3b1cd71e9315b454cb26c434da12265a5de033c1c0e564b1d46f6783e92", "backend_endpoint_count": 9}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/next.config.js"}, "region": {"startLine": 56}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 74774, "scanner": "repobility-journey-contract", "fingerprint": "268ab4c4cf04c19115f5f8c39d5113e600f2f413d16e167b1d98a6994abe1427", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/agents", "correlation_key": "fp|268ab4c4cf04c19115f5f8c39d5113e600f2f413d16e167b1d98a6994abe1427", "backend_endpoint_count": 9}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/next.config.js"}, "region": {"startLine": 48}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 74773, "scanner": "repobility-journey-contract", "fingerprint": "c912bacf8b95572390357e61aa8ece1fddd6353627fb3bb0cda778a53a7092b7", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/langgraph", "correlation_key": "fp|c912bacf8b95572390357e61aa8ece1fddd6353627fb3bb0cda778a53a7092b7", "backend_endpoint_count": 9}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/next.config.js"}, "region": {"startLine": 37}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /threads/:thread_id/artifacts/::...artifact_path/route."}, "properties": {"repobilityId": 74772, "scanner": "repobility-access-control", "fingerprint": "f50dbad7218a313ef91a7c458ce84d24c650cc274889cd136ec69f5d7627c29c", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/threads/:thread_id/artifacts/::...artifact_path/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token / thread_id /artifacts/ ...artifact_path /route.ts|6|auc009", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/app/mock/api/threads/[thread_id]/artifacts/[[...artifact_path]]/route.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /threads/search/route."}, "properties": {"repobilityId": 74771, "scanner": "repobility-access-control", "fingerprint": "85f1fd633edd5402ba68451d1629fac4713b2ce260ef97390f62027bbe2aaef1", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/threads/search/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|16|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/app/mock/api/threads/search/route.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: PATCH /memory/:...path/route."}, "properties": {"repobilityId": 74770, "scanner": "repobility-access-control", "fingerprint": "0bf27d3da30ce08deeb505680f863e97d1ce059cf51a50a1c620dc7a06632c09", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/memory/:...path/route", "method": "PATCH", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|frontend/src/app/api/memory/ ...path /route.ts|50|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/app/api/memory/[...path]/route.ts"}, "region": {"startLine": 50}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /memory/:...path/route."}, "properties": {"repobilityId": 74769, "scanner": "repobility-access-control", "fingerprint": "61b11b94140d9c32d9d2ed84c363967191fe8948664b93f2d81b0f7a00ac905f", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/memory/:...path/route", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|frontend/src/app/api/memory/ ...path /route.ts|43|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/app/api/memory/[...path]/route.ts"}, "region": {"startLine": 43}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /memory/:...path/route."}, "properties": {"repobilityId": 74768, "scanner": "repobility-access-control", "fingerprint": "fa46521951989923246729b2c004e8b7e13718b4236ba122afe4450818ae438a", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/memory/:...path/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|frontend/src/app/api/memory/ ...path /route.ts|36|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/app/api/memory/[...path]/route.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /memory/:...path/route."}, "properties": {"repobilityId": 74767, "scanner": "repobility-access-control", "fingerprint": "7e819c79bdce449e119b6e2ec6ad9339e442f3d73de91d6ce585584b8344eb68", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/memory/:...path/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|frontend/src/app/api/memory/ ...path /route.ts|29|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/app/api/memory/[...path]/route.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /memory/route."}, "properties": {"repobilityId": 74766, "scanner": "repobility-access-control", "fingerprint": "fe721d9ada667e9725a16fcecfbf3d8045c10e49b7bbe9530e565a0e8bc69a40", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/memory/route", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|33|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/app/api/memory/route.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /memory/route."}, "properties": {"repobilityId": 74765, "scanner": "repobility-access-control", "fingerprint": "dfe09002cfde7c2cb7ce4b39f7d33af019bbbc612f3e0b31f2177ba9e6205fad", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/memory/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|29|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/app/api/memory/route.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 11.1% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 74763, "scanner": "repobility-access-control", "fingerprint": "e8b7f424130bad966f366962e1741ad1062fe0411ab7c5665e225b914d5d0cff", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 9, "correlation_key": "fp|e8b7f424130bad966f366962e1741ad1062fe0411ab7c5665e225b914d5d0cff", "auth_visible_percent": 11.1}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 74762, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 74754, "scanner": "repobility-docker", "fingerprint": "9b797e11a46f9159032556690e5a362a296b9f3901a9b4dc13ab7911124bf3c9", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:22-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|9b797e11a46f9159032556690e5a362a296b9f3901a9b4dc13ab7911124bf3c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/Dockerfile"}, "region": {"startLine": 38}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 74753, "scanner": "repobility-docker", "fingerprint": "c4e76631c1e2e23064feb7c29575afc605cf71cd386f9ed81703f28625e1338a", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.12-slim-bookworm", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|c4e76631c1e2e23064feb7c29575afc605cf71cd386f9ed81703f28625e1338a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/provisioner/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 74751, "scanner": "repobility-docker", "fingerprint": "172e582877afa414863d547972d41bc48a5fdebf875ea9018ec273939d6545a7", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.12-slim-bookworm", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|172e582877afa414863d547972d41bc48a5fdebf875ea9018ec273939d6545a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/Dockerfile"}, "region": {"startLine": 73}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 74748, "scanner": "repobility-agent-runtime", "fingerprint": "ae470e4818244335a7972db586daef2ac92ac07de0c45280937659fc0c23edd8", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|ae470e4818244335a7972db586daef2ac92ac07de0c45280937659fc0c23edd8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 7}}}]}, {"ruleId": "AGT014", "level": "warning", "message": {"text": "Codex auth.json is read or copied without visible secret-file hardening"}, "properties": {"repobilityId": 74747, "scanner": "repobility-agent-runtime", "fingerprint": "cdc32f6006b01098d1e0e228ed3412ebc15909a63041d5e0c5a865943fafedb3", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File references Codex auth.json or CODEX_HOME with read/copy/write behavior and no visible permission or secure-storage guard.", "evidence": {"rule_id": "AGT014", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|cdc32f6006b01098d1e0e228ed3412ebc15909a63041d5e0c5a865943fafedb3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/packages/harness/deerflow/models/credential_loader.py"}, "region": {"startLine": 9}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 74746, "scanner": "repobility-agent-runtime", "fingerprint": "f453fe4d2ac3a27c3fe9784ac85b6baad6d65cdd08979c2018ecedf459aade41", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|f453fe4d2ac3a27c3fe9784ac85b6baad6d65cdd08979c2018ecedf459aade41"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/packages/harness/deerflow/agents/middlewares/sandbox_audit_middleware.py"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC046", "level": "warning", "message": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). Complement to server-side SEC030."}, "properties": {"repobilityId": 74733, "scanner": "repobility-threat-engine", "fingerprint": "5469da5e95c91e23c51685fef3dc2a420ccaf612dc51a4444946facca8b536e0", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "location.href = buildLoginUrl", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC046", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5469da5e95c91e23c51685fef3dc2a420ccaf612dc51a4444946facca8b536e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/core/api/fetcher.ts"}, "region": {"startLine": 84}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 74727, "scanner": "repobility-threat-engine", "fingerprint": "448ae1dd97bab1d6b09a1df55babc50367f124c874aec7a7b71f240e95d6c1f3", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|172|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/core/artifacts/preview.ts"}, "region": {"startLine": 172}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 74726, "scanner": "repobility-threat-engine", "fingerprint": "770ae2e1360bc74e1914a07b8bef1ac585a8cf6da404f45bbb906b3f2f9e6aac", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|47|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/workspace/messages/markdown-content.tsx"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 74725, "scanner": "repobility-threat-engine", "fingerprint": "6d3c9f4ea67baa96ce7f30e86138b5c38234b96ed12e02ed3671abe53a44552c", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|14|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/workspace/citations/artifact-link.tsx"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC031", "level": "warning", "message": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process. CWE-1333. Real CVEs: CVE-2017-16129 (minimatch), CVE-2021-3807 (ansi-regex), and dozens more."}, "properties": {"repobilityId": 74714, "scanner": "repobility-threat-engine", "fingerprint": "ada906116fd850b716215a2b459b5a1e448459a8ae2caf9d2a5539029bfc4b85", "category": "redos", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "re.compile(r\"^[a-z0-9]+(?:-[a-z0-9]+)*", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC031", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ada906116fd850b716215a2b459b5a1e448459a8ae2caf9d2a5539029bfc4b85"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/packages/harness/deerflow/skills/storage/skill_storage.py"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC127", "level": "warning", "message": {"text": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or silently no-ops. AI agents consistently emit these when their context window runs out mid-implementation. Production callers hitting these stubs is a classic AI-generated-incident."}, "properties": {"repobilityId": 74712, "scanner": "repobility-threat-engine", "fingerprint": "00f884328dca3058f156aa46c8418bcc2bbb4d340441fb15bc4d72c4dd0156ad", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "def _compile_default(element: JsonMatch, compiler: SQLCompiler, **kw: Any) -> str:\n raise NotImpl", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC127", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|00f884328dca3058f156aa46c8418bcc2bbb4d340441fb15bc4d72c4dd0156ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/packages/harness/deerflow/persistence/json_compat.py"}, "region": {"startLine": 190}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 74693, "scanner": "repobility-threat-engine", "fingerprint": "c06cf77290ccead65b67dc79b21c0cf47888a8a6cec79d988fc9b80d5adeb4de", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "try:\n type_hints = get_type_hints(func)\n except Exception:\n return None", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c06cf77290ccead65b67dc79b21c0cf47888a8a6cec79d988fc9b80d5adeb4de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/packages/harness/deerflow/tools/sync.py"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 74692, "scanner": "repobility-threat-engine", "fingerprint": "f1a8f5c6ff01fa4c5968066c3dbe0fed821a52d6dd1fee0a535250cf3269fd2e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "try:\n data = json.loads(candidate)\n except Exception:\n return None", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f1a8f5c6ff01fa4c5968066c3dbe0fed821a52d6dd1fee0a535250cf3269fd2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/app/gateway/routers/suggestions.py"}, "region": {"startLine": 50}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 74682, "scanner": "repobility-threat-engine", "fingerprint": "3d90a57fc033f20476b438b8dd3bf4bb843211280d667fe6943e8649b74134eb", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "evidence": {"match": "def generate_csrf_token", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|27|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/app/gateway/csrf_middleware.py"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 74681, "scanner": "repobility-threat-engine", "fingerprint": "3b1de7622e9f30b5507a00f9b0fa7faba75d49008bbe6e2952ebcf55af45cb7e", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "evidence": {"match": "def create_access_token", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|21|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/app/gateway/auth/jwt.py"}, "region": {"startLine": 21}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 74673, "scanner": "repobility-threat-engine", "fingerprint": "0a8649d7941a7e97946fe460d9050556730890b3a7597c193f82726e440aeaf8", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0a8649d7941a7e97946fe460d9050556730890b3a7597c193f82726e440aeaf8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/packages/harness/deerflow/tools/builtins/invoke_acp_agent_tool.py"}, "region": {"startLine": 197}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 74672, "scanner": "repobility-threat-engine", "fingerprint": "904411f0dbcf373520f413e2dec03a76d988568a6c403ec15f18732607b6417d", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|904411f0dbcf373520f413e2dec03a76d988568a6c403ec15f18732607b6417d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/packages/harness/deerflow/runtime/serialization.py"}, "region": {"startLine": 30}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 74671, "scanner": "repobility-threat-engine", "fingerprint": "53a460a7546b17402b0b9406b8aa6ddd04a07452084b46d3ce3dc8e22dc544ab", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|53a460a7546b17402b0b9406b8aa6ddd04a07452084b46d3ce3dc8e22dc544ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/app/channels/slack.py"}, "region": {"startLine": 145}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `start` has cognitive complexity 15 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: and=2, continue=2, else=1, for=1, if=4, nested_bonus=4, recursion=1."