{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /np"}, "fullDescription": {"text": "Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authenticatio", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. 
For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AGT016", "name": "Codex session log reader may expose prompts or tool-call content", "shortDescription": {"text": "Codex session log reader may expose prompts or tool-call content"}, "fullDescription": {"text": "Parse only usage metadata by default. Redact prompts, tool arguments, file paths, and message content before storage, telemetry, export, screenshots, or support bundles."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.73, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. Log non-quota failures for diagnostics."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "AGT013", "name": "Agent auto-approve or skip-permissions mode is easy to enable", "shortDescription": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "fullDescription": {"text": "Require an explicit isolated profile for auto-approve modes. 
Keep safe defaults interactive, add visible warnings, and block these modes when the workspace contains secrets or production deploy credentials."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC007", "name": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.", "shortDescription": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "fullDescription": {"text": "Use yaml.safe_load() instead of yaml.load(). Avoid pickle for untrusted data."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Rename it to the domain concept it implements or merge it into the existing module it was meant to change."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "SEC132", 
"name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `collect_rs_files` has cognitive complexity 8 (SonarSource scale). Cogniti", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `collect_rs_files` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursi"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. 
SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 8."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED047", "name": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested.", "shortDescription": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.", "shortDescription": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED053", "name": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeh", "shortDescription": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1392,CWE-798 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED074", "name": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI halluci", "shortDescription": {"text": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI hallucination."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order.", "shortDescription": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. 
Pair with DOMPurify or neve", "shortDescription": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED057", "name": "[MINED057] Todo Bomb (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED057] Todo Bomb (and 3 more): Same pattern found in 3 additional files. 
Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 22 more): Same pattern found in 22 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 22 more): Same pattern found in 22 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 113 more): Same pattern found in 113 a", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 113 more): Same pattern found in 113 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. 
If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED055", "name": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of ", "shortDescription": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1357 / A06:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 28 more): Same pattern found in 28 additional f", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 28 more): Same pattern found in 28 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 49 more): Same pattern found in 49 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 49 more): Same pattern found in 49 additional files. 
Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 15 more): Same pattern found in 15 additional files. Review if nee", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 76 more): Same pattern found in 76 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 76 more): Same pattern found in 76 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at work", "shortDescription": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. 
Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise"}, "fullDescription": {"text": "Replace with: `uses: actions/github-script@<40-char-sha>  # v7` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED122", "name": "[MINED122] package.json dep `@code-yeongyu/lsp-tools-mcp` pulled from URL/Git: `dependencies.@code-yeongyu/lsp-tools-mcp", "shortDescription": {"text": "[MINED122] package.json dep `@code-yeongyu/lsp-tools-mcp` pulled from URL/Git: `dependencies.@code-yeongyu/lsp-tools-mcp` = `file:../../../../lsp-tools-mcp` bypasses the npm registry. No integrity hash, no version locking, no registry-side "}, "fullDescription": {"text": "Publish the dependency to npm (or your private registry) and reference it by `^x.y.z`. If that's not possible, lock by commit SHA: `git+https://...#<full-sha>` AND verify the SHA in CI."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "JRN004", "name": "Consent is collected in UI without visible backend audit persistence", "shortDescription": {"text": "Consent is collected in UI without visible backend audit persistence"}, "fullDescription": {"text": "Persist consent as a backend record with subject, actor, purpose, scope, legal text version, timestamp, IP address, user agent, and revocation state."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "SEC036", "name": "[SEC036] HTTP Header Injection / CRLF Injection: Setting an HTTP response header from user input without stripping CRLF ", "shortDescription": {"text": "[SEC036] HTTP Header Injection / CRLF Injection: Setting an HTTP response header from user input without 
stripping CRLF lets attackers inject extra headers (Set-Cookie, etc.) or split the response. Real CVEs: CVE-2017-15193 (Mahara), CVE-20"}, "fullDescription": {"text": "Strip `\\r\\n` before setting headers:\n  safe = value.replace('\\r','').replace('\\n','')\n  response.headers['X-Custom'] = safe\nMost modern frameworks (Django 3+, Express 4.10+) already do this \u2014 but custom header-setting code often doesn't. Prefer framework methods (`response.set_cookie`) over manual header dict assignment."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC035", "name": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based o", "shortDescription": {"text": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. Attackers send `size=10000000` to exhaust memory, or trigger expensive computation."}, "fullDescription": {"text": "Cap user-controlled sizes BEFORE allocation:\n  size = min(int(request.args.get('n', 100)), MAX_SIZE)\nSet framework-level limits:\n  Flask:    app.config['MAX_CONTENT_LENGTH'] = 10 * 1024 * 1024\n  FastAPI:  use middleware to enforce request size\n  Django:   DATA_UPLOAD_MAX_MEMORY_SIZE in settings.py\nNever raise `sys.setrecursionlimit` past 10K without a deeper review."}, "properties": {"scanner": "repobility-threat-engine", "category": "resource_exhaustion", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED012", "name": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code.", "shortDescription": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-494 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC100", "name": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make ", "shortDescription": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "fullDescription": {"text": "Allowlist specific origins. For dynamic per-request validation, validate against a known list and echo the origin back. Never combine wildcard origin with credentials."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC114", "name": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker", "shortDescription": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "fullDescription": {"text": "After joining, re-check containment: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. In Node: `path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC111", "name": "[SEC111] Django mark_safe / |safe filter on user data: Django's `mark_safe()` and `|safe` disable HTML autoescaping. 
Cal", "shortDescription": {"text": "[SEC111] Django mark_safe / |safe filter on user data: Django's `mark_safe()` and `|safe` disable HTML autoescaping. Calling them on non-constant data is XSS."}, "fullDescription": {"text": "Use `django.utils.html.format_html(\"<p>{}</p>\", user_input)` \u2014 Django will escape the placeholder. Or escape explicitly with `django.utils.html.escape()`. Only use `mark_safe` on string literals."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC033", "name": "[SEC033] Prototype Pollution \u2014 unfiltered merge of user object: Merging user-controlled object into a target without fil", "shortDescription": {"text": "[SEC033] Prototype Pollution \u2014 unfiltered merge of user object: Merging user-controlled object into a target without filtering `__proto__`/`constructor`/`prototype` keys lets attackers inject properties onto Object.prototype, affecting ever"}, "fullDescription": {"text": "Sanitize keys BEFORE merge:\n  function sanitize(obj) {\n    delete obj.__proto__;\n    delete obj.constructor;\n    delete obj.prototype;\n    return obj;\n  }\nOr use Object.create(null) for the target. Or use Map() for user-key-indexed data. Upgrade lodash >= 4.17.21 for partial mitigation."}, "properties": {"scanner": "repobility-threat-engine", "category": "prototype_pollution", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED027", "name": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated ", "shortDescription": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED035", "name": "[MINED035] Js New Function: new Function(...) compiles strings to functions.", "shortDescription": {"text": "[MINED035] Js New Function: new Function(...) compiles strings to functions."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-95 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED018", "name": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/fi", "shortDescription": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-502 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC116", "name": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrar", "shortDescription": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. `unsafe_load` is even more dangerous."}, "fullDescription": {"text": "Use `YAML.safe_load(input, permitted_classes: [Date])` \u2014 explicit class allowlist. 
Never use `Marshal.load` on untrusted data; serialize as JSON instead."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC079", "name": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python obje", "shortDescription": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "fullDescription": {"text": "Use `yaml.safe_load(data)` or `yaml.load(data, Loader=yaml.SafeLoader)`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC002", "name": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code.", "shortDescription": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "fullDescription": {"text": "Use environment variables. 
Add the pattern to .gitignore."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/876"}, "properties": {"repository": "code-yeongyu/oh-my-openagent", "repoUrl": "https://github.com/code-yeongyu/oh-my-openagent", "branch": "dev"}, "results": [{"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 80338, "scanner": "repobility-journey-contract", "fingerprint": "4e5391fb2038a0bf39f52d30fa2527bc5812d8b126353d7a65af4353eb7d1761", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/users", "correlation_key": "fp|4e5391fb2038a0bf39f52d30fa2527bc5812d8b126353d7a65af4353eb7d1761", "backend_endpoint_count": 4}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/agents/metis.ts"}, "region": {"startLine": 257}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 80337, "scanner": "repobility-journey-contract", "fingerprint": "2499d4dc31cca7cf87f84ed710cb332edce89a03eec330aea9577e439b7c02fe", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": 
["https://repobility.com/library/authorization/"], "route_shape": "/api/stats", "correlation_key": "fp|2499d4dc31cca7cf87f84ed710cb332edce89a03eec330aea9577e439b7c02fe", "backend_endpoint_count": 4}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/web/components/landing/live-stats.tsx"}, "region": {"startLine": 19}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /npm-downloads/route."}, "properties": {"repobilityId": 80336, "scanner": "repobility-access-control", "fingerprint": "7bd8c6467ec237839dd834919d32faff926f8737bcef0030d0e23f1377dd792e", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/npm-downloads/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|23|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/web/app/api/npm-downloads/route.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /stats/route."}, "properties": {"repobilityId": 80335, "scanner": "repobility-access-control", "fingerprint": "e43359fb563fb15a44e0dd875d51c2e3f88d9967020831a2c49395eee3208cad", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/stats/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|11|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/web/app/api/stats/route.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 80334, "scanner": "repobility-access-control", "fingerprint": "b2b220ffd00544f11577c95c6ebba1d9777fd8f8945f26d82bcf37e8c3177020", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 4, "correlation_key": "fp|b2b220ffd00544f11577c95c6ebba1d9777fd8f8945f26d82bcf37e8c3177020", "auth_visible_percent": 0.0}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 80333, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": 
"medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Express", "Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 80332, "scanner": "repobility-agent-runtime", "fingerprint": "5fc49926781c571e539d4f9cc2ded117d826d9bcfb64bf435250f02f99eb59e5", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|5fc49926781c571e539d4f9cc2ded117d826d9bcfb64bf435250f02f99eb59e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/plugin/skills/programming/references/python/one-liners.md"}, "region": {"startLine": 37}}}]}, {"ruleId": "AGT016", "level": "warning", "message": {"text": "Codex session log reader may expose prompts or tool-call content"}, "properties": {"repobilityId": 80331, "scanner": "repobility-agent-runtime", "fingerprint": "8ae046a6ec577b2370acad3d12e50b19c09bfcb0bf7c19fd4e6ff8c49710dc49", "category": "quality", "severity": "medium", "confidence": 0.73, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File reads Codex session JSONL or usage logs and references prompt/message/tool content without visible redaction controls.", "evidence": {"rule_id": "AGT016", 
"scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|8ae046a6ec577b2370acad3d12e50b19c09bfcb0bf7c19fd4e6ff8c49710dc49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/plugin/components/start-work-continuation/src/boulder-reader.ts"}, "region": {"startLine": 81}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 80330, "scanner": "repobility-agent-runtime", "fingerprint": "0f5d8912d9755c86417420c1e469109081590ef0f5ab5959d1511256ff623db6", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|0f5d8912d9755c86417420c1e469109081590ef0f5ab5959d1511256ff623db6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".opencode/skills/work-with-pr-workspace/iteration-1/review.html"}, "region": {"startLine": 736}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 80329, "scanner": "repobility-agent-runtime", "fingerprint": "0f075d59f22c6792e88fa4bc66c3ad743b5d20d4474694eb35cd002f0c807f79", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": 
"fp|0f075d59f22c6792e88fa4bc66c3ad743b5d20d4474694eb35cd002f0c807f79"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".agents/skills/work-with-pr-workspace/iteration-1/review.html"}, "region": {"startLine": 736}}}]}, {"ruleId": "AGT013", "level": "warning", "message": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "properties": {"repobilityId": 80328, "scanner": "repobility-agent-runtime", "fingerprint": "d8a72f2b1f453859e1988bdc018679f52975c3f45f0958fda478b10b7b2e401b", "category": "quality", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File exposes or configures a broad agent auto-approval mode without enough local guard wording.", "evidence": {"rule_id": "AGT013", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|d8a72f2b1f453859e1988bdc018679f52975c3f45f0958fda478b10b7b2e401b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".agents/skills/opencode-qa/references/cli-commands.md"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. 
