{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "JRN002", "name": "Browser storage is used for session token material", "shortDescription": {"text": "Browser storage is used for session token material"}, "fullDescription": {"text": "Prefer httpOnly, Secure, SameSite cookies or short-lived in-memory tokens. Avoid persistent browser storage for access, refresh, ID, or partner session tokens."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /ar"}, "fullDescription": {"text": "Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 22.2% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 22.2% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. Log non-quota failures for diagnostics."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "AGT008", "name": "Ollama audio payload path may mislead users about direct model audio", "shortDescription": {"text": "Ollama audio payload path may mislead users about direct model audio"}, "fullDescription": {"text": "Gate direct audio sending on a verified runtime capability check. Until supported, show a one-time notice that voice is transcribed in the browser and only text is sent to the model."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Compose service `e2e` image uses the latest tag", "shortDescription": {"text": "Compose service `e2e` image uses the latest tag"}, "fullDescription": {"text": "The latest tag is mutable and can change without a code review, producing different images from the same source."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "SEC005", "name": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.", "shortDescription": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "fullDescription": {"text": "Use subprocess with shell=False and a list of args. Never eval user input."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC001", "name": "Parallel implementation file sits beside a canonical file", "shortDescription": {"text": "Parallel implementation file sits beside a canonical file"}, "fullDescription": {"text": "Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Add `--no-install-recommends` and explicitly list only packages the image needs."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Compose service `inference-e2e` image is selected through a build variable", "shortDescription": {"text": "Compose service `inference-e2e` image is selected through a build variable"}, "fullDescription": {"text": "Resolve the variable to a versioned tag or digest in production builds and document the allowed images."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "info", "confidence": 0.48, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED049] Print Pii (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED053", "name": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeh", "shortDescription": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1392,CWE-798 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.", "shortDescription": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 3 more): Same pattern found in 3 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or neve", "shortDescription": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.", "shortDescription": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 10 more): Same pattern found in 10 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 5 more): Same pattern found in 5 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED066", "name": "[MINED066] Rust Panic Macro (and 20 more): Same pattern found in 20 additional files. Review if needed.", "shortDescription": {"text": "[MINED066] Rust Panic Macro (and 20 more): Same pattern found in 20 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED098", "name": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios ", "shortDescription": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "fullDescription": {"text": "Import the library where you need it instead of attaching to window. For legitimate global registries, use a namespaced object (e.g., `window.__myApp.axios`)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 77 more): Same pattern found in 77 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 77 more): Same pattern found in 77 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED068", "name": "[MINED068] Rust Unsafe Block (and 12 more): Same pattern found in 12 additional files. Review if needed.", "shortDescription": {"text": "[MINED068] Rust Unsafe Block (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-119 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 45 more): Same pattern found in 45 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 45 more): Same pattern found in 45 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED003", "name": "[MINED003] Rust Unwrap In Prod (and 278 more): Same pattern found in 278 additional files. Review if needed.", "shortDescription": {"text": "[MINED003] Rust Unwrap In Prod (and 278 more): Same pattern found in 278 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 26 more): Same pattern found in 26 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 26 more): Same pattern found in 26 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED059", "name": "[MINED059] Rust Expect In Prod (and 127 more): Same pattern found in 127 additional files. Review if needed.", "shortDescription": {"text": "[MINED059] Rust Expect In Prod (and 127 more): Same pattern found in 127 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "[MINED126] Workflow container/services image `ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` unpinned: `container/servic", "shortDescription": {"text": "[MINED126] Workflow container/services image `ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` unpinned: `container/services image: ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` without `@sha256:...` pulls a mutable tag at workflow-run time."}, "fullDescription": {"text": "Replace with `ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0@sha256:<digest>`. Re-pin via Dependabot Docker scope."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v5`: `uses: actions/upload-artifact@v5` resolves at ", "shortDescription": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v5`: `uses: actions/upload-artifact@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compro"}, "fullDescription": {"text": "Replace with: `uses: actions/upload-artifact@<40-char-sha>  # v5` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `ubuntu:22.04` not pinned by digest: `FROM ubuntu:22.04` resolves the tag at build time. The ", "shortDescription": {"text": "[MINED118] Dockerfile FROM `ubuntu:22.04` not pinned by digest: `FROM ubuntu:22.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images shou"}, "fullDescription": {"text": "Replace with: `FROM ubuntu:22.04@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Never prefill secret fields with stored values. Show a masked status such as configured/not configured, require explicit rotation to replace the value, and return the raw key only once at creation time."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "MINED099", "name": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded dir", "shortDescription": {"text": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. AI assistants frequently leak demo credentials."}, "fullDescription": {"text": "Move the secret to an environment variable or secret manager. Rotate the exposed credential immediately \u2014 assume it is compromised."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED021", "name": "[MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain \"../\" \u2014 directory escape.", "shortDescription": {"text": "[MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain \"../\" \u2014 directory escape."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-22 / A01:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC100", "name": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make ", "shortDescription": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "fullDescription": {"text": "Allowlist specific origins. For dynamic per-request validation, validate against a known list and echo the origin back. Never combine wildcard origin with credentials."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC103", "name": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inje", "shortDescription": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "fullDescription": {"text": "Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders)."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC018", "name": "[SEC018] AI-Agent Secret Retrieval Command: A command that prints or embeds credentials was committed. AI coding agents ", "shortDescription": {"text": "[SEC018] AI-Agent Secret Retrieval Command: A command that prints or embeds credentials was committed. AI coding agents often add these commands while trying to help with setup or deployment, but they can leak live secrets through logs, she"}, "fullDescription": {"text": "Remove the command, use a secret manager or CI masked secret, and rotate any credential that may have been printed."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED027", "name": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated ", "shortDescription": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "JRN004", "name": "Consent is collected in UI without visible backend audit persistence", "shortDescription": {"text": "Consent is collected in UI without visible backend audit persistence"}, "fullDescription": {"text": "A frontend journey appears to ask for consent to share identity/KYC/biometric data, but backend code does not show a consent audit model with scope, purpose, legal text version, timestamp, IP, or user-agent evidence."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "DKR006", "name": "Dockerfile pipes a remote script into a shell", "shortDescription": {"text": "Dockerfile pipes a remote script into a shell"}, "fullDescription": {"text": "Download the artifact, verify its checksum or signature, pin the version, and then execute it."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "JRN001", "name": "Token handoff appears to use a callback URL or fragment", "shortDescription": {"text": "Token handoff appears to use a callback URL or fragment"}, "fullDescription": {"text": "Use a server-side one-time authorization code tied to a registered callback allowlist. Do not append access tokens to callback URLs or fragments."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "MINED013", "name": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages.", "shortDescription": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-200 / A07:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC019", "name": "[SEC019] Raw Authorization Token in Example: A real-looking API token appears in an Authorization-style header or servic", "shortDescription": {"text": "[SEC019] Raw Authorization Token in Example: A real-looking API token appears in an Authorization-style header or service-key example. Use placeholders in docs and CI snippets; never paste live tokens into source, comments, or README files."}, "fullDescription": {"text": "Replace the value with a placeholder, revoke or rotate the exposed token, and store live values only in a masked secret store."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED007", "name": "[MINED007] Sql String Concat: cursor.execute(f\"... {user_input} ...\") \u2014 SQL injection.", "shortDescription": {"text": "[MINED007] Sql String Concat: cursor.execute(f\"... {user_input} ...\") \u2014 SQL injection."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-89 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC010", "name": "[SEC010] Cloud Provider Token: Cloud provider or SaaS API token found in source code.", "shortDescription": {"text": "[SEC010] Cloud Provider Token: Cloud provider or SaaS API token found in source code."}, "fullDescription": {"text": "Remove immediately and rotate the token. Use environment variables."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/180"}, "properties": {"repository": "tinyhumansai/openhuman", "repoUrl": "https://github.com/tinyhumansai/openhuman", "branch": "main"}, "results": [{"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 40736, "scanner": "repobility-journey-contract", "fingerprint": "da44730a2242eb5cb5e4ddc446bb98e09df7f818c361a038d6e6d53d3eca82fe", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/show", "correlation_key": "fp|da44730a2242eb5cb5e4ddc446bb98e09df7f818c361a038d6e6d53d3eca82fe", "backend_endpoint_count": 72}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/utils/tauriCommands/localAi.ts"}, "region": {"startLine": 199}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 40735, "scanner": "repobility-journey-contract", "fingerprint": "7c98688c5c637ec75551ff70f225e753f0a9c4a1e8e1589dadb43788b2da4bbc", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|256|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/utils/configPersistence.ts"}, "region": {"startLine": 256}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 40734, "scanner": "repobility-journey-contract", "fingerprint": "176a4608776e3936d4fc46e90aa632ef548720f8c81b9634bc15992c73812ae4", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|239|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/utils/configPersistence.ts"}, "region": {"startLine": 239}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 40733, "scanner": "repobility-journey-contract", "fingerprint": "c4f9249211b8352f1fabf40c8e76fd941ae88de31ca7f90bf96058a2f47e85dd", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|67|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/store/coreModeSlice.ts"}, "region": {"startLine": 67}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /artifacts/{asset}."}, "properties": {"repobilityId": 40731, "scanner": "repobility-access-control", "fingerprint": "83a496f078fc31305a3812d382e3c76d2160e35648a0292e5c004e66a09b33e2", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/artifacts/{asset}", "method": "ANY", "scanner": "repobility-access-control", "framework": "Actix", "correlation_key": "code|auth|token|33|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/openhuman/runtime_python/bootstrap_tests.rs"}, "region": {"startLine": 33}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /releases/latest."}, "properties": {"repobilityId": 40730, "scanner": "repobility-access-control", "fingerprint": "4f79bc302df326f1c0c29f1d31187326697f0b6bb7c3c2b278183a87c421204f", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/releases/latest", "method": "ANY", "scanner": "repobility-access-control", "framework": "Actix", "correlation_key": "code|auth|token|32|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/openhuman/runtime_python/bootstrap_tests.rs"}, "region": {"startLine": 32}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /."}, "properties": {"repobilityId": 40729, "scanner": "repobility-access-control", "fingerprint": "7b9080bc03e83dee437d7c7d75bc0b8a18aff5c247b72c235937f2a616583fea", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/", "method": "ANY", "scanner": "repobility-access-control", "framework": "Actix", "correlation_key": "code|auth|token|449|auc009", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/openhuman/mcp_server/http.rs"}, "region": {"startLine": 449}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /."}, "properties": {"repobilityId": 40728, "scanner": "repobility-access-control", "fingerprint": "cf15e2d4e259e1468b013dd4d9ff7d51bbca242cb3f093070115d518a8c8e2ae", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/", "method": "ANY", "scanner": "repobility-access-control", "framework": "Actix", "correlation_key": "code|auth|token|351|auc009", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/openhuman/mcp_server/http.rs"}, "region": {"startLine": 351}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /."}, "properties": {"repobilityId": 40727, "scanner": "repobility-access-control", "fingerprint": "9c3f76ae76fd7c771fef7f91a18adec428b5e6ac4e49006959a27079fb2db392", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/", "method": "ANY", "scanner": "repobility-access-control", "framework": "Actix", "correlation_key": "code|auth|token|73|auc009", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/openhuman/mcp_server/http.rs"}, "region": {"startLine": 73}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /probe."}, "properties": {"repobilityId": 40726, "scanner": "repobility-access-control", "fingerprint": "bc300b9c0ea84da1ac9255057aee80750adde5a4054d59ac6bd7767f66bf19df", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/probe", "method": "ANY", "scanner": "repobility-access-control", "framework": "Actix", "correlation_key": "code|auth|src/api/rest_tests.rs|191|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/rest_tests.rs"}, "region": {"startLine": 191}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 22.2% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 40725, "scanner": "repobility-access-control", "fingerprint": "d0ec21e054be47268f81034df4f006906b4ec6dc519f9e0e9e883710d0f59dc2", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 72, "correlation_key": "fp|d0ec21e054be47268f81034df4f006906b4ec6dc519f9e0e9e883710d0f59dc2", "auth_visible_percent": 22.2}}}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 40720, "scanner": "repobility-agent-runtime", "fingerprint": "ab19fc473d1835bd58282b157728d8eaaa02ed26c1c93c6f98222ee3277763f7", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|ab19fc473d1835bd58282b157728d8eaaa02ed26c1c93c6f98222ee3277763f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/pages/onboarding/components/BetaBanner.tsx"}, "region": {"startLine": 22}}}]}, {"ruleId": "AGT008", "level": "warning", "message": {"text": "Ollama audio payload path may mislead users about direct model audio"}, "properties": {"repobilityId": 40719, "scanner": "repobility-agent-runtime", "fingerprint": "4638f227f921228e36419cd8ef41b10dc20a48785f53d4b4ad7d68d1db69bd82", "category": "quality", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File references Ollama and an audios payload without an obvious capability check or browser-transcription disclosure.", "evidence": {"rule_id": "AGT008", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|4638f227f921228e36419cd8ef41b10dc20a48785f53d4b4ad7d68d1db69bd82"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/pages/Conversations.tsx"}, "region": {"startLine": 664}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 40718, "scanner": "repobility-agent-runtime", "fingerprint": "580345546ee33bf65b94eac38b6aba33b91d0fd04a285f8b6a563abad29072e5", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|580345546ee33bf65b94eac38b6aba33b91d0fd04a285f8b6a563abad29072e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/overlay/OverlayApp.tsx"}, "region": {"startLine": 486}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 40717, "scanner": "repobility-agent-runtime", "fingerprint": "2f472da371f255762bd4cbbf693afce286637502a550265a17a023715a32934f", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|2f472da371f255762bd4cbbf693afce286637502a550265a17a023715a32934f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/settings/panels/AgentChatPanel.tsx"}, "region": {"startLine": 48}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 40716, "scanner": "repobility-agent-runtime", "fingerprint": "3966f04b2706a9e1f509a7a34333fef45ce35f2c04ecd7136c14030272006733", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|3966f04b2706a9e1f509a7a34333fef45ce35f2c04ecd7136c14030272006733"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.zh-CN.md"}, "region": {"startLine": 54}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 40715, "scanner": "repobility-agent-runtime", "fingerprint": "cacbd01fb94f5a4a539a27f985df1036ea3a866e6eafcfbde6001f6a39783cdd", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|cacbd01fb94f5a4a539a27f985df1036ea3a866e6eafcfbde6001f6a39783cdd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.ko.md"}, "region": {"startLine": 56}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 40714, "scanner": "repobility-agent-runtime", "fingerprint": "a006b241177cd5bd3990bcdb0f127a61f0de4a998ab30c94cf892976950cdcdb", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|a006b241177cd5bd3990bcdb0f127a61f0de4a998ab30c94cf892976950cdcdb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.ja-JP.md"}, "region": {"startLine": 55}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 40713, "scanner": "repobility-agent-runtime", "fingerprint": "937329c08c0e1417ccf6630953973710d9027686e675790103c0d64bab93e368", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|937329c08c0e1417ccf6630953973710d9027686e675790103c0d64bab93e368"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.de.md"}, "region": {"startLine": 55}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 40676, "scanner": "repobility-threat-engine", "fingerprint": "465f079aec58dedbbbe4e184bdd4dc604e47e8311d4d41692154b4e9648a8354", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "endpoint: \"https://example.com", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|465f079aec58dedbbbe4e184bdd4dc604e47e8311d4d41692154b4e9648a8354"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/openhuman/tools/impl/network/mcp.rs"}, "region": {"startLine": 300}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 40675, "scanner": "repobility-threat-engine", "fingerprint": "73ec81eef75147b3d255ab6eb437b89033aec973e53292abfd0e550c70d6eeb5", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url = \"https://example.com", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|73ec81eef75147b3d255ab6eb437b89033aec973e53292abfd0e550c70d6eeb5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/openhuman/redirect_links/store.rs"}, "region": {"startLine": 301}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 40670, "scanner": "repobility-threat-engine", "fingerprint": "61c8c27cc0fa31008e61790a37b247bd55ecb3228bbb8682ab851dc590517271", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.5 bits) \u2014 may be placeholder or common string", "evidence": {"match": "PASSWORD=\"<redacted>\"", "reason": "Low entropy value (3.5 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|scripts/load-env.sh|1|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/load-env.sh"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 40669, "scanner": "repobility-threat-engine", "fingerprint": "d06644e497d342c75d3327e7c134d910132728855da94e90255bf3fa2618d1c6", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (4.1 bits) \u2014 may be placeholder or common string", "evidence": {"match": "PASSWORD=\"<redacted> rand -base64 32)\"", "reason": "Low entropy value (4.1 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|7|password redacted rand -base64 32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/build-macos-signed.sh"}, "region": {"startLine": 76}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 40663, "scanner": "repobility-threat-engine", "fingerprint": "e837bb21282b736d0b27e5e1aa48e29f25102bf074c9dbc6af7c4429ba3b2c6d", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(normalizedUrl, '_blank', 'noopener,noreferrer')", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|app/src/utils/openurl.ts|70|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/utils/openUrl.ts"}, "region": {"startLine": 70}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 40662, "scanner": "repobility-threat-engine", "fingerprint": "bc97fa191c812fea47f465941b4546ce07152694b3638d27d9281f8d9af8b703", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random().toString(36).slice(2, 12)}`;\n      localStorage.setItem(STORAGE_KEY", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bc97fa191c812fea47f465941b4546ce07152694b3638d27d9281f8d9af8b703"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/utils/deviceFingerprint.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 40647, "scanner": "repobility-threat-engine", "fingerprint": "28e4930a9047de841d526713ad20177b2e73ba42b40084631957fdc593206312", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|scripts/agent-batch/lib.mjs|116|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/agent-batch/lib.mjs"}, "region": {"startLine": 116}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 40646, "scanner": "repobility-threat-engine", "fingerprint": "231fb2a3275b725d9f802a1c2b190e2f3c47f32bfcd38ac80b4d6125698d6b61", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|34|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/pages/conversations/utils/workerThreadRef.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 40645, "scanner": "repobility-threat-engine", "fingerprint": "0b08e7d866c5b72e956c050bf4f4a36486ddbb043f8eae1660f9676b300c8dd7", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|111|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/pages/conversations/utils/format.ts"}, "region": {"startLine": 111}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 40621, "scanner": "repobility-threat-engine", "fingerprint": "ef0d8080f95011c582e82c55b2d4cc4733c7b0a640858585a2b0bada8bf35368", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (_) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ef0d8080f95011c582e82c55b2d4cc4733c7b0a640858585a2b0bada8bf35368"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/meet_audio/captions_bridge.js"}, "region": {"startLine": 158}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 40620, "scanner": "repobility-threat-engine", "fingerprint": "ea83aae6d046e1361bb672c6c3f0b4988949e5068706b5a1715d94537b86db6b", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (_) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ea83aae6d046e1361bb672c6c3f0b4988949e5068706b5a1715d94537b86db6b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/meet_audio/audio_bridge.js"}, "region": {"startLine": 209}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 5192, "scanner": "repobility-journey-contract", "fingerprint": "938b0a5b759b66d22ab6b6070d2348a7c0e49e4a15c8102f79d67cd012345ec7", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|171|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/utils/configPersistence.ts"}, "region": {"startLine": 171}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 5191, "scanner": "repobility-journey-contract", "fingerprint": "9b670f0c311aae73919e49a887f9a16b73150dbd913a2a09583a1652fe539eb0", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|154|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/utils/configPersistence.ts"}, "region": {"startLine": 154}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 5190, "scanner": "repobility-journey-contract", "fingerprint": "c61bc8ca3da779205d1fd3a85ea09037c052776d48671dd6695da83afe0e7964", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|60|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/store/coreModeSlice.ts"}, "region": {"startLine": 60}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /probe."}, "properties": {"repobilityId": 5189, "scanner": "repobility-access-control", "fingerprint": "0cb02af8ab627350b6f8120bb5e08298a3e9238bac7efa985b58b0e00b7b9206", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/probe", "method": "ANY", "scanner": "repobility-access-control", "framework": "Actix", "correlation_key": "code|auth|src/api/rest_tests.rs|187|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/rest_tests.rs"}, "region": {"startLine": 187}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 19.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 5188, "scanner": "repobility-access-control", "fingerprint": "b8aec905544bed83fdc3a42829107350ecf9e4a9966950416af2389bcfb07328", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 42, "correlation_key": "fp|b8aec905544bed83fdc3a42829107350ecf9e4a9966950416af2389bcfb07328", "auth_visible_percent": 19.0}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 5187, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Actix", "Axum"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `e2e` image uses the latest tag"}, "properties": {"repobilityId": 5186, "scanner": "repobility-docker", "fingerprint": "f8629e196d6fc0c6b1142aad9b7d73b2e8c868ac172043f0b771e1b249cde2ab", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Image tag is latest.", "evidence": {"image": "ghcr.io/tinyhumansai/openhuman_ci:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|f8629e196d6fc0c6b1142aad9b7d73b2e8c868ac172043f0b771e1b249cde2ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/docker-compose.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 5184, "scanner": "repobility-docker", "fingerprint": "e934807ed7f25492c22e61e7dab3ac09998d87533437466d526f5399801e0cdc", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "ubuntu:22.04", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e934807ed7f25492c22e61e7dab3ac09998d87533437466d526f5399801e0cdc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/Dockerfile"}, "region": {"startLine": 14}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 5178, "scanner": "repobility-docker", "fingerprint": "4f231211c7d99915271b0839f519a39b956013e34c7ce04792275f68dcf3bebb", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "ubuntu:22.04", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|4f231211c7d99915271b0839f519a39b956013e34c7ce04792275f68dcf3bebb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC005", "level": "warning", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 5175, "scanner": "repobility-threat-engine", "fingerprint": "76f6efcd1c7652dd306d7edc263faf37cad7d1957d4b038f749bc09af87d21ad", "category": "injection", "severity": "medium", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "shell=True detected \u2014 verify command source is not user-controllable", "evidence": {"match": "exec(input", "reason": "shell=True detected \u2014 verify command source is not user-controllable", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|token|34|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/pages/conversations/utils/workerThreadRef.