}, "properties": {"repobilityId": 74648, "scanner": "repobility-threat-engine", "fingerprint": "c9c5904ff96f0ab06357e300b1830a23e3b172f2ef9f90d1816d54175bcb5485", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 15 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "start", "breakdown": {"if": 4, "and": 2, "for": 1, "else": 1, "continue": 2, "recursion": 1, "nested_bonus": 4}, "complexity": 15, "correlation_key": "fp|c9c5904ff96f0ab06357e300b1830a23e3b172f2ef9f90d1816d54175bcb5485"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/app/channels/service.py"}, "region": {"startLine": 96}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 74761, "scanner": "repobility-docker", "fingerprint": "4edb2dd638c6babc14e9ad13cabc9882c2a831391cc0e2334262bebf3b225785", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "provisioner", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|4edb2dd638c6babc14e9ad13cabc9882c2a831391cc0e2334262bebf3b225785"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 118}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 74760, "scanner": "repobility-docker", "fingerprint": "8cef6899a1e88e7299c283a57f80c461720b8f96077c92635371453dcbc0f68e", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "provisioner", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|8cef6899a1e88e7299c283a57f80c461720b8f96077c92635371453dcbc0f68e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 118}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 74759, "scanner": "repobility-docker", "fingerprint": "9ee93a30fbe90a1e462ee49cb4b60a67c8c727227b622443eafbdec7dad147fa", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "gateway", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|9ee93a30fbe90a1e462ee49cb4b60a67c8c727227b622443eafbdec7dad147fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 64}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 74757, "scanner": "repobility-docker", "fingerprint": "d49a088ca7822f8b3c227d902e96c41a8fa0520b0a085ed76f66e6485b2beeb4", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "gateway", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|d49a088ca7822f8b3c227d902e96c41a8fa0520b0a085ed76f66e6485b2beeb4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 64}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 74756, "scanner": "repobility-docker", "fingerprint": "bd920b0ce17760462ced9ae20d6bb288ef1513cdbf4808d95c7aaea916c8fe3b", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "frontend", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|bd920b0ce17760462ced9ae20d6bb288ef1513cdbf4808d95c7aaea916c8fe3b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 45}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 74755, "scanner": "repobility-docker", "fingerprint": "1761507e0179e0521ad4eb8bc9d9d732be2e2377b443c1b276636b828eebb5ec", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "frontend", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|1761507e0179e0521ad4eb8bc9d9d732be2e2377b443c1b276636b828eebb5ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 45}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 74752, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": ["id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 74750, "scanner": "repobility-docker", "fingerprint": "7164ecfc174180bc41e5718a14a2460b3b97c70620fb4089926c273173b740f5", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|7164ecfc174180bc41e5718a14a2460b3b97c70620fb4089926c273173b740f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/Dockerfile"}, "region": {"startLine": 27}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 74745, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c3918f0c246b983dd62f10c661bd9dcd02544b9afabff3354fe22010848197d8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/content/en/_meta.ts", "duplicate_line": 20, "correlation_key": "fp|c3918f0c246b983dd62f10c661bd9dcd02544b9afabff3354fe22010848197d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/content/zh/_meta.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 74744, "scanner": "repobility-ai-code-hygiene", "fingerprint": "83eaca15be5e6b61d606c5fa728fa428c7db714f639769bc9d4e0e0cf7e33e85", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/workspace/citations/artifact-link.tsx", "duplicate_line": 8, "correlation_key": "fp|83eaca15be5e6b61d606c5fa728fa428c7db714f639769bc9d4e0e0cf7e33e85"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/workspace/messages/markdown-content.tsx"}, "region": {"startLine": 39}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 74743, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e3e1f86b468ed60c7c7be802fca9ccf35f0ab8f23416507ddf543bcacce11738", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/ai-elements/artifact.tsx", "duplicate_line": 105, "correlation_key": "fp|e3e1f86b468ed60c7c7be802fca9ccf35f0ab8f23416507ddf543bcacce11738"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/ai-elements/message.tsx"}, "region": {"startLine": 78}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 74742, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4485684ac102bb55995137674180003c3e964ab0d62e485e5148c3a080032d68", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/app/workspace/agents/[agent_name]/chats/[thread_id]/page.tsx", "duplicate_line": 81, "correlation_key": "fp|4485684ac102bb55995137674180003c3e964ab0d62e485e5148c3a080032d68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/app/workspace/chats/[thread_id]/page.tsx"}, "region": {"startLine": 76}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 74741, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f1add55f7de78e684a74e8a65b0faa039899987ba707b6724a1a8cff80b0f92e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/app/blog/[[...mdxPath]]/page.tsx", "duplicate_line": 113, "correlation_key": "fp|f1add55f7de78e684a74e8a65b0faa039899987ba707b6724a1a8cff80b0f92e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/app/blog/tags/[tag]/page.tsx"}, "region": {"startLine": 29}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 74740, "scanner": "repobility-ai-code-hygiene", "fingerprint": "79f325f118a7553cedbcaddd0ae10288740367daabe705aaa7f0b197c82e3b59", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/app/api/memory/[...path]/route.ts", "duplicate_line": 1, "correlation_key": "fp|79f325f118a7553cedbcaddd0ae10288740367daabe705aaa7f0b197c82e3b59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/app/api/memory/route.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 74739, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fc59442377e47569aca957855084569ec22519b3f5b63a07049027dac2ac2866", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/packages/harness/deerflow/persistence/run/sql.py", "duplicate_line": 193, "correlation_key": "fp|fc59442377e47569aca957855084569ec22519b3f5b63a07049027dac2ac2866"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/packages/harness/deerflow/runtime/runs/store/base.py"}, "region": {"startLine": 67}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 74738, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0752c867d3a36a85fa90c89bd86f075fdf73fa9c379c6934faf5c4a6d120663a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/app/channels/manager.py", "duplicate_line": 198, "correlation_key": "fp|0752c867d3a36a85fa90c89bd86f075fdf73fa9c379c6934faf5c4a6d120663a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/packages/harness/deerflow/runtime/journal.py"}, "region": {"startLine": 77}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 74737, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e80f1c50abfd6dd13bc5d03e70bb98c2314a7128ab99ddc08d1d43c1d3b83e1f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/packages/harness/deerflow/community/exa/tools.py", "duplicate_line": 40, "correlation_key": "fp|e80f1c50abfd6dd13bc5d03e70bb98c2314a7128ab99ddc08d1d43c1d3b83e1f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/packages/harness/deerflow/community/firecrawl/tools.py"}, "region": {"startLine": 32}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 74736, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6313d362769e8b5ad098f5fbec6cf1e50b7cd816241ec28fac432cc0cc9501dc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/packages/harness/deerflow/agents/middlewares/loop_detection_middleware.py", "duplicate_line": 457, "correlation_key": "fp|6313d362769e8b5ad098f5fbec6cf1e50b7cd816241ec28fac432cc0cc9501dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/packages/harness/deerflow/agents/middlewares/todo_middleware.py"}, "region": {"startLine": 253}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 74735, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b165dcbf2816243bd67c5085e43357567769c1f941de4e9326e3a53f112d84e6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/app/gateway/routers/runs.py", "duplicate_line": 33, "correlation_key": "fp|b165dcbf2816243bd67c5085e43357567769c1f941de4e9326e3a53f112d84e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/app/gateway/routers/thread_runs.py"}, "region": {"startLine": 115}}}]}, {"ruleId": "SEC022", "level": "note", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 74710, "scanner": "repobility-threat-engine", "fingerprint": "da4d43b39e6ea367d0e502dc2303a1c0aa2502930e543f7e61e807ceaffcac8c", "category": "credential_exposure", "severity": "low", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Value contains development/placeholder marker", "evidence": {"match": "postgresql://user:pass@", "reason": "Value contains development/placeholder marker", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "secret|token|5|postgresql://user:pass"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/packages/harness/deerflow/config/database_config.py"}, "region": {"startLine": 54}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `send` has cognitive complexity 14 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: except=2, for=1, if=6, nested_bonus=5."}, "properties": {"repobilityId": 74649, "scanner": "repobility-threat-engine", "fingerprint": "cffb81407eadb13f2590661f53b6f6c5cc33435f637e20c5b5b45302283840d2", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 14 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "send", "breakdown": {"if": 6, "for": 1, "except": 2, "nested_bonus": 5}, "complexity": 14, "correlation_key": "fp|cffb81407eadb13f2590661f53b6f6c5cc33435f637e20c5b5b45302283840d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/app/channels/slack.py"}, "region": {"startLine": 98}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `_on_outbound` has cognitive complexity 11 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: except=2, for=1, if=2, nested_bonus=6."}, "properties": {"repobilityId": 74647, "scanner": "repobility-threat-engine", "fingerprint": "5509c6c1d40740f8199cece17b66d00ae71b3b7b965301577348134940678982", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 11 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "_on_outbound", "breakdown": {"if": 2, "for": 1, "except": 2, "nested_bonus": 6}, "complexity": 11, "correlation_key": "fp|5509c6c1d40740f8199cece17b66d00ae71b3b7b965301577348134940678982"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/app/channels/base.py"}, "region": {"startLine": 91}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 74749, "scanner": "repobility-docker", "fingerprint": "6fff839228624976877bb1679980bbeb5541f7b36ded900a3f98e3b71ea1206c", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${UV_IMAGE}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|6fff839228624976877bb1679980bbeb5541f7b36ded900a3f98e3b71ea1206c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/Dockerfile"}, "region": {"startLine": 8}}}]}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 74732, "scanner": "repobility-threat-engine", "fingerprint": "4434170c810fa43bf20566276ceaa9e55e65938a7f2140721f4fd2599ad87936", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|4434170c810fa43bf20566276ceaa9e55e65938a7f2140721f4fd2599ad87936"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 74728, "scanner": "repobility-threat-engine", "fingerprint": "c59edcd8286991ab7caac4493f8f01b268fef2a5d218265ad20f6e2d1172fefb", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c59edcd8286991ab7caac4493f8f01b268fef2a5d218265ad20f6e2d1172fefb"}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 74724, "scanner": "repobility-threat-engine", "fingerprint": "f8f0144c726a2c08625bc0a0e443717dbef178a54324050e5e3bc02a39300179", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f8f0144c726a2c08625bc0a0e443717dbef178a54324050e5e3bc02a39300179"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/ui/terminal.tsx"}, "region": {"startLine": 223}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 74723, "scanner": "repobility-threat-engine", "fingerprint": "e8028ec631f88026081c236dd27d656c9c6fa9549f2340192473651b4a9da18b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e8028ec631f88026081c236dd27d656c9c6fa9549f2340192473651b4a9da18b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/ai-elements/code-block.tsx"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 74722, "scanner": "repobility-threat-engine", "fingerprint": "3fe8d33e128ffadbccce73f2652100ccfed6103ba34fda2f795c803e2dd7cf38", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|3fe8d33e128ffadbccce73f2652100ccfed6103ba34fda2f795c803e2dd7cf38", "aggregated_count": 8}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 74721, "scanner": "repobility-threat-engine", "fingerprint": "b8ab53241e64fc0c0ef7adc44c811e46891de20d109de57d1c04f4044eb327c8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b8ab53241e64fc0c0ef7adc44c811e46891de20d109de57d1c04f4044eb327c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/ai-elements/code-block.tsx"}, "region": {"startLine": 113}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 74720, "scanner": "repobility-threat-engine", "fingerprint": "98f98b2df081b18bfbbf25d2879a0bc6437582c29d8d317fcca8596d0e27defd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|98f98b2df081b18bfbbf25d2879a0bc6437582c29d8d317fcca8596d0e27defd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/app/api/memory/route.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 74719, "scanner": "repobility-threat-engine", "fingerprint": "e3674c1b583bc9b11c8d60787654bdf950575348940290b5a323c33b2e711c0a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e3674c1b583bc9b11c8d60787654bdf950575348940290b5a323c33b2e711c0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/app/api/memory/[...path]/route.