In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 80285, "scanner": "repobility-threat-engine", "fingerprint": "2a82938ce45e1c57e31a04846bf314ddaf40b8186a99a3d874ed769b3595819a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"user@example.com\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2a82938ce45e1c57e31a04846bf314ddaf40b8186a99a3d874ed769b3595819a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/features/builtin-skills/skills/playwright-cli.ts"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 80256, "scanner": "repobility-threat-engine", "fingerprint": "7eba80d1ab0ccf4b0ad6f8e0612eb77392c6a184fe46fa3242e136cd99b64948", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|11|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/features/opencode-skill-loader/skill-mcp-config.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, 
"properties": {"repobilityId": 80255, "scanner": "repobility-threat-engine", "fingerprint": "24aa7e7e09e4e8e792489823df87278a821ea35360aeda5adf633e53ec06cf16", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|39|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/features/opencode-skill-loader/async-loader.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 80254, "scanner": "repobility-threat-engine", "fingerprint": "634238663eaea635d12c8143d3a14e7a0153ffbe1fc56d8a260aca12283af943", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|25|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/utils/src/frontmatter.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 80207, "scanner": "repobility-threat-engine", "fingerprint": "a94c80f6a0c8b1483b3327c2be051b6f4782e80c06d3ab4bb43a1d9e09cea31d", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|22|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/plugin/components/ulw-loop/src/review-blockers.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 80206, "scanner": "repobility-threat-engine", "fingerprint": "df597a04ba31d8e5051f41246e1f981489dcbcc7823a7091703b8e6efe8a5c7e", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|19|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/model-core/src/model-family-detectors.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 80205, "scanner": "repobility-threat-engine", "fingerprint": "a24c4fe9cc0e126dc1bddc007a8501501cdf5959eccc13a685b072bebf693f00", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|113|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ast-grep-mcp/src/mcp-stdio-transport.ts"}, "region": {"startLine": 113}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 80203, "scanner": "repobility-threat-engine", "fingerprint": "1f7456999bb37f62d34c5e1d8b87eae5b90caa8b700b9d891b9bbe03f7b04078", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1f7456999bb37f62d34c5e1d8b87eae5b90caa8b700b9d891b9bbe03f7b04078"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli/config-manager/opencode-binary.ts"}, "region": {"startLine": 45}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 80202, "scanner": "repobility-threat-engine", "fingerprint": "ee1b43a110c45452195f9305355727031f50cbfd36af21f7d553a91462fe434c", "category": "error_handling", "severity": 
"medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch(e) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ee1b43a110c45452195f9305355727031f50cbfd36af21f7d553a91462fe434c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/agents/dynamic-agent-policy-sections.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 80201, "scanner": "repobility-threat-engine", "fingerprint": "b235a91ed1cb8adb3949789ddd3b6591452d3d92a0a5389096d872adbb9361d5", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b235a91ed1cb8adb3949789ddd3b6591452d3d92a0a5389096d872adbb9361d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ast-grep-mcp/src/cli-binary-path-resolution.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80327, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8d7201d07d7acc8d96cc4a69708df37915d7e891af48c338784e814801062824", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": 
{"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/agents/sisyphus-dynamic-prompt.ts", "duplicate_line": 17, "correlation_key": "fp|8d7201d07d7acc8d96cc4a69708df37915d7e891af48c338784e814801062824"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/agents/sisyphus/gpt-5-4.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80326, "scanner": "repobility-ai-code-hygiene", "fingerprint": "06a0f21d271c91cf13ed8e927551fd522bcfeee99d25522ed1f40d77b437276d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/agents/sisyphus/claude-opus-4-7.ts", "duplicate_line": 1, "correlation_key": "fp|06a0f21d271c91cf13ed8e927551fd522bcfeee99d25522ed1f40d77b437276d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/agents/sisyphus/gpt-5-4.ts"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80325, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9fcb668e8724d501c800c5a3ca7311136d8d5bbf3e1587679508d0b381f72a58", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"src/agents/hephaestus/gpt.ts", "duplicate_line": 49, "correlation_key": "fp|9fcb668e8724d501c800c5a3ca7311136d8d5bbf3e1587679508d0b381f72a58"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/agents/sisyphus/default.ts"}, "region": {"startLine": 87}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80324, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ec26f159549f3358b7c16916ec2128cc9481f9f51a28790d1c23a3bb307b2b16", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/agents/hephaestus/gpt-5-4.ts", "duplicate_line": 41, "correlation_key": "fp|ec26f159549f3358b7c16916ec2128cc9481f9f51a28790d1c23a3bb307b2b16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/agents/sisyphus/default.ts"}, "region": {"startLine": 80}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80323, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ea5966713f32f659ec904479f3a58bbdd90c10b8f0db93c3f7fd6b71b9397b9f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/agents/sisyphus/claude-opus-4-7.ts", "duplicate_line": 11, "correlation_key": "fp|ea5966713f32f659ec904479f3a58bbdd90c10b8f0db93c3f7fd6b71b9397b9f"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/agents/sisyphus/default.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80322, "scanner": "repobility-ai-code-hygiene", "fingerprint": "78ed1b6727d19ae96e12d37b48a8cd3e63da9162cd946377ff8553c73109220e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/agents/sisyphus-dynamic-prompt.ts", "duplicate_line": 19, "correlation_key": "fp|78ed1b6727d19ae96e12d37b48a8cd3e63da9162cd946377ff8553c73109220e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/agents/sisyphus/default.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80321, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2dc512648b056bd1147687b5917906deeb1a4e007f5448efedbe1a31008a066f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/agents/hephaestus/gpt.ts", "duplicate_line": 49, "correlation_key": "fp|2dc512648b056bd1147687b5917906deeb1a4e007f5448efedbe1a31008a066f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/agents/sisyphus/claude-opus-4-7.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "AIC003", 
"level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80320, "scanner": "repobility-ai-code-hygiene", "fingerprint": "90b9a3768b34640eb42b0d86d4b494db4d5372768dcb98a45b6ea593150754b0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/agents/hephaestus/gpt-5-4.ts", "duplicate_line": 41, "correlation_key": "fp|90b9a3768b34640eb42b0d86d4b494db4d5372768dcb98a45b6ea593150754b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/agents/sisyphus/claude-opus-4-7.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80319, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5eccdf9a121ba7ddb0b51acbe7a1fa44d79eaa7d9b325491deed338dab13d619", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/agents/sisyphus-dynamic-prompt.ts", "duplicate_line": 17, "correlation_key": "fp|5eccdf9a121ba7ddb0b51acbe7a1fa44d79eaa7d9b325491deed338dab13d619"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/agents/sisyphus/claude-opus-4-7.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80318, "scanner": 
"repobility-ai-code-hygiene", "fingerprint": "303d167df8315acf88d3667ee4bce8f37e7bd991ba6ca143413cf408d2ed9d8a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/agents/sisyphus-junior/gpt.ts", "duplicate_line": 43, "correlation_key": "fp|303d167df8315acf88d3667ee4bce8f37e7bd991ba6ca143413cf408d2ed9d8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/agents/sisyphus-junior/kimi-k2-6.ts"}, "region": {"startLine": 69}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80317, "scanner": "repobility-ai-code-hygiene", "fingerprint": "36389e5655a441b5980699ff46a28d0c966f21ae6e02bb60377073974f2252cc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/agents/sisyphus-junior/gemini.ts", "duplicate_line": 47, "correlation_key": "fp|36389e5655a441b5980699ff46a28d0c966f21ae6e02bb60377073974f2252cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/agents/sisyphus-junior/kimi-k2-6.ts"}, "region": {"startLine": 65}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80316, "scanner": "repobility-ai-code-hygiene", "fingerprint": "123f473497be102d53683ce621afd99cf8e98519bdaca6beddd9a2b8f7df38c2", "category": "quality", 
"severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/agents/sisyphus-junior/gpt-5-4.ts", "duplicate_line": 24, "correlation_key": "fp|123f473497be102d53683ce621afd99cf8e98519bdaca6beddd9a2b8f7df38c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/agents/sisyphus-junior/kimi-k2-6.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80315, "scanner": "repobility-ai-code-hygiene", "fingerprint": "70ade3988a2d527c45d4cb4f7d2b5a158cad9d149421df4e2cc083a812935f7d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/agents/sisyphus-junior/gemini.ts", "duplicate_line": 21, "correlation_key": "fp|70ade3988a2d527c45d4cb4f7d2b5a158cad9d149421df4e2cc083a812935f7d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/agents/sisyphus-junior/gpt.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80314, "scanner": "repobility-ai-code-hygiene", "fingerprint": "72740f8eb754f705f3232958e1efbbba022809412ebd3839873047de48279267", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code 
window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/agents/sisyphus-junior/gpt-5-4.ts", "duplicate_line": 14, "correlation_key": "fp|72740f8eb754f705f3232958e1efbbba022809412ebd3839873047de48279267"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/agents/sisyphus-junior/gpt.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80313, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5f65e77b76720fa272470c5bc02e5aaa22293d063d5b728303da31293660e01e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/agents/sisyphus-junior/gemini.ts", "duplicate_line": 21, "correlation_key": "fp|5f65e77b76720fa272470c5bc02e5aaa22293d063d5b728303da31293660e01e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/agents/sisyphus-junior/gpt-5-4.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80312, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fc0067d236fe2abfbc74a2623fec3b93a11b194a275dee4201a016191c04f592", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", 