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 5166, "scanner": "repobility-threat-engine", "fingerprint": "1550948315f6f851255f5d664c662bfff217dc5c6462f69abda5bee8ab2e17bc", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (_) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1550948315f6f851255f5d664c662bfff217dc5c6462f69abda5bee8ab2e17bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/meet_video/camera_bridge.js"}, "region": {"startLine": 138}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 5165, "scanner": "repobility-threat-engine", "fingerprint": "9d81123cbeb98a1eb62f29ce49a9ac4ea6d193a0e3a1706494c950d5e488ba9a", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch(function () {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9d81123cbeb98a1eb62f29ce49a9ac4ea6d193a0e3a1706494c950d5e488ba9a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/webview_accounts/runtime.js"}, "region": {"startLine": 159}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 5164, "scanner": "repobility-threat-engine", "fingerprint": "61c34d6c620b75eaebc1ce3a4f51611cd02e167de0c49c1cbfe21e450b1b3b77", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (_) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|61c34d6c620b75eaebc1ce3a4f51611cd02e167de0c49c1cbfe21e450b1b3b77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/recipes/google-meet/recipe.js"}, "region": {"startLine": 47}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 5163, "scanner": "repobility-agent-runtime", "fingerprint": "ed6e349a6bdfc1c4ddac8e94498e55105bb82063aa97ec398c35b6094fe911f2", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|ed6e349a6bdfc1c4ddac8e94498e55105bb82063aa97ec398c35b6094fe911f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/vite.config.ts"}, "region": {"startLine": 48}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 5162, "scanner": "repobility-agent-runtime", "fingerprint": "0efe38aa8f780a750e6c9210e333ea4705df2fd666dd890325d3cfe7defd168c", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|0efe38aa8f780a750e6c9210e333ea4705df2fd666dd890325d3cfe7defd168c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/store/userScopedStorage.ts"}, "region": {"startLine": 46}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 5161, "scanner": "repobility-agent-runtime", "fingerprint": "29510b4863409535d0b7e0f10f369a57da0919b9ad263d7c05ce0960c8ed07a8", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|29510b4863409535d0b7e0f10f369a57da0919b9ad263d7c05ce0960c8ed07a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/store/index.ts"}, "region": {"startLine": 51}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 5160, "scanner": "repobility-agent-runtime", "fingerprint": "85077487b977acb768a2239a954aa7f0906d801fbc9f633935eea39e0b6c3d9d", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|85077487b977acb768a2239a954aa7f0906d801fbc9f633935eea39e0b6c3d9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/pages/onboarding/components/BetaBanner.tsx"}, "region": {"startLine": 20}}}]}, {"ruleId": "AGT008", "level": "warning", "message": {"text": "Ollama audio payload path may mislead users about direct model audio"}, "properties": {"repobilityId": 5159, "scanner": "repobility-agent-runtime", "fingerprint": "f538455b9cdcee2a2849e4f64ee81bdacac7f5a99a3012c4c0a82b42804a1a8a", "category": "quality", "severity": "medium", "confidence": 0.68, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "File references Ollama and an audios payload without an obvious capability check or browser-transcription disclosure.", "evidence": {"rule_id": "AGT008", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|f538455b9cdcee2a2849e4f64ee81bdacac7f5a99a3012c4c0a82b42804a1a8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/pages/Conversations.tsx"}, "region": {"startLine": 618}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 5158, "scanner": "repobility-agent-runtime", "fingerprint": "4b59d9c309d7898774d889516bb9629dbf408c609c23d7e3b9976e796be7a409", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|4b59d9c309d7898774d889516bb9629dbf408c609c23d7e3b9976e796be7a409"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/overlay/OverlayApp.tsx"}, "region": {"startLine": 412}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 5157, "scanner": "repobility-agent-runtime", "fingerprint": "45bedb785873b064349b6bb7a3079182469c837778c9bd95fafc1abef00d5aad", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|45bedb785873b064349b6bb7a3079182469c837778c9bd95fafc1abef00d5aad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/settings/panels/AgentChatPanel.tsx"}, "region": {"startLine": 46}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5152, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7497c0c80ad591084a1cc067f4c28a97f0f9e015de1238986a7ee810b342345d", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/discord_scanner/mod.rs", "duplicate_line": 15, "correlation_key": "fp|7497c0c80ad591084a1cc067f4c28a97f0f9e015de1238986a7ee810b342345d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/slack_scanner/mod.rs"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5146, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6b4a842fe4cf070d28776150cb14e52ef962fec95d55405cdce520722f27020a", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/cdp/conn.rs", "duplicate_line": 9, "correlation_key": "fp|6b4a842fe4cf070d28776150cb14e52ef962fec95d55405cdce520722f27020a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/discord_scanner/mod.rs"}, "region": {"startLine": 147}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5145, "scanner": "repobility-ai-code-hygiene", "fingerprint": "edf17c8355b4f0ed468680b5153516941ec9dbcabd63432c5e07c1ad584ca896", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/cdp/target.rs", "duplicate_line": 39, "correlation_key": "fp|edf17c8355b4f0ed468680b5153516941ec9dbcabd63432c5e07c1ad584ca896"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/discord_scanner/mod.rs"}, "region": {"startLine": 110}}}]}, {"ruleId": "AIC001", "level": "warning", "message": {"text": "Parallel implementation file sits beside a canonical file"}, "properties": {"repobilityId": 5144, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3fc1edb80dfb220f4ade01d077fce6d73615380c27622cde42f32df43ecec54c", "category": "quality", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Source filename has a patch-style suffix and a same-directory canonical sibling exists.", "evidence": {"suffix": "clean", "rule_id": "AIC001", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195", "https://knip.dev/"], "canonical_file": "src/openhuman/memory/tree/canonicalize/email.rs", "correlation_key": "fp|3fc1edb80dfb220f4ade01d077fce6d73615380c27622cde42f32df43ecec54c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/openhuman/memory/tree/canonicalize/email_clean.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC001", "level": "warning", "message": {"text": "Parallel implementation file sits beside a canonical file"}, "properties": {"repobilityId": 5143, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b3a7eecd2d43871e24ea00e7a56d9b175798254ce8027df32526c095053de9f5", "category": "quality", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Source filename has a patch-style suffix and a same-directory canonical sibling exists.", "evidence": {"suffix": "alt", "rule_id": "AIC001", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195", "https://knip.dev/"], "canonical_file": "remotion/src/Mascot/mascot-yellow-wave.tsx", "correlation_key": "fp|b3a7eecd2d43871e24ea00e7a56d9b175798254ce8027df32526c095053de9f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "remotion/src/Mascot/mascot-yellow-wave-alt.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 40722, "scanner": "repobility-docker", "fingerprint": "29428cca41fa8395017c3767bc95ad6eb62c8eaa0b13ac3a9d4232da3c6e5e4c", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "openhuman-core", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|29428cca41fa8395017c3767bc95ad6eb62c8eaa0b13ac3a9d4232da3c6e5e4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40712, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1ba44228037106dfc498362615e1a49b096e61690dc9889371666a88d6f464f8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/components/settings/LogoutAndClearActions.tsx", "duplicate_line": 139, "correlation_key": "fp|1ba44228037106dfc498362615e1a49b096e61690dc9889371666a88d6f464f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/settings/panels/TeamMembersPanel.tsx"}, "region": {"startLine": 120}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40711, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a97265726057d19914baf5f7666d2d2b4eee8af68da0c0aa9b0e111419200d75", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/components/settings/panels/TeamInvitesPanel.tsx", "duplicate_line": 149, "correlation_key": "fp|a97265726057d19914baf5f7666d2d2b4eee8af68da0c0aa9b0e111419200d75"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/settings/panels/TeamMembersPanel.tsx"}, "region": {"startLine": 118}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40710, "scanner": "repobility-ai-code-hygiene", "fingerprint": "35aead919cb4d0d0343d050dadfae6b9858a7e2254eb8c67b6ecce3d945827d3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/components/settings/LogoutAndClearActions.tsx", "duplicate_line": 138, "correlation_key": "fp|35aead919cb4d0d0343d050dadfae6b9858a7e2254eb8c67b6ecce3d945827d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/settings/panels/TeamInvitesPanel.tsx"}, "region": {"startLine": 115}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40709, "scanner": "repobility-ai-code-hygiene", "fingerprint": "567b7600edff72d09ac34d03bb489cf6331e142a1f2e9b1535d7dda25ab957e9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/components/settings/panels/RecoveryPhrasePanel.tsx", "duplicate_line": 396, "correlation_key": "fp|567b7600edff72d09ac34d03bb489cf6331e142a1f2e9b1535d7dda25ab957e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/settings/panels/TeamInvitesPanel.tsx"}, "region": {"startLine": 114}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40708, "scanner": "repobility-ai-code-hygiene", "fingerprint": "788b42d23e89187c7423aad69c448495f2157f36fa30946c77aea5b9520db808", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/components/settings/panels/AutocompletePanel.tsx", "duplicate_line": 187, "correlation_key": "fp|788b42d23e89187c7423aad69c448495f2157f36fa30946c77aea5b9520db808"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/settings/panels/ScreenIntelligencePanel.tsx"}, "region": {"startLine": 128}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40707, "scanner": "repobility-ai-code-hygiene", "fingerprint": "51b14159408d88eefac29aa87c472495356fab1749c51b0388dd439af44b3c1c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/components/settings/LogoutAndClearActions.tsx", "duplicate_line": 138, "correlation_key": "fp|51b14159408d88eefac29aa87c472495356fab1749c51b0388dd439af44b3c1c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/settings/panels/RecoveryPhrasePanel.tsx"}, "region": {"startLine": 397}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40706, "scanner": "repobility-ai-code-hygiene", "fingerprint": "735d81f665b3b721d7505b4f04ca36820267f6f4c563e0d9010a5d667419eff1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/components/settings/LogoutAndClearActions.tsx", "duplicate_line": 139, "correlation_key": "fp|735d81f665b3b721d7505b4f04ca36820267f6f4c563e0d9010a5d667419eff1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/settings/panels/DevicesPanel.tsx"}, "region": {"startLine": 227}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40705, "scanner": "repobility-ai-code-hygiene", "fingerprint": "864a971c154d83fa66fa1639851f90cedcdad0b730d222ce04d0be39731de7c7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/components/settings/panels/AutocompleteDebugPanel.tsx", "duplicate_line": 13, "correlation_key": "fp|864a971c154d83fa66fa1639851f90cedcdad0b730d222ce04d0be39731de7c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/settings/panels/AutocompletePanel.tsx"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40704, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e80d7d2e143e4f86a7b743b6ac76666ad0d527c6a1fc4233cde807468cd4466e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/components/BottomTabBar.tsx", "duplicate_line": 106, "correlation_key": "fp|e80d7d2e143e4f86a7b743b6ac76666ad0d527c6a1fc4233cde807468cd4466e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/ios/MobileTabBar.tsx"}, "region": {"startLine": 46}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40703, "scanner": "repobility-ai-code-hygiene", "fingerprint": "92bc76018415b5ae3ae988d08bd585fb148be4317455bcaea2c05354568166a6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/components/intelligence/MemorySources.tsx", "duplicate_line": 340, "correlation_key": "fp|92bc76018415b5ae3ae988d08bd585fb148be4317455bcaea2c05354568166a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/intelligence/MemoryWorkspace.tsx"}, "region": {"startLine": 420}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40702, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3d751646748cec6bafbba842cc8145f557b348d1764c2f051e3d240606fc74a1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/components/intelligence/MemorySources.tsx", "duplicate_line": 38, "correlation_key": "fp|3d751646748cec6bafbba842cc8145f557b348d1764c2f051e3d240606fc74a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/intelligence/MemorySyncConnections.tsx"}, "region": {"startLine": 33}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40701, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e1f07047eb81cbbbd8c0934465b2ae03bb8347ccf0e2fa98e88fec393be73d64", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/components/intelligence/ActionableCard.tsx", "duplicate_line": 266, "correlation_key": "fp|e1f07047eb81cbbbd8c0934465b2ae03bb8347ccf0e2fa98e88fec393be73d64"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/intelligence/IntelligenceSubconsciousTab.tsx"}, "region": {"startLine": 381}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40700, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7639fe7f0fa4e5c7d36438e2d04eb22657fcad1ca3935288921e658dd9fcdd41", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/components/channels/DiscordConfig.tsx", "duplicate_line": 5, "correlation_key": "fp|7639fe7f0fa4e5c7d36438e2d04eb22657fcad1ca3935288921e658dd9fcdd41"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/channels/TelegramConfig.tsx"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40699, "scanner": "repobility-ai-code-hygiene", "fingerprint": "aa8eace53f596edf0e93bdc4531b5a917423057e3d68d4fcefcfa54935b3b97e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/slack_scanner/idb.rs", "duplicate_line": 158, "correlation_key": "fp|aa8eace53f596edf0e93bdc4531b5a917423057e3d68d4fcefcfa54935b3b97e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/whatsapp_scanner/idb.rs"}, "region": {"startLine": 99}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40698, "scanner": "repobility-ai-code-hygiene", "fingerprint": "11803e90f4f3e72733d510dd47bf4d50fdd5093c24c8e39acf835041251c318f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/gmessages_scanner/cdp_walk.rs", "duplicate_line": 68, "correlation_key": "fp|11803e90f4f3e72733d510dd47bf4d50fdd5093c24c8e39acf835041251c318f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/whatsapp_scanner/idb.rs"}, "region": {"startLine": 85}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40697, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c77b9616351c326402d90de9fd8726a2a12fc8718451afecd72a8b2f53f2026a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/telegram_scanner/dom_snapshot.rs", "duplicate_line": 125, "correlation_key": "fp|c77b9616351c326402d90de9fd8726a2a12fc8718451afecd72a8b2f53f2026a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/wechat_scanner/dom_snapshot.rs"}, "region": {"startLine": 227}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40696, "scanner": "repobility-ai-code-hygiene", "fingerprint": "72e267f1013ebc6b2e972ca95aaea0bdb4de2d8bbbdea8209ffed8d1e6d3ef48", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/cdp/conn.rs", "duplicate_line": 9, "correlation_key": "fp|72e267f1013ebc6b2e972ca95aaea0bdb4de2d8bbbdea8209ffed8d1e6d3ef48"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/telegram_scanner/mod.rs"}, "region": {"startLine": 418}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40695, "scanner": "repobility-ai-code-hygiene", "fingerprint": "076022a516d0d75bbd5948ce694be4a5ed1448458d38bf0f565e8d118bcc0c44", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/cdp/target.rs", "duplicate_line": 39, "correlation_key": "fp|076022a516d0d75bbd5948ce694be4a5ed1448458d38bf0f565e8d118bcc0c44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/telegram_scanner/mod.rs"}, "region": {"startLine": 381}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40694, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d4bb3c83895b808aedbb85df6785885502b5f6e33fc87b669140a3a8c0e7fc72", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/slack_scanner/mod.rs", "duplicate_line": 1, "correlation_key": "fp|d4bb3c83895b808aedbb85df6785885502b5f6e33fc87b669140a3a8c0e7fc72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/telegram_scanner/mod.