{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /sr"}, "fullDescription": {"text": "A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /src/app/api/integrations/slack/callback/route."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 31.7% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 31.7% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Only 31.7% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "COPY . or ADD . 
is safer when .dockerignore excludes secrets, git history, keys, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "DKR018", "name": "Database dump or local database file is included in Docker build context", "shortDescription": {"text": "Database dump or local database file is included in Docker build context"}, "fullDescription": {"text": "Database exports and local database files can contain production data, credentials, or large binary payloads that slow Docker builds and can be copied into images by broad COPY instructions."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. 
They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Files named as final, fixed, copy, new, or backup are often temporary patch artifacts. They may be legitimate, but they deserve review before becoming production surface area."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "AIC009", "name": "Multiple AI-agent scaffold marker files are present", "shortDescription": {"text": "Multiple AI-agent scaffold marker files are present"}, "fullDescription": {"text": "Repositories with several agent instruction, progress, or completion marker files are often generated scaffolds. They are not automatically wrong, but they deserve a reachability and ownership review before users treat the code as production-ready."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.25, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "JRN004", "name": "Consent is collected in UI without visible backend audit persistence", "shortDescription": {"text": "Consent is collected in UI without visible backend audit persistence"}, "fullDescription": {"text": "A frontend journey appears to ask for consent to share identity/KYC/biometric data, but backend code does not show a consent audit model with scope, purpose, legal text version, timestamp, IP, or user-agent evidence."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AUC003", "name": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby a", "shortDescription": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: POST /src/app/api/automations/disp"}, "fullDescription": {"text": "A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /src/app/api/automations/dispatch/:id/route."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "high", "confidence": 0.7, "cwe": "CWE-639", "owasp": "API1:2023 Broken Object Level Authorization"}}, {"id": "JRN001", "name": "Token handoff appears to use a callback URL or fragment", "shortDescription": {"text": "Token handoff appears to use a callback URL or fragment"}, "fullDescription": {"text": "A frontend flow appears to combine a caller-controlled callback/redirect parameter with a token-bearing URL or fragment. This can exfiltrate sessions when callback validation is incomplete."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/257"}, "properties": {"repository": "superset-sh/superset", "repoUrl": "https://github.com/superset-sh/superset", "branch": "main"}, "results": [{"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 8050, "scanner": "repobility-journey-contract", "fingerprint": "9f7edd60f69a64d3014c384ac22a5d763c5ff54dec48ac815cf3e787aec78628", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/integrations/linear/jobs/sync-task", "correlation_key": 
"fp|9f7edd60f69a64d3014c384ac22a5d763c5ff54dec48ac815cf3e787aec78628", "backend_endpoint_count": 41}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/trpc/src/lib/integrations/sync/tasks.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 8049, "scanner": "repobility-journey-contract", "fingerprint": "8f5945376cd8574358d884c0c9651fc80ca78567c326a6718b0f043c8722afc9", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/trpc/{param}", "correlation_key": "fp|8f5945376cd8574358d884c0c9651fc80ca78567c326a6718b0f043c8722afc9", "backend_endpoint_count": 41}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/sdk/src/client.ts"}, "region": {"startLine": 491}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 8048, "scanner": "repobility-journey-contract", "fingerprint": "1d11df11ea9c0161b7c7063c3be52b68a5ada06a86d1c0ebdba9287554c43678", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/trpc/{param}", "correlation_key": 
"fp|1d11df11ea9c0161b7c7063c3be52b68a5ada06a86d1c0ebdba9287554c43678", "backend_endpoint_count": 41}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/sdk/src/client.ts"}, "region": {"startLine": 472}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 8047, "scanner": "repobility-journey-contract", "fingerprint": "2a487500cae0afbdc51620d80c90c99f401e386fa8550f62e6b725e6f48b1650", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/trpc", "correlation_key": "fp|2a487500cae0afbdc51620d80c90c99f401e386fa8550f62e6b725e6f48b1650", "backend_endpoint_count": 41}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/app/api/trpc/[trpc]/route.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 8046, "scanner": "repobility-journey-contract", "fingerprint": "83ecb93a02712d01926fc99b892cfb031b232bc12e7c2f301544881ff7fdba49", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/chat/{param}/stream", "correlation_key": 