"references": ["https://jscpd.dev/"], "duplicate_file": "src/agents/hephaestus/gpt.ts", "duplicate_line": 49, "correlation_key": "fp|fc0067d236fe2abfbc74a2623fec3b93a11b194a275dee4201a016191c04f592"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/agents/sisyphus-dynamic-prompt.ts"}, "region": {"startLine": 43}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80311, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9b99e9bd186e6471afed0166a0cf1bd0af75a9491b864a19d8c90170afc1d428", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/agents/hephaestus/gpt-5-4.ts", "duplicate_line": 41, "correlation_key": "fp|9b99e9bd186e6471afed0166a0cf1bd0af75a9491b864a19d8c90170afc1d428"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/agents/sisyphus-dynamic-prompt.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80310, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3c97ce468c9501aca37f7ab7fbc4e37f4f98d17c318af369ecb16f8d2fa6280c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/agents/hephaestus/gpt-5-4.ts", "duplicate_line": 2, "correlation_key": 
"fp|3c97ce468c9501aca37f7ab7fbc4e37f4f98d17c318af369ecb16f8d2fa6280c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/agents/hephaestus/gpt.ts"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80309, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5ab9bfcad29d13f1929d383c9bdba7f4d0fba6c38ac0067c56e06ad8712e6b4e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "script/generate-changelog.ts", "duplicate_line": 95, "correlation_key": "fp|5ab9bfcad29d13f1929d383c9bdba7f4d0fba6c38ac0067c56e06ad8712e6b4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "script/publish.ts"}, "region": {"startLine": 132}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80308, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c9c670cca7f871fdf3b42524741e5f05713c2a846cf6f9a37b7e91b240db182b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/omo-codex/plugin/components/telemetry/src/posthog-activity-state.ts", "duplicate_line": 6, "correlation_key": "fp|c9c670cca7f871fdf3b42524741e5f05713c2a846cf6f9a37b7e91b240db182b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"packages/omo-codex/src/telemetry/posthog-activity-state.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80307, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a6da4e8c30042d03f3f1d8b859a119fc14e04ed5d39aff1d64891cda53e4c160", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/omo-codex/plugin/components/telemetry/src/env-flags.ts", "duplicate_line": 5, "correlation_key": "fp|a6da4e8c30042d03f3f1d8b859a119fc14e04ed5d39aff1d64891cda53e4c160"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/src/telemetry/env-flags.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80306, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3e2c7a810b56208abda075afeca92140fbe607243657f714df7fcae41460b273", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/omo-codex/plugin/components/telemetry/src/diagnostics.ts", "duplicate_line": 5, "correlation_key": "fp|3e2c7a810b56208abda075afeca92140fbe607243657f714df7fcae41460b273"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/src/telemetry/diagnostics.ts"}, 
"region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80305, "scanner": "repobility-ai-code-hygiene", "fingerprint": "884c6e452466e20c65f54dab7ae4cdc549a202ad34e89f5ba7f8549b27af2f2b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/omo-codex/plugin/components/telemetry/src/data-path.ts", "duplicate_line": 5, "correlation_key": "fp|884c6e452466e20c65f54dab7ae4cdc549a202ad34e89f5ba7f8549b27af2f2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/src/telemetry/data-path.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80304, "scanner": "repobility-ai-code-hygiene", "fingerprint": "384752c9a95e67581ff78c6c779ffd94ca7fcb8e51c13dd7e28a0059b4f55db7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/omo-codex/plugin/components/telemetry/src/atomic-write.ts", "duplicate_line": 1, "correlation_key": "fp|384752c9a95e67581ff78c6c779ffd94ca7fcb8e51c13dd7e28a0059b4f55db7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/src/telemetry/atomic-write.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", 
"message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80303, "scanner": "repobility-ai-code-hygiene", "fingerprint": "faafa492c34fac0c28a8e496b3fc5cba2f53c3f4813d539df7af3a50ee5b4dbf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/omo-codex/plugin/components/git-bash/src/codex-hook.ts", "duplicate_line": 4, "correlation_key": "fp|faafa492c34fac0c28a8e496b3fc5cba2f53c3f4813d539df7af3a50ee5b4dbf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/plugin/components/ulw-loop/src/codex-hook.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80302, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d931006184a92cc08ed885bea51721551e44404e706bb17a477a61ef38fad14c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/omo-codex/plugin/components/start-work-continuation/src/cli.ts", "duplicate_line": 24, "correlation_key": "fp|d931006184a92cc08ed885bea51721551e44404e706bb17a477a61ef38fad14c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/plugin/components/ultrawork/src/cli.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated 
implementation block across source files"}, "properties": {"repobilityId": 80301, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d9c31d7f5f91e57a4893d4a8d9b2f845ee2b17d0cbac015dbec80e86c54d015f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/omo-codex/plugin/components/rules/src/cli.ts", "duplicate_line": 50, "correlation_key": "fp|d9c31d7f5f91e57a4893d4a8d9b2f845ee2b17d0cbac015dbec80e86c54d015f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/plugin/components/telemetry/src/cli.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80300, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ff395106b93ec96003669c1d91e09c8fb528e7060d3a85a6f6435ef7be924149", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/omo-codex/plugin/components/comment-checker/src/codex-hook.ts", "duplicate_line": 136, "correlation_key": "fp|ff395106b93ec96003669c1d91e09c8fb528e7060d3a85a6f6435ef7be924149"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/plugin/components/lsp/src/codex-hook.ts"}, "region": {"startLine": 168}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, 
"properties": {"repobilityId": 80299, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9b95597ed9904a4d97ae0b55c64a235d27eda8436a98e89d06b6be16d4426282", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/model-core/src/model-resolution-pipeline.ts", "duplicate_line": 34, "correlation_key": "fp|9b95597ed9904a4d97ae0b55c64a235d27eda8436a98e89d06b6be16d4426282"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/model-core/src/model-resolution-types.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80298, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a214c8894da75a82ba65ba3d4f4b211dddc33bf9090260e3d6604649546a6556", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/model-core/src/agent-model-requirements.ts", "duplicate_line": 47, "correlation_key": "fp|a214c8894da75a82ba65ba3d4f4b211dddc33bf9090260e3d6604649546a6556"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/model-core/src/category-model-requirements.ts"}, "region": {"startLine": 26}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 80297, "scanner": "repobility-ai-code-hygiene", 
"fingerprint": "6c500ea4b99eb6704d17141048332130304c4a27aab8552588b845ddc6790d52", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|6c500ea4b99eb6704d17141048332130304c4a27aab8552588b845ddc6790d52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/tools/task/task-update.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 80296, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ca25e77c827dd65a584625beb5ae6cd381d7fb308fb83b40505310a236bdab36", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|ca25e77c827dd65a584625beb5ae6cd381d7fb308fb83b40505310a236bdab36"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/hooks/auto-update-checker/checker/check-for-update.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 80271, "scanner": "repobility-threat-engine", "fingerprint": "57bf9bf13b95e36e01830d39eee639520a73d26b5599e85f29379fd8efc269ae", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"[model-fallback] Skipping unreachable fallback for session: \" + sessionID + \", attempt: \"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|57bf9bf13b95e36e01830d39eee639520a73d26b5599e85f29379fd8efc269ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/hooks/model-fallback/next-fallback.ts"}, "region": {"startLine": 53}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 80270, "scanner": "repobility-threat-engine", "fingerprint": "3ac61dd21f34a33ecd61ec147e9006c54a97c4b170997505f8a83c07cde9522a", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Generated \" + OUTPUT + \" with \"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3ac61dd21f34a33ecd61ec147e9006c54a97c4b170997505f8a83c07cde9522a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/web/scripts/generate-docs-content.mjs"}, "region": {"startLine": 63}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `collect_rs_files` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: elif=1, for=1, if=2, nested_bonus=4."}, "properties": {"repobilityId": 80239, "scanner": "repobility-threat-engine", "fingerprint": "0b7a1c897b5c423368ea6a7c64106808b3526421fcb9edd6c7b471e6dcf34bfd", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 8 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "collect_rs_files", "breakdown": {"if": 2, "for": 1, "elif": 1, "nested_bonus": 4}, "complexity": 8, "correlation_key": "fp|0b7a1c897b5c423368ea6a7c64106808b3526421fcb9edd6c7b471e6dcf34bfd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/plugin/skills/programming/scripts/rust/check-no-excuse-rules.py"}, "region": {"startLine": 132}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 14 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: continue=1, for=1, if=7, nested_bonus=4, ternary=1."}, "properties": {"repobilityId": 80237, "scanner": "repobility-threat-engine", "fingerprint": "b46ad71dc9b23626801aee474aea5fcfa35b17fb3d3671be72a3df8a7a4b14b7", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 14 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "main", "breakdown": {"if": 7, "for": 1, "ternary": 1, "continue": 1, "nested_bonus": 4}, "complexity": 14, "correlation_key": "fp|b46ad71dc9b23626801aee474aea5fcfa35b17fb3d3671be72a3df8a7a4b14b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/plugin/skills/programming/scripts/python/new-project.py"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED047", "level": "none", "message": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "properties": {"repobilityId": 80294, "scanner": "repobility-threat-engine", "fingerprint": "14db5d1eeb84ec19294fdfc5f9f4a75b37ea65370b33bb1ab992a748c7d1a9a9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "emoji-in-source", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348010+00:00", "triaged_in_corpus": 9, "observations_count": 1468364, "ai_coder_pattern_id": 29}, "scanner": "repobility-threat-engine", "correlation_key": "fp|14db5d1eeb84ec19294fdfc5f9f4a75b37ea65370b33bb1ab992a748c7d1a9a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/hooks/think-mode/detector.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED047", "level": "none", "message": 