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40693, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0b12a95be21208160116695a7114fc58965d1471bf0790e3bc8d0bdbc2701620", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/gmessages_scanner/cdp_walk.rs", "duplicate_line": 68, "correlation_key": "fp|0b12a95be21208160116695a7114fc58965d1471bf0790e3bc8d0bdbc2701620"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/telegram_scanner/idb.rs"}, "region": {"startLine": 147}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40692, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d676de0123da4123b6a064a49839a1f7b5c9dbe9709caa6a70ee5f5a24aabfe9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/deep_link_ipc.rs", "duplicate_line": 70, "correlation_key": "fp|d676de0123da4123b6a064a49839a1f7b5c9dbe9709caa6a70ee5f5a24aabfe9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/deep_link_ipc_windows.rs"}, "region": {"startLine": 89}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 40612, "scanner": "repobility-threat-engine", "fingerprint": "a034e988571a45e0667847cd04e51c56e2e2561d5d9e7c5dea9a6d43dd04630a", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"[openhuman-audio-bridge] AudioContext created requested_rate=\" +\n        requestedRate +\n        \"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a034e988571a45e0667847cd04e51c56e2e2561d5d9e7c5dea9a6d43dd04630a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/meet_audio/audio_bridge.js"}, "region": {"startLine": 71}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 5185, "scanner": "repobility-docker", "fingerprint": "6f82f915669a3638c3fe710128387245754ace6c0cefb8f31b1875c230b1ae57", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "openhuman-core", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|6f82f915669a3638c3fe710128387245754ace6c0cefb8f31b1875c230b1ae57"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 5183, "scanner": "repobility-docker", "fingerprint": "43c255baecb533f81fa04d72ef6a3a965b71248510674972964189545c0e4abd", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|43c255baecb533f81fa04d72ef6a3a965b71248510674972964189545c0e4abd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/Dockerfile"}, "region": {"startLine": 35}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 5180, "scanner": "repobility-docker", "fingerprint": "e26b372d9d731d47aae7631256ea92261dbf4e179d697ec7b995fd178aab99f9", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e26b372d9d731d47aae7631256ea92261dbf4e179d697ec7b995fd178aab99f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/Dockerfile"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 5179, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": ["id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5156, "scanner": "repobility-ai-code-hygiene", "fingerprint": "83c2d9392fafdbf96fce0f2bcda0c50ec17e078c2fc4fb4f9ae354bda21678eb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/slack_scanner/idb.rs", "duplicate_line": 11, "correlation_key": "fp|83c2d9392fafdbf96fce0f2bcda0c50ec17e078c2fc4fb4f9ae354bda21678eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/telegram_scanner/idb.rs"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5155, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ce9aa4bbf38ddc3235017167886d00dcfc0e6ff15c86cd303b5f7747bd433b13", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/discord_scanner/dom_snapshot.rs", "duplicate_line": 26, "correlation_key": "fp|ce9aa4bbf38ddc3235017167886d00dcfc0e6ff15c86cd303b5f7747bd433b13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/telegram_scanner/dom_snapshot.rs"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5154, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ee1be7c425fdd37eb067e6ce94a5321bce51d98b2dcbdb185540ce920846cb27", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/cdp/conn.rs", "duplicate_line": 9, "correlation_key": "fp|ee1be7c425fdd37eb067e6ce94a5321bce51d98b2dcbdb185540ce920846cb27"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/slack_scanner/mod.rs"}, "region": {"startLine": 505}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5153, "scanner": "repobility-ai-code-hygiene", "fingerprint": "972b994f6fbeb05629567270683524937625e54f993c86442abbdc1f9afe3ae4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/cdp/target.rs", "duplicate_line": 39, "correlation_key": "fp|972b994f6fbeb05629567270683524937625e54f993c86442abbdc1f9afe3ae4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/slack_scanner/mod.rs"}, "region": {"startLine": 468}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5151, "scanner": "repobility-ai-code-hygiene", "fingerprint": "99d1fe5f42f514a25af85729ee1c6957c6086d11cee0281abc0068c3a41abda6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/gmessages_scanner/cdp_walk.rs", "duplicate_line": 68, "correlation_key": "fp|99d1fe5f42f514a25af85729ee1c6957c6086d11cee0281abc0068c3a41abda6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/slack_scanner/idb.rs"}, "region": {"startLine": 144}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5150, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d78f733177a6658d84a15d9f7a9a389be921106b046cb5581907ac06c92e007b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/discord_scanner/dom_snapshot.rs", "duplicate_line": 1, "correlation_key": "fp|d78f733177a6658d84a15d9f7a9a389be921106b046cb5581907ac06c92e007b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/slack_scanner/dom_snapshot.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5149, "scanner": "repobility-ai-code-hygiene", "fingerprint": "05883ea93ab315e5a849c7df62ca3a9563ec82c9752ed560560ea10a10695766", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/meet_audio/inject.rs", "duplicate_line": 82, "correlation_key": "fp|05883ea93ab315e5a849c7df62ca3a9563ec82c9752ed560560ea10a10695766"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/meet_video/inject.rs"}, "region": {"startLine": 39}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5148, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d396e0ff3bda229f9b970511c11f729f78cc55ed6abfeb1672e06df84d9e2261", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/meet_audio/inject.rs", "duplicate_line": 56, "correlation_key": "fp|d396e0ff3bda229f9b970511c11f729f78cc55ed6abfeb1672e06df84d9e2261"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/meet_scanner/mod.rs"}, "region": {"startLine": 55}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5147, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ef3b893b196419e58d402a6a39c59ce67d7974e7647b7f53c322d3c92e37d829", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/gmessages_scanner/mod.rs", "duplicate_line": 30, "correlation_key": "fp|ef3b893b196419e58d402a6a39c59ce67d7974e7647b7f53c322d3c92e37d829"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/imessage_scanner/mod.rs"}, "region": {"startLine": 321}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `inference-e2e` image is selected through a build variable"}, "properties": {"repobilityId": 40724, "scanner": "repobility-docker", "fingerprint": "a86f4f33d2f27c2a86c4714f187d606db8de7e4c061f9902c40aa9d815c23e2b", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${OPENHUMAN_CI_IMAGE:-ghcr.io/tinyhumansai/openhuman_ci:latest}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|a86f4f33d2f27c2a86c4714f187d606db8de7e4c061f9902c40aa9d815c23e2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/docker-compose.yml"}, "region": {"startLine": 85}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `e2e` image is selected through a build variable"}, "properties": {"repobilityId": 40723, "scanner": "repobility-docker", "fingerprint": "1d0e9c807aadc532a749d3ab156b7556d660de117d08d6cf8f04529fa0e39e5c", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${OPENHUMAN_CI_IMAGE:-ghcr.io/tinyhumansai/openhuman_ci:latest}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|1d0e9c807aadc532a749d3ab156b7556d660de117d08d6cf8f04529fa0e39e5c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/docker-compose.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 40680, "scanner": "repobility-threat-engine", "fingerprint": "ffe0bb40951d1fe20325d6626515b6b3f5194cef1a3be6e6de11e9645a8d8a72", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|ffe0bb40951d1fe20325d6626515b6b3f5194cef1a3be6e6de11e9645a8d8a72", "aggregated_count": 1}}}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 40679, "scanner": "repobility-threat-engine", "fingerprint": "aa3d4c7c849da25f55ebdb712b32c31e735796cb178e41b38403fef069a1e44f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|aa3d4c7c849da25f55ebdb712b32c31e735796cb178e41b38403fef069a1e44f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/test-subconscious-ticks.sh"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 40678, "scanner": "repobility-threat-engine", "fingerprint": "5f4228be82c7bb8d4e362a3facb8b9f952253734160cdfe6cc7ec84d3c17bcb3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5f4228be82c7bb8d4e362a3facb8b9f952253734160cdfe6cc7ec84d3c17bcb3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/test-proactive-welcome.sh"}, "region": {"startLine": 89}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 40677, "scanner": "repobility-threat-engine", "fingerprint": "9f35fb06680a6e38d927a6f60a3e3214f841eb5e16342417b39021fa3cb2f920", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9f35fb06680a6e38d927a6f60a3e3214f841eb5e16342417b39021fa3cb2f920"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/test-channel-receive.mjs"}, "region": {"startLine": 84}}}]}, {"ruleId": "SEC134", "level": "none", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 40674, "scanner": "repobility-threat-engine", "fingerprint": "270b7ee0d6a9a2a0b02af920a05b8af3d22a55ffd8bb719a818aa298e06bf419", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'test\\b|mock|fixture|spec\\b' detected on same line", "evidence": {"match": "url: \"https://example.com", "reason": "Safe pattern 'test\\b|mock|fixture|spec\\b' detected on same line", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "fp|270b7ee0d6a9a2a0b02af920a05b8af3d22a55ffd8bb719a818aa298e06bf419"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/mock-api/routes/llm/dynamic.mjs"}, "region": {"startLine": 173}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 40659, "scanner": "repobility-threat-engine", "fingerprint": "686a60fcaf9c0f821363dbc6fdb712aa8b856e4f7384dd5b5c0e53c3b8b89db4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|686a60fcaf9c0f821363dbc6fdb712aa8b856e4f7384dd5b5c0e53c3b8b89db4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/openhuman/people/types.rs"}, "region": {"startLine": 137}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 40658, "scanner": "repobility-threat-engine", "fingerprint": "f60ebe13aa46e25e9f80a57b42424c59714a51d4fb03224d3ecd64d99fedef49", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f60ebe13aa46e25e9f80a57b42424c59714a51d4fb03224d3ecd64d99fedef49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/services/api/teamApi.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 40657, "scanner": "repobility-threat-engine", "fingerprint": "6de4d9dd02632a772f29a9671c29c633e1cb993c827f1d699582d9e915fb42b6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6de4d9dd02632a772f29a9671c29c633e1cb993c827f1d699582d9e915fb42b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/polyfills.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 40656, "scanner": "repobility-threat-engine", "fingerprint": "019b39b089e0a5300e633ba49803bcfe4794f6c5a6a074ad04df1b5dc533e687", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|019b39b089e0a5300e633ba49803bcfe4794f6c5a6a074ad04df1b5dc533e687"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 40655, "scanner": "repobility-threat-engine", "fingerprint": "bc40816171c7f79cfa7b52183b0ac42e586c1b1ef89eeed9bff147e7e11c9233", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.debug('[onboarding:api-keys] oauth status check failed', err)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|4|console.debug onboarding:api-keys oauth status check failed err"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/pages/onboarding/steps/ApiKeysStep.tsx"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 40654, "scanner": "repobility-threat-engine", "fingerprint": "9a383c383ff62abfbab7de3f53ff8367aff01aa9591d2f43d8996a3499518966", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.error('[onboarding:api-keys-page] completeAndExit failed', err)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|1|console.error onboarding:api-keys-page completeandexit failed err"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/pages/onboarding/pages/ApiKeysPage.tsx"}, "region": {"startLine": 13}}}]}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 40652, "scanner": "repobility-threat-engine", "fingerprint": "f1c2c4035cdd6e0916d588faf9becbbbd5dd61a9e4a7efb0017757e4e82f5c05", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|f1c2c4035cdd6e0916d588faf9becbbbd5dd61a9e4a7efb0017757e4e82f5c05"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 40648, "scanner": "repobility-threat-engine", "fingerprint": "c59edcd8286991ab7caac4493f8f01b268fef2a5d218265ad20f6e2d1172fefb", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c59edcd8286991ab7caac4493f8f01b268fef2a5d218265ad20f6e2d1172fefb"}}}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 40644, "scanner": "repobility-threat-engine", "fingerprint": "702527090bb20c74c37e35a060fb0e6d4d89aa5fa69163dfbbc2a7ad676a40a3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|702527090bb20c74c37e35a060fb0e6d4d89aa5fa69163dfbbc2a7ad676a40a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/features/human/Mascot/backend/BackendMascot.tsx"}, "region": {"startLine": 144}}}]}, {"ruleId": "SEC006", "level": "none", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 40643, "scanner": "repobility-threat-engine", "fingerprint": "7a22f802c71cc1723f025b5db799c2b6849484890a55434351fcd72bcded651f", "category": "injection", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "React dangerouslySetInnerHTML \u2014 deliberate pattern with built-in XSS warnings", "evidence": {"match": ".innerHTML = i", "reason": "React dangerouslySetInnerHTML \u2014 deliberate pattern with built-in XSS warnings", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "code|injection|token|87|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/features/human/Mascot/backend/BackendMascot.tsx"}, "region": {"startLine": 87}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 40642, "scanner": "repobility-threat-engine", "fingerprint": "4b6c8cecbe5d7bb2225a54c79d2f56eb472e2ac5e711479e324cbc4f3184d14c", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|12|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/utils/deviceFingerprint.