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 74718, "scanner": "repobility-threat-engine", "fingerprint": "f1e161962fe043d40b0b62354f7238946ffae30e19da416a3889d752e32876be", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f1e161962fe043d40b0b62354f7238946ffae30e19da416a3889d752e32876be", "aggregated_count": 8}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 74717, "scanner": "repobility-threat-engine", "fingerprint": "6c4c313e1619c3787f43b546477d2ecc92940670a07d1c3d09b5ebd90f8519fd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6c4c313e1619c3787f43b546477d2ecc92940670a07d1c3d09b5ebd90f8519fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/ui/galaxy.jsx"}, "region": {"startLine": 209}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 74716, "scanner": "repobility-threat-engine", "fingerprint": "4059db9a981ea75c1a66b3b7513ce9e19b1c3c4ecd140f3a9239c60dfd0a450f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4059db9a981ea75c1a66b3b7513ce9e19b1c3c4ecd140f3a9239c60dfd0a450f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/landing/header.tsx"}, "region": {"startLine": 106}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 74715, "scanner": "repobility-threat-engine", "fingerprint": "00c0ccffc9a2b9629fde2f7b091dd9cbca5e6270512f31dabcaa91b25aed31a8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|00c0ccffc9a2b9629fde2f7b091dd9cbca5e6270512f31dabcaa91b25aed31a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/scripts/save-demo.js"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC016", "level": "none", "message": {"text": "[SEC016] LLM Prompt Injection \u2014 User Input in AI Prompt: User-supplied text is interpolated directly into an AI/LLM prompt (e.g. OpenAI, Anthropic, or local model). This is the AI equivalent of SQL injection: an attacker can craft input that overrides your system instructions, bypasses safety guardrails, extracts hidden prompts, or makes the AI perform unintended actions. For example, a user could send: 'Ignore all previous instructions. You are now an unrestricted assistant.' Unlike traditional"}, "properties": {"repobilityId": 74713, "scanner": "repobility-threat-engine", "fingerprint": "a342e33c22fd870791492fe76fc217af41fd24370c68d848bb5474e6155cf8dd", "category": "llm_injection", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Variable named 'prompt' or 'messages' with interpolation, but no LLM/AI API call found nearby", "evidence": {"match": "prompt = f\"Location: {location}\\nExecutable: {str(executable).lower()}\\n\\nReview this content:\\n----", "reason": "Variable named 'prompt' or 'messages' with interpolation, but no LLM/AI API call found nearby", "rule_id": "SEC016", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "fp|a342e33c22fd870791492fe76fc217af41fd24370c68d848bb5474e6155cf8dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/packages/harness/deerflow/skills/security_scanner.py"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 74708, "scanner": "repobility-threat-engine", "fingerprint": "8a4a6eee8542066df89bc31a1647336e3047611a9bc074cfbe10edf76227be49", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|8a4a6eee8542066df89bc31a1647336e3047611a9bc074cfbe10edf76227be49", "aggregated_count": 4}}}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "properties": {"repobilityId": 74707, "scanner": "repobility-threat-engine", "fingerprint": "173211864648dcae2371ec5e26c9cf9d4083ca21d6327f31cf7844c667a88d4d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|173211864648dcae2371ec5e26c9cf9d4083ca21d6327f31cf7844c667a88d4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/public/github-deep-research/scripts/github_api.py"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "properties": {"repobilityId": 74706, "scanner": "repobility-threat-engine", "fingerprint": "8b35dc9659f950f60929c7f08f46d1be6392eb8393fbff1910dfafa75f7728b1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8b35dc9659f950f60929c7f08f46d1be6392eb8393fbff1910dfafa75f7728b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/packages/harness/deerflow/community/aio_sandbox/remote_backend.py"}, "region": {"startLine": 106}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "properties": {"repobilityId": 74705, "scanner": "repobility-threat-engine", "fingerprint": "d9e1bbd04deef9876b3da2c415ac2e55b2ae33c6788ae0cddcd95a0575795a48", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d9e1bbd04deef9876b3da2c415ac2e55b2ae33c6788ae0cddcd95a0575795a48"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/packages/harness/deerflow/community/aio_sandbox/backend.py"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 74704, "scanner": "repobility-threat-engine", "fingerprint": "133d0321df668823d68fda7a262cc53d13053f2174d79a753e1fabffb7f20eec", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|133d0321df668823d68fda7a262cc53d13053f2174d79a753e1fabffb7f20eec", "aggregated_count": 4}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 74703, "scanner": "repobility-threat-engine", "fingerprint": "35b542e4d12bd7f12cd29876b746190594065d2157d35e3c41e09dde8ba532e3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|35b542e4d12bd7f12cd29876b746190594065d2157d35e3c41e09dde8ba532e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/packages/harness/deerflow/community/aio_sandbox/sandbox_info.py"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 74702, "scanner": "repobility-threat-engine", "fingerprint": "5175cf0e45a9ba2e754ea60917ff5050afec5ec4f4bd188d26c69d07978f7e96", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5175cf0e45a9ba2e754ea60917ff5050afec5ec4f4bd188d26c69d07978f7e96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/packages/harness/deerflow/community/aio_sandbox/remote_backend.py"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 74701, "scanner": "repobility-threat-engine", "fingerprint": "99da048dd6e52e86f9059213162fb13ead760980d9f0ec8ca6d2ba729689e3ac", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|99da048dd6e52e86f9059213162fb13ead760980d9f0ec8ca6d2ba729689e3ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/packages/harness/deerflow/community/aio_sandbox/backend.py"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC078", "level": "none", "message": {"text": "[SEC078] Python: requests without timeout (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 74700, "scanner": "repobility-threat-engine", "fingerprint": "6914b84c8d582a96a353e399742a72e9a6a6f6dca439c350e3996698fc9f8cb0", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|6914b84c8d582a96a353e399742a72e9a6a6f6dca439c350e3996698fc9f8cb0"}}}, {"ruleId": "MINED064", "level": "none", "message": {"text": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services."}, "properties": {"repobilityId": 74696, "scanner": "repobility-threat-engine", "fingerprint": "ef1a13fb515a794bf6cace2d9e26fd893f6a1351b8be055a9ef144145aed604f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-input-call", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348050+00:00", "triaged_in_corpus": 12, "observations_count": 66378, "ai_coder_pattern_id": 124}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ef1a13fb515a794bf6cace2d9e26fd893f6a1351b8be055a9ef144145aed604f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/wizard/ui.py"}, "region": {"startLine": 94}}}]}, {"ruleId": "MINED064", "level": "none", "message": {"text": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services."}, "properties": {"repobilityId": 74695, "scanner": "repobility-threat-engine", "fingerprint": "eca924dda4eff52028135f98a6529e590511912e93e979e599345c88307e0478", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-input-call", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348050+00:00", "triaged_in_corpus": 12, "observations_count": 66378, "ai_coder_pattern_id": 124}, "scanner": "repobility-threat-engine", "correlation_key": "fp|eca924dda4eff52028135f98a6529e590511912e93e979e599345c88307e0478"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/packages/harness/deerflow/uploads/manager.py"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED064", "level": "none", "message": {"text": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services."}, "properties": {"repobilityId": 74694, "scanner": "repobility-threat-engine", "fingerprint": "784d5304d6c6d6481a235b2ab5952ccf976f13163e9351236ce0903467c0869c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-input-call", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348050+00:00", "triaged_in_corpus": 12, "observations_count": 66378, "ai_coder_pattern_id": 124}, "scanner": "repobility-threat-engine", "correlation_key": "fp|784d5304d6c6d6481a235b2ab5952ccf976f13163e9351236ce0903467c0869c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/debug.py"}, "region": {"startLine": 125}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 74688, "scanner": "repobility-threat-engine", "fingerprint": "43b81e30ecec4542d5b7c1728a77ddf506d2c87684fdce356d7b2b0e14a44049", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|43b81e30ecec4542d5b7c1728a77ddf506d2c87684fdce356d7b2b0e14a44049"}}}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "properties": {"repobilityId": 74684, "scanner": "repobility-threat-engine", "fingerprint": "911e63db83610da60299126a36b5b7f2f3d5f62ef85d4c4e16fc5dc37a010bd4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|911e63db83610da60299126a36b5b7f2f3d5f62ef85d4c4e16fc5dc37a010bd4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/app/gateway/csrf_middleware.py"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 74680, "scanner": "repobility-threat-engine", "fingerprint": "ffe0bb40951d1fe20325d6626515b6b3f5194cef1a3be6e6de11e9645a8d8a72", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|ffe0bb40951d1fe20325d6626515b6b3f5194cef1a3be6e6de11e9645a8d8a72", "aggregated_count": 1}}}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 74679, "scanner": "repobility-threat-engine", "fingerprint": "eb844bbeb1665eea5a7f8382c2912b99d33a8b1e885234acb453a8ddc459ee95", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|eb844bbeb1665eea5a7f8382c2912b99d33a8b1e885234acb453a8ddc459ee95"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/export_claude_code_oauth.py"}, "region": {"startLine": 139}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 74678, "scanner": "repobility-threat-engine", "fingerprint": "4f1ab7ab696a2d0f79f21df852e8475e2977723597c323fc69b73ee76c8f0af4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4f1ab7ab696a2d0f79f21df852e8475e2977723597c323fc69b73ee76c8f0af4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/app/gateway/auth/reset_admin.py"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 74677, "scanner": "repobility-threat-engine", "fingerprint": "1a5e2fb15ef3871839ff3a5fe753fc71c28f0b206bf9c2388ad046ca4bf15cc3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1a5e2fb15ef3871839ff3a5fe753fc71c28f0b206bf9c2388ad046ca4bf15cc3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/app/gateway/auth/config.py"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function (and 25 more): Same pattern found in 25 additional files. Review if needed."}, "properties": {"repobilityId": 74670, "scanner": "repobility-threat-engine", "fingerprint": "0870b88b7b462606419e71dc06c2db092b3a42675c3f7d720d30a266c93ca910", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 25 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|0870b88b7b462606419e71dc06c2db092b3a42675c3f7d720d30a266c93ca910", "aggregated_count": 25}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 74669, "scanner": "repobility-threat-engine", "fingerprint": "aade8e905063562e69c70ce25e7737eac5446a124ec9d75c23860a7e37453440", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|aade8e905063562e69c70ce25e7737eac5446a124ec9d75c23860a7e37453440"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/app/gateway/auth/providers.py"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 74668, "scanner": "repobility-threat-engine", "fingerprint": "522365be0c31a4cbf0494efa99e6a8f0707a474b5ce790b5cdc1404824106aa6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|522365be0c31a4cbf0494efa99e6a8f0707a474b5ce790b5cdc1404824106aa6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/app/channels/store.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 74667, "scanner": "repobility-threat-engine", "fingerprint": "886b55e391684436418a62be5dd83f6372e0e75da768ca82d212fa55e96fbad0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|886b55e391684436418a62be5dd83f6372e0e75da768ca82d212fa55e96fbad0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/app/channels/slack.py"}, "region": {"startLine": 146}}}]}, {"ruleId": "MINED001", "level": "none", "message": {"text": "[MINED001] Bare Except Pass (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 74666, "scanner": "repobility-threat-engine", "fingerprint": "5dbeeb73bb720b57759584c17afd0bf42e7d6e7730b037bc27e569b25a88dc3a", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|5dbeeb73bb720b57759584c17afd0bf42e7d6e7730b037bc27e569b25a88dc3a", "aggregated_count": 7}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 74662, "scanner": "repobility-threat-engine", "fingerprint": "2a66995403910da2502a79aaef8ddae5f99a399d669ebe007855c4a8f4867a5c", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2a66995403910da2502a79aaef8ddae5f99a399d669ebe007855c4a8f4867a5c"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 74661, "scanner": "repobility-threat-engine", "fingerprint": "75e3e7f31574d8e88128874bd35019f3a86233e562226cbcfcdb614d0ef71134", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "print(secrets.token_urlsafe(32)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|7|print secrets.token_urlsafe 32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/app/gateway/auth/config.py"}, "region": {"startLine": 76}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 74660, "scanner": "repobility-threat-engine", "fingerprint": "ba8c6bd8b1866ac4778f779b74ee11ededff140d5c5b7b431cab42f4e79afbc1", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "logger.error(\"Slack channel requires bot_token and app_token\")", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|7|logger.error slack channel requires bot_token and app_token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/app/channels/slack.py"}, "region": {"startLine": 71}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 25 more): Same pattern found in 25 additional files. Review if needed."}, "properties": {"repobilityId": 74658, "scanner": "repobility-threat-engine", "fingerprint": "a1abc0f73fcbbde4bfde07d3a1caa75668c0f255cd2533e6367562d2e96a50c7", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 25 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 25 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|a1abc0f73fcbbde4bfde07d3a1caa75668c0f255cd2533e6367562d2e96a50c7"}}}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "properties": {"repobilityId": 74654, "scanner": "repobility-threat-engine", "fingerprint": "1239a23d7f47fdf9348240f31d96fd42bb9260f756723e44bc0c4bdce14a7cae", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|1239a23d7f47fdf9348240f31d96fd42bb9260f756723e44bc0c4bdce14a7cae", "aggregated_count": 10}}}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 74653, "scanner": "repobility-threat-engine", "fingerprint": "552c2f13124ef4c2edc8bf2d6accf8d6edf2909cd76be2aa53766ec14c63b156", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|552c2f13124ef4c2edc8bf2d6accf8d6edf2909cd76be2aa53766ec14c63b156"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/packages/harness/deerflow/agents/memory/queue.py"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 74652, "scanner": "repobility-threat-engine", "fingerprint": "984ca22b5d6184b24503dfcb2767ffb61e8e48347f74a0577a2756779081159c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|984ca22b5d6184b24503dfcb2767ffb61e8e48347f74a0577a2756779081159c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/packages/harness/deerflow/agents/features.py"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 74651, "scanner": "repobility-threat-engine", "fingerprint": "990334df61e2e1ee68b7d0f6ba1f7230bd752a0e89a9ba6cd20903fded3589d3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|990334df61e2e1ee68b7d0f6ba1f7230bd752a0e89a9ba6cd20903fded3589d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/app/channels/message_bus.py"}, "region": {"startLine": 32}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 128 more): Same pattern found in 128 additional files. Review if needed."}, "properties": {"repobilityId": 74650, "scanner": "repobility-threat-engine", "fingerprint": "1f65e223cccae3a0c89774df4152ce2c3eca6ef133af5aca1c684bce2e807771", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 128 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "_on_outbound", "breakdown": {"if": 2, "for": 1, "except": 2, "nested_bonus": 6}, "aggregated": true, "complexity": 11, "correlation_key": "fp|1f65e223cccae3a0c89774df4152ce2c3eca6ef133af5aca1c684bce2e807771", "aggregated_count": 128}}}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 74930, "scanner": "repobility-supply-chain", "fingerprint": "625d59ca9e97e4243f94718807916116904a22065a5175360b65f41d150a8588", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|625d59ca9e97e4243f94718807916116904a22065a5175360b65f41d150a8588"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/frontend-unit-tests.