{"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "properties": {"repobilityId": 80293, "scanner": "repobility-threat-engine", "fingerprint": "f6581ca6c96e522d2fd2bda6107d98b439e6aa2d56a2ee97e3cb8d5150eb0fb3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "emoji-in-source", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348010+00:00", "triaged_in_corpus": 9, "observations_count": 1468364, "ai_coder_pattern_id": 29}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f6581ca6c96e522d2fd2bda6107d98b439e6aa2d56a2ee97e3cb8d5150eb0fb3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/hooks/keyword-detector/search/default.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED047", "level": "none", "message": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "properties": {"repobilityId": 80292, "scanner": "repobility-threat-engine", "fingerprint": "01e6f4e1852c0ed850460e2cccc8cd2d9d51318b0ba57b56f636fc1e996e8be3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "emoji-in-source", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348010+00:00", "triaged_in_corpus": 9, "observations_count": 1468364, "ai_coder_pattern_id": 29}, "scanner": "repobility-threat-engine", "correlation_key": "fp|01e6f4e1852c0ed850460e2cccc8cd2d9d51318b0ba57b56f636fc1e996e8be3"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "src/hooks/keyword-detector/analyze/default.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 80289, "scanner": "repobility-threat-engine", "fingerprint": "6fc30e9384231932d601a27ca53d6f705deaabc5edefa477b511a4a4221585b8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6fc30e9384231932d601a27ca53d6f705deaabc5edefa477b511a4a4221585b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/shared/model-availability.ts"}, "region": {"startLine": 106}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 80288, "scanner": "repobility-threat-engine", "fingerprint": "383c3ea366c4f4c84623ecccb0c7fa74c06f6665c242d6a4d290fb45850445b0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|383c3ea366c4f4c84623ecccb0c7fa74c06f6665c242d6a4d290fb45850445b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/hooks/anthropic-context-window-limit-recovery/message-builder.ts"}, "region": {"startLine": 159}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 80287, "scanner": "repobility-threat-engine", "fingerprint": "889690acf113005af193296e3c7e7ee340e1b2c26d2d9540c6ad164b2577222b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|889690acf113005af193296e3c7e7ee340e1b2c26d2d9540c6ad164b2577222b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"src/features/opencode-skill-loader/config-source-discovery.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 80286, "scanner": "repobility-threat-engine", "fingerprint": "29330aa7a3fe073121300f508046acc6f3a036822936d4a0c456d77d1e1fb8c2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|29330aa7a3fe073121300f508046acc6f3a036822936d4a0c456d77d1e1fb8c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/features/builtin-skills/skills/playwright-cli.ts"}, "region": {"startLine": 221}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. 
Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 80284, "scanner": "repobility-threat-engine", "fingerprint": "da6f9f830901c8280ebdf12fb26e0acbc68968e4d1d95cd1a7a209f36c6eb603", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|39|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/hooks/auto-update-checker/checker/sync-package-json.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. 
Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 80283, "scanner": "repobility-threat-engine", "fingerprint": "e2630560caf60edc0d460166311b487f93742ea72fa3f891bbfa24f248abb7b9", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|57|sec118", "duplicate_count": 1, "duplicate_rule_ids": ["SEC118"], "duplicate_scanners": ["repobility-threat-engine"], "duplicate_fingerprints": ["5fd435c7ef8cf2f02781d42f4e8fd6aeb77aeb453fee6bed9730dd270c2366fb", "e2630560caf60edc0d460166311b487f93742ea72fa3f891bbfa24f248abb7b9"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/features/background-agent/attempt-lifecycle.ts"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 80281, "scanner": "repobility-threat-engine", "fingerprint": "5a291e9fe7c7540009229aa90b1ca9a9c4e51e156584be2f3f56a81916ab1f27", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": 
"fp|5a291e9fe7c7540009229aa90b1ca9a9c4e51e156584be2f3f56a81916ab1f27"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli/mcp-oauth/status.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 80280, "scanner": "repobility-threat-engine", "fingerprint": "15b5d534f01f7aea70553718db3650d64e8bc3a7bf0d20508f2a4da5434c47d6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|15b5d534f01f7aea70553718db3650d64e8bc3a7bf0d20508f2a4da5434c47d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli/mcp-oauth/logout.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 80279, "scanner": "repobility-threat-engine", "fingerprint": "7ed3db14571e7c903d1652f56ba8c9343464c152495e4a66425ef3a489660a8b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", 
"correlation_key": "fp|7ed3db14571e7c903d1652f56ba8c9343464c152495e4a66425ef3a489660a8b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli/mcp-oauth/login.ts"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC083", "level": "none", "message": {"text": "[SEC083] JS: new RegExp() with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 80278, "scanner": "repobility-threat-engine", "fingerprint": "a1bb6273fbdc514ec53143946386dbdf16802c8fad0fe59f75dea80ba84c286d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|a1bb6273fbdc514ec53143946386dbdf16802c8fad0fe59f75dea80ba84c286d"}}}, {"ruleId": "MINED074", "level": "none", "message": {"text": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). 
Common AI hallucination."}, "properties": {"repobilityId": 80273, "scanner": "repobility-threat-engine", "fingerprint": "625bab995eef3d0e6183bb7fa58d380329881673d080f6e72b3ae40b658f35fc", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'mock' detected on same line", "evidence": {"mined": true, "mining": {"slug": "ai-tell-fake-citation", "owasp": null, "cwe_ids": [], "languages": ["python", "javascript", "typescript", "markdown"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348074+00:00", "triaged_in_corpus": 10, "observations_count": 12281, "ai_coder_pattern_id": 176}, "scanner": "repobility-threat-engine", "correlation_key": "fp|625bab995eef3d0e6183bb7fa58d380329881673d080f6e72b3ae40b658f35fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/features/builtin-skills/skills/playwright-cli.ts"}, "region": {"startLine": 146}}}]}, {"ruleId": "MINED074", "level": "none", "message": {"text": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). 
Common AI hallucination."}, "properties": {"repobilityId": 80272, "scanner": "repobility-threat-engine", "fingerprint": "ebf9d36f7b69888447fe2b09a56b321ff71e9a7bcf71519dccc9d8cf92730e3a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ai-tell-fake-citation", "owasp": null, "cwe_ids": [], "languages": ["python", "javascript", "typescript", "markdown"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348074+00:00", "triaged_in_corpus": 10, "observations_count": 12281, "ai_coder_pattern_id": 176}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ebf9d36f7b69888447fe2b09a56b321ff71e9a7bcf71519dccc9d8cf92730e3a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/agents/librarian.ts"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 80269, "scanner": "repobility-threat-engine", "fingerprint": "2c7ac3da81405b074d3945ffcf328fc7b3ade62f123874951be31070b014dbde", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2c7ac3da81405b074d3945ffcf328fc7b3ade62f123874951be31070b014dbde"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"packages/web/components/landing/sections/prometheus-atlas.tsx"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 80267, "scanner": "repobility-threat-engine", "fingerprint": "2a836d8acd763f4987c16c5a38c5169886c31ef08633648f2ea897a60d0bc3f9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2a836d8acd763f4987c16c5a38c5169886c31ef08633648f2ea897a60d0bc3f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/web/app/layout.tsx"}, "region": {"startLine": 120}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. 
Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 80266, "scanner": "repobility-threat-engine", "fingerprint": "e220a503f9d606cf62e592eeca285c946d235a6dae96a0e84ac45b82bdebdee8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e220a503f9d606cf62e592eeca285c946d235a6dae96a0e84ac45b82bdebdee8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/web/app/[locale]/docs/page.tsx"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 80253, "scanner": "repobility-threat-engine", "fingerprint": "a76cbdc98f8dde1c3c34a513671d88e9a2f08a24d770d40bc43612ccd004bada", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a76cbdc98f8dde1c3c34a513671d88e9a2f08a24d770d40bc43612ccd004bada", "aggregated_count": 3}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 80252, "scanner": "repobility-threat-engine", "fingerprint": "08423214bfd62aaafadaccbe9fffeb1df6f48280d18a0b727e3792162cec7507", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|08423214bfd62aaafadaccbe9fffeb1df6f48280d18a0b727e3792162cec7507"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/agents/dynamic-agent-core-sections.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 80251, "scanner": "repobility-threat-engine", "fingerprint": "10d32cbd5ba80fd50eac93b1a6f1050e30fec73f71e2fc625b2089a5fba9db6d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|10d32cbd5ba80fd50eac93b1a6f1050e30fec73f71e2fc625b2089a5fba9db6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/shared-skills/skills/programming/scripts/typescript/check-no-excuse-rules.ts"}, "region": {"startLine": 126}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 80250, "scanner": "repobility-threat-engine", "fingerprint": "d69714c7a33b60dbaea1efbf849a5d2e07745abf1e77d5544714fc971d17a662", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d69714c7a33b60dbaea1efbf849a5d2e07745abf1e77d5544714fc971d17a662"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/plugin/skills/programming/scripts/typescript/check-no-excuse-rules.ts"}, "region": {"startLine": 126}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 2 more): Same pattern found in 2 additional files. 