"fp|83ecb93a02712d01926fc99b892cfb031b232bc12e7c2f301544881ff7fdba49", "backend_endpoint_count": 41}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/app/api/chat/[sessionId]/route.ts"}, "region": {"startLine": 125}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /src/app/api/integrations/slack/callback/route."}, "properties": {"repobilityId": 8043, "scanner": "repobility-access-control", "fingerprint": "70d3c9f2f9c0b96cb55a8e6d60188a6f50a9957cff2e1c91b6c7fb8911b297bf", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/src/app/api/integrations/slack/callback/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|15|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/app/api/integrations/slack/callback/route.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /src/app/api/integrations/slack/interactions/route."}, "properties": {"repobilityId": 8042, "scanner": "repobility-access-control", "fingerprint": "88736fc311d0eb9f6982570cacd16d3d5333481e642ef11a97f47d9a8ae67e4f", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/src/app/api/integrations/slack/interactions/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|21|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/app/api/integrations/slack/interactions/route.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /src/app/api/integrations/slack/link/route."}, "properties": {"repobilityId": 8041, "scanner": "repobility-access-control", "fingerprint": "8815e985eebcfbafc7efc8240c6008e80db890ce2fb78b17cce117d18680b97d", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/src/app/api/integrations/slack/link/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|10|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/app/api/integrations/slack/link/route.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /src/app/api/integrations/stripe/jobs/notify-slack/route."}, "properties": {"repobilityId": 8040, "scanner": "repobility-access-control", "fingerprint": "2a0d1aa5efeeaeed51cf94008a3a0ba9e08406f36525155b3c9619bb725fc06d", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/src/app/api/integrations/stripe/jobs/notify-slack/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|119|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/app/api/integrations/stripe/jobs/notify-slack/route.ts"}, "region": {"startLine": 119}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /src/app/api/integrations/linear/jobs/sync-task/route."}, "properties": {"repobilityId": 8039, "scanner": "repobility-access-control", "fingerprint": "5ec41cf6fc608aa98c854ac5be6fa26e57087c69d6a3fbb0abd16ec73b8d60d8", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/src/app/api/integrations/linear/jobs/sync-task/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|246|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/app/api/integrations/linear/jobs/sync-task/route.ts"}, "region": {"startLine": 246}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /src/app/api/integrations/linear/jobs/initial-sync/route."}, "properties": {"repobilityId": 8038, "scanner": "repobility-access-control", "fingerprint": "f2142db736b2d20e604fe4afe9be930d2612ea49ae00c73a081ef7b876aad82f", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/src/app/api/integrations/linear/jobs/initial-sync/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|25|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/app/api/integrations/linear/jobs/initial-sync/route.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /src/app/api/integrations/linear/jobs/refresh-tokens/route."}, "properties": {"repobilityId": 8037, "scanner": "repobility-access-control", "fingerprint": "4d8d2b62bf7f1d51eba8f1b6e9fe4ea97544eda6db48e07570b050c4b197a12a", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/src/app/api/integrations/linear/jobs/refresh-tokens/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|13|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/app/api/integrations/linear/jobs/refresh-tokens/route.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /src/app/api/integrations/linear/connect/route."}, "properties": {"repobilityId": 8036, "scanner": "repobility-access-control", "fingerprint": "c9445db02d477ec2e786fae07683bbea87426bd760a31294b4c262509b18eea2", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/src/app/api/integrations/linear/connect/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|7|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/app/api/integrations/linear/connect/route.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /src/app/api/integrations/linear/webhook/route."}, "properties": {"repobilityId": 8035, "scanner": "repobility-access-control", "fingerprint": "a0ab8e6f200aca5ca378115b7f552e54ce357ac20eeaa533c175e130b24c6763", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/src/app/api/integrations/linear/webhook/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|22|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/app/api/integrations/linear/webhook/route.