{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "DKR003", "name": "Compose service `thclaws` image uses the latest tag", "shortDescription": {"text": "Compose service `thclaws` image uses the latest tag"}, "fullDescription": {"text": "Pin to a maintained version tag or digest and update it deliberately through dependency automation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "AGT013", "name": "Agent auto-approve or skip-permissions mode is easy to enable", "shortDescription": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "fullDescription": {"text": "Require an explicit isolated profile for auto-approve modes. Keep safe defaults interactive, add visible warnings, and block these modes when the workspace contains secrets or production deploy credentials."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. 
Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_LARGE_FILES", "name": "Average file size is 587 lines (recommend <300)", "shortDescription": {"text": "Average file size is 587 lines (recommend <300)"}, "fullDescription": {"text": "Refactor large files by extracting related functions into separate modules. Target files with 300+ lines first. 
Use the Single Responsibility Principle \u2014 each module should have one clear purpose."}, "properties": {"scanner": "repobility-core", "category": "quality", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "CRYP001", "name": "Crypto \u2014 plaintext HTTP for sensitive endpoint", "shortDescription": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "fullDescription": {"text": "Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"scanner": "repobility", "category": "crypto", "severity": "medium", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. Log non-quota failures for diagnostics."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. 
They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. 
Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Dockerfile base image is selected through a build variable", "shortDescription": {"text": "Dockerfile base image is selected through a build variable"}, "fullDescription": {"text": "Resolve the variable to a versioned tag or digest in production builds and document the allowed images."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "info", "confidence": 0.48, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or neve", "shortDescription": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.", "shortDescription": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED066", "name": "[MINED066] Rust Panic Macro (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED066] Rust Panic Macro (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED059", "name": "[MINED059] Rust Expect In Prod (and 9 more): Same pattern found in 9 additional files. Review if needed.", "shortDescription": {"text": "[MINED059] Rust Expect In Prod (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED003", "name": "[MINED003] Rust Unwrap In Prod (and 27 more): Same pattern found in 27 additional files. 
Review if needed.", "shortDescription": {"text": "[MINED003] Rust Unwrap In Prod (and 27 more): Same pattern found in 27 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 1 more): Same pattern found in 1 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 2 more): Same pattern found in 2 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 2 more): Same pattern found in 2 additional files. 
Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves", "shortDescription": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. 
Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files co"}, "fullDescription": {"text": "Replace with: `uses: actions/download-artifact@<40-char-sha>  # v8` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. 
The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SUPC001", "name": "Supply chain \u2014 curl | bash anti-pattern", "shortDescription": {"text": "Supply chain \u2014 curl | bash anti-pattern"}, "fullDescription": {"text": "curl ... | sh / bash \u2014 runs unverified network code."}, "properties": {"scanner": "repobility", "category": "supply_chain", "severity": "high", "confidence": 0.85, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/217"}, "properties": {"repository": "thClaws/thClaws", "repoUrl": "https://github.com/thClaws/thClaws", "branch": "main"}, "results": [{"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `thclaws` image uses the latest tag"}, "properties": {"repobilityId": 49250, "scanner": "repobility-docker", "fingerprint": "d73b3b69d47a59793740199fa1de3d50d358c4bd621c5254512dc5c9083e0dfd", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "thclaws/thclaws:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|d73b3b69d47a59793740199fa1de3d50d358c4bd621c5254512dc5c9083e0dfd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "AGT013", "level": 