Review if needed."}, "properties": {"repobilityId": 80248, "scanner": "repobility-threat-engine", "fingerprint": "d438fc2d14c63660d615290dceab2a5421ef5f4c5a8a429a3564895c539fbbc1", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|d438fc2d14c63660d615290dceab2a5421ef5f4c5a8a429a3564895c539fbbc1"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 80247, "scanner": "repobility-threat-engine", "fingerprint": "d50b90fa4c5d83ce9e7f449e5d661bc475a1a5660981e820563dd101690a896f", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.log(`No tokens found for ${serverName}`)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|src/cli/mcp-oauth/status.ts|1|console.log no tokens found for servername"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli/mcp-oauth/status.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "SEC020", "level": 
"none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 80246, "scanner": "repobility-threat-engine", "fingerprint": "d44316b6822392dba7f5e667dbe4ca6b7df8ce852139f215a222bb515ac80b1e", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.error(`Error: --server-url is required for logout. Token storage uses server URLs, not names", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|src/cli/mcp-oauth/logout.ts|1|console.error error: --server-url is required for logout. token storage uses server urls not names"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli/mcp-oauth/logout.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 80245, "scanner": "repobility-threat-engine", "fingerprint": "4286cd48d756ca9bd206bcc03482c15eec63332346a914b3b3b4e223d9594e16", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "evidence": {"match": "console.log(`  Token expires at: ${expiryDate.toISOString()", "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|src/cli/mcp-oauth/login.ts|4|console.log token expires at: expirydate.toisostring"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli/mcp-oauth/login.ts"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED057", "level": "none", "message": {"text": "[MINED057] Todo Bomb (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 80244, "scanner": "repobility-threat-engine", "fingerprint": "fd96382d524d1dc2b539f815efd60aab00996302f2a6c35aecafd9e2eb679e8e", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "todo-bomb", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348035+00:00", "triaged_in_corpus": 10, "observations_count": 255662, "ai_coder_pattern_id": 4}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|fd96382d524d1dc2b539f815efd60aab00996302f2a6c35aecafd9e2eb679e8e", "aggregated_count": 3}}}, {"ruleId": "MINED057", "level": "none", "message": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "properties": {"repobilityId": 80243, "scanner": "repobility-threat-engine", "fingerprint": "075bdeb14fe42d3ba716b6357c917c1ce5f24ff0ea36363c6b5ba6c71003c1a0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "todo-bomb", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348035+00:00", "triaged_in_corpus": 10, "observations_count": 255662, "ai_coder_pattern_id": 4}, "scanner": "repobility-threat-engine", "correlation_key": "fp|075bdeb14fe42d3ba716b6357c917c1ce5f24ff0ea36363c6b5ba6c71003c1a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/plugin/skills/programming/scripts/rust/check-no-excuse-rules.sh"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED057", "level": "none", "message": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "properties": {"repobilityId": 80242, "scanner": "repobility-threat-engine", "fingerprint": "521691fbb35d856fdec19d9df8a76b78918c42382f721bc1a92f8b88a2f4c99e", "category": "quality", "severity": "info", "confidence": 1.0, 
"triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "todo-bomb", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348035+00:00", "triaged_in_corpus": 10, "observations_count": 255662, "ai_coder_pattern_id": 4}, "scanner": "repobility-threat-engine", "correlation_key": "fp|521691fbb35d856fdec19d9df8a76b78918c42382f721bc1a92f8b88a2f4c99e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/plugin/skills/programming/scripts/rust/check-no-excuse-rules.py"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED057", "level": "none", "message": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "properties": {"repobilityId": 80241, "scanner": "repobility-threat-engine", "fingerprint": "bd0df3c048cc9f5a6977c85529292b962698585f65e40a75d12bb3fd88d5c6db", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "todo-bomb", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348035+00:00", "triaged_in_corpus": 10, "observations_count": 255662, "ai_coder_pattern_id": 4}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bd0df3c048cc9f5a6977c85529292b962698585f65e40a75d12bb3fd88d5c6db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/plugin/skills/programming/scripts/python/new-script.py"}, "region": {"startLine": 65}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 3 more): Same pattern found in 3 additional files. 
Review if needed."}, "properties": {"repobilityId": 80240, "scanner": "repobility-threat-engine", "fingerprint": "ffacc44acd0408185fc3827739658544dd0204c83ccb78694e2ced81539c2c58", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "main", "breakdown": {"if": 7, "for": 1, "ternary": 1, "continue": 1, "nested_bonus": 4}, "aggregated": true, "complexity": 14, "correlation_key": "fp|ffacc44acd0408185fc3827739658544dd0204c83ccb78694e2ced81539c2c58", "aggregated_count": 3}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 22 more): Same pattern found in 22 additional files. Review if needed."}, "properties": {"repobilityId": 80233, "scanner": "repobility-threat-engine", "fingerprint": "2e3607151b79226e1f988d03377240b01f057a39282b8ee7334800f3ede61bb1", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 22 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 22 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2e3607151b79226e1f988d03377240b01f057a39282b8ee7334800f3ede61bb1"}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 113 more): Same pattern found in 113 additional files. 
Review if needed."}, "properties": {"repobilityId": 80229, "scanner": "repobility-threat-engine", "fingerprint": "255079f6dd5edc79ae2b548eb804e85d598b6f62eb707debf08c254820a22081", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 113 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 113 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|255079f6dd5edc79ae2b548eb804e85d598b6f62eb707debf08c254820a22081"}}}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 80225, "scanner": "repobility-threat-engine", "fingerprint": "bec6245b6bfa7afc214dd905bb9818242228a9e52b6adae8981503aa14630fb3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bec6245b6bfa7afc214dd905bb9818242228a9e52b6adae8981503aa14630fb3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/plugin/components/comment-checker/src/runner.ts"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with 
server-supplied data (and 28 more): Same pattern found in 28 additional files. Review if needed."}, "properties": {"repobilityId": 80224, "scanner": "repobility-threat-engine", "fingerprint": "cea829578e6dd492f7ec4cd156950825893f71ec3e0f8a54b78babd87906b126", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 28 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 28 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|cea829578e6dd492f7ec4cd156950825893f71ec3e0f8a54b78babd87906b126"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 49 more): Same pattern found in 49 additional files. Review if needed."}, "properties": {"repobilityId": 80216, "scanner": "repobility-threat-engine", "fingerprint": "78a697bdbaad0ebd43efa8d7116b1254fbadb2bbd064c26ba474f0748e609186", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 49 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|78a697bdbaad0ebd43efa8d7116b1254fbadb2bbd064c26ba474f0748e609186", "aggregated_count": 49}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 80215, "scanner": "repobility-threat-engine", "fingerprint": "70305978d9e69ca7b94ad70c8006f88e033597f77cd320f03ddf3276be6720e4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|70305978d9e69ca7b94ad70c8006f88e033597f77cd320f03ddf3276be6720e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/plugin/scripts/auto-update.mjs"}, "region": {"startLine": 265}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 80214, "scanner": "repobility-threat-engine", "fingerprint": "29648f64891bb5f77a334be63486cf4517b9ec6de1d8ed36bb76c59db8b2184e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|29648f64891bb5f77a334be63486cf4517b9ec6de1d8ed36bb76c59db8b2184e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/plugin/components/lsp/scripts/build-lsp-tools.mjs"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 80213, "scanner": "repobility-threat-engine", "fingerprint": "a6f9135d53727608d40bdaa68ddcc1f7b72dde986e16b9068ac319d6159244c3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a6f9135d53727608d40bdaa68ddcc1f7b72dde986e16b9068ac319d6159244c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ast-grep-mcp/src/tool-descriptions.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "properties": {"repobilityId": 80212, "scanner": "repobility-threat-engine", "fingerprint": "a0019a713ca3f2779e26a30598d0b5e71f24582d30b6ad8f4d2dfbdab270e715", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 15 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|a0019a713ca3f2779e26a30598d0b5e71f24582d30b6ad8f4d2dfbdab270e715"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "properties": {"repobilityId": 80208, "scanner": "repobility-threat-engine", "fingerprint": "22392344724895ffca9c480ac12c9c8fa4f96c0b988894fd81a0f35b89e7a613", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 16 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 16 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|22392344724895ffca9c480ac12c9c8fa4f96c0b988894fd81a0f35b89e7a613"}}}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 31 more): Same pattern found in 31 additional files. Review if needed."}, "properties": {"repobilityId": 80204, "scanner": "repobility-threat-engine", "fingerprint": "568270b11cabd02a49645584383c6eb8cf8dee384db689b3df1ea1f6b19e4392", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 31 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 31 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|568270b11cabd02a49645584383c6eb8cf8dee384db689b3df1ea1f6b19e4392"}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 76 more): Same pattern found in 76 additional files. Review if needed."}, "properties": {"repobilityId": 80200, "scanner": "repobility-threat-engine", "fingerprint": "2b37f923ba2c3d1411889489e6bff64fa2afe337aa72b4e901868f9bbbae0369", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 76 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|2b37f923ba2c3d1411889489e6bff64fa2afe337aa72b4e901868f9bbbae0369", "aggregated_count": 76}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 80199, "scanner": "repobility-threat-engine", "fingerprint": "ed6c52b80fb012726c55186f70b8835f9e98f55682ad48dff5d8a9b677df6de2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ed6c52b80fb012726c55186f70b8835f9e98f55682ad48dff5d8a9b677df6de2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/hashline-core/src/edit-text-normalization.ts"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 80198, "scanner": "repobility-threat-engine", "fingerprint": "16b3b8aae06602a5cc02eff23d6a2aeec007f9a57026ecc707ce9aa48c306c92", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|16b3b8aae06602a5cc02eff23d6a2aeec007f9a57026ecc707ce9aa48c306c92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/comment-checker-core/src/runner.