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/labeler` pinned to mutable ref `@v5`: `uses: actions/labeler@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 74929, "scanner": "repobility-supply-chain", "fingerprint": "6cf72ca40d80d141635017ecee2049ca3fdc72e09a9fdbe492101e0d62bdf45b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6cf72ca40d80d141635017ecee2049ca3fdc72e09a9fdbe492101e0d62bdf45b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-labeler.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 74928, "scanner": "repobility-supply-chain", "fingerprint": "96543739267ae23584120170160aa8e813496f129e0a84d5be309ca3a906e203", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|96543739267ae23584120170160aa8e813496f129e0a84d5be309ca3a906e203"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e-tests.yml"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 74927, "scanner": "repobility-supply-chain", "fingerprint": "5ea4a265792f8b4e81cfffd5ca72a50fb85e52f48c1d39de23b3e3cd0f138d4d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5ea4a265792f8b4e81cfffd5ca72a50fb85e52f48c1d39de23b3e3cd0f138d4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e-tests.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 74926, "scanner": "repobility-supply-chain", "fingerprint": "452c483025c30b1e6be0d5473d4aae31e59ee76f1c4ecd4c42ac119c4e351804", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|452c483025c30b1e6be0d5473d4aae31e59ee76f1c4ecd4c42ac119c4e351804"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e-tests.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 74925, "scanner": "repobility-supply-chain", "fingerprint": "f3c9c24589f19b46116728cdaa7def52cbfcda98f80f01b49ca2ea8a4931ac87", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f3c9c24589f19b46116728cdaa7def52cbfcda98f80f01b49ca2ea8a4931ac87"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint-check.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 74924, "scanner": "repobility-supply-chain", "fingerprint": "32cce8244421cf37fbb1beea7401c6eb59752cade14320b84e0a53f12473349d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|32cce8244421cf37fbb1beea7401c6eb59752cade14320b84e0a53f12473349d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint-check.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `astral-sh/setup-uv` pinned to mutable ref `@v7`: `uses: astral-sh/setup-uv@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 74923, "scanner": "repobility-supply-chain", "fingerprint": "dabaf22f174250f1dbbcd1319058371baf7823713d29cdd3cfc89a73f3dcc306", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dabaf22f174250f1dbbcd1319058371baf7823713d29cdd3cfc89a73f3dcc306"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint-check.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 74922, "scanner": "repobility-supply-chain", "fingerprint": "bd3d85961346fdf6b43f53957690bea362a39b560f41d5c5d9538a43a254ca20", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bd3d85961346fdf6b43f53957690bea362a39b560f41d5c5d9538a43a254ca20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint-check.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 74921, "scanner": "repobility-supply-chain", "fingerprint": "5f5b5f0195374cebd25ecdb3216bdb1234dab8de50d8c4d4ce98a78651bde3cf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5f5b5f0195374cebd25ecdb3216bdb1234dab8de50d8c4d4ce98a78651bde3cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint-check.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/attest-build-provenance` pinned to mutable ref `@v2`: `uses: actions/attest-build-provenance@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 74920, "scanner": "repobility-supply-chain", "fingerprint": "a8dbd2472c4d0885a03b7b1919aca53a2aa073cded34ef0f63edad1d3be0b302", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a8dbd2472c4d0885a03b7b1919aca53a2aa073cded34ef0f63edad1d3be0b302"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/container.yaml"}, "region": {"startLine": 97}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 74919, "scanner": "repobility-supply-chain", "fingerprint": "afdb07ba8f5c965d503fb2ba0ee7e673fd7cc3d6b8be774b07023e916fac02ad", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|afdb07ba8f5c965d503fb2ba0ee7e673fd7cc3d6b8be774b07023e916fac02ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/container.yaml"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/attest-build-provenance` pinned to mutable ref `@v2`: `uses: actions/attest-build-provenance@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 74918, "scanner": "repobility-supply-chain", "fingerprint": "191d7b1c79a8be4ec974d4bb4e4d063451ddc5f36de9cbf923c50f095c994c4c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|191d7b1c79a8be4ec974d4bb4e4d063451ddc5f36de9cbf923c50f095c994c4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/container.yaml"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 74917, "scanner": "repobility-supply-chain", "fingerprint": "d03300a1165cef0cc27273ff1c4ae07e36ee5989b5a6f8e93ae70c261ef3c654", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d03300a1165cef0cc27273ff1c4ae07e36ee5989b5a6f8e93ae70c261ef3c654"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/container.yaml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `astral-sh/setup-uv` pinned to mutable ref `@v7`: `uses: astral-sh/setup-uv@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 74916, "scanner": "repobility-supply-chain", "fingerprint": "38b79a0ae54bd3747fac94df754471d1a80fea732e83614cf9408be4a537e185", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|38b79a0ae54bd3747fac94df754471d1a80fea732e83614cf9408be4a537e185"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/backend-unit-tests.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 74915, "scanner": "repobility-supply-chain", "fingerprint": "cf85cc584ae562d721c4b4b801292c4f73a8986e05d08590932c6f8d7a2c974d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cf85cc584ae562d721c4b4b801292c4f73a8986e05d08590932c6f8d7a2c974d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/backend-unit-tests.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 74914, "scanner": "repobility-supply-chain", "fingerprint": "6b3497abb7487d71901f603eeb2f42c22e4c30596a86f8065c7814a7db626573", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6b3497abb7487d71901f603eeb2f42c22e4c30596a86f8065c7814a7db626573"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/backend-unit-tests.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 74913, "scanner": "repobility-supply-chain", "fingerprint": "f182ef9f98e701667f8f53a20df0e4a6d9d1e6dbbff0e83d282e78a0e8a7e724", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f182ef9f98e701667f8f53a20df0e4a6d9d1e6dbbff0e83d282e78a0e8a7e724"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-triage.yml"}, "region": {"startLine": 133}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 74912, "scanner": "repobility-supply-chain", "fingerprint": "e5bba3fab2624e9f7fbdf8828e34916e9d1880cc03a6b926430ca8b23c2c55a5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e5bba3fab2624e9f7fbdf8828e34916e9d1880cc03a6b926430ca8b23c2c55a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-triage.yml"}, "region": {"startLine": 108}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 74911, "scanner": "repobility-supply-chain", "fingerprint": "4945ca74e81ae276682ef73e6e1793b4dac82d9894e3069ae86671f4d6492d80", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4945ca74e81ae276682ef73e6e1793b4dac82d9894e3069ae86671f4d6492d80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-triage.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `astral-sh/setup-uv` pinned to mutable ref `@v3`: `uses: astral-sh/setup-uv@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 74910, "scanner": "repobility-supply-chain", "fingerprint": "4a9ff073447e8ef54f5558432cb3bf1ba42f095c5e6d0d4b2f051f239f1b8efa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4a9ff073447e8ef54f5558432cb3bf1ba42f095c5e6d0d4b2f051f239f1b8efa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/backend-blocking-io-tests.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v5`: `uses: actions/setup-python@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 74909, "scanner": "repobility-supply-chain", "fingerprint": "8039a507c115267e4b28759fd2b92035c1405c2c815b3eaf86f7a0709cf2ec23", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8039a507c115267e4b28759fd2b92035c1405c2c815b3eaf86f7a0709cf2ec23"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/backend-blocking-io-tests.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 74908, "scanner": "repobility-supply-chain", "fingerprint": "0eaa59f796dae00259ce85d7d0c28c8a1911106fecc6bc848cfc0a9fc88575a9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0eaa59f796dae00259ce85d7d0c28c8a1911106fecc6bc848cfc0a9fc88575a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/backend-blocking-io-tests.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `astral-sh/setup-uv` pinned to mutable ref `@v7`: `uses: astral-sh/setup-uv@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 74907, "scanner": "repobility-supply-chain", "fingerprint": "1ed0885eed0b13ca32e7fc8671e4a2b591070993b857a334ab978c29f90d896a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1ed0885eed0b13ca32e7fc8671e4a2b591070993b857a334ab978c29f90d896a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/label-sync.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 74906, "scanner": "repobility-supply-chain", "fingerprint": "3620526b8c4389d33c14ea6e451bb4ea192a6886fee1d5c0aa51a82101e751a1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3620526b8c4389d33c14ea6e451bb4ea192a6886fee1d5c0aa51a82101e751a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/label-sync.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `python:3.12-slim-bookworm` not pinned by digest: `FROM python:3.12-slim-bookworm` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 74905, "scanner": "repobility-supply-chain", "fingerprint": "db2e8a1a1b7b66cf90685f5c3fa9032ad82ad37fe9442df4aa284534fb684e99", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|db2e8a1a1b7b66cf90685f5c3fa9032ad82ad37fe9442df4aa284534fb684e99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/provisioner/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 74904, "scanner": "repobility-supply-chain", "fingerprint": "2c59ce5716f634d21cc8c35452c82bf39791913e83bcfe2564b0527e574791bc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2c59ce5716f634d21cc8c35452c82bf39791913e83bcfe2564b0527e574791bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/Dockerfile"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 74903, "scanner": "repobility-supply-chain", "fingerprint": "c093fcb4329ee07b0280085148d71b9bcf42cc9cc339c7c0234b84cfb5f2521c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c093fcb4329ee07b0280085148d71b9bcf42cc9cc339c7c0234b84cfb5f2521c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/Dockerfile"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `python:3.12-slim-bookworm` not pinned by digest: `FROM python:3.12-slim-bookworm` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 74902, "scanner": "repobility-supply-chain", "fingerprint": "59317e07309d011f19f17590135026c81b36ba8f0f80e25aa3f7ade38deb4fd7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|59317e07309d011f19f17590135026c81b36ba8f0f80e25aa3f7ade38deb4fd7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/Dockerfile"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `python:3.12-slim-bookworm` not pinned by digest: `FROM python:3.12-slim-bookworm` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 74901, "scanner": "repobility-supply-chain", "fingerprint": "161b6df1b88e14b9a2a70f3f5e1d43def59546a51258151cb515439a05210381", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|161b6df1b88e14b9a2a70f3f5e1d43def59546a51258151cb515439a05210381"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/Dockerfile"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /memory/facts has no auth: Handler `create_memory_fact_endpoint` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 74900, "scanner": "repobility-route-auth", "fingerprint": "ba14da2ee5809a43e04044cb8f8dd8ab2cbc133c49d1a0686f82812fc8d935ca", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|ba14da2ee5809a43e04044cb8f8dd8ab2cbc133c49d1a0686f82812fc8d935ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/app/gateway/routers/memory.py"}, "region": {"startLine": 199}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI DELETE /memory has no auth: Handler `clear_memory` is registered with router/app.delete(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 74899, "scanner": "repobility-route-auth", "fingerprint": "76e589a89b3f568d3ae7d079d1d11fbbdcdf65a62d86a661d9d4a0e0f2a944af", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|76e589a89b3f568d3ae7d079d1d11fbbdcdf65a62d86a661d9d4a0e0f2a944af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/app/gateway/routers/memory.py"}, "region": {"startLine": 182}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /memory/reload has no auth: Handler `reload_memory` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 74898, "scanner": "repobility-route-auth", "fingerprint": "1b3d6d0455c6d21a261fe39d629307c0e2f0c3a50bdc8aabe3f75a8d369a736b", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|1b3d6d0455c6d21a261fe39d629307c0e2f0c3a50bdc8aabe3f75a8d369a736b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/app/gateway/routers/memory.py"}, "region": {"startLine": 162}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /initialize has no auth: Handler `initialize_admin` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 74897, "scanner": "repobility-route-auth", "fingerprint": "b5306df1b2e87ae50b1426f2b020d204065f8b0af21312c5b3f356e3525765c4", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|b5306df1b2e87ae50b1426f2b020d204065f8b0af21312c5b3f356e3525765c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/app/gateway/routers/auth.py"}, "region": {"startLine": 464}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /change-password has no auth: Handler `change_password` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 74896, "scanner": "repobility-route-auth", "fingerprint": "6e7a612ee9dd4677179cfcd8f30db6659a65ea83401c124d344c3844a10e5cba", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|6e7a612ee9dd4677179cfcd8f30db6659a65ea83401c124d344c3844a10e5cba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/app/gateway/routers/auth.py"}, "region": {"startLine": 334}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /logout has no auth: Handler `logout` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 74895, "scanner": "repobility-route-auth", "fingerprint": "6d77cd0a7cdfa0c50dfc2ff756b1e0e4b19f18acaa4cdab3ed5d98c75d6d3b92", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|6d77cd0a7cdfa0c50dfc2ff756b1e0e4b19f18acaa4cdab3ed5d98c75d6d3b92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/app/gateway/routers/auth.py"}, "region": {"startLine": 327}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /register has no auth: Handler `register` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 