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 40641, "scanner": "repobility-threat-engine", "fingerprint": "25a1a3623f3609372855ce615b276deb73a696c448de5d5268edf650ddd0349c", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|265|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/services/transport/TunnelTransport.ts"}, "region": {"startLine": 265}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 40640, "scanner": "repobility-threat-engine", "fingerprint": "8e1cef2820bf0425900995a6ebc4ec0a2ee6e08517b55aa8b33b5e82d2537b40", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|179|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/walkthrough/walkthroughSteps.ts"}, "region": {"startLine": 179}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 40639, "scanner": "repobility-threat-engine", "fingerprint": "d58905a1ad7225fcb74a0ff1017c7a5fed9af46990fa74c56191c107cac351a6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d58905a1ad7225fcb74a0ff1017c7a5fed9af46990fa74c56191c107cac351a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/chat/UnsubscribeApprovalCard.tsx"}, "region": {"startLine": 41}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "properties": {"repobilityId": 40638, "scanner": "repobility-threat-engine", "fingerprint": "b716e452fc69f198dd09d9395b6a9646e9c76178cc7a871b1d6ec822f8589b1c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b716e452fc69f198dd09d9395b6a9646e9c76178cc7a871b1d6ec822f8589b1c"}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 40634, "scanner": "repobility-threat-engine", "fingerprint": "29579e2a4af6df15e54ac7b6768d3485c072e1347c93f2e5c5a972f11aa15fa2", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|29579e2a4af6df15e54ac7b6768d3485c072e1347c93f2e5c5a972f11aa15fa2", "aggregated_count": 5}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 40633, "scanner": "repobility-threat-engine", "fingerprint": "95fd0c51c20d5a5929c9f903210789b981308b8afdbb754f25c2c12baf260dbd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|95fd0c51c20d5a5929c9f903210789b981308b8afdbb754f25c2c12baf260dbd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/oauth/oauthAuthReadiness.ts"}, "region": {"startLine": 110}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 40632, "scanner": "repobility-threat-engine", "fingerprint": "9de7da8e4c576847e08c3c0af9c7bf5633778706eff925476a84af87a62d791f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9de7da8e4c576847e08c3c0af9c7bf5633778706eff925476a84af87a62d791f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/commands/CommandPalette.tsx"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 40631, "scanner": "repobility-threat-engine", "fingerprint": "58ccf6ef85c0e1b79e34e6a191364414db53a3fa9b60995b0ed64353dc0cda5c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|58ccf6ef85c0e1b79e34e6a191364414db53a3fa9b60995b0ed64353dc0cda5c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/channels/mcp/InstallDialog.tsx"}, "region": {"startLine": 185}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 40630, "scanner": "repobility-threat-engine", "fingerprint": "da09a0e109d8491397c79f85ac498a8a3f321cda8bb454968b775da40d045a81", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|da09a0e109d8491397c79f85ac498a8a3f321cda8bb454968b775da40d045a81", "aggregated_count": 7}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 40629, "scanner": "repobility-threat-engine", "fingerprint": "e86386ced6f50feb19efe3f6ba8d27f5c7bd5d520fc45789b39621a647ba9e1a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e86386ced6f50feb19efe3f6ba8d27f5c7bd5d520fc45789b39621a647ba9e1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/commands/Kbd.tsx"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 40628, "scanner": "repobility-threat-engine", "fingerprint": "53989dacc8ddeb8afaa9814da7a5553f2459746f6fb4511a27a78bed95f33430", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|53989dacc8ddeb8afaa9814da7a5553f2459746f6fb4511a27a78bed95f33430"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/channels/mcp/ConfigAssistantPanel.tsx"}, "region": {"startLine": 106}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 40627, "scanner": "repobility-threat-engine", "fingerprint": "7bc944b54cbafb9d16d822c869e9126aa493b3eb2fdb053940c435206fa23329", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7bc944b54cbafb9d16d822c869e9126aa493b3eb2fdb053940c435206fa23329"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/ProgressIndicator.tsx"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro (and 20 more): Same pattern found in 20 additional files. Review if needed."}, "properties": {"repobilityId": 40626, "scanner": "repobility-threat-engine", "fingerprint": "fb51731bfc742257f9e0277d73b57db475a16915fb1766421979b26cc6f87386", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 20 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|fb51731bfc742257f9e0277d73b57db475a16915fb1766421979b26cc6f87386", "aggregated_count": 20}}}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "properties": {"repobilityId": 40625, "scanner": "repobility-threat-engine", "fingerprint": "d0d8f41571c92f39a28cf53c8ce7e3426ccfa904ac9cec866af7e741a05b865b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d0d8f41571c92f39a28cf53c8ce7e3426ccfa904ac9cec866af7e741a05b865b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/openhuman/agent/dispatcher_tests.rs"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "properties": {"repobilityId": 40624, "scanner": "repobility-threat-engine", "fingerprint": "6a44db73c58ee1429ac5c1c7c23ae4fb2dabf6be4c69431d209c013e0f71badd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6a44db73c58ee1429ac5c1c7c23ae4fb2dabf6be4c69431d209c013e0f71badd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/core/event_bus/native_request_tests.rs"}, "region": {"startLine": 149}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "properties": {"repobilityId": 40623, "scanner": "repobility-threat-engine", "fingerprint": "a5ea76921fc633a6d1f9ca35274b2e24a7425fa12b5a7802c510bc5de9aef23b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a5ea76921fc633a6d1f9ca35274b2e24a7425fa12b5a7802c510bc5de9aef23b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/meet_video/frame_bus.rs"}, "region": {"startLine": 265}}}]}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 40622, "scanner": "repobility-threat-engine", "fingerprint": "60d6be488fc9792b7c544c84123a75cbfde5e34988a54174c40e3a6c52f2694e", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|60d6be488fc9792b7c544c84123a75cbfde5e34988a54174c40e3a6c52f2694e"}}}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 40619, "scanner": "repobility-threat-engine", "fingerprint": "ea45d8829d6de9e4e0852b1b377c0535e61b095408952948f9230795ac18812b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ea45d8829d6de9e4e0852b1b377c0535e61b095408952948f9230795ac18812b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/meet_video/camera_bridge.js"}, "region": {"startLine": 314}}}]}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 40618, "scanner": "repobility-threat-engine", "fingerprint": "4aaf29d62d34fd532a4286ac9712660816d652056a97a491b6071fb547bb87ec", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4aaf29d62d34fd532a4286ac9712660816d652056a97a491b6071fb547bb87ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/meet_audio/captions_bridge.js"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 40617, "scanner": "repobility-threat-engine", "fingerprint": "65b4bdcfa9f9cef0e3b8de74f4a7ab31aad96960b894785523f9aeb7baa7e925", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|65b4bdcfa9f9cef0e3b8de74f4a7ab31aad96960b894785523f9aeb7baa7e925"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/meet_audio/audio_bridge.js"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 77 more): Same pattern found in 77 additional files. Review if needed."}, "properties": {"repobilityId": 40616, "scanner": "repobility-threat-engine", "fingerprint": "f641040879442a860270dad01cc43bc83d7026afdf2e94dfe5e62b5ba6e1a13e", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 77 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f641040879442a860270dad01cc43bc83d7026afdf2e94dfe5e62b5ba6e1a13e", "aggregated_count": 77}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 40615, "scanner": "repobility-threat-engine", "fingerprint": "de67ceefbc2295b4b74bf28a978f8232694107efe0903c868b71a43ea2254e6a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|de67ceefbc2295b4b74bf28a978f8232694107efe0903c868b71a43ea2254e6a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/App.tsx"}, "region": {"startLine": 166}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 40614, "scanner": "repobility-threat-engine", "fingerprint": "ea562234356ddd8fa0b9599cf3b0b9a932d12cd68e9469c81d3bac6ceeeeb3ab", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ea562234356ddd8fa0b9599cf3b0b9a932d12cd68e9469c81d3bac6ceeeeb3ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/meet_video/camera_bridge.js"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 40613, "scanner": "repobility-threat-engine", "fingerprint": "72f1cc3b35d9338ef04a8bd12186d6a384b64d8ccd168849f9bceddce3c18abb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|72f1cc3b35d9338ef04a8bd12186d6a384b64d8ccd168849f9bceddce3c18abb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/meet_audio/audio_bridge.js"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "properties": {"repobilityId": 40611, "scanner": "repobility-threat-engine", "fingerprint": "e6e87df05fa0fe570cd92b1a7e92f3113b03e16ac77fd1b3eef7e9c7e390350d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 12 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|e6e87df05fa0fe570cd92b1a7e92f3113b03e16ac77fd1b3eef7e9c7e390350d", "aggregated_count": 12}}}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 40610, "scanner": "repobility-threat-engine", "fingerprint": "aae4b7fca5ada0b0a5a97dba104798b3665614c0bff4a78b969bf3df475451d0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|aae4b7fca5ada0b0a5a97dba104798b3665614c0bff4a78b969bf3df475451d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/native_notifications/mod.rs"}, "region": {"startLine": 120}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 40609, "scanner": "repobility-threat-engine", "fingerprint": "53edd1f0fe550dac4d0e1fb0a7f0d551f94a0e53b2a3ab9417258babc979a1cc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|53edd1f0fe550dac4d0e1fb0a7f0d551f94a0e53b2a3ab9417258babc979a1cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/main.rs"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 40608, "scanner": "repobility-threat-engine", "fingerprint": "3f7d3196fa9f54db0eff23f68795d0885990a29e3bda3f436217307451e6f27f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3f7d3196fa9f54db0eff23f68795d0885990a29e3bda3f436217307451e6f27f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/deep_link_ipc_windows.rs"}, "region": {"startLine": 74}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 45 more): Same pattern found in 45 additional files. Review if needed."}, "properties": {"repobilityId": 40607, "scanner": "repobility-threat-engine", "fingerprint": "ade48a0ef3640f4a385a7c274cf93444d0b91b16b370dc43fd18f27c99e88f62", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 45 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 45 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|ade48a0ef3640f4a385a7c274cf93444d0b91b16b370dc43fd18f27c99e88f62"}}}, {"ruleId": "MINED003", "level": "none", "message": {"text": "[MINED003] Rust Unwrap In Prod (and 278 more): Same pattern found in 278 additional files. Review if needed."}, "properties": {"repobilityId": 40603, "scanner": "repobility-threat-engine", "fingerprint": "b55fd124eaffddb9e622becf90916c2d3ac166ef5ccad86ba765e194cec9f5fd", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 278 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|b55fd124eaffddb9e622becf90916c2d3ac166ef5ccad86ba765e194cec9f5fd", "aggregated_count": 278}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 26 more): Same pattern found in 26 additional files. Review if needed."}, "properties": {"repobilityId": 40599, "scanner": "repobility-threat-engine", "fingerprint": "d5ac058700426ed14325971139efba634921cffda7e8461a0ef98ec4b5b76f22", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 26 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|d5ac058700426ed14325971139efba634921cffda7e8461a0ef98ec4b5b76f22", "aggregated_count": 26}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 40598, "scanner": "repobility-threat-engine", "fingerprint": "76b24737373a31ac26910f0f7c7312e0688cb0dee40b0a064834e645eafe8658", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|76b24737373a31ac26910f0f7c7312e0688cb0dee40b0a064834e645eafe8658"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/utils/ollamaUrlValidation.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 40597, "scanner": "repobility-threat-engine", "fingerprint": "28afc1c88d95e00dc8377ad5b92a0c8f3cef44f06aba9a119dcfbdd3461d272f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|28afc1c88d95e00dc8377ad5b92a0c8f3cef44f06aba9a119dcfbdd3461d272f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/LanguageSelect.tsx"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 40596, "scanner": "repobility-threat-engine", "fingerprint": "899383773e98d2c4c691ac515b01d610f8f961f8aa511f04a7c01621ab535aef", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|899383773e98d2c4c691ac515b01d610f8f961f8aa511f04a7c01621ab535aef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/cdp/target.rs"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod (and 127 more): Same pattern found in 127 additional files. Review if needed."