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 80197, "scanner": "repobility-threat-engine", "fingerprint": "cca68a8d8387ba078d05aaba1fd23f6434e0922e498b18947c399ae8b022daa4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cca68a8d8387ba078d05aaba1fd23f6434e0922e498b18947c399ae8b022daa4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ast-grep-core/src/runner.ts"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 80366, "scanner": "repobility-supply-chain", "fingerprint": "5250eca2965a04cf101a2d598d884c4dc7fa342139dda86f391e9379b6313ca2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5250eca2965a04cf101a2d598d884c4dc7fa342139dda86f391e9379b6313ca2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cla.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `peter-evans/create-pull-request` pinned to mutable ref `@v7`: `uses: peter-evans/create-pull-request@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 80365, "scanner": "repobility-supply-chain", "fingerprint": "45b4b6824f8a65c37a969639cc772aa58ef4320955cb5cff0c5fa4632d237e2b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|45b4b6824f8a65c37a969639cc772aa58ef4320955cb5cff0c5fa4632d237e2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/refresh-model-capabilities.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v2`: `uses: oven-sh/setup-bun@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 80364, "scanner": "repobility-supply-chain", "fingerprint": "91d5ca467ebb098f39b6cb97d86c6fb011c1e223b3178d5d3e8896c75f636029", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|91d5ca467ebb098f39b6cb97d86c6fb011c1e223b3178d5d3e8896c75f636029"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/refresh-model-capabilities.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 80363, "scanner": "repobility-supply-chain", "fingerprint": "e9de9e2a10e989d178caca514f9d703614f5b96ae853bf313573c4dbb28cd006", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e9de9e2a10e989d178caca514f9d703614f5b96ae853bf313573c4dbb28cd006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/refresh-model-capabilities.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `cloudflare/wrangler-action` pinned to mutable ref `@v3`: `uses: cloudflare/wrangler-action@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 80362, "scanner": "repobility-supply-chain", "fingerprint": "4a2c0eacfb3a95b1af680679f00aea9436993ab2a6539201fc552376883de54f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4a2c0eacfb3a95b1af680679f00aea9436993ab2a6539201fc552376883de54f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/web-deploy.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v2`: `uses: oven-sh/setup-bun@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 80361, "scanner": "repobility-supply-chain", "fingerprint": "88c5154efd77405f264433b9a41cdd597dee90b0b5593d6671427e3977a0bfa1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|88c5154efd77405f264433b9a41cdd597dee90b0b5593d6671427e3977a0bfa1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/web-deploy.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 80360, "scanner": "repobility-supply-chain", "fingerprint": "d32ce9feb9bab826a219d5c410adcd35bdd154d7d6df74e05c459f709863c011", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d32ce9feb9bab826a219d5c410adcd35bdd154d7d6df74e05c459f709863c011"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/web-deploy.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 80359, "scanner": "repobility-supply-chain", "fingerprint": "762a7404987d7211aab13c35df3d572fcb80e3de43174cc113b9977b4b3b10de", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|762a7404987d7211aab13c35df3d572fcb80e3de43174cc113b9977b4b3b10de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-platform.yml"}, "region": {"startLine": 273}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 80358, "scanner": "repobility-supply-chain", "fingerprint": "1e963cea1882072a755b5bfa771b054bc6b4710279697ac1dd4af1c00a46056b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1e963cea1882072a755b5bfa771b054bc6b4710279697ac1dd4af1c00a46056b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-platform.yml"}, "region": {"startLine": 252}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 80357, "scanner": "repobility-supply-chain", "fingerprint": "810fbfa5d3d4e47ac31635a02a66ad7887ea3c70fce07d8e91ec2e486692d111", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|810fbfa5d3d4e47ac31635a02a66ad7887ea3c70fce07d8e91ec2e486692d111"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-platform.yml"}, "region": {"startLine": 179}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `nick-fields/retry` pinned to mutable ref `@v3`: `uses: nick-fields/retry@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 80356, "scanner": "repobility-supply-chain", "fingerprint": "795611289eaa1397fda4c9a9061ea37b8145c423526dbf59fdff6bb9527f6288", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|795611289eaa1397fda4c9a9061ea37b8145c423526dbf59fdff6bb9527f6288"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-platform.yml"}, "region": {"startLine": 137}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v2`: `uses: oven-sh/setup-bun@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 80355, "scanner": "repobility-supply-chain", "fingerprint": "12134da89d20be7d0fd5fe2936d4d3085e7f21c3c1436711708d41f5f8a8b99a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|12134da89d20be7d0fd5fe2936d4d3085e7f21c3c1436711708d41f5f8a8b99a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-platform.yml"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 80354, "scanner": "repobility-supply-chain", "fingerprint": "58bf6e7300e916130976a9c60a5f95bc86d99dbd58bc77795b972740bc8d86ba", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|58bf6e7300e916130976a9c60a5f95bc86d99dbd58bc77795b972740bc8d86ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-platform.yml"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 80353, "scanner": "repobility-supply-chain", "fingerprint": "bdbc8428442546e959d759cb06cc11aef1c5dd33aaa38dff0d9cd216ae62f9b7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bdbc8428442546e959d759cb06cc11aef1c5dd33aaa38dff0d9cd216ae62f9b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/plugin/components/lsp/.github/workflows/publish.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 80352, "scanner": "repobility-supply-chain", "fingerprint": "e45d9b40ed693c353c053c0c92cfd4248ff79b15e4533ddd5b43fd4a9a4f9038", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e45d9b40ed693c353c053c0c92cfd4248ff79b15e4533ddd5b43fd4a9a4f9038"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/plugin/components/lsp/.github/workflows/publish.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 80351, "scanner": "repobility-supply-chain", "fingerprint": "c37b935752e80d251a0a85e4be542d2350d7bc684a1f46b62a91fcc5c6c8d41e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c37b935752e80d251a0a85e4be542d2350d7bc684a1f46b62a91fcc5c6c8d41e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/plugin/components/lsp/.github/workflows/ci.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 80350, "scanner": "repobility-supply-chain", "fingerprint": "4468be989b2d3f80594b090bfd1356fd08eeb15f3c17f246bad6008541d00272", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4468be989b2d3f80594b090bfd1356fd08eeb15f3c17f246bad6008541d00272"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/plugin/components/lsp/.github/workflows/ci.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 80349, "scanner": "repobility-supply-chain", "fingerprint": "a7e5afee2cad3ab1059d775f913f73dd9745740e234db9fee72bfb518b7cc143", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a7e5afee2cad3ab1059d775f913f73dd9745740e234db9fee72bfb518b7cc143"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/plugin/components/comment-checker/.github/workflows/publish.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 80348, "scanner": "repobility-supply-chain", "fingerprint": "aba4bf74e6a0cb927638293c2c9bdc3263e5b069893d54e80f735edd27410200", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|aba4bf74e6a0cb927638293c2c9bdc3263e5b069893d54e80f735edd27410200"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/plugin/components/comment-checker/.github/workflows/publish.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 80347, "scanner": "repobility-supply-chain", "fingerprint": "a0696cd2f608f32212aede3d2cd2f2df85599d7818371146bb12a2124cc82fe9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a0696cd2f608f32212aede3d2cd2f2df85599d7818371146bb12a2124cc82fe9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/plugin/components/comment-checker/.github/workflows/ci.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 80346, "scanner": "repobility-supply-chain", "fingerprint": "730fdbb1f9175658370348d6804188d2181fd82d521c01c37edd98abe1ac2469", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|730fdbb1f9175658370348d6804188d2181fd82d521c01c37edd98abe1ac2469"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/plugin/components/comment-checker/.github/workflows/ci.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 80345, "scanner": "repobility-supply-chain", "fingerprint": "ee7b83460cc5a1972c5d9ef51484b0a67d3a3a01629fc1cb597e288cc46952ea", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ee7b83460cc5a1972c5d9ef51484b0a67d3a3a01629fc1cb597e288cc46952ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/plugin/components/rules/.github/workflows/publish.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 80344, "scanner": "repobility-supply-chain", "fingerprint": "e6542bca36226f1d4ea933fe96be38ad17112797be76d60f1fc0dab2eaf10648", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e6542bca36226f1d4ea933fe96be38ad17112797be76d60f1fc0dab2eaf10648"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/plugin/components/rules/.github/workflows/publish.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 80343, "scanner": "repobility-supply-chain", "fingerprint": "3b1d00cff9d7e30e99a4b1e1c68fbec758414c32d3b222696806c496f36d57e5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3b1d00cff9d7e30e99a4b1e1c68fbec758414c32d3b222696806c496f36d57e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/plugin/components/rules/.github/workflows/ci.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 80342, "scanner": "repobility-supply-chain", "fingerprint": "2aa527f707407cea44c2dc772fc80b05c57959aa5904b88a2648a8eae1b33b99", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2aa527f707407cea44c2dc772fc80b05c57959aa5904b88a2648a8eae1b33b99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/plugin/components/rules/.github/workflows/ci.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `@code-yeongyu/lsp-tools-mcp` pulled from URL/Git: `dependencies.@code-yeongyu/lsp-tools-mcp` = `file:../../../../lsp-tools-mcp` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 80341, "scanner": "repobility-supply-chain", "fingerprint": "06bb2480c1c82278a80ce67ea00427388182439c18f5f22dda12b0acca98e75d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|06bb2480c1c82278a80ce67ea00427388182439c18f5f22dda12b0acca98e75d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/plugin/components/lsp/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `@oh-my-opencode/shared-skills` pulled from URL/Git: `dependencies.@oh-my-opencode/shared-skills` = `file:../../shared-skills` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 80340, "scanner": "repobility-supply-chain", "fingerprint": "0a3b60776099f5e91f4acc5d9a9bae93daceebe6f0c1294c8d567f3bfcedab65", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0a3b60776099f5e91f4acc5d9a9bae93daceebe6f0c1294c8d567f3bfcedab65"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/plugin/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN004", "level": "error", "message": {"text": "Consent is collected in UI without visible backend audit persistence"}, "properties": {"repobilityId": 80339, "scanner": "repobility-journey-contract", "fingerprint": "76472a54ef71726e19bdcbb2c9d4c67bebbc9ec3c7ec764072bcaa5af225db9d", "category": "auth", "severity": "high", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Frontend consent wording was found, but backend consent/audit metadata was not visible.", "evidence": {"rule_id": "JRN004", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "code|auth|. 