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /src/app/api/integrations/linear/callback/route."}, "properties": {"repobilityId": 8034, "scanner": "repobility-access-control", "fingerprint": "4e03d176197707027ad8a3666df8ee8857003adfa13de0d411089acb7f3c5ad5", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/src/app/api/integrations/linear/callback/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|17|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/app/api/integrations/linear/callback/route.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 31.7% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 8032, "scanner": "repobility-access-control", "fingerprint": "fdc85c5270310ee6b1cfeb5c7ffe5e88093dc3b582f455ed1e21dfdface5bf71", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 41, "correlation_key": "fp|fdc85c5270310ee6b1cfeb5c7ffe5e88093dc3b582f455ed1e21dfdface5bf71", "auth_visible_percent": 31.7}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 8031, "scanner": "repobility-access-control", "fingerprint": 
"f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 8029, "scanner": "repobility-docker", "fingerprint": "04b3787e70c83614f2d64c1c735fa492c0b3e39f635cb0850229983ef659c186", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|04b3787e70c83614f2d64c1c735fa492c0b3e39f635cb0850229983ef659c186", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/relay/Dockerfile"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKR018", "level": "warning", "message": {"text": "Database dump or local database file is included in Docker build context"}, "properties": {"repobilityId": 8028, "scanner": "repobility-docker", "fingerprint": "655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like artifacts are reachable from the Docker 
build context and are not ignored.", "evidence": {"rule_id": "DKR018", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "database_artifacts": [{"path": "packages/db/drizzle/0026_add_assignee_external_snapshot.sql", "size_mb": 0.0}]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 8023, "scanner": "repobility-threat-engine", "fingerprint": "168bd203927db1d985ac29745c10a26b4662505fdc692ebae47108cf4b29dfb2", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|168bd203927db1d985ac29745c10a26b4662505fdc692ebae47108cf4b29dfb2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/renderer/routes/error.tsx"}, "region": {"startLine": 33}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 8022, "scanner": "repobility-threat-engine", "fingerprint": "22e0cc20b553d8deb4e7e96a71d63e748855772b98e878fd3c5584dc59fe8e3f", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", 
"reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|22e0cc20b553d8deb4e7e96a71d63e748855772b98e878fd3c5584dc59fe8e3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/relay/src/tunnel.ts"}, "region": {"startLine": 335}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 8021, "scanner": "repobility-threat-engine", "fingerprint": "967d909a3e1924f0f4bcf61d2f0ca5e9eae918423c7ec9f8fbe3521fae17608f", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|967d909a3e1924f0f4bcf61d2f0ca5e9eae918423c7ec9f8fbe3521fae17608f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/relay/src/synthetic.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8020, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3963fe4dcfbde7085e7f4e75866aef56b5b26683db5743f6755a6407b33530a8", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/api/src/app/api/github/install/route.ts", "duplicate_line": 7, "correlation_key": 
"fp|3963fe4dcfbde7085e7f4e75866aef56b5b26683db5743f6755a6407b33530a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/app/api/integrations/linear/connect/route.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8019, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7b7e76aae5510b8376f18e9c7679dda322311e5c914cf287a83518fca2072ebb", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/api/src/app/api/github/jobs/initial-sync/route.ts", "duplicate_line": 82, "correlation_key": "fp|7b7e76aae5510b8376f18e9c7679dda322311e5c914cf287a83518fca2072ebb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/app/api/github/sync/route.ts"}, "region": {"startLine": 55}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8018, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8dee18f5f3cd6a7174e68d2ba280935458067ffd86af9af0902a365371d8f216", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/api/src/app/.well-known/oauth-protected-resource/[...path]/route.ts", "duplicate_line": 19, "correlation_key": 