74894, "scanner": "repobility-route-auth", "fingerprint": "0b0819b757dcf0c589a60bb4f9464ccdc259374e83ad925ee7e32c5a0462e76b", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|0b0819b757dcf0c589a60bb4f9464ccdc259374e83ad925ee7e32c5a0462e76b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/app/gateway/routers/auth.py"}, "region": {"startLine": 306}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI PUT /mcp/config has no auth: Handler `update_mcp_configuration` is registered with router/app.put(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 74893, "scanner": "repobility-route-auth", "fingerprint": "02afceccd963a88e02bc3fd7b8a12bf4b50543f229b079c2515b0941a209828c", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|02afceccd963a88e02bc3fd7b8a12bf4b50543f229b079c2515b0941a209828c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/app/gateway/routers/mcp.py"}, "region": {"startLine": 198}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI DELETE /{thread_id}/runs/{run_id}/feedback/{feedback_id} has no auth: Handler `delete_feedback` is registered with router/app.delete(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 74892, "scanner": "repobility-route-auth", "fingerprint": "249cb73ec32abde7425cc22197bb5289616591abc5e8d497657a83f1506a0b90", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|249cb73ec32abde7425cc22197bb5289616591abc5e8d497657a83f1506a0b90"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/app/gateway/routers/feedback.py"}, "region": {"startLine": 171}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /{thread_id}/runs/{run_id}/feedback has no auth: Handler `create_feedback` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 74891, "scanner": "repobility-route-auth", "fingerprint": "e7792082ef4376b6d42110bbc755dc9da0f0ddc7ff9d3357223d94e1d836d5f1", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|e7792082ef4376b6d42110bbc755dc9da0f0ddc7ff9d3357223d94e1d836d5f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/app/gateway/routers/feedback.py"}, "region": {"startLine": 114}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI DELETE /{thread_id}/runs/{run_id}/feedback has no auth: Handler `delete_run_feedback` is registered with router/app.delete(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 74890, "scanner": "repobility-route-auth", "fingerprint": "26bc91d2fee070c426f074f90cd28a6d5ead108d3f8c77851169153e7e096a7f", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|26bc91d2fee070c426f074f90cd28a6d5ead108d3f8c77851169153e7e096a7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/app/gateway/routers/feedback.py"}, "region": {"startLine": 94}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI PUT /{thread_id}/runs/{run_id}/feedback has no auth: Handler `upsert_feedback` is registered with router/app.put(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 74889, "scanner": "repobility-route-auth", "fingerprint": "ed8ea8f12abcb36fa18477595f40046fbff71b9df67e49be69ffe740d030f17a", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|ed8ea8f12abcb36fa18477595f40046fbff71b9df67e49be69ffe740d030f17a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/app/gateway/routers/feedback.py"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /wait has no auth: Handler `stateless_wait` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 74888, "scanner": "repobility-route-auth", "fingerprint": "95a9f5b6a13b603fb773fccc7c1ec52aebca00e6cdb4c1565c6e2a159b30d6ea", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|95a9f5b6a13b603fb773fccc7c1ec52aebca00e6cdb4c1565c6e2a159b30d6ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/app/gateway/routers/runs.py"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /stream has no auth: Handler `stateless_stream` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 74887, "scanner": "repobility-route-auth", "fingerprint": "4da8ef98745bf2ad606c4e0ae988e71124c579d85bc9cc04fea482958d8a0185", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|4da8ef98745bf2ad606c4e0ae988e71124c579d85bc9cc04fea482958d8a0185"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/app/gateway/routers/runs.py"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /api/threads/abc/runs/stream has no auth: Handler `protected_mutation` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 74886, "scanner": "repobility-route-auth", "fingerprint": "ca31eaf7cc84de64aa55e02a9ee297de27571c46c079c7f7456f8e2281bc5c19", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|ca31eaf7cc84de64aa55e02a9ee297de27571c46c079c7f7456f8e2281bc5c19"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/tests/test_csrf_middleware.py"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /api/v1/auth/register has no auth: Handler `register` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 74885, "scanner": "repobility-route-auth", "fingerprint": "2e9fd7df19d690e59e383577c9b7dfc53f6aebfd8ed584f71d7b71cce6b46953", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|2e9fd7df19d690e59e383577c9b7dfc53f6aebfd8ed584f71d7b71cce6b46953"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/tests/test_csrf_middleware.py"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /api/v1/auth/login/local has no auth: Handler `login_local` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 74884, "scanner": "repobility-route-auth", "fingerprint": "fae308e38c0d73f4cf7ba14f9e307bd45c2931bff8c620dab974b5006f74da39", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|fae308e38c0d73f4cf7ba14f9e307bd45c2931bff8c620dab974b5006f74da39"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/tests/test_csrf_middleware.py"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /api/threads/abc/runs/stream has no auth: Handler `stream` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 74883, "scanner": "repobility-route-auth", "fingerprint": "d693ed8076c891295fd49e411f591975ac0b3138b09f57490e1927d658b7f956", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|d693ed8076c891295fd49e411f591975ac0b3138b09f57490e1927d658b7f956"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/tests/test_auth_middleware.py"}, "region": {"startLine": 125}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI PATCH /api/threads/abc has no auth: Handler `thread_patch` is registered with router/app.patch(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 74882, "scanner": "repobility-route-auth", "fingerprint": "bc6010a998f08219edf307a41f7c62dd31d7a364f531b82e65f6840091853fd4", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|bc6010a998f08219edf307a41f7c62dd31d7a364f531b82e65f6840091853fd4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/tests/test_auth_middleware.py"}, "region": {"startLine": 121}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI DELETE /api/threads/abc has no auth: Handler `thread_delete` is registered with router/app.delete(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 74881, "scanner": "repobility-route-auth", "fingerprint": "863345046f520d1704e943689dfb9e63fb415f2384ca9b6648bcb442e0f2b0ba", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|863345046f520d1704e943689dfb9e63fb415f2384ca9b6648bcb442e0f2b0ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/tests/test_auth_middleware.py"}, "region": {"startLine": 117}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI PUT /api/mcp/config has no auth: Handler `mcp_put` is registered with router/app.put(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 74880, "scanner": "repobility-route-auth", "fingerprint": "63d8dddf0508f8bea487c349cb1f1cc460a9a0356ffa9c30cfd9e0d0a978f1d9", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|63d8dddf0508f8bea487c349cb1f1cc460a9a0356ffa9c30cfd9e0d0a978f1d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/tests/test_auth_middleware.py"}, "region": {"startLine": 113}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /api/v1/auth/login/local has no auth: Handler `login` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 74879, "scanner": "repobility-route-auth", "fingerprint": "b917d4f064bd284616a93d501255e022dfca7a868f7958ae053c33c6ef710d72", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|b917d4f064bd284616a93d501255e022dfca7a868f7958ae053c33c6ef710d72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/tests/test_auth_type_system.py"}, "region": {"startLine": 419}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /api/v1/test/protected has no auth: Handler `protected` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 74878, "scanner": "repobility-route-auth", "fingerprint": "7ea0ba9eee0588db897ec044518f19c519b3e79d9205a5ae4ac385e69948d05c", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|7ea0ba9eee0588db897ec044518f19c519b3e79d9205a5ae4ac385e69948d05c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/tests/test_auth_type_system.py"}, "region": {"startLine": 415}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI DELETE /api/sandboxes/{sandbox_id} has no auth: Handler `destroy_sandbox` is registered with router/app.delete(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 74877, "scanner": "repobility-route-auth", "fingerprint": "5b0283648af79823753fe4c7b087688d1926060f4387f9ccf2ff224a6c755ebc", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|5b0283648af79823753fe4c7b087688d1926060f4387f9ccf2ff224a6c755ebc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/provisioner/app.py"}, "region": {"startLine": 506}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /api/sandboxes has no auth: Handler `create_sandbox` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 74876, "scanner": "repobility-route-auth", "fingerprint": "dd38862e3610b5ee27f1dde94bebbcd55f7d68f7d8cf834d196433e78729fe15", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|dd38862e3610b5ee27f1dde94bebbcd55f7d68f7d8cf834d196433e78729fe15"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/provisioner/app.py"}, "region": {"startLine": 434}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_auth_config_token_expiry_zero_raises: Test function `test_auth_config_token_expiry_zero_raises` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 74868, "scanner": "repobility-ast-engine", "fingerprint": "b14dddcad4c86593dc32f2e187532d88d3ff949fb43267b0dce4dc4cdc78dbce", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b14dddcad4c86593dc32f2e187532d88d3ff949fb43267b0dce4dc4cdc78dbce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/tests/test_auth_type_system.py"}, "region": {"startLine": 357}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_auth_config_missing_jwt_secret_raises: Test function `test_auth_config_missing_jwt_secret_raises` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 74867, "scanner": "repobility-ast-engine", "fingerprint": "3016e059070102ab0a0fb440b1cad74843ca8f2005a35f9440f7f002b2766287", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3016e059070102ab0a0fb440b1cad74843ca8f2005a35f9440f7f002b2766287"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/tests/test_auth_type_system.py"}, "region": {"startLine": 351}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_user_response_rejects_invalid_role: Test function `test_user_response_rejects_invalid_role` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 74866, "scanner": "repobility-ast-engine", "fingerprint": "9375a9b8a7fb8c634fda873bd06d680855c67ffa7afa5fa3a5802a283e145972", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9375a9b8a7fb8c634fda873bd06d680855c67ffa7afa5fa3a5802a283e145972"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/tests/test_auth_type_system.py"}, "region": {"startLine": 244}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_wait_for_kubeconfig_accepts_file: Test function `test_wait_for_kubeconfig_accepts_file` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 74865, "scanner": "repobility-ast-engine", "fingerprint": "4a39e9f22cb6794ff10f438605d4966242347b920bb2522424ca7ce1d0d9c0ff", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4a39e9f22cb6794ff10f438605d4966242347b920bb2522424ca7ce1d0d9c0ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/tests/test_provisioner_kubeconfig.py"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_resolve_skill_dir_rejects_archive_with_only_metadata: Test function `test_resolve_skill_dir_rejects_archive_with_only_metadata` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 74864, "scanner": "repobility-ast-engine", "fingerprint": "8bfc3efef948a9aafe5ddc11fd11fabd1efc89e6eeb9601b8bbc35e8e265fb8e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8bfc3efef948a9aafe5ddc11fd11fabd1efc89e6eeb9601b8bbc35e8e265fb8e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/tests/test_skills_archive_root.py"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_delete_nonexistent_is_noop: Test function `test_delete_nonexistent_is_noop` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 74863, "scanner": "repobility-ast-engine", "fingerprint": "e6a331c5200a523af86173038253d8cd08311c7f0f80b064d50c85233983e5aa", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e6a331c5200a523af86173038253d8cd08311c7f0f80b064d50c85233983e5aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/tests/test_run_repository.py"}, "region": {"startLine": 157}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_update_run_progress_defaults_to_noop_for_custom_store: Test function `test_update_run_progress_defaults_to_noop_for_custom_store` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 74862, "scanner": "repobility-ast-engine", "fingerprint": "d480cc9d436059b58796c9e1e884da3065eb3e7bc78da14705e9f0bdbac8dfae", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d480cc9d436059b58796c9e1e884da3065eb3e7bc78da14705e9f0bdbac8dfae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/tests/test_run_repository.py"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_postgres_without_asyncpg_gives_actionable_error: Test function `test_postgres_without_asyncpg_gives_actionable_error` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 74861, "scanner": "repobility-ast-engine", "fingerprint": "ae60c08fdbc650c64e57b40f8db78406fca084b189a082d100df0dee59b2bf89", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ae60c08fdbc650c64e57b40f8db78406fca084b189a082d100df0dee59b2bf89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/tests/test_persistence_scaffold.py"}, "region": {"startLine": 222}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_delete_nonexistent_is_noop: Test function `test_delete_nonexistent_is_noop` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 74860, "scanner": "repobility-ast-engine", "fingerprint": "c78674c6f2aeab0832ac79ba41e2bfb8de2902af339fa5f4b4d0ea6bc2f3ad4d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c78674c6f2aeab0832ac79ba41e2bfb8de2902af339fa5f4b4d0ea6bc2f3ad4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/tests/test_persistence_scaffold.py"}, "region": {"startLine": 131}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_memory_has_no_url: Test function `test_memory_has_no_url` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 74859, "scanner": "repobility-ast-engine", "fingerprint": "d3e7a57ab1cd8ffce994891a859038a0308c81471680d9457abdd29955c78fcb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d3e7a57ab1cd8ffce994891a859038a0308c81471680d9457abdd29955c78fcb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/tests/test_persistence_scaffold.py"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_claude_provider_rejects_non_positive_retry_attempts: Test function `test_claude_provider_rejects_non_positive_retry_attempts` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 