}, "properties": {"repobilityId": 40595, "scanner": "repobility-threat-engine", "fingerprint": "34a43d8eff57749d34d08ed65d70bd4ff49eba7cd36cdd9606fdc7ed61035a71", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 127 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|34a43d8eff57749d34d08ed65d70bd4ff49eba7cd36cdd9606fdc7ed61035a71", "aggregated_count": 127}}}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 40594, "scanner": "repobility-threat-engine", "fingerprint": "2d895ad6a775e1029a119acf533c605c40d5755201f1cb52523cb5e7f63a64ce", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2d895ad6a775e1029a119acf533c605c40d5755201f1cb52523cb5e7f63a64ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/gmessages_scanner/idb.rs"}, "region": {"startLine": 212}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 40593, "scanner": "repobility-threat-engine", "fingerprint": "d845534058c470efbbb3125d877db6e117b867f231082762d1155159ceae68b8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d845534058c470efbbb3125d877db6e117b867f231082762d1155159ceae68b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/fake_camera/mod.rs"}, "region": {"startLine": 209}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 40592, "scanner": "repobility-threat-engine", "fingerprint": "830ac4917c363ae45367627022491ed2c878c1ac5142ae96988a76a8192c66ee", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|830ac4917c363ae45367627022491ed2c878c1ac5142ae96988a76a8192c66ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri-mobile/src/lib.rs"}, "region": {"startLine": 44}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 5174, "scanner": "repobility-threat-engine", "fingerprint": "015624d54588e78b188bc9104a95afc6319bd4ac8d54e067e19d0b8385b57e46", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.debug('[memory] syncMemoryClientToken: <redacted> \u2014 skipped (not Tauri)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|8|console.debug memory syncmemoryclienttoken: redacted skipped not tauri"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/utils/tauriCommands/memory.ts"}, "region": {"startLine": 89}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 5173, "scanner": "repobility-threat-engine", "fingerprint": "5b4980565e80304d74e1e652a6bbcd9ae87940ce6c059f11a5aec38420d4193c", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.debug('[configPersistence] Stored core token (cloud mode)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|17|console.debug configpersistence stored core token cloud mode"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/utils/configPersistence.ts"}, "region": {"startLine": 172}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 5172, "scanner": "repobility-threat-engine", "fingerprint": "71437094899e087d012e34c909d026c76b82ca0c89436d075cb270e3992cb3b9", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.warn('[DeepLink] URL did not contain a token query parameter')", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|10|console.warn deeplink url did not contain a token query parameter"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/utils/desktopDeepLinkListener.ts"}, "region": {"startLine": 103}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 5171, "scanner": "repobility-threat-engine", "fingerprint": "ed3769a4ea3a3aeb3b1fd74c33a316d9452004c8aff6770390b3265ad0543e09", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|ed3769a4ea3a3aeb3b1fd74c33a316d9452004c8aff6770390b3265ad0543e09"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 5170, "scanner": "repobility-threat-engine", "fingerprint": "a930699a5b77c7407e13c615ed42d0956012af7420debcfeff8989b329e88e24", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|77|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/pages/Intelligence.tsx"}, "region": {"startLine": 77}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 5169, "scanner": "repobility-threat-engine", "fingerprint": "133cd7a0aa39891f85c6121ae9c725fbbcaa93dbcefaae9aa9a04461c1d4460f", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|app/src/pages/accounts.tsx|40|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/pages/Accounts.tsx"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 5168, "scanner": "repobility-threat-engine", "fingerprint": "48f304abcfea4752a3392db7e385376dd3f225994e7c32b8873be7c61648e337", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|app/src/pages/skills.tsx|303|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/pages/Skills.tsx"}, "region": {"startLine": 303}}}]}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 5167, "scanner": "repobility-threat-engine", "fingerprint": "5c81d47da75c572182ad0e4e4629636dbf842fd65f2c830612248897d6fb397f", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|5c81d47da75c572182ad0e4e4629636dbf842fd65f2c830612248897d6fb397f"}}}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` unpinned: `container/services image: ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 40782, "scanner": "repobility-supply-chain", "fingerprint": "5c54f348c1d44ac8e95b974fbf8f1dc43803e6d190ddaf30f0b75c04cefce2cd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5c54f348c1d44ac8e95b974fbf8f1dc43803e6d190ddaf30f0b75c04cefce2cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` unpinned: `container/services image: ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 40781, "scanner": "repobility-supply-chain", "fingerprint": "0a2e2632e7e465318032aeb5c09f179042c9828c9b9f2005a587b639ffd71c1d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0a2e2632e7e465318032aeb5c09f179042c9828c9b9f2005a587b639ffd71c1d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-quality.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` unpinned: `container/services image: ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 40780, "scanner": "repobility-supply-chain", "fingerprint": "06bca77862199814a5c6dceebf8fb3fd43b8c578a71bfba3b384efb22feb3eee", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|06bca77862199814a5c6dceebf8fb3fd43b8c578a71bfba3b384efb22feb3eee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-quality.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` unpinned: `container/services image: ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 40779, "scanner": "repobility-supply-chain", "fingerprint": "7f4c0efd6b9bac88c87beaa674ddeb11e8be63d5a1ac4d1620cbc428249d17c1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7f4c0efd6b9bac88c87beaa674ddeb11e8be63d5a1ac4d1620cbc428249d17c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test-reusable.yml"}, "region": {"startLine": 160}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` unpinned: `container/services image: ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 40778, "scanner": "repobility-supply-chain", "fingerprint": "1d1f3d30b81f68525a1a290de73089c40d1d4cd24c6d0302518d47c32963658d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1d1f3d30b81f68525a1a290de73089c40d1d4cd24c6d0302518d47c32963658d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test-reusable.yml"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` unpinned: `container/services image: ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 40777, "scanner": "repobility-supply-chain", "fingerprint": "f8570bab40ad17f356ab63d70432a151733af9079a22da997d770d000913b126", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f8570bab40ad17f356ab63d70432a151733af9079a22da997d770d000913b126"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test-reusable.yml"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` unpinned: `container/services image: ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 40776, "scanner": "repobility-supply-chain", "fingerprint": "54e2eb4d9e04a49a05416cbe3282b0c72ffb63fb10c31ea654c4464195a7b711", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|54e2eb4d9e04a49a05416cbe3282b0c72ffb63fb10c31ea654c4464195a7b711"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test-reusable.yml"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` unpinned: `container/services image: ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 40775, "scanner": "repobility-supply-chain", "fingerprint": "61b0f0f417b780fed0f27f2813eed0fa7e7283535f4a2fa5dade0a47f1081279", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|61b0f0f417b780fed0f27f2813eed0fa7e7283535f4a2fa5dade0a47f1081279"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/weekly-code-review.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `ghcr.io/tinyhumansai/openhuman_ci:latest` unpinned: `container/services image: ghcr.io/tinyhumansai/openhuman_ci:latest` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 40774, "scanner": "repobility-supply-chain", "fingerprint": "38d138de295ed5104bcef0a858d22175baefe4caf637d27a0e8687ecda6e9ace", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|38d138de295ed5104bcef0a858d22175baefe4caf637d27a0e8687ecda6e9ace"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e-reusable.yml"}, "region": {"startLine": 195}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `ghcr.io/tinyhumansai/openhuman_ci:latest` unpinned: `container/services image: ghcr.io/tinyhumansai/openhuman_ci:latest` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 40773, "scanner": "repobility-supply-chain", "fingerprint": "c1e42030fbed28490f6566ad75d9bd4a9fbb88671b0a00ceb1e4cec109181c90", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c1e42030fbed28490f6566ad75d9bd4a9fbb88671b0a00ceb1e4cec109181c90"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e-reusable.yml"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v5`: `uses: actions/upload-artifact@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 40772, "scanner": "repobility-supply-chain", "fingerprint": "735900a0da6fd53c3c0c068b3d15f556736ae802204b9763e295f04967f64c96", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|735900a0da6fd53c3c0c068b3d15f556736ae802204b9763e295f04967f64c96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e-reusable.yml"}, "region": {"startLine": 165}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 40771, "scanner": "repobility-supply-chain", "fingerprint": "40e2bbe70077ffcbb57f1bbab451fede3a7ed1be4087671ff0bb17f70fdb51e3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|40e2bbe70077ffcbb57f1bbab451fede3a7ed1be4087671ff0bb17f70fdb51e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e-reusable.yml"}, "region": {"startLine": 108}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 40770, "scanner": "repobility-supply-chain", "fingerprint": "c2058b77882b440000566f2a655ec619c0dd3b0b5f53a04a9dcc14d0734fc2c2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c2058b77882b440000566f2a655ec619c0dd3b0b5f53a04a9dcc14d0734fc2c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e-reusable.yml"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Swatinem/rust-cache` pinned to mutable ref `@v2`: `uses: Swatinem/rust-cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 40769, "scanner": "repobility-supply-chain", "fingerprint": "075f86fe2850f510edb3bb4e94f336489b87cf44bba9c959843b332719bc9895", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|075f86fe2850f510edb3bb4e94f336489b87cf44bba9c959843b332719bc9895"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e-reusable.yml"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 40768, "scanner": "repobility-supply-chain", "fingerprint": "305d3461b4256fd10257a2b2508b432ffb52d9d6b597e1ca3a4a334acfb4dff4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|305d3461b4256fd10257a2b2508b432ffb52d9d6b597e1ca3a4a334acfb4dff4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e-reusable.yml"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 40767, "scanner": "repobility-supply-chain", "fingerprint": "7a1d7b3bb5e0fc5acb530db4650cb12340f93b0ec89cf6a3434297bf57af5bcc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7a1d7b3bb5e0fc5acb530db4650cb12340f93b0ec89cf6a3434297bf57af5bcc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e-reusable.yml"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v8`: `uses: actions/github-script@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 40766, "scanner": "repobility-supply-chain", "fingerprint": "3a6f14f85cd62d36ad0d07de71735c80a56514994fde7b422d4510c60a8339a6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3a6f14f85cd62d36ad0d07de71735c80a56514994fde7b422d4510c60a8339a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/contributor-rewards.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` unpinned: `container/services image: ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 40765, "scanner": "repobility-supply-chain", "fingerprint": "31ea877743a9ed75d6b064c31df4ab8e9eeebe14219e595abbf3c459df9f00b7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|31ea877743a9ed75d6b064c31df4ab8e9eeebe14219e595abbf3c459df9f00b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/typecheck.yml"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` unpinned: `container/services image: ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 40764, "scanner": "repobility-supply-chain", "fingerprint": "be69153e4c6b7b8950dfe8d15bcb23a6d664f6aaad15b902a908354da3dd19d9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|be69153e4c6b7b8950dfe8d15bcb23a6d664f6aaad15b902a908354da3dd19d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/typecheck.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Swatinem/rust-cache` pinned to mutable ref `@v2`: `uses: Swatinem/rust-cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 40763, "scanner": "repobility-supply-chain", "fingerprint": "2462eecc09b74ef6b8e08e02040eab17eaf292ed919a5406d8a3e797cc1d58f9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2462eecc09b74ef6b8e08e02040eab17eaf292ed919a5406d8a3e797cc1d58f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/typecheck.yml"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 40762, "scanner": "repobility-supply-chain", "fingerprint": "2dc2d22194e28d510f8b6362a0bbe87b7997227e3bbd6c508f8a6f131c610a71", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2dc2d22194e28d510f8b6362a0bbe87b7997227e3bbd6c508f8a6f131c610a71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/typecheck.yml"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 40761, "scanner": "repobility-supply-chain", "fingerprint": "925062eab3270c94550ed9abbf1a2fa5ad230c1aa4918cefa6f8926a15ffb510", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|925062eab3270c94550ed9abbf1a2fa5ad230c1aa4918cefa6f8926a15ffb510"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/typecheck.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 40760, "scanner": "repobility-supply-chain", "fingerprint": "da0c0c6aee06ccb7ce4b6415203e72182980f91de7f02c35690e8680a1895ecd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|da0c0c6aee06ccb7ce4b6415203e72182980f91de7f02c35690e8680a1895ecd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/typecheck.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` unpinned: `container/services image: ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 40759, "scanner": "repobility-supply-chain", "fingerprint": "628a741adcd9dff503ec39278deb62bd47409bf1805464cfe44c7be9efab8bd5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|628a741adcd9dff503ec39278deb62bd47409bf1805464cfe44c7be9efab8bd5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coverage.yml"}, "region": {"startLine": 105}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` unpinned: `container/services image: ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 40758, "scanner": "repobility-supply-chain", "fingerprint": "3465ef2e985995c4354675eb47eae13af2ab48b3b8a1099d48befb0f0ace4e94", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3465ef2e985995c4354675eb47eae13af2ab48b3b8a1099d48befb0f0ace4e94"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coverage.yml"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` unpinned: `container/services image: ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 40757, "scanner": "repobility-supply-chain", "fingerprint": "c612c3ac2dc59bd6bc6af44e85e486e80963e7fd4f50c66521c8d8c80c0b2351", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c612c3ac2dc59bd6bc6af44e85e486e80963e7fd4f50c66521c8d8c80c0b2351"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coverage.