"fp|8dee18f5f3cd6a7174e68d2ba280935458067ffd86af9af0902a365371d8f216"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/app/.well-known/oauth-protected-resource/route.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8017, "scanner": "repobility-ai-code-hygiene", "fingerprint": "20096f624cfe487e7ef486efd667534af128f8abfed4bced104af3cf18a58c9c", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/admin/next.config.ts", "duplicate_line": 1, "correlation_key": "fp|20096f624cfe487e7ef486efd667534af128f8abfed4bced104af3cf18a58c9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/next.config.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8016, "scanner": "repobility-ai-code-hygiene", "fingerprint": "441cf894237d5a7de05ec145afcdbce142a22431c834b91ae29f6a940e89eca9", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/admin/src/app/(dashboard)/components/SignupsTrendChart/SignupsTrendChart.tsx", "duplicate_line": 88, "correlation_key": "fp|441cf894237d5a7de05ec145afcdbce142a22431c834b91ae29f6a940e89eca9"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "apps/admin/src/app/(dashboard)/components/WAUTrendChart/WAUTrendChart.tsx"}, "region": {"startLine": 88}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8015, "scanner": "repobility-ai-code-hygiene", "fingerprint": "98756407d955ef34754da99174bdf11cc24a63c37fba3a5363d6a09ad848202f", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/admin/src/app/(dashboard)/components/RevenueTrendChart/RevenueTrendChart.tsx", "duplicate_line": 6, "correlation_key": "fp|98756407d955ef34754da99174bdf11cc24a63c37fba3a5363d6a09ad848202f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/admin/src/app/(dashboard)/components/WAUTrendChart/WAUTrendChart.tsx"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8014, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c38824d58b4ec0115307e4d02b50020189058cf0c8b64b592050c95b7fde94bb", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/admin/src/app/(dashboard)/components/FunnelChart/FunnelChart.tsx", "duplicate_line": 1, "correlation_key": 
"fp|c38824d58b4ec0115307e4d02b50020189058cf0c8b64b592050c95b7fde94bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/admin/src/app/(dashboard)/components/WAUTrendChart/WAUTrendChart.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8013, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f6e370c8bc33d4314c06954032305c56ffbc9e06ce10670463bf02eff2cc1923", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/admin/src/app/(dashboard)/components/FunnelChart/FunnelChart.tsx", "duplicate_line": 1, "correlation_key": "fp|f6e370c8bc33d4314c06954032305c56ffbc9e06ce10670463bf02eff2cc1923"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/admin/src/app/(dashboard)/components/TrafficSourcesChart/TrafficSourcesChart.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8012, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e384fe287de75046575a91670d2f52c280061eb792650f455b157211e3b551da", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/admin/src/app/(dashboard)/components/RevenueTrendChart/RevenueTrendChart.tsx", 
"duplicate_line": 6, "correlation_key": "fp|e384fe287de75046575a91670d2f52c280061eb792650f455b157211e3b551da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/admin/src/app/(dashboard)/components/SignupsTrendChart/SignupsTrendChart.tsx"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8011, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d00eb224e58300ce25e1a498da9dd40e33207a268c16636324b8f9f6fe7ee313", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/admin/src/app/(dashboard)/components/FunnelChart/FunnelChart.tsx", "duplicate_line": 1, "correlation_key": "fp|d00eb224e58300ce25e1a498da9dd40e33207a268c16636324b8f9f6fe7ee313"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/admin/src/app/(dashboard)/components/SignupsTrendChart/SignupsTrendChart.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8010, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b39000fcbf9d25c2752280bdb76bc2036bedc85d00b034787fb6ac74be722ccb", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"apps/admin/src/app/(dashboard)/components/FunnelChart/FunnelChart.tsx", "duplicate_line": 1, "correlation_key": "fp|b39000fcbf9d25c2752280bdb76bc2036bedc85d00b034787fb6ac74be722ccb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/admin/src/app/(dashboard)/components/RevenueTrendChart/RevenueTrendChart.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8009, "scanner": "repobility-ai-code-hygiene", "fingerprint": "580a90c7fbef173b68096273e90eba699279f3698004ba2c9b388f0618de3861", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/admin/src/app/(dashboard)/components/FunnelChart/FunnelChart.tsx", "duplicate_line": 45, "correlation_key": "fp|580a90c7fbef173b68096273e90eba699279f3698004ba2c9b388f0618de3861"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/admin/src/app/(dashboard)/components/LeaderboardTable/LeaderboardTable.tsx"}, "region": {"startLine": 46}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 8030, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], 
"correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 8008, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fc4a0f1e65faaad5cbc80d17a659a415cf7983655158ad48052c0e946d9ff20f", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "draft", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|fc4a0f1e65faaad5cbc80d17a659a415cf7983655158ad48052c0e946d9ff20f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/renderer/stores/new-workspace-draft.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC009", "level": "note", "message": {"text": "Multiple AI-agent scaffold marker files are present"}, "properties": {"repobilityId": 8007, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ff6e1d5f8944c42e18d355d72dd1be436aa8bed440cc2a7bce2c8a8fb4706ed6", "category": "quality", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository root contains several AI-agent scaffold marker files.", "evidence": {"markers": ["AGENTS.md", "CLAUDE.md", "CODEX.md"], "rule_id": "AIC009", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|ff6e1d5f8944c42e18d355d72dd1be436aa8bed440cc2a7bce2c8a8fb4706ed6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "AGENTS.md"}, "region": {"startLine": 1}}}]}, 