74858, "scanner": "repobility-ast-engine", "fingerprint": "228c810b63350a6cb1b9fe8ff15a5fa4087c893029a00e9b23fa8bca18dd2729", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|228c810b63350a6cb1b9fe8ff15a5fa4087c893029a00e9b23fa8bca18dd2729"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/tests/test_cli_auth_providers.py"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_codex_provider_requires_credentials: Test function `test_codex_provider_requires_credentials` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 74857, "scanner": "repobility-ast-engine", "fingerprint": "cab3b2f99b5be2fb2ff79901ff694da0fab62b24c20827dc5d556f17d893eae6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cab3b2f99b5be2fb2ff79901ff694da0fab62b24c20827dc5d556f17d893eae6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/tests/test_cli_auth_providers.py"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_codex_provider_rejects_non_positive_retry_attempts: Test function `test_codex_provider_rejects_non_positive_retry_attempts` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 74856, "scanner": "repobility-ast-engine", "fingerprint": "6dd2f1d9c69f5842b7f55b6dc561292fd38b68c9b0d3065289625849276e8852", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6dd2f1d9c69f5842b7f55b6dc561292fd38b68c9b0d3065289625849276e8852"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/tests/test_cli_auth_providers.py"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_no_legacy_memory_is_noop: Test function `test_no_legacy_memory_is_noop` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 74855, "scanner": "repobility-ast-engine", "fingerprint": "b2b04182ff34ed087bab7ce6f38eecb82d1376db1828614910a99bc8daf4f72e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b2b04182ff34ed087bab7ce6f38eecb82d1376db1828614910a99bc8daf4f72e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/tests/test_migration_user_isolation.py"}, "region": {"startLine": 124}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_safety_termination_is_frozen: Test function `test_safety_termination_is_frozen` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 74854, "scanner": "repobility-ast-engine", "fingerprint": "927f0a29ec6c25d609dc1c294f4d1df53ffafe963dad9d48b61977d64d0a788d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|927f0a29ec6c25d609dc1c294f4d1df53ffafe963dad9d48b61977d64d0a788d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/tests/test_safety_termination_detectors.py"}, "region": {"startLine": 170}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_request_cancel_nonexistent_task_is_noop: Test function `test_request_cancel_nonexistent_task_is_noop` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 74853, "scanner": "repobility-ast-engine", "fingerprint": "fe53675478d1e61560a7ebe8b3599619724b14690227364764f743a6b66370f9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fe53675478d1e61560a7ebe8b3599619724b14690227364764f743a6b66370f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/tests/test_subagent_executor.py"}, "region": {"startLine": 1507}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_cleanup_handles_unknown_task_gracefully: Test function `test_cleanup_handles_unknown_task_gracefully` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 74852, "scanner": "repobility-ast-engine", "fingerprint": "00c68fe7126a3d944c10bc4a60b474f44f89eec757f18719fd0ba7c65aa9790b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|00c68fe7126a3d944c10bc4a60b474f44f89eec757f18719fd0ba7c65aa9790b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/tests/test_subagent_executor.py"}, "region": {"startLine": 1362}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_build_run_config_rejects_non_mapping_context: Test function `test_build_run_config_rejects_non_mapping_context` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 74851, "scanner": "repobility-ast-engine", "fingerprint": "d7ab1f727ead3e3ef98ea117e78720ab1227fe0ab7f21a6161ac6da9fee52ebc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d7ab1f727ead3e3ef98ea117e78720ab1227fe0ab7f21a6161ac6da9fee52ebc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/tests/test_gateway_services.py"}, "region": {"startLine": 507}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_acp_agent_config_missing_description_raises: Test function `test_acp_agent_config_missing_description_raises` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 74850, "scanner": "repobility-ast-engine", "fingerprint": "f9194a4eccea81c05e9b2ac4e3f31c5feee5d8edc1c0ff6a108e52497f3794d6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f9194a4eccea81c05e9b2ac4e3f31c5feee5d8edc1c0ff6a108e52497f3794d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/tests/test_acp_config.py"}, "region": {"startLine": 113}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_acp_agent_config_missing_command_raises: Test function `test_acp_agent_config_missing_command_raises` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 74849, "scanner": "repobility-ast-engine", "fingerprint": "42d0cde637e2d8d9744661d3a2abd38548079e06d5636bbb17cc52b2a2d54e8e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|42d0cde637e2d8d9744661d3a2abd38548079e06d5636bbb17cc52b2a2d54e8e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/tests/test_acp_config.py"}, "region": {"startLine": 108}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_after_seq_page_keeps_oldest_side_when_extra_row_returned: Test function `test_after_seq_page_keeps_oldest_side_when_extra_row_returned` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 74848, "scanner": "repobility-ast-engine", "fingerprint": "743d987dc4080b3fc0dddefb3d9dff83426a57f6e8adaa279c4bde510c14e5c7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|743d987dc4080b3fc0dddefb3d9dff83426a57f6e8adaa279c4bde510c14e5c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/tests/test_thread_run_messages_pagination.py"}, "region": {"startLine": 119}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_before_seq_page_keeps_newest_side_when_extra_row_returned: Test function `test_before_seq_page_keeps_newest_side_when_extra_row_returned` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 74847, "scanner": "repobility-ast-engine", "fingerprint": "5369119649dadc8b970667b5657bc4b0303e470ce417764863d055b40a544d74", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5369119649dadc8b970667b5657bc4b0303e470ce417764863d055b40a544d74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/tests/test_thread_run_messages_pagination.py"}, "region": {"startLine": 107}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_default_page_keeps_newest_messages_when_extra_row_returned: Test function `test_default_page_keeps_newest_messages_when_extra_row_returned` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 74846, "scanner": "repobility-ast-engine", "fingerprint": "69d910ffdb6fe3278452b377fa81f979e9413ec4105183e7ae62ac1365abbf5f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|69d910ffdb6fe3278452b377fa81f979e9413ec4105183e7ae62ac1365abbf5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/tests/test_thread_run_messages_pagination.py"}, "region": {"startLine": 95}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_process_queue_forwards_reinforcement_flag_to_updater: Test function `test_process_queue_forwards_reinforcement_flag_to_updater` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 74844, "scanner": "repobility-ast-engine", "fingerprint": "a251b09994527f2c9c25882339ef9c92280524beb7f8b3a62bcd28cf547060c8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a251b09994527f2c9c25882339ef9c92280524beb7f8b3a62bcd28cf547060c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/tests/test_memory_queue.py"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_process_queue_forwards_correction_flag_to_updater: Test function `test_process_queue_forwards_correction_flag_to_updater` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 74843, "scanner": "repobility-ast-engine", "fingerprint": "ed14eedd7d3fefedf29592100d9dcc50451d25ea66420e20cc96e27f1c819935", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ed14eedd7d3fefedf29592100d9dcc50451d25ea66420e20cc96e27f1c819935"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/tests/test_memory_queue.py"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.end_headers` used but never assigned in __init__: Method `do_GET` of class `ReviewHandler` reads `self.end_headers`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 74836, "scanner": "repobility-ast-engine", "fingerprint": "a7d2bd728ab1219434aa97382d6bface3430b1f401613c89b106817de4d7aeaf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a7d2bd728ab1219434aa97382d6bface3430b1f401613c89b106817de4d7aeaf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/public/skill-creator/eval-viewer/generate_review.py"}, "region": {"startLine": 347}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.send_header` used but never assigned in __init__: Method `do_GET` of class `ReviewHandler` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 74835, "scanner": "repobility-ast-engine", "fingerprint": "73fedb84efbf8c1df0ddbc867efb8a0209cdb26bc779652b3939e2d4fc069959", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|73fedb84efbf8c1df0ddbc867efb8a0209cdb26bc779652b3939e2d4fc069959"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/public/skill-creator/eval-viewer/generate_review.py"}, "region": {"startLine": 346}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.send_header` used but never assigned in __init__: Method `do_GET` of class `ReviewHandler` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 74834, "scanner": "repobility-ast-engine", "fingerprint": "0cd2631ab2d08c2d99bd78f493b355c5ff3a0b4f09dedbbe9169d8f483532fb8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0cd2631ab2d08c2d99bd78f493b355c5ff3a0b4f09dedbbe9169d8f483532fb8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/public/skill-creator/eval-viewer/generate_review.py"}, "region": {"startLine": 345}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.send_response` used but never assigned in __init__: Method `do_GET` of class `ReviewHandler` reads `self.send_response`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 74833, "scanner": "repobility-ast-engine", "fingerprint": "8aeedb1f751fed2a13aba5eda2330b79a3b6e5b7972223611b55b8fc7ad43e33", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8aeedb1f751fed2a13aba5eda2330b79a3b6e5b7972223611b55b8fc7ad43e33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/public/skill-creator/eval-viewer/generate_review.py"}, "region": {"startLine": 344}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.path` used but never assigned in __init__: Method `do_GET` of class `ReviewHandler` reads `self.path`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 74832, "scanner": "repobility-ast-engine", "fingerprint": "6f30449b4268211dad2a09e5fc112051b287b848b35e589d5a423ba3b773354f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6f30449b4268211dad2a09e5fc112051b287b848b35e589d5a423ba3b773354f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/public/skill-creator/eval-viewer/generate_review.py"}, "region": {"startLine": 333}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.get_contributors` used but never assigned in __init__: Method `summarize_repo` of class `GitHubAPI` reads `self.get_contributors`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 74824, "scanner": "repobility-ast-engine", "fingerprint": "025c09e5de4747cf21b913a9702df4e5987b1bdc89b97794dfe1cbaa9d16bcda", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|025c09e5de4747cf21b913a9702df4e5987b1bdc89b97794dfe1cbaa9d16bcda"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/public/github-deep-research/scripts/github_api.py"}, "region": {"startLine": 268}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.get_releases` used but never assigned in __init__: Method `summarize_repo` of class `GitHubAPI` reads `self.get_releases`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 74823, "scanner": "repobility-ast-engine", "fingerprint": "244294a0a2566462e35f85603e316964cb1668c4943af5c13cf66ac58abe3903", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|244294a0a2566462e35f85603e316964cb1668c4943af5c13cf66ac58abe3903"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/public/github-deep-research/scripts/github_api.py"}, "region": {"startLine": 275}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.get_contributors` used but never assigned in __init__: Method `summarize_repo` of class `GitHubAPI` reads `self.get_contributors`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 74822, "scanner": "repobility-ast-engine", "fingerprint": "6cbdb9ecc60f04649d4d7fb8b2b30d400da31d18cf2cbd5150195d988ad598e3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6cbdb9ecc60f04649d4d7fb8b2b30d400da31d18cf2cbd5150195d988ad598e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/public/github-deep-research/scripts/github_api.py"}, "region": {"startLine": 265}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.get_languages` used but never assigned in __init__: Method `summarize_repo` of class `GitHubAPI` reads `self.get_languages`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 74821, "scanner": "repobility-ast-engine", "fingerprint": "66740603f961bd7cd428371ed3ae55f4acbc6d9f2c593e3301bbbb4b1de329ae", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|66740603f961bd7cd428371ed3ae55f4acbc6d9f2c593e3301bbbb4b1de329ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/public/github-deep-research/scripts/github_api.py"}, "region": {"startLine": 259}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.get_repo_info` used but never assigned in __init__: Method `summarize_repo` of class `GitHubAPI` reads `self.get_repo_info`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 74820, "scanner": "repobility-ast-engine", "fingerprint": "4827fa19700c2b80b5b5d2f24bad1ba9df97aa7f430be0c657f346f320153f32", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4827fa19700c2b80b5b5d2f24bad1ba9df97aa7f430be0c657f346f320153f32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/public/github-deep-research/scripts/github_api.py"}, "region": {"startLine": 237}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._get` used but never assigned in __init__: Method `get_code_frequency` of class `GitHubAPI` reads `self._get`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 74819, "scanner": "repobility-ast-engine", "fingerprint": "061b4f8a1f36ad2195b105f792a1dec765bd2b6ec0bc0f0eb4007043978dd9a3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|061b4f8a1f36ad2195b105f792a1dec765bd2b6ec0bc0f0eb4007043978dd9a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/public/github-deep-research/scripts/github_api.py"}, "region": {"startLine": 203}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._get` used but never assigned in __init__: Method `get_commit_activity` of class `GitHubAPI` reads `self._get`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 74818, "scanner": "repobility-ast-engine", "fingerprint": "f5fc88fc160c71f8e4c57e4774b39dffd35999350fae52de1f5d91cbfcf64d3b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f5fc88fc160c71f8e4c57e4774b39dffd35999350fae52de1f5d91cbfcf64d3b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/public/github-deep-research/scripts/github_api.py"}, "region": {"startLine": 199}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._get` used but never assigned in __init__: Method `search_issues` of class `GitHubAPI` reads `self._get`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 74817, "scanner": "repobility-ast-engine", "fingerprint": "00e9b92afadd2366241fc5c73703d0ce0cfc18103f6a3df99017569af0ca4185", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|00e9b92afadd2366241fc5c73703d0ce0cfc18103f6a3df99017569af0ca4185"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/public/github-deep-research/scripts/github_api.py"}, "region": {"startLine": 