"warning", "message": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "properties": {"repobilityId": 49245, "scanner": "repobility-agent-runtime", "fingerprint": "c81a15e53f25cc755992cc76316172c5534040212ecd15ee7eb9d34ccabc0f6d", "category": "quality", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File exposes or configures a broad agent auto-approval mode without enough local guard wording.", "evidence": {"rule_id": "AGT013", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|c81a15e53f25cc755992cc76316172c5534040212ecd15ee7eb9d34ccabc0f6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "user-manual-th/ch26-gui-shells.md"}, "region": {"startLine": 185}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 49244, "scanner": "repobility-agent-runtime", "fingerprint": "869e81b9cd54fd1f5b084473938e5636c6276f728f70c37d9cb86a9fc9cf1828", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|869e81b9cd54fd1f5b084473938e5636c6276f728f70c37d9cb86a9fc9cf1828"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "user-manual-th/ch05-permissions.md"}, "region": {"startLine": 121}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 49243, "scanner": "repobility-agent-runtime", "fingerprint": "d11c378536e8a7eb994172fb4d2b7b006c11d793b7c2f105f910f2f41dc11426", "category": "dependency", 
"severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|d11c378536e8a7eb994172fb4d2b7b006c11d793b7c2f105f910f2f41dc11426"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "user-manual-th/ch02-installation.md"}, "region": {"startLine": 270}}}]}, {"ruleId": "AGT013", "level": "warning", "message": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "properties": {"repobilityId": 49242, "scanner": "repobility-agent-runtime", "fingerprint": "ed0d695b4ca2ad53d44858f162535e6aec3498cb4b353b07c978504963622284", "category": "quality", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File exposes or configures a broad agent auto-approval mode without enough local guard wording.", "evidence": {"rule_id": "AGT013", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|ed0d695b4ca2ad53d44858f162535e6aec3498cb4b353b07c978504963622284"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "user-manual/ch26-gui-shells.md"}, "region": {"startLine": 189}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 49241, "scanner": "repobility-agent-runtime", "fingerprint": "a682b2e2907a115789a3c676407c90611b1c8040eba7d4e072933febb4c5c91c", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": 
"repobility-agent-runtime", "references": [], "correlation_key": "fp|a682b2e2907a115789a3c676407c90611b1c8040eba7d4e072933febb4c5c91c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "user-manual/ch05-permissions.md"}, "region": {"startLine": 106}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 49217, "scanner": "repobility-threat-engine", "fingerprint": "d9dc023ca7b17bec9c7a345866e2485043989553443f5b6cd1ee83da0412b8ce", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d9dc023ca7b17bec9c7a345866e2485043989553443f5b6cd1ee83da0412b8ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/ShellPicker.tsx"}, "region": {"startLine": 179}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 49212, "scanner": "repobility-threat-engine", "fingerprint": "e3d3da64d5781a08ce78a5985f1e8666de2df1155ae22a2c210f946bb566814e", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|95|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/TeamView.tsx"}, "region": {"startLine": 95}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 49211, "scanner": "repobility-threat-engine", "fingerprint": "1923a8efc40e296a69493aa888f07b1077364abbb8868b9b1f3526730c504101", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|crates/core/src/util.rs|165|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/util.rs"}, "region": {"startLine": 165}}}]}, {"ruleId": "CORE_LARGE_FILES", "level": "warning", "message": {"text": "Average file size is 587 lines (recommend <300)"}, "properties": {"repobilityId": 49182, "scanner": "repobility-core", "fingerprint": "568634fb3a9f8e5bae2d94ce0bb40540448d89b21f87bf1d77724097cf26460e", "category": "quality", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_LARGE_FILES", "scanner": "repobility-core", "correlation_key": "fp|568634fb3a9f8e5bae2d94ce0bb40540448d89b21f87bf1d77724097cf26460e"}}}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13476, "scanner": "repobility", "fingerprint": "11804508f694076b20f0e8f1b38ec39b", "category": "crypto", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/tools/bash.rs"}, "region": {"startLine": 848}}}]}, {"ruleId": "CRYP001", 
"level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13475, "scanner": "repobility", "fingerprint": "1f345fa801f102c7228413e959bc6806", "category": "crypto", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/tools/bash.rs"}, "region": {"startLine": 847}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13474, "scanner": "repobility", "fingerprint": "112135e5328b990488c32a9217b7ac59", "category": "crypto", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/tools/bash.rs"}, "region": {"startLine": 846}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13473, "scanner": "repobility", "fingerprint": "125a8a816ccf2dd13e710a9e121215f3", "category": "crypto", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/tools/bash.rs"}, "region": {"startLine": 845}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive 
endpoint"}, "properties": {"repobilityId": 13472, "scanner": "repobility", "fingerprint": "17c331c339c529acb9e65a35e9904bf6", "category": "crypto", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/tools/bash.rs"}, "region": {"startLine": 844}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13471, "scanner": "repobility", "fingerprint": "44468c9f735a50e4bb28642cc83fbd90", "category": "crypto", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/tools/bash.rs"}, "region": {"startLine": 843}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13470, "scanner": "repobility", "fingerprint": "c490b8b23dd75573381dc1716198dad5", "category": "crypto", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/tools/bash.rs"}, "region": {"startLine": 744}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13469, "scanner": "repobility", 