token|717|jrn004", "backend_consent_model": false, "backend_audit_signal_count": 2}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".agents/skills/work-with-pr-workspace/iteration-1/review.html"}, "region": {"startLine": 717}}}]}, {"ruleId": "SEC036", "level": "error", "message": {"text": "[SEC036] HTTP Header Injection / CRLF Injection: Setting an HTTP response header from user input without stripping CRLF lets attackers inject extra headers (Set-Cookie, etc.) or split the response. Real CVEs: CVE-2017-15193 (Mahara), CVE-2019-11358 (Django), CVE-2020-26116 (Python http.client). CWE-93/113."}, "properties": {"repobilityId": 80291, "scanner": "repobility-threat-engine", "fingerprint": "d85ae4a97dd84b1c919b1bafd45db741cbbb2175df4c770a39b07f6f14551f85", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "res.set(makeKey(input.sessionID, input", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC036", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|92|sec036"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/hooks/webfetch-redirect-guard/hook.ts"}, "region": {"startLine": 92}}}]}, {"ruleId": "SEC036", "level": "error", "message": {"text": "[SEC036] HTTP Header Injection / CRLF Injection: Setting an HTTP response header from user input without stripping CRLF lets attackers inject extra headers (Set-Cookie, etc.) or split the response. Real CVEs: CVE-2017-15193 (Mahara), CVE-2019-11358 (Django), CVE-2020-26116 (Python http.client). 
CWE-93/113."}, "properties": {"repobilityId": 80290, "scanner": "repobility-threat-engine", "fingerprint": "8400b20605038d61d1d1c23bdc9f04de10d74c98a544c78746e59d2ca4fc1497", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "res.set(makeKey(input.sessionID, input", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC036", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|64|sec036"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/hooks/hashline-edit-diff-enhancer/hook.ts"}, "region": {"startLine": 64}}}]}, {"ruleId": "SEC035", "level": "error", "message": {"text": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. Attackers send `size=10000000` to exhaust memory, or trigger expensive computation. CWE-770/400. 
Examples: CVE-2023-44487 (HTTP/2 Rapid Reset), countless YAML/XML billion-laughs variants."}, "properties": {"repobilityId": 80282, "scanner": "repobility-threat-engine", "fingerprint": "3034e29bfa79fdf36940e53a29fdfd99682c3c98d8a2206ee6af01673d50716a", "category": "resource_exhaustion", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Buffer.alloc(body.", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC035", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3034e29bfa79fdf36940e53a29fdfd99682c3c98d8a2206ee6af01673d50716a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli/sparkshell-appserver-websocket.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 80277, "scanner": "repobility-threat-engine", "fingerprint": "540d24745eaccf9526d93a110275baa5faf34c3c692b43553dc37594d63aaa0b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(pattern", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|540d24745eaccf9526d93a110275baa5faf34c3c692b43553dc37594d63aaa0b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/hooks/claude-code-hooks/config-loader.ts"}, "region": {"startLine": 142}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 80276, "scanner": "repobility-threat-engine", "fingerprint": "6d4c8eb114915a4f5d0d897341bef78350ee26cda72c20fcbf488866d539fbc8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(`${", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6d4c8eb114915a4f5d0d897341bef78350ee26cda72c20fcbf488866d539fbc8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/features/mcp-oauth/step-up.ts"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 80275, "scanner": "repobility-threat-engine", "fingerprint": "2708c9598483d16825c5cb665afd0acf32679d0b38477718d1f9520055c41588", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(pattern", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2708c9598483d16825c5cb665afd0acf32679d0b38477718d1f9520055c41588"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli/doctor/format-shared.ts"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED012", "level": "error", "message": {"text": "[MINED012] Curl Pipe Bash: curl ... 
| sh / bash \u2014 runs unverified network code."}, "properties": {"repobilityId": 80274, "scanner": "repobility-threat-engine", "fingerprint": "8c8ebe8b55d5bd79f405f1c6491970fd5311e81780ea6c2cf0e5b9f78e86aa00", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "curl-pipe-bash", "owasp": "A08:2021", "cwe_ids": ["CWE-494"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347926+00:00", "triaged_in_corpus": 15, "observations_count": 135001, "ai_coder_pattern_id": 25}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8c8ebe8b55d5bd79f405f1c6491970fd5311e81780ea6c2cf0e5b9f78e86aa00"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli/config-manager/bun-install.ts"}, "region": {"startLine": 143}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. 
Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "properties": {"repobilityId": 80268, "scanner": "repobility-threat-engine", "fingerprint": "6dda121c3f1f01004f667f41ef24316cad85d82993f95d9f294e74b5b58d8cca", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Access-Control-Allow-Origin\": \"*\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6dda121c3f1f01004f667f41ef24316cad85d82993f95d9f294e74b5b58d8cca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/web/app/api/npm-downloads/route.ts"}, "region": {"startLine": 63}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. 
`../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 80249, "scanner": "repobility-threat-engine", "fingerprint": "a38dd2add7df42507e9b2e0be402b4e85eac570108d7cd2cbf6906279790d92e", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found. Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "path.resolve(input", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|75|sec114", "duplicate_count": 1, "duplicate_rule_ids": ["SEC114"], "duplicate_scanners": ["repobility-threat-engine"], "duplicate_fingerprints": ["a38dd2add7df42507e9b2e0be402b4e85eac570108d7cd2cbf6906279790d92e", "b4da06b98d47759fc78f308a37d42876c83b58a7dff1e3194fd882527a9e18f4"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/plugin/skills/programming/scripts/typescript/check-no-excuse-rules.ts"}, "region": {"startLine": 75}}}]}, {"ruleId": "COMP001", "level": "error", "message": {"text": "[COMP001] High cognitive complexity: Function `check_file` has cognitive complexity 58 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: except=1, for=1, if=16, nested_bonus=36, or=1, ternary=3."}, "properties": {"repobilityId": 80238, "scanner": "repobility-threat-engine", "fingerprint": "df0956b23ba73727e7d445beb45e3924f60f23b40cdee313235a7f61c277ed11", "category": "quality", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 58 (severity threshold for high: 25+).", "evidence": {"scanner": "repobility-threat-engine", "function": "check_file", "breakdown": {"if": 16, "or": 1, "for": 1, "except": 1, "ternary": 3, "nested_bonus": 36}, "complexity": 58, "correlation_key": "fp|df0956b23ba73727e7d445beb45e3924f60f23b40cdee313235a7f61c277ed11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/plugin/skills/programming/scripts/rust/check-no-excuse-rules.py"}, "region": {"startLine": 150}}}]}, {"ruleId": "SEC111", "level": "error", "message": {"text": "[SEC111] Django mark_safe / |safe filter on user data: Django's `mark_safe()` and `|safe` disable HTML autoescaping. 
Calling them on non-constant data is XSS."}, "properties": {"repobilityId": 80236, "scanner": "repobility-threat-engine", "fingerprint": "e3af633dcd7950b292f5fe41d2c21d525c2b1c2cc52205c8ed79be47a779f39c", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "safeString(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC111", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e3af633dcd7950b292f5fe41d2c21d525c2b1c2cc52205c8ed79be47a779f39c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/plugin/components/ulw-loop/src/codex-goal-snapshot.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 80232, "scanner": "repobility-threat-engine", "fingerprint": "2e92614d991ab2244d62a5de2cb02957c4e7c072fd3c380bf71c77ca2d4cf55f", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2e92614d991ab2244d62a5de2cb02957c4e7c072fd3c380bf71c77ca2d4cf55f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/plugin/scripts/migrate-codex-config.mjs"}, "region": {"startLine": 86}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 80231, "scanner": "repobility-threat-engine", "fingerprint": "bdfa424fcdfaa42478f7f9532c25a3c77f930211fa1abdebbf4c95a42ee7a337", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bdfa424fcdfaa42478f7f9532c25a3c77f930211fa1abdebbf4c95a42ee7a337"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/plugin/scripts/auto-update.mjs"}, "region": {"startLine": 263}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 80230, "scanner": "repobility-threat-engine", "fingerprint": "ae001b05ba83d42fcc0839ec00b2d313a07281490ef5a3d339b4bf35bedadb86", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(v", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ae001b05ba83d42fcc0839ec00b2d313a07281490ef5a3d339b4bf35bedadb86"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/plugin/components/rules/src/tool-paths.ts"}, "region": {"startLine": 111}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 80228, "scanner": "repobility-threat-engine", "fingerprint": "83f3abaee1f0daa1f1af0f59e0f0d12d90e9151443e24b83a375d8d505d9a728", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "cache.delete(cacheKey);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|83f3abaee1f0daa1f1af0f59e0f0d12d90e9151443e24b83a375d8d505d9a728"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/plugin/components/rules/src/rules/engine-dynamic-cache.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 80227, "scanner": "repobility-threat-engine", "fingerprint": "a2492b94bfb983f67648be621860d5ca64eb6e2fb048a10664619e259c017198", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "pendingKinds.delete(kind);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a2492b94bfb983f67648be621860d5ca64eb6e2fb048a10664619e259c017198"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/plugin/components/rules/src/persistent-cache.ts"}, "region": {"startLine": 97}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 80226, "scanner": "repobility-threat-engine", "fingerprint": "b931f12c67c349b5af3884caee16374fcac634a9456d9f850b532987fa9b539b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "unavailableExtensions.delete(extension);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b931f12c67c349b5af3884caee16374fcac634a9456d9f850b532987fa9b539b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/plugin/components/lsp/src/lsp-session-state.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 80223, "scanner": "repobility-threat-engine", "fingerprint": "61eb0ada1cabab9aa420d77337c4fabc15531523af5278d408d1d40bb6529689", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([key, value]) => `${key}=${String(value)}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|61eb0ada1cabab9aa420d77337c4fabc15531523af5278d408d1d40bb6529689"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/plugin/components/rules/src/debug-log.ts"}, "region": {"startLine": 64}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 80222, "scanner": "repobility-threat-engine", "fingerprint": "4498608ac48c7177b9f53a59f34ebaa00047a8732854859823c47447a5a7106e", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((line) => `  ${line}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4498608ac48c7177b9f53a59f34ebaa00047a8732854859823c47447a5a7106e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/plugin/components/lsp/src/codex-hook.ts"}, "region": {"startLine": 181}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 80221, "scanner": "repobility-threat-engine", "fingerprint": "24d9bb1ef0c389a708e2d1ee57555e94bbc7a58b718884928d37e85b06e2c4d9", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((warning) => `comment-checker found issues in ${warning.filePath}:\\n${warning.message}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|24d9bb1ef0c389a708e2d1ee57555e94bbc7a58b718884928d37e85b06e2c4d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/plugin/components/comment-checker/src/codex-hook.ts"}, "region": {"startLine": 140}}}]}, {"ruleId": "SEC033", "level": "error", "message": {"text": "[SEC033] Prototype Pollution \u2014 unfiltered merge of user object: Merging user-controlled object into a target without filtering `__proto__`/`constructor`/`prototype` keys lets attackers inject properties onto Object.prototype, affecting every object in the process. CWE-1321. 