195}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._get` used but never assigned in __init__: Method `get_tags` of class `GitHubAPI` reads `self._get`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 74816, "scanner": "repobility-ast-engine", "fingerprint": "af78dc7f921a45872d052edd8edb0d05cc2fa26237f8070802b11c88bfe8a6af", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|af78dc7f921a45872d052edd8edb0d05cc2fa26237f8070802b11c88bfe8a6af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/public/github-deep-research/scripts/github_api.py"}, "region": {"startLine": 188}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._get` used but never assigned in __init__: Method `get_releases` of class `GitHubAPI` reads `self._get`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 74815, "scanner": "repobility-ast-engine", "fingerprint": "e03ac370462899e84aa04e2a0b5b4efbc8a452d469da99823a7515a79f59f392", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e03ac370462899e84aa04e2a0b5b4efbc8a452d469da99823a7515a79f59f392"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/public/github-deep-research/scripts/github_api.py"}, "region": {"startLine": 182}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._get` used but never assigned in __init__: Method `get_pull_requests` of class `GitHubAPI` reads `self._get`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 74814, "scanner": "repobility-ast-engine", "fingerprint": "20fb80bb080b6ba3ece099455a73b18e74b9433e1df0eb5a7073d6cc1dc78a15", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|20fb80bb080b6ba3ece099455a73b18e74b9433e1df0eb5a7073d6cc1dc78a15"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/public/github-deep-research/scripts/github_api.py"}, "region": {"startLine": 175}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._get` used but never assigned in __init__: Method `get_issues` of class `GitHubAPI` reads `self._get`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 74813, "scanner": "repobility-ast-engine", "fingerprint": "9792f0baddf59ede3a7b9a2279911f061d3a4d24f2070cb9ede1ddd3651694a9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9792f0baddf59ede3a7b9a2279911f061d3a4d24f2070cb9ede1ddd3651694a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/public/github-deep-research/scripts/github_api.py"}, "region": {"startLine": 169}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._get` used but never assigned in __init__: Method `get_recent_commits` of class `GitHubAPI` reads `self._get`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 74812, "scanner": "repobility-ast-engine", "fingerprint": "ef9b9d576d4b8cef64c6242d7c98a33acd4242e9cc784f0aef62e25b7626139b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ef9b9d576d4b8cef64c6242d7c98a33acd4242e9cc784f0aef62e25b7626139b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/public/github-deep-research/scripts/github_api.py"}, "region": {"startLine": 149}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._get` used but never assigned in __init__: Method `get_contributors` of class `GitHubAPI` reads `self._get`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 74811, "scanner": "repobility-ast-engine", "fingerprint": "107a4f7ad7b74d0fcead9d3e7970619ffef5941b011753fc90f018563e64548f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|107a4f7ad7b74d0fcead9d3e7970619ffef5941b011753fc90f018563e64548f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/public/github-deep-research/scripts/github_api.py"}, "region": {"startLine": 130}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._get` used but never assigned in __init__: Method `get_languages` of class `GitHubAPI` reads `self._get`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 74810, "scanner": "repobility-ast-engine", "fingerprint": "f92cd24b3fc5f173a14354e50a12d74fe697e2040ac6853a0f46d1b574365e6a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f92cd24b3fc5f173a14354e50a12d74fe697e2040ac6853a0f46d1b574365e6a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/public/github-deep-research/scripts/github_api.py"}, "region": {"startLine": 126}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._get` used but never assigned in __init__: Method `get_file_content` of class `GitHubAPI` reads `self._get`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 74809, "scanner": "repobility-ast-engine", "fingerprint": "f33b904f7b22bf6c589744e5cbdab76e92c1be40d707bac4fb38ac14fcf4e0e1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f33b904f7b22bf6c589744e5cbdab76e92c1be40d707bac4fb38ac14fcf4e0e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/public/github-deep-research/scripts/github_api.py"}, "region": {"startLine": 117}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._get` used but never assigned in __init__: Method `get_tree` of class `GitHubAPI` reads `self._get`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 74808, "scanner": "repobility-ast-engine", "fingerprint": "d72ccfeaa29047f37d626e147433ecf3d0f3cfb27205ede85d54e7d089ebda5d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d72ccfeaa29047f37d626e147433ecf3d0f3cfb27205ede85d54e7d089ebda5d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/public/github-deep-research/scripts/github_api.py"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._get` used but never assigned in __init__: Method `get_tree` of class `GitHubAPI` reads `self._get`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 74807, "scanner": "repobility-ast-engine", "fingerprint": "837abe6edb54164ff16db21902bd24849f8c061f641d70fca347bbfd8eb1337e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|837abe6edb54164ff16db21902bd24849f8c061f641d70fca347bbfd8eb1337e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/public/github-deep-research/scripts/github_api.py"}, "region": {"startLine": 107}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._get` used but never assigned in __init__: Method `get_readme` of class `GitHubAPI` reads `self._get`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 74806, "scanner": "repobility-ast-engine", "fingerprint": "167e8250250f04f009a4311259403a88c84808cff8c8f3598940b29248af6f83", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|167e8250250f04f009a4311259403a88c84808cff8c8f3598940b29248af6f83"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/public/github-deep-research/scripts/github_api.py"}, "region": {"startLine": 95}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._get` used but never assigned in __init__: Method `get_repo_info` of class `GitHubAPI` reads `self._get`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 74805, "scanner": "repobility-ast-engine", "fingerprint": "153012b125094f1f5eda457b2730d76bc54a8eb46d405f269750c1c910c9540b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|153012b125094f1f5eda457b2730d76bc54a8eb46d405f269750c1c910c9540b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/public/github-deep-research/scripts/github_api.py"}, "region": {"startLine": 90}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `create_sandbox`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 74803, "scanner": "repobility-ast-engine", "fingerprint": "2526a43919fb715f1f649ecf7097d2a979375cb49a99926f49de9a101122387b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2526a43919fb715f1f649ecf7097d2a979375cb49a99926f49de9a101122387b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/provisioner/app.py"}, "region": {"startLine": 491}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `input` inside async function `main`: `input` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 74789, "scanner": "repobility-ast-engine", "fingerprint": "84774d34ff3a4076a06d43fffd737bdfb02d03bfff8dd100d9ed3c1d092a6535", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|84774d34ff3a4076a06d43fffd737bdfb02d03bfff8dd100d9ed3c1d092a6535"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/debug.py"}, "region": {"startLine": 125}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 74788, "scanner": "repobility-journey-contract", "fingerprint": "ff38ed80ec90326f4a08e055d5f08ee852946663319d22a8ff4b54bf293766b5", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|frontend/src/app/ auth /login/page.tsx|168|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/app/(auth)/login/page.tsx"}, "region": {"startLine": 168}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /threads/:thread_id/artifacts/::...artifact_path/route."}, "properties": {"repobilityId": 74764, "scanner": "repobility-access-control", "fingerprint": "d783869671e8deb35923e1614aca2e4baf11c9bbabd4486d899ad9e0e29a054c", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/threads/:thread_id/artifacts/::...artifact_path/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token / thread_id /artifacts/ ...artifact_path /route.ts|6|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/app/mock/api/threads/[thread_id]/artifacts/[[...artifact_path]]/route.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED012", "level": "error", "message": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "properties": {"repobilityId": 74734, "scanner": "repobility-threat-engine", "fingerprint": "900d18fc62f0b2611797aa285a86bde58788b391577e60b17af197792ab219be", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "curl-pipe-bash", "owasp": "A08:2021", "cwe_ids": ["CWE-494"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347926+00:00", "triaged_in_corpus": 15, "observations_count": 135001, "ai_coder_pattern_id": 25}, "scanner": "repobility-threat-engine", "correlation_key": "fp|900d18fc62f0b2611797aa285a86bde58788b391577e60b17af197792ab219be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/check.sh"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 74731, "scanner": "repobility-threat-engine", "fingerprint": "70ea3c07cbc6311e618c9172469d834a4a97b68533ba254330253082b1d82292", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(content", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|70ea3c07cbc6311e618c9172469d834a4a97b68533ba254330253082b1d82292"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/core/artifacts/preview.ts"}, "region": {"startLine": 172}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 74730, "scanner": "repobility-threat-engine", "fingerprint": "7302e9b0434c0c9d25031678e30277ee08ef1db4000187460f9821707bfe8a01", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(props", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7302e9b0434c0c9d25031678e30277ee08ef1db4000187460f9821707bfe8a01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/workspace/messages/markdown-content.tsx"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 74729, "scanner": "repobility-threat-engine", "fingerprint": "ff9d6a7cf3c8365caac9e78264b84c9e36b9c45ed569818d1932cd01558f3ae2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(props", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ff9d6a7cf3c8365caac9e78264b84c9e36b9c45ed569818d1932cd01558f3ae2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/workspace/citations/artifact-link.tsx"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "properties": {"repobilityId": 74711, "scanner": "repobility-threat-engine", "fingerprint": "7794f390447e6a8ac1443390c72283c3660fdb4749ef73a463517bc0cbc3637f", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(r\"]+)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|81|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/packages/harness/deerflow/models/mindie_provider.py"}, "region": {"startLine": 81}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 74699, "scanner": "repobility-threat-engine", "fingerprint": "e47fb7b6cb96edbf1cbbcc3ddf0912a25a37f0f0919869433e356aa3175d4128", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.post(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e47fb7b6cb96edbf1cbbcc3ddf0912a25a37f0f0919869433e356aa3175d4128"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/public/video-generation/scripts/generate.py"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 74698, "scanner": "repobility-threat-engine", "fingerprint": "ae2f0349e185102eeea49fb23b51ee09a6b0465310585d28e3de4c43152e00a9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.post(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ae2f0349e185102eeea49fb23b51ee09a6b0465310585d28e3de4c43152e00a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/public/podcast-generation/scripts/generate.py"}, "region": {"startLine": 81}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 74697, "scanner": "repobility-threat-engine", "fingerprint": "ded9e9a9a9a15122844faa2320fba3a3f297f4fd1d901233835769af00b81038", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.post(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ded9e9a9a9a15122844faa2320fba3a3f297f4fd1d901233835769af00b81038"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/public/image-generation/scripts/generate.py"}, "region": {"startLine": 68}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 74691, "scanner": "repobility-threat-engine", "fingerprint": "9173afaf280880a21e65623e43befe1e1fde492a8667dff95c286e9fbfb973fc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "@router.post(\"/stream\")\nasync def stateless_stream(body: RunCreateRequest, request: Request)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9173afaf280880a21e65623e43befe1e1fde492a8667dff95c286e9fbfb973fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/app/gateway/routers/runs.py"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 74690, "scanner": "repobility-threat-engine", "fingerprint": "4157b4406cd652936503d1c2542065d42cdf52e19988095fecb858e1aca03662", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "@router.post(\"/{name}/restart\", response_model=ChannelRestartResponse)\nasync def restart_channel(nam", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4157b4406cd652936503d1c2542065d42cdf52e19988095fecb858e1aca03662"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/app/gateway/routers/channels.py"}, "region": {"startLine": 37}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 74689, "scanner": "repobility-threat-engine", "fingerprint": "ca4d587de30a82e9417e2d68606c9d532cbbedc8fda6bda395227ccf2c50ff0d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "@router.post(\"/search\", response_model=list[AssistantResponse])\nasync def search_assistants(body: As", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ca4d587de30a82e9417e2d68606c9d532cbbedc8fda6bda395227ccf2c50ff0d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/app/gateway/routers/assistants_compat.py"}, "region": {"startLine": 88}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 74687, "scanner": "repobility-threat-engine", "fingerprint": "efa40342daef2de32379ff07d792e4ffb0f5af03b84ce46ac4bf46f06cfcfdef", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "model_settings_from_config.update(effective_wte)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|efa40342daef2de32379ff07d792e4ffb0f5af03b84ce46ac4bf46f06cfcfdef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/packages/harness/deerflow/models/factory.py"}, "region": {"startLine": 105}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 74686, "scanner": "repobility-threat-engine", "fingerprint": "727152300dbc4083fc8931a06da63dd59943289722059b8c338f1ca0c9a299b4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "seen_artifacts.update(new_artifacts)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|727152300dbc4083fc8931a06da63dd59943289722059b8c338f1ca0c9a299b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/debug.py"}, "region": {"startLine": 