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v5`: `uses: actions/upload-artifact@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 40756, "scanner": "repobility-supply-chain", "fingerprint": "3bc6a7b8a5cdd94508cc972081801a05cc6e2e24ab71ffecef94b7c6d757959b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3bc6a7b8a5cdd94508cc972081801a05cc6e2e24ab71ffecef94b7c6d757959b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coverage.yml"}, "region": {"startLine": 191}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v5`: `uses: actions/download-artifact@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 40755, "scanner": "repobility-supply-chain", "fingerprint": "d8b37a2d018ba40b989d9990cbee70bdbbe2dc560a55a0f0b263e53437986e71", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d8b37a2d018ba40b989d9990cbee70bdbbe2dc560a55a0f0b263e53437986e71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coverage.yml"}, "region": {"startLine": 161}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 40754, "scanner": "repobility-supply-chain", "fingerprint": "d48344002ab5f7bb93f7d500631ba9e3cfcc3df6da9fd1fe5b6685941b090f75", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d48344002ab5f7bb93f7d500631ba9e3cfcc3df6da9fd1fe5b6685941b090f75"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coverage.yml"}, "region": {"startLine": 155}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 40753, "scanner": "repobility-supply-chain", "fingerprint": "ad56b7ade36129d100d0bf6bd09945487a9694afe166b8183dd70eb4574fe84f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ad56b7ade36129d100d0bf6bd09945487a9694afe166b8183dd70eb4574fe84f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coverage.yml"}, "region": {"startLine": 148}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v5`: `uses: actions/upload-artifact@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 40752, "scanner": "repobility-supply-chain", "fingerprint": "9ea1becec50af4f3e369d18bcaa601761971408f6a3ce3bc715ba4ab5e987e73", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9ea1becec50af4f3e369d18bcaa601761971408f6a3ce3bc715ba4ab5e987e73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coverage.yml"}, "region": {"startLine": 134}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 40751, "scanner": "repobility-supply-chain", "fingerprint": "59c2e4d2d24361c2589285e884fad634059352bc13885caaf9235d477d4e357d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|59c2e4d2d24361c2589285e884fad634059352bc13885caaf9235d477d4e357d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coverage.yml"}, "region": {"startLine": 123}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Swatinem/rust-cache` pinned to mutable ref `@v2`: `uses: Swatinem/rust-cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 40750, "scanner": "repobility-supply-chain", "fingerprint": "03a86f05e8e449845e75a216414378cf104414a21782521ca27567523e9ca82f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|03a86f05e8e449845e75a216414378cf104414a21782521ca27567523e9ca82f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coverage.yml"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 40749, "scanner": "repobility-supply-chain", "fingerprint": "42c433175c3095c014f5f3afef6b6cb7986881c4f15a6374be20e7ca76015548", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|42c433175c3095c014f5f3afef6b6cb7986881c4f15a6374be20e7ca76015548"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coverage.yml"}, "region": {"startLine": 110}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v5`: `uses: actions/upload-artifact@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 40748, "scanner": "repobility-supply-chain", "fingerprint": "4b6354e6b0ead88aabdc77002e9f054a738c404130efb06da37ba54b0a107cf0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4b6354e6b0ead88aabdc77002e9f054a738c404130efb06da37ba54b0a107cf0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coverage.yml"}, "region": {"startLine": 94}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Swatinem/rust-cache` pinned to mutable ref `@v2`: `uses: Swatinem/rust-cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 40747, "scanner": "repobility-supply-chain", "fingerprint": "0824b5ba4923f2ee339216b86fb90bae6900133e98b1210a0be2750388908dcd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0824b5ba4923f2ee339216b86fb90bae6900133e98b1210a0be2750388908dcd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coverage.yml"}, "region": {"startLine": 84}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 40746, "scanner": "repobility-supply-chain", "fingerprint": "e1b579319206c29b02a74e900d41332b150efe22fbfc3d774ad70b27d35a813e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e1b579319206c29b02a74e900d41332b150efe22fbfc3d774ad70b27d35a813e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coverage.yml"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v5`: `uses: actions/upload-artifact@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 40745, "scanner": "repobility-supply-chain", "fingerprint": "1af3a3de9899c5d907689e645513c9bc9ec45c1ffb5970c162cf87799eb8c930", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1af3a3de9899c5d907689e645513c9bc9ec45c1ffb5970c162cf87799eb8c930"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coverage.yml"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 40744, "scanner": "repobility-supply-chain", "fingerprint": "4ad81666b5d567f9b4513e47b5bb2cad606a26ab2b74d1eadc07c4e748774041", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4ad81666b5d567f9b4513e47b5bb2cad606a26ab2b74d1eadc07c4e748774041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coverage.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 40743, "scanner": "repobility-supply-chain", "fingerprint": "d8b88c801e5e442dad8b3cd11109fb08c57a16d8bdbac0a9854a0dca27b7fb2e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d8b88c801e5e442dad8b3cd11109fb08c57a16d8bdbac0a9854a0dca27b7fb2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coverage.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:22.04` not pinned by digest: `FROM ubuntu:22.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 40742, "scanner": "repobility-supply-chain", "fingerprint": "a2130180fc21551eed1ae5c13bdea60087e160f80a6eb43f73171bb0b6d925ef", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a2130180fc21551eed1ae5c13bdea60087e160f80a6eb43f73171bb0b6d925ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:22.04` not pinned by digest: `FROM ubuntu:22.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 40741, "scanner": "repobility-supply-chain", "fingerprint": "4fdfc7b68446a5b5aa92088fa6efc43c329079417bef328f9214d553e96559f7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4fdfc7b68446a5b5aa92088fa6efc43c329079417bef328f9214d553e96559f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/Dockerfile"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `debian:bookworm-slim` not pinned by digest: `FROM debian:bookworm-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 40740, "scanner": "repobility-supply-chain", "fingerprint": "62b1315b4d24f8706865920cd1612e39fff84d7128988394e62949af9efb3a2c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|62b1315b4d24f8706865920cd1612e39fff84d7128988394e62949af9efb3a2c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `rust:1.93-bookworm` not pinned by digest: `FROM rust:1.93-bookworm` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 40739, "scanner": "repobility-supply-chain", "fingerprint": "b363c15b15186c6c373054804f54a3180dad217377161d6c38d5c53be174b208", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b363c15b15186c6c373054804f54a3180dad217377161d6c38d5c53be174b208"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 12}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 40738, "scanner": "repobility-journey-contract", "fingerprint": "9022d58f38d9ba9859996f343dcd71104aecd473be9520f586e64c2e5e82ec58", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|295|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/settings/panels/ComposioPanel.tsx"}, "region": {"startLine": 295}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 40737, "scanner": "repobility-journey-contract", "fingerprint": "cdae77bd94c8eccfca9bcb85287df719f2561d0c29a350ad06bc5b95312293c3", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|2741|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/settings/panels/AIPanel.tsx"}, "region": {"startLine": 2741}}}]}, {"ruleId": "DKR001", "level": "error", "message": {"text": "Docker final stage runs as root"}, "properties": {"repobilityId": 40721, "scanner": "repobility-docker", "fingerprint": "a6918b0e3beda1ad5415d1c2ea105971cdd374c76cb27b8e626d783e83676981", "category": "docker", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Final Dockerfile USER resolves to root.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_user": "root", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|a6918b0e3beda1ad5415d1c2ea105971cdd374c76cb27b8e626d783e83676981"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 108}}}]}, {"ruleId": "MINED099", "level": "error", "message": {"text": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. AI assistants frequently leak demo credentials."}, "properties": {"repobilityId": 40686, "scanner": "repobility-threat-engine", "fingerprint": "4a472e0eb51c3cdd1ccce514b5f4df0f03726b9aa98ee723d86c0bb646e87d5a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "hardcoded-secret", "owasp": "A07:2021", "cwe_ids": ["CWE-798"], "languages": [], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 8, "observations_count": 88419, "ai_coder_pattern_id": 9}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4a472e0eb51c3cdd1ccce514b5f4df0f03726b9aa98ee723d86c0bb646e87d5a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/openhuman/memory/tree/jobs/redact.rs"}, "region": {"startLine": 164}}}]}, {"ruleId": "MINED099", "level": "error", "message": {"text": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. AI assistants frequently leak demo credentials."}, "properties": {"repobilityId": 40685, "scanner": "repobility-threat-engine", "fingerprint": "37c8023b929165844afd831e68be43f7732994a358495168a77e7d77330692cb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "hardcoded-secret", "owasp": "A07:2021", "cwe_ids": ["CWE-798"], "languages": [], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 8, "observations_count": 88419, "ai_coder_pattern_id": 9}, "scanner": "repobility-threat-engine", "correlation_key": "fp|37c8023b929165844afd831e68be43f7732994a358495168a77e7d77330692cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/openhuman/agent_experience/types.rs"}, "region": {"startLine": 128}}}]}, {"ruleId": "MINED021", "level": "error", "message": {"text": "[MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain \"../\" \u2014 directory escape."}, "properties": {"repobilityId": 40682, "scanner": "repobility-threat-engine", "fingerprint": "b59816beb8237690c6cdb7f16aee644c67329442ab2ea6639f979d08ea480989", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "path-traversal-os-join", "owasp": "A01:2021", "cwe_ids": ["CWE-22"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347947+00:00", "triaged_in_corpus": 15, "observations_count": 45678, "ai_coder_pattern_id": 31}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b59816beb8237690c6cdb7f16aee644c67329442ab2ea6639f979d08ea480989"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/test-proactive-welcome.sh"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 40681, "scanner": "repobility-threat-engine", "fingerprint": "a739c295651354cc3cd302a705fe613873ebf0cd49bc577ac5f15697269e6288", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a739c295651354cc3cd302a705fe613873ebf0cd49bc577ac5f15697269e6288"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/mock-api/socket/websocket.mjs"}, "region": {"startLine": 84}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "properties": {"repobilityId": 40673, "scanner": "repobility-threat-engine", "fingerprint": "64f9ab56420f78c0bd9a2806d44c86fc8c07a0e6eb2932655c32d7d90e5b6a1b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Access-Control-Allow-Origin\": \"*\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|64f9ab56420f78c0bd9a2806d44c86fc8c07a0e6eb2932655c32d7d90e5b6a1b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/mock-api/http.mjs"}, "region": {"startLine": 2}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 40672, "scanner": "repobility-threat-engine", "fingerprint": "3ac8dee03754375485c775184c31b1d7c3178a128a8117adfb008076f0f2c0c4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(rule", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3ac8dee03754375485c775184c31b1d7c3178a128a8117adfb008076f0f2c0c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/mock-api/server.mjs"}, "region": {"startLine": 128}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 40671, "scanner": "repobility-threat-engine", "fingerprint": "0c2467dfafc4037a1559c08d2f88a94f867df59aaa479d6cdea8e41362b2f90e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(pattern", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0c2467dfafc4037a1559c08d2f88a94f867df59aaa479d6cdea8e41362b2f90e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/cancel-stale-pr-ci.mjs"}, "region": {"startLine": 106}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "properties": {"repobilityId": 40668, "scanner": "repobility-threat-engine", "fingerprint": "c220aae4940aeae4b91288a27f8492ce771fd0d45bfe1d0fcbfedc13e1b5d6f4", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(r'^Architecture:\\s+' + re.escape(arch)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|scripts/build-apt-repo.sh|35|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/build-apt-repo.sh"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 40667, "scanner": "repobility-threat-engine", "fingerprint": "846f666fc942781c756e93018bf5f7f0d864e95d344ca3e9e3f2b80e758d2203", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((sentence) => `- ${truncate(sentence, 90)}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|846f666fc942781c756e93018bf5f7f0d864e95d344ca3e9e3f2b80e758d2203"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/mock-api/routes/llm/dynamic.mjs"}, "region": {"startLine": 123}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 40666, "scanner": "repobility-threat-engine", "fingerprint": "a130a704f682c35fdc64a283e801c5f91c5fcff72fb84f4320a2968882f0d4cd", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([k, v]) => `${k}=${JSON.stringify(String(v))}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a130a704f682c35fdc64a283e801c5f91c5fcff72fb84f4320a2968882f0d4cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/act-staging.sh"}, "region": {"startLine": 61}}}]}, {"ruleId": "SEC018", "level": "error", "message": {"text": "[SEC018] AI-Agent Secret Retrieval Command: A command that prints or embeds credentials was committed. AI coding agents often add these commands while trying to help with setup or deployment, but they can leak live secrets through logs, shell history, CI output, or documentation."}, "properties": {"repobilityId": 40665, "scanner": "repobility-threat-engine", "fingerprint": "6d173e086266afd3eb778ba9ec4336022313ada8bcd5996716656cea7ac8b97b", "category": "credential_exposure", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "gh auth token", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC018", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|scripts/act-staging.sh|12|gh auth token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/act-staging.sh"}, "region": {"startLine": 127}}}]}, {"ruleId": "SEC018", "level": "error", "message": {"text": "[SEC018] AI-Agent Secret Retrieval Command: A command that prints or embeds credentials was committed. AI coding agents often add these commands while trying to help with setup or deployment, but they can leak live secrets through logs, shell history, CI output, or documentation."