Real-world: CVE-2019-10744 (lodash), CVE-2021-23337 (lodash.set), CVE-2023-26136 (tough-cookie)."}, "properties": {"repobilityId": 80220, "scanner": "repobility-threat-engine", "fingerprint": "e75866ad65e02f43dddfc4fd4e5aac76c7c28eb72607c3f2fbdd22c9acde5ebd", "category": "prototype_pollution", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "[input.taskKey] =", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC033", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e75866ad65e02f43dddfc4fd4e5aac76c7c28eb72607c3f2fbdd22c9acde5ebd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/boulder-state/src/storage/task.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 80219, "scanner": "repobility-threat-engine", "fingerprint": "5da512c0d563b9f4a58992ab05c2112ab42673b64f3366643b2ca92adc9116f0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5da512c0d563b9f4a58992ab05c2112ab42673b64f3366643b2ca92adc9116f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"src/features/skill-mcp-manager/cleanup.ts"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 80218, "scanner": "repobility-threat-engine", "fingerprint": "2c286f947775690c74e9a74c736463cfba1cdc4eaaee218a8c302e7f3ddb3983", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2c286f947775690c74e9a74c736463cfba1cdc4eaaee218a8c302e7f3ddb3983"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/plugin/components/rules/src/rules/engine.ts"}, "region": {"startLine": 107}}}]}, {"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 80217, "scanner": "repobility-threat-engine", "fingerprint": "2c8756afa8e13439e1c19a74e23876ce4a59010d90666a951ae514e94f4e3d43", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, 
"promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2c8756afa8e13439e1c19a74e23876ce4a59010d90666a951ae514e94f4e3d43"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/boulder-state/src/storage/session.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 80211, "scanner": "repobility-threat-engine", "fingerprint": "3ea04c9fb90e557cc0594a7e4b2bbd57a48e4a7eb25e7715b35d0fec740ea16e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(goal", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3ea04c9fb90e557cc0594a7e4b2bbd57a48e4a7eb25e7715b35d0fec740ea16e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/plugin/components/ulw-loop/src/review-blockers.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 80210, "scanner": "repobility-threat-engine", "fingerprint": "3d82dbfcac79124b4a112e2664c00ac429446ba05a3882897d826721a029b65f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(modelName", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3d82dbfcac79124b4a112e2664c00ac429446ba05a3882897d826721a029b65f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/model-core/src/model-family-detectors.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 80209, "scanner": "repobility-threat-engine", "fingerprint": "94a99fd23467b22392de033fb828e83f4a1f589eb8012428fe4a7b674e380c2e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(line", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|94a99fd23467b22392de033fb828e83f4a1f589eb8012428fe4a7b674e380c2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ast-grep-mcp/src/mcp-stdio-transport.ts"}, "region": {"startLine": 113}}}]}, {"ruleId": "MINED035", "level": "error", "message": {"text": "[MINED035] Js New Function: new Function(...) 
compiles strings to functions."}, "properties": {"repobilityId": 80295, "scanner": "repobility-threat-engine", "fingerprint": "ce594c1709c272d816a5cd2abfd46546e15aae68472254085d563391ed982628", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-new-function", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347980+00:00", "triaged_in_corpus": 20, "observations_count": 2547, "ai_coder_pattern_id": 104}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ce594c1709c272d816a5cd2abfd46546e15aae68472254085d563391ed982628"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/plugin/ultrawork-db-model-override.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED018", "level": "error", "message": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "properties": {"repobilityId": 80265, "scanner": "repobility-threat-engine", "fingerprint": "9080c6c20d504c6577e170b29d811bed1d24431515d7a1475820efdd66bf3f47", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, "observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9080c6c20d504c6577e170b29d811bed1d24431515d7a1475820efdd66bf3f47"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "src/features/opencode-skill-loader/skill-mcp-config.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED018", "level": "error", "message": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "properties": {"repobilityId": 80264, "scanner": "repobility-threat-engine", "fingerprint": "98cb131bc5c64ab6c3b5bc2b23b43816636d7e84a1cdf6212cbbdda227a7b934", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, "observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", "correlation_key": "fp|98cb131bc5c64ab6c3b5bc2b23b43816636d7e84a1cdf6212cbbdda227a7b934"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/features/opencode-skill-loader/async-loader.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED018", "level": "error", "message": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "properties": {"repobilityId": 80263, "scanner": "repobility-threat-engine", "fingerprint": "ca7d6871490ce4d7f90c3b866a8fcfe1a7fe8a8c8ff826d4882f1623da5d84ea", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, 
"observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ca7d6871490ce4d7f90c3b866a8fcfe1a7fe8a8c8ff826d4882f1623da5d84ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/utils/src/frontmatter.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC116", "level": "error", "message": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. `unsafe_load` is even more dangerous."}, "properties": {"repobilityId": 80262, "scanner": "repobility-threat-engine", "fingerprint": "f3cf0c084c68bacb3369aa492811e245eb4e027710249869454d5d4923097784", "category": "deserialization", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC116", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|11|sec116"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/features/opencode-skill-loader/skill-mcp-config.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "SEC116", "level": "error", "message": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. 
`unsafe_load` is even more dangerous."}, "properties": {"repobilityId": 80261, "scanner": "repobility-threat-engine", "fingerprint": "89bb158015a61fead093c9ca5722865c8aa0703035605f1dc52e2c1c4bf0bcb7", "category": "deserialization", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC116", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|39|sec116"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/features/opencode-skill-loader/async-loader.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC116", "level": "error", "message": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. 
`unsafe_load` is even more dangerous."}, "properties": {"repobilityId": 80260, "scanner": "repobility-threat-engine", "fingerprint": "019f8a8e2c26dba0547e2fc4297ecfccf4ceabb7f685e73a5945de1ed1ec0495", "category": "deserialization", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC116", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|25|sec116"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/utils/src/frontmatter.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC079", "level": "error", "message": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "properties": {"repobilityId": 80259, "scanner": "repobility-threat-engine", "fingerprint": "da0269016a43ddbcf94bf86def336317ffa4873985dbcf52e23e21e7696af6e3", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(frontmatterMatch[1])", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC079", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|da0269016a43ddbcf94bf86def336317ffa4873985dbcf52e23e21e7696af6e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/features/opencode-skill-loader/skill-mcp-config.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "SEC079", "level": "error", "message": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can 
execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "properties": {"repobilityId": 80258, "scanner": "repobility-threat-engine", "fingerprint": "5ec47dd628c6f67bfa82c3f9ff14228c90ac2fd50927fbfec1b2d72823ce7d10", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(frontmatterMatch[1])", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC079", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5ec47dd628c6f67bfa82c3f9ff14228c90ac2fd50927fbfec1b2d72823ce7d10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/features/opencode-skill-loader/async-loader.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC079", "level": "error", "message": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). 
Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "properties": {"repobilityId": 80257, "scanner": "repobility-threat-engine", "fingerprint": "8212f920206d144a452bc5cbb14ca865d1ef795b47558765a2ee1b8985094d71", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(yamlContent, { schema: yaml.JSON_SCHEMA })", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC079", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8212f920206d144a452bc5cbb14ca865d1ef795b47558765a2ee1b8985094d71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/utils/src/frontmatter.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC002", "level": "error", "message": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "properties": {"repobilityId": 80235, "scanner": "repobility-threat-engine", "fingerprint": "904aaaafe8cc90afb79e4d586912fbd5384b066033c99f05cd84ddd763b5becb", "category": "credential_exposure", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "High entropy value (4.9 bits) \u2014 likely real secret", "evidence": {"match": "API_KEY = \"<redacted>\"", "reason": "High entropy value (4.9 bits) \u2014 likely real secret", "rule_id": "SEC002", "scanner": "repobility-threat-engine", "confidence": 0.9, "correlation_key": "secret|src/shared/posthog.ts|4|api_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/shared/posthog.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "SEC002", "level": "error", "message": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "properties": {"repobilityId": 80234, "scanner": "repobility-threat-engine", "fingerprint": 
"26942a558e559bb186b7af2c672e68d41d7b658aa4fe2d99b3986015ef90301c", "category": "credential_exposure", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "High entropy value (4.9 bits) \u2014 likely real secret. Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "API_KEY = \"<redacted>\"", "reason": "High entropy value (4.9 bits) \u2014 likely real secret", "rule_id": "SEC002", "scanner": "repobility-threat-engine", "confidence": 0.9, "correlation_key": "secret|token|1|api_key redacted", "duplicate_count": 1, "duplicate_rule_ids": ["SEC002"], "duplicate_scanners": ["repobility-threat-engine"], "duplicate_fingerprints": ["26942a558e559bb186b7af2c672e68d41d7b658aa4fe2d99b3986015ef90301c", "39c2a4df76cabe8210eea5814d75ee5abacdcf590b7693130ed6b60deefb88f3"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/omo-codex/plugin/components/telemetry/src/product-identity.ts"}, "region": {"startLine": 9}}}]}]}]}