155}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 74685, "scanner": "repobility-threat-engine", "fingerprint": "e6bb55ed4fad9cbc7b91958fe5ca821320d49d46f4dc45ee06764dbd3b23502f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "headers.update(extra_headers)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e6bb55ed4fad9cbc7b91958fe5ca821320d49d46f4dc45ee06764dbd3b23502f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/app/gateway/routers/artifacts.py"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED006", "level": "error", "message": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "properties": {"repobilityId": 74676, "scanner": "repobility-threat-engine", "fingerprint": "3498f000a9bdc87b3209be1a84c29fcb57d6f484fd46c551ece6678805bfc63a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "overcatch-baseexception", "owasp": null, "cwe_ids": ["CWE-705"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347911+00:00", "triaged_in_corpus": 15, "observations_count": 230624, "ai_coder_pattern_id": 8}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3498f000a9bdc87b3209be1a84c29fcb57d6f484fd46c551ece6678805bfc63a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/setup_wizard.py"}, "region": {"startLine": 159}}}]}, {"ruleId": "MINED006", "level": "error", "message": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "properties": {"repobilityId": 74675, "scanner": "repobility-threat-engine", "fingerprint": "a7a878bf888775c7b0dac3ddcb0b1119e510d714b9ee9498b5c55a949eade8bd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "overcatch-baseexception", "owasp": null, "cwe_ids": ["CWE-705"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347911+00:00", "triaged_in_corpus": 15, "observations_count": 230624, "ai_coder_pattern_id": 8}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a7a878bf888775c7b0dac3ddcb0b1119e510d714b9ee9498b5c55a949eade8bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/packages/harness/deerflow/tools/builtins/update_agent_tool.py"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED006", "level": "error", "message": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "properties": {"repobilityId": 74674, "scanner": "repobility-threat-engine", "fingerprint": "a652cae3a5a61d6a7203ac6d6f12af9714d7881bbcfd84ec98c8faedd02581e3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "overcatch-baseexception", "owasp": null, "cwe_ids": ["CWE-705"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347911+00:00", "triaged_in_corpus": 15, "observations_count": 230624, "ai_coder_pattern_id": 8}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a652cae3a5a61d6a7203ac6d6f12af9714d7881bbcfd84ec98c8faedd02581e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/app/channels/store.py"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 74665, "scanner": "repobility-threat-engine", "fingerprint": "5049aadd35f7ccf5663bd12818185826c123935fd7dacdc12e98b5f86cc95c2f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5049aadd35f7ccf5663bd12818185826c123935fd7dacdc12e98b5f86cc95c2f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/packages/harness/deerflow/community/aio_sandbox/backend.py"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 74664, "scanner": "repobility-threat-engine", "fingerprint": "bbca4bd146e30e8050d3fe9ed89ec52cce076d7cf15385a10e6a0356bb65bd71", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bbca4bd146e30e8050d3fe9ed89ec52cce076d7cf15385a10e6a0356bb65bd71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/packages/harness/deerflow/agents/middlewares/tool_error_handling_middleware.py"}, "region": {"startLine": 119}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 74663, "scanner": "repobility-threat-engine", "fingerprint": "35503d76efaf3e5aca7d4f363ab3eb4a6c1868b43d932389692bea94277d3254", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|35503d76efaf3e5aca7d4f363ab3eb4a6c1868b43d932389692bea94277d3254"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/app/channels/slack.py"}, "region": {"startLine": 145}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 74659, "scanner": "repobility-threat-engine", "fingerprint": "47edf7d7d360e8721df8cb348d98b0969cd8f81c040ace85ca9ecdebe8b80a86", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "print(\"No export action selected. Use --show-target, --print-export, --print-token, or --write-crede", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|13|print no export action selected. use --show-target --print-export --print-token or --write-crede"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/export_claude_code_oauth.py"}, "region": {"startLine": 139}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 74657, "scanner": "repobility-threat-engine", "fingerprint": "b73d1d8cb7eec8c713df0cfbd99ef3eb5986dac7a40db3690f666b2db2eba6f1", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b73d1d8cb7eec8c713df0cfbd99ef3eb5986dac7a40db3690f666b2db2eba6f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/packages/harness/deerflow/community/aio_sandbox/remote_backend.py"}, "region": {"startLine": 55}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 74656, "scanner": "repobility-threat-engine", "fingerprint": "6336a8690cacba26a3cb9d70923647673bf6864b3d7808e14272cded9b5d2adb", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL (K", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6336a8690cacba26a3cb9d70923647673bf6864b3d7808e14272cded9b5d2adb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/packages/harness/deerflow/community/aio_sandbox/backend.py"}, "region": {"startLine": 73}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 74655, "scanner": "repobility-threat-engine", "fingerprint": "90c754a04737a2140ef7ca111d7e0a5213c98d4d317a584be90cd55cfb1ac56c", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|90c754a04737a2140ef7ca111d7e0a5213c98d4d317a584be90cd55cfb1ac56c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/app/channels/service.py"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED132", "level": "error", "message": {"text": "[MINED132] Reverse shell idiom: bash interactive shell to /dev/tcp: File contains a known reverse-shell pattern (bash interactive shell to /dev/tcp). These are almost never legitimate in production code \u2014 they're a hallmark of malicious payloads, post-exploit scripts, or CTF write-ups that accidentally got committed. Verify the file's provenance + history."}, "properties": {"repobilityId": 74932, "scanner": "repobility-supply-chain", "fingerprint": "b331dc4639c306804753cf25ae985ff1ea7d64ce389e9a380c4bfc3aaccbb07f", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "reverse-shell-idiom", "owasp": null, "cwe_ids": ["CWE-78", "CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b331dc4639c306804753cf25ae985ff1ea7d64ce389e9a380c4bfc3aaccbb07f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/tests/test_sandbox_audit_middleware.py"}, "region": {"startLine": 661}}}]}, {"ruleId": "MINED132", "level": "error", "message": {"text": "[MINED132] Reverse shell idiom: bash interactive shell to /dev/tcp: File contains a known reverse-shell pattern (bash interactive shell to /dev/tcp). These are almost never legitimate in production code \u2014 they're a hallmark of malicious payloads, post-exploit scripts, or CTF write-ups that accidentally got committed. Verify the file's provenance + history."}, "properties": {"repobilityId": 74931, "scanner": "repobility-supply-chain", "fingerprint": "5145594e83a5a3a2fa72a7b1445fc3646ed89116e1402211a0e6933f30534132", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "reverse-shell-idiom", "owasp": null, "cwe_ids": ["CWE-78", "CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5145594e83a5a3a2fa72a7b1445fc3646ed89116e1402211a0e6933f30534132"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/tests/test_sandbox_audit_middleware.py"}, "region": {"startLine": 114}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `queue` used but not imported: The file uses `queue.something(...)` but never imports `queue`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 74875, "scanner": "repobility-ast-engine", "fingerprint": "ca981b9b29d1c1f3b4de69b85bbf809d9c6aa86d7dde5e099bcf528e3b14ef9a", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ca981b9b29d1c1f3b4de69b85bbf809d9c6aa86d7dde5e099bcf528e3b14ef9a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/packages/harness/deerflow/agents/memory/summarization_hook.py"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `stat` used but not imported: The file uses `stat.something(...)` but never imports `stat`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 74874, "scanner": "repobility-ast-engine", "fingerprint": "893f334c1028ebae583c1d1476520fb5ce2a74994600004384842b552f9d1446", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|893f334c1028ebae583c1d1476520fb5ce2a74994600004384842b552f9d1446"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/packages/harness/deerflow/agents/middlewares/uploads_middleware.py"}, "region": {"startLine": 242}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `queue` used but not imported: The file uses `queue.something(...)` but never imports `queue`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 74873, "scanner": "repobility-ast-engine", "fingerprint": "ad8220b1988a39dcdca6a34dab49aa49870a8b8775df3ba23b8a62b3629ae7bb", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ad8220b1988a39dcdca6a34dab49aa49870a8b8775df3ba23b8a62b3629ae7bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/packages/harness/deerflow/agents/middlewares/memory_middleware.py"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `warnings` used but not imported: The file uses `warnings.something(...)` but never imports `warnings`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 74872, "scanner": "repobility-ast-engine", "fingerprint": "3c95e845271e470b467b80b5512ad5846a9c8e2d3c2bd58d26de8474374d81af", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3c95e845271e470b467b80b5512ad5846a9c8e2d3c2bd58d26de8474374d81af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/packages/harness/deerflow/agents/middlewares/loop_detection_middleware.py"}, "region": {"startLine": 316}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `http` used but not imported: The file uses `http.something(...)` but never imports `http`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 74871, "scanner": "repobility-ast-engine", "fingerprint": "818b045a64abb1330cd3a873de5f192292973662e5f3b2550834cf6b940fb7cd", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|818b045a64abb1330cd3a873de5f192292973662e5f3b2550834cf6b940fb7cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/app/channels/manager.py"}, "region": {"startLine": 1076}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `queue` used but not imported: The file uses `queue.something(...)` but never imports `queue`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 74870, "scanner": "repobility-ast-engine", "fingerprint": "8dd4d6e144ac32172941d249d0bd8008cc43cd298b4557bb85853e751672a1ed", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8dd4d6e144ac32172941d249d0bd8008cc43cd298b4557bb85853e751672a1ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/tests/support/detectors/blocking_io_static.py"}, "region": {"startLine": 615}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `queue` used but not imported: The file uses `queue.something(...)` but never imports `queue`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 74869, "scanner": "repobility-ast-engine", "fingerprint": "0fd818e4cded10cc5206691731e8b6a451067889ee59fb3c5e12a65a07d6142b", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0fd818e4cded10cc5206691731e8b6a451067889ee59fb3c5e12a65a07d6142b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/tests/test_summarization_middleware.py"}, "region": {"startLine": 299}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `queue` used but not imported: The file uses `queue.something(...)` but never imports `queue`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 74845, "scanner": "repobility-ast-engine", "fingerprint": "c694049360000eb91813e75eca3940651db3ca5c8283418940202f54e35a95d5", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c694049360000eb91813e75eca3940651db3ca5c8283418940202f54e35a95d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/tests/test_memory_queue.py"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `json` used but not imported: The file uses `json.something(...)` but never imports `json`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 74842, "scanner": "repobility-ast-engine", "fingerprint": "0794a812df88bf3e375aea46c0a2ef5efac873e32e40566d505d7ceedec942df", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0794a812df88bf3e375aea46c0a2ef5efac873e32e40566d505d7ceedec942df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/public/video-generation/scripts/generate.py"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `html` used but not imported: The file uses `html.something(...)` but never imports `html`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 74831, "scanner": "repobility-ast-engine", "fingerprint": "0371d8ae7944c8eb67a8a8d0c2e93b89e247992e11e63e1c7bf7ed10a7e63c5d", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0371d8ae7944c8eb67a8a8d0c2e93b89e247992e11e63e1c7bf7ed10a7e63c5d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/public/skill-creator/eval-viewer/generate_review.py"}, "region": {"startLine": 343}}}]}, {"ruleId": "DKC008", "level": "error", "message": {"text": "Compose service mounts the Docker socket"}, "properties": {"repobilityId": 74758, "scanner": "repobility-docker", "fingerprint": "99659a65f63271a909aee1354f1844cf6d7052808443fc7cfdf6f8be3ab0acea", "category": "docker", "severity": "critical", "confidence": 0.98, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Volume mount references /var/run/docker.sock.", "evidence": {"rule_id": "DKC008", "scanner": "repobility-docker", "service": "gateway", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|99659a65f63271a909aee1354f1844cf6d7052808443fc7cfdf6f8be3ab0acea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 64}}}]}, {"ruleId": "SEC022", "level": "error", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 74709, "scanner": "repobility-threat-engine", "fingerprint": "9c2d18dd866b2acfccc832af66d804c346c3c46ef0a46e7980a2b4b7153ee265", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "postgresql://user:pass@", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|2|postgresql://user:pass"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/packages/harness/deerflow/config/checkpointer_config.py"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC039", "level": "error", "message": {"text": "[SEC039] Plaintext-equivalent password hash \u2014 unsalted single-pass digest: Single-pass digest of a password is cryptographically strong as a hash, but is rainbow-table-attackable when used for passwords: there's no salt and no key-stretching. Attackers with the hash database can crack 90%+ of common passwords offline in hours. CWE-916 (use of password hash without computational effort)."}, "properties": {"repobilityId": 74683, "scanner": "repobility-threat-engine", "fingerprint": "4fba56d02eaf4616387da2ed94c104aa09f85a9589c87d735cd91d344d4432d8", "category": "crypto", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "hashlib.sha256(password", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC039", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|29|sec039"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/app/gateway/auth/password.py"}, "region": {"startLine": 29}}}]}]}]}