}, "properties": {"repobilityId": 40664, "scanner": "repobility-threat-engine", "fingerprint": "33ef39654f20473eb235cee21b2aed00b1540b102e69e7617e8085551654f6fd", "category": "credential_exposure", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "gh auth token", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC018", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|7|gh auth token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/act-build-desktop.sh"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 40661, "scanner": "repobility-threat-engine", "fingerprint": "b92016bccb4df8db6e9ff9045cb2602c5d37b33f1b6e89b2032e2f90394dc095", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b92016bccb4df8db6e9ff9045cb2602c5d37b33f1b6e89b2032e2f90394dc095"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/store/notificationSlice.ts"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 40660, "scanner": "repobility-threat-engine", "fingerprint": "be94d774b9d9dafb908f05ba026e75c99d73c013eb45f1abcf8ff12b64a0c5e6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|be94d774b9d9dafb908f05ba026e75c99d73c013eb45f1abcf8ff12b64a0c5e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/store/accountsSlice.ts"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 40653, "scanner": "repobility-threat-engine", "fingerprint": "ad6806818731143276c77d330aaaa94bfc89196268b59e84c81ea633ea9b9513", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "console.log(`[telegram-mock] ${method} token=<redacted>, 8)", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|5|console.log telegram-mock method token redacted 8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/mock-api/routes/telegram.mjs"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 40651, "scanner": "repobility-threat-engine", "fingerprint": "1350d36a4b245daf44e5dda78948c2110368b94816c3c79a91c3655ca5e17116", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(agent", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1350d36a4b245daf44e5dda78948c2110368b94816c3c79a91c3655ca5e17116"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/agent-batch/lib.mjs"}, "region": {"startLine": 116}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 40650, "scanner": "repobility-threat-engine", "fingerprint": "b1f8b95126f8990cf23551204017cc251d15120f62460830b1e8ff5fee447aef", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(input", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b1f8b95126f8990cf23551204017cc251d15120f62460830b1e8ff5fee447aef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/pages/conversations/utils/workerThreadRef.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 40649, "scanner": "repobility-threat-engine", "fingerprint": "881b0b483f6582a6d226f231f925faffa0fbb0d9773baa8151d0890e5e0d7600", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(content", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|881b0b483f6582a6d226f231f925faffa0fbb0d9773baa8151d0890e5e0d7600"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/pages/conversations/utils/format.ts"}, "region": {"startLine": 111}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 40637, "scanner": "repobility-threat-engine", "fingerprint": "1d4daba1fd129f49c17819a0cb9e2cb7e674feae2397701db30d328d37c7354e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "next.delete(id);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1d4daba1fd129f49c17819a0cb9e2cb7e674feae2397701db30d328d37c7354e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/intelligence/SubconsciousReflectionCards.tsx"}, "region": {"startLine": 147}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 40636, "scanner": "repobility-threat-engine", "fingerprint": "fc05835c48d40b94ff6a9b13c8c90a2ccf7ec4081d29c4f1a02f30487fd21f1d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "next.delete(sig);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fc05835c48d40b94ff6a9b13c8c90a2ccf7ec4081d29c4f1a02f30487fd21f1d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/composio/TriggerToggles.tsx"}, "region": {"startLine": 105}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 40635, "scanner": "repobility-threat-engine", "fingerprint": "37f0323e9a98e60d817168fede110359fe1115c65b9363abac1dfbf8da467960", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Promise.all(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|37f0323e9a98e60d817168fede110359fe1115c65b9363abac1dfbf8da467960"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/channels/mcp/McpServersTab.tsx"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 40606, "scanner": "repobility-threat-engine", "fingerprint": "18adbbeb55767e274cf8212895aed6a1defdd3eab7ef9c6ed5eef4b6405fa4d5", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(i", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|18adbbeb55767e274cf8212895aed6a1defdd3eab7ef9c6ed5eef4b6405fa4d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/accounts/RespondQueuePanel.tsx"}, "region": {"startLine": 82}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 40605, "scanner": "repobility-threat-engine", "fingerprint": "2ca64332ca1d6678374417fee6e2c103c86853b89eed313d03f54c149badc6c9", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(L", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2ca64332ca1d6678374417fee6e2c103c86853b89eed313d03f54c149badc6c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/ErrorFallbackScreen.tsx"}, "region": {"startLine": 98}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 40604, "scanner": "repobility-threat-engine", "fingerprint": "85434884486fd4e105401331a5c9910e0e1683ce8c89d2cddab7f6add812326b", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|85434884486fd4e105401331a5c9910e0e1683ce8c89d2cddab7f6add812326b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/deep_link_ipc_windows.rs"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 40602, "scanner": "repobility-threat-engine", "fingerprint": "1378597b92e22ace0c72025d66a338bef86ec06a1f7f6ee3ce23a19a429267a9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1378597b92e22ace0c72025d66a338bef86ec06a1f7f6ee3ce23a19a429267a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/file_logging.rs"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 40601, "scanner": "repobility-threat-engine", "fingerprint": "6214893ad99bd0c741c77c6b275c4e013cd35d7ac047e1b669577beaaa1d0f0c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6214893ad99bd0c741c77c6b275c4e013cd35d7ac047e1b669577beaaa1d0f0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/fake_camera/mod.rs"}, "region": {"startLine": 193}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 40600, "scanner": "repobility-threat-engine", "fingerprint": "880b9e1a74bd4248c90ab7620b1feeb64b03f74c08e2f6748cb99922f72c9072", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|880b9e1a74bd4248c90ab7620b1feeb64b03f74c08e2f6748cb99922f72c9072"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/companion_commands.rs"}, "region": {"startLine": 30}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 5194, "scanner": "repobility-journey-contract", "fingerprint": "1232694db8c2b2fc5cecfba646d9c6ae31fbf053f3eac027f687dded4384d329", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|465|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/settings/panels/BackendProviderPanel.tsx"}, "region": {"startLine": 465}}}]}, {"ruleId": "JRN004", "level": "error", "message": {"text": "Consent is collected in UI without visible backend audit persistence"}, "properties": {"repobilityId": 5193, "scanner": "repobility-journey-contract", "fingerprint": "47b063b78c9a78d360378ac42736eb6afeb9cf92693b821682b6b83ae82cad74", "category": "auth", "severity": "high", "confidence": 0.78, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "Frontend consent wording was found, but backend consent/audit metadata was not visible.", "evidence": {"rule_id": "JRN004", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "code|auth|token|519|jrn004", "backend_consent_model": false, "backend_audit_signal_count": 0}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/composio/ComposioConnectModal.tsx"}, "region": {"startLine": 519}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 5182, "scanner": "repobility-docker", "fingerprint": "b942048308d9a1df4ccd79cb9bba15a44e57079daee70c2d67ff135c171c0e51", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|b942048308d9a1df4ccd79cb9bba15a44e57079daee70c2d67ff135c171c0e51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/Dockerfile"}, "region": {"startLine": 35}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 5181, "scanner": "repobility-docker", "fingerprint": "1711f825ac45df78e3a4d6f0de2a7c6f0153a0312b9d855bf07616f139b56f4d", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|1711f825ac45df78e3a4d6f0de2a7c6f0153a0312b9d855bf07616f139b56f4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/Dockerfile"}, "region": {"startLine": 30}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 5177, "scanner": "repobility-docker", "fingerprint": "61773614b6c44909c6ba1fbcbe9381ccf2968b4c062a24692a4515456f2f87af", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|61773614b6c44909c6ba1fbcbe9381ccf2968b4c062a24692a4515456f2f87af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/Dockerfile"}, "region": {"startLine": 52}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 5176, "scanner": "repobility-docker", "fingerprint": "b38a7d84de644662090102786f9677b2b25ff23cbe9537cca643e3d6d93de5cb", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|b38a7d84de644662090102786f9677b2b25ff23cbe9537cca643e3d6d93de5cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/Dockerfile"}, "region": {"startLine": 46}}}]}, {"ruleId": "JRN001", "level": "error", "message": {"text": "Token handoff appears to use a callback URL or fragment"}, "properties": {"repobilityId": 40732, "scanner": "repobility-journey-contract", "fingerprint": "1df562c4a41d6fd03da330f9a417acc47fe334ea3e6efe1d8fe3acdb25a32818", "category": "auth", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Callback/redirect wording, token-in-URL syntax, and navigation code appear near each other.", "evidence": {"rule_id": "JRN001", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html", "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|251|jrn001"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/oauth/OAuthProviderButton.tsx"}, "region": {"startLine": 251}}}]}, {"ruleId": "MINED013", "level": "error", "message": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "properties": {"repobilityId": 40691, "scanner": "repobility-threat-engine", "fingerprint": "68515b815993df2d7d2a425270920ba65207a2fdbc005394659cf976d997f626", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "password-in-url", "owasp": "A07:2021", "cwe_ids": ["CWE-200"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347928+00:00", "triaged_in_corpus": 20, "observations_count": 121646, "ai_coder_pattern_id": 37}, "scanner": "repobility-threat-engine", "correlation_key": "fp|68515b815993df2d7d2a425270920ba65207a2fdbc005394659cf976d997f626"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/openhuman/wallet/rpc.rs"}, "region": {"startLine": 195}}}]}, {"ruleId": "MINED013", "level": "error", "message": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "properties": {"repobilityId": 40690, "scanner": "repobility-threat-engine", "fingerprint": "5d98d5c55f429b2b9c0442f23267100f14ba65bacfaadf61c75519c5bb75bd2e", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "password-in-url", "owasp": "A07:2021", "cwe_ids": ["CWE-200"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347928+00:00", "triaged_in_corpus": 20, "observations_count": 121646, "ai_coder_pattern_id": 37}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5d98d5c55f429b2b9c0442f23267100f14ba65bacfaadf61c75519c5bb75bd2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/openhuman/memory/tree/util/redact.rs"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED013", "level": "error", "message": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "properties": {"repobilityId": 40689, "scanner": "repobility-threat-engine", "fingerprint": "4ba8aa121578b92a046c9b4386fff343efdacc67c1894e10aff1a64693d7e5bb", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "password-in-url", "owasp": "A07:2021", "cwe_ids": ["CWE-200"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347928+00:00", "triaged_in_corpus": 20, "observations_count": 121646, "ai_coder_pattern_id": 37}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4ba8aa121578b92a046c9b4386fff343efdacc67c1894e10aff1a64693d7e5bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/openhuman/memory/tree/jobs/redact.rs"}, "region": {"startLine": 186}}}]}, {"ruleId": "SEC019", "level": "error", "message": {"text": "[SEC019] Raw Authorization Token in Example: A real-looking API token appears in an Authorization-style header or service-key example. Use placeholders in docs and CI snippets; never paste live tokens into source, comments, or README files."}, "properties": {"repobilityId": 40688, "scanner": "repobility-threat-engine", "fingerprint": "3330eedba6e2d21e124b3576d171670b765335978153f162e7a049c4ebf02c7f", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Authorization: Bearer <redacted>", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC019", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|13|authorization: bearer redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/openhuman/memory/tree/jobs/redact.rs"}, "region": {"startLine": 137}}}]}, {"ruleId": "MINED007", "level": "error", "message": {"text": "[MINED007] Sql String Concat: cursor.execute(f\"... {user_input} ...\") \u2014 SQL injection."}, "properties": {"repobilityId": 40687, "scanner": "repobility-threat-engine", "fingerprint": "a716b52bc632dbbc309270da44c6c0f7728ed4a508714cc689610895bf06a02b", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "sql-string-concat", "owasp": "A03:2021", "cwe_ids": ["CWE-89"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347914+00:00", "triaged_in_corpus": 20, "observations_count": 210457, "ai_coder_pattern_id": 12}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a716b52bc632dbbc309270da44c6c0f7728ed4a508714cc689610895bf06a02b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/openhuman/integrations/twilio.rs"}, "region": {"startLine": 198}}}]}, {"ruleId": "SEC010", "level": "error", "message": {"text": "[SEC010] Cloud Provider Token: Cloud provider or SaaS API token found in source code."}, "properties": {"repobilityId": 40684, "scanner": "repobility-threat-engine", "fingerprint": "77ab4178fb1cf9116e203670175d9172423df880e0d3a6b03bde6e00cf289425", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "xoxb-1234567890-abcdEFG", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC010", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|16|xoxb-1234567890-abcdefg"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/openhuman/memory/tree/jobs/redact.rs"}, "region": {"startLine": 164}}}]}, {"ruleId": "SEC010", "level": "error", "message": {"text": "[SEC010] Cloud Provider Token: Cloud provider or SaaS API token found in source code."}, "properties": {"repobilityId": 40683, "scanner": "repobility-threat-engine", "fingerprint": "bba088f442548024b2f2f26690510c0491a156faff2eec4e24196baf2c236419", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "sk-abcdefghijklmnopqrstuvwxyz123456", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC010", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|12|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/openhuman/agent_experience/types.rs"}, "region": {"startLine": 128}}}]}]}]}