{"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 8027, "scanner": "repobility-threat-engine", "fingerprint": "23f917e81a041e909466a8359da5afa5bfa35399f8b6e27b48d1980ba39817de", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|60|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/renderer/stores/tabs/utils.ts"}, "region": {"startLine": 60}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 8026, "scanner": "repobility-threat-engine", "fingerprint": "06281d099fba3c0eae2298c654c7efb5a25f708b8b09369ab7c4ab89598f7e9e", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Form field or UI element reference", "evidence": {"match": "console.log(`AGENT: ${config.label} (${config.id})", "reason": "Form field or UI element reference", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|20|console.log agent: config.label config.id"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/scripts/demo-launch-spec.ts"}, "region": {"startLine": 203}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 8025, "scanner": "repobility-threat-engine", "fingerprint": "94bff81d1dfc438627326a2b9aaf7d3d3cd3a54edc2ed67390f26c1e916b61db", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.error(\"[slack/callback] Slack API error:\", tokenData.error)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|7|console.error slack/callback slack api error: tokendata.error"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/app/api/integrations/slack/callback/route.ts"}, "region": {"startLine": 72}}}]}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 1 more): Same pattern found in 1 additional file. Review if needed."}, "properties": {"repobilityId": 8024, "scanner": "repobility-threat-engine", "fingerprint": "e7174d71aa23c14419f9144792a6ba116afcec3004f64b82de4dbf54fc9e1921", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrence found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrence found. 
The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|e7174d71aa23c14419f9144792a6ba116afcec3004f64b82de4dbf54fc9e1921"}}}, {"ruleId": "JRN004", "level": "error", "message": {"text": "Consent is collected in UI without visible backend audit persistence"}, "properties": {"repobilityId": 8051, "scanner": "repobility-journey-contract", "fingerprint": "7d3ed72eb5b49a0c70ecef1814ed8a59c80b5f53b075adf6f12129ea3eff1481", "category": "auth", "severity": "high", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Frontend consent wording was found, but backend consent/audit metadata was not visible.", "evidence": {"rule_id": "JRN004", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "code|auth|token|1169|jrn004", "backend_consent_model": false, "backend_audit_signal_count": 1}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/lib/trpc/routers/workspaces/utils/git.ts"}, "region": {"startLine": 1169}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: POST /src/app/api/automations/dispatch/:id/route."}, "properties": {"repobilityId": 8033, "scanner": "repobility-access-control", "fingerprint": "89cd5581311e192b58da698b4d979c9a255f76c368c95c6315a2f548d3592bbb", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/src/app/api/automations/dispatch/:id/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token / id /route.ts|23|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/app/api/automations/dispatch/[id]/route.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "JRN001", "level": "error", "message": {"text": "Token handoff appears to use a callback URL or fragment"}, "properties": {"repobilityId": 8045, "scanner": "repobility-journey-contract", "fingerprint": "b20d6023707fbb729060345856554af455236f52265ce3b6c8167426df1c3543", "category": "auth", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Callback/redirect wording, token-in-URL syntax, and navigation code appear near each other.", "evidence": {"rule_id": "JRN001", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html", "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|71|jrn001"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/workspace-client/src/lib/eventBus.ts"}, "region": {"startLine": 71}}}]}, {"ruleId": "JRN001", "level": "error", "message": {"text": "Token handoff appears to use a callback URL or fragment"}, "properties": {"repobilityId": 
8044, "scanner": "repobility-journey-contract", "fingerprint": "aa78ece1f16584b8bfdc9dc6a414ff268a7d7a88d6c35b47e9b3b6120b99277a", "category": "auth", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Callback/redirect wording, token-in-URL syntax, and navigation code appear near each other.", "evidence": {"rule_id": "JRN001", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html", "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|82|jrn001"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/app/auth/desktop/success/page.tsx"}, "region": {"startLine": 82}}}]}]}]}