"fingerprint": "c581475cb4161cbf885d6ef0f32b4bf1", "category": "crypto", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/usage.rs"}, "region": {"startLine": 215}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13468, "scanner": "repobility", "fingerprint": "a68f7b2e08c293bb473f6a0a989c78a3", "category": "crypto", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/gui.rs"}, "region": {"startLine": 894}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13467, "scanner": "repobility", "fingerprint": "dea6176bb822b4e304656bae8e579079", "category": "crypto", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/gui.rs"}, "region": {"startLine": 891}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13466, "scanner": "repobility", "fingerprint": "2c6ef67a2de0889bee534a8dfd7cddc3", "category": "crypto", "severity": "medium", 
"confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/mcp.rs"}, "region": {"startLine": 894}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13465, "scanner": "repobility", "fingerprint": "ee7c5d04ca96736809a6301c97d6c3e0", "category": "crypto", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/mcp.rs"}, "region": {"startLine": 893}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13464, "scanner": "repobility", "fingerprint": "f8c45b66d3dab99e2642411fa907ac13", "category": "crypto", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/mcp.rs"}, "region": {"startLine": 885}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 6906, "scanner": "repobility-threat-engine", "fingerprint": "81a3f7faf0426e76666febf61cd6b47ac48d0c6079d77c23f6bc2982b0cfd0f5", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "fixed", 
"verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|81a3f7faf0426e76666febf61cd6b47ac48d0c6079d77c23f6bc2982b0cfd0f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "paperclip-adapter/src/server/execute.ts"}, "region": {"startLine": 140}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 6901, "scanner": "repobility-agent-runtime", "fingerprint": "74b75c4d73d3ff3f7010ec871b499476a24a3301bb24534887a9a5c3a727e8a9", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|74b75c4d73d3ff3f7010ec871b499476a24a3301bb24534887a9a5c3a727e8a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "user-manual-th/ch11-built-in-tools.md"}, "region": {"startLine": 35}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 6900, "scanner": "repobility-agent-runtime", "fingerprint": "11cf02f63d33a9c24429cb0f84dc1d30ae79c566ebcfc1ad97a6dc04f619316a", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", 
"references": [], "correlation_key": "fp|11cf02f63d33a9c24429cb0f84dc1d30ae79c566ebcfc1ad97a6dc04f619316a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "user-manual-th/ch05-permissions.md"}, "region": {"startLine": 66}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 6899, "scanner": "repobility-agent-runtime", "fingerprint": "547e6452a95591d572299cc70ad79a6001ad724be52a2c3830342a29cc11700f", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|547e6452a95591d572299cc70ad79a6001ad724be52a2c3830342a29cc11700f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "user-manual-th/ch02-installation.md"}, "region": {"startLine": 144}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 6898, "scanner": "repobility-agent-runtime", "fingerprint": "1a1145b9cfc9a6eca9c4d5ddcf01ce61e4b33a8408c26d99d762a2a3c51e3e3a", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|1a1145b9cfc9a6eca9c4d5ddcf01ce61e4b33a8408c26d99d762a2a3c51e3e3a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "user-manual/ch11-built-in-tools.md"}, "region": {"startLine": 35}}}]}, {"ruleId": "AGT015", "level": 
"warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 6897, "scanner": "repobility-agent-runtime", "fingerprint": "1bc8fd7c0c98bd236c14e21bf4a105bee59e88049552e1429db9d055e3b90dbb", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|1bc8fd7c0c98bd236c14e21bf4a105bee59e88049552e1429db9d055e3b90dbb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "user-manual/ch05-permissions.md"}, "region": {"startLine": 49}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 6896, "scanner": "repobility-agent-runtime", "fingerprint": "0f29259d90a343316aafad9ff912aeb588c17651e52a6a60047e5785068d40f4", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|0f29259d90a343316aafad9ff912aeb588c17651e52a6a60047e5785068d40f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/ModelPickerModal.tsx"}, "region": {"startLine": 33}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6892, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"80c09a99cec787181e8c98b4423780889c74b3e66df39994f29800fae80ab6da", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/BackgroundAgentsSidebar.tsx", "duplicate_line": 175, "correlation_key": "fp|80c09a99cec787181e8c98b4423780889c74b3e66df39994f29800fae80ab6da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/KmsBrowserSidebar.tsx"}, "region": {"startLine": 76}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6888, "scanner": "repobility-ai-code-hygiene", "fingerprint": "47f89fd64e9b4df37663550992ceb2d3398ca496cc0e64baa837015522606e33", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/core/src/providers/ollama_cloud.rs", "duplicate_line": 26, "correlation_key": "fp|47f89fd64e9b4df37663550992ceb2d3398ca496cc0e64baa837015522606e33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/providers/opencode_go.rs"}, "region": {"startLine": 67}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6887, "scanner": "repobility-ai-code-hygiene", "fingerprint": "74c21d4b82153686968d3841559dc38dfa34e8dee2c7dc736d35889187a49042", "category": "quality", 
"severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/core/src/providers/ollama.rs", "duplicate_line": 74, "correlation_key": "fp|74c21d4b82153686968d3841559dc38dfa34e8dee2c7dc736d35889187a49042"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/providers/opencode_go.rs"}, "region": {"startLine": 66}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6886, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a4caf9780f65b4c01ca81902922b08bf625b9e889fab22c724abfe3c19747ca9", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/core/src/providers/ollama.rs", "duplicate_line": 214, "correlation_key": "fp|a4caf9780f65b4c01ca81902922b08bf625b9e889fab22c724abfe3c19747ca9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/providers/openai_responses.rs"}, "region": {"startLine": 215}}}]}, {"ruleId": "CORE_LARGE_FILES", "level": "warning", "message": {"text": "Average file size is 648 lines (recommend <300)"}, "properties": {"repobilityId": 6883, "scanner": "repobility-core", "fingerprint": "bc42845f26419b885af3fae72e68a077bfe1e7b2d2982557857b41ce65bbb397", "category": "quality", "severity": "medium", "confidence": null, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", 
"evidence": {"rule_id": "CORE_LARGE_FILES", "scanner": "repobility-core", "correlation_key": "fp|bc42845f26419b885af3fae72e68a077bfe1e7b2d2982557857b41ce65bbb397"}}}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 49252, "scanner": "repobility-docker", "fingerprint": "872241b558b8b55f0767215f26cef5dfe392937f22388c51aff5d3085caa3aad", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "thclaws", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|872241b558b8b55f0767215f26cef5dfe392937f22388c51aff5d3085caa3aad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 49251, "scanner": "repobility-docker", "fingerprint": "d13962a2b9173e3fa084872a692b6ec0ca7339b49b835f3a4337900bfadfc6f4", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "thclaws", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|d13962a2b9173e3fa084872a692b6ec0ca7339b49b835f3a4337900bfadfc6f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": 
".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 49249, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": ["id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49240, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4a364757b42bcc824aceb2430cbf6083a5f0793831e82ab5c353294fea2d60bc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/BackgroundAgentsSidebar.tsx", "duplicate_line": 175, "correlation_key": "fp|4a364757b42bcc824aceb2430cbf6083a5f0793831e82ab5c353294fea2d60bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/TodoSidebar.tsx"}, "region": {"startLine": 57}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49239, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"fa126f5becc2b99c81193c65e00c28b93b426b08c86f82229db83e1ae580dfd4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/KmsBrowserSidebar.tsx", "duplicate_line": 77, "correlation_key": "fp|fa126f5becc2b99c81193c65e00c28b93b426b08c86f82229db83e1ae580dfd4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/TodoSidebar.tsx"}, "region": {"startLine": 41}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49238, "scanner": "repobility-ai-code-hygiene", "fingerprint": "152a529f42885e43be41d2cdb0dca6b9f07ad70b51ca04e8dbff484cb808ce94", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/LineConnectModal.tsx", "duplicate_line": 86, "correlation_key": "fp|152a529f42885e43be41d2cdb0dca6b9f07ad70b51ca04e8dbff484cb808ce94"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/TelegramConnectModal.tsx"}, "region": {"startLine": 111}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49237, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9e83d0f569c7ecbf8259281fef43b3b3e237361387b42b46f70caf1aa5c353f9", "category": "quality", "severity": "low", 
"confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/FilesView.tsx", "duplicate_line": 17, "correlation_key": "fp|9e83d0f569c7ecbf8259281fef43b3b3e237361387b42b46f70caf1aa5c353f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/Sidebar.tsx"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49236, "scanner": "repobility-ai-code-hygiene", "fingerprint": "eb1938b5371640fd36649fb78dcd43d83464ade36f8372c0a341195180495a50", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/KmsBrowserSidebar.tsx", "duplicate_line": 77, "correlation_key": "fp|eb1938b5371640fd36649fb78dcd43d83464ade36f8372c0a341195180495a50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/ResearchSidebar.tsx"}, "region": {"startLine": 143}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49235, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9f7f02622c211cfdc042225b95b7a11726f5e2f88472ea2c63760bb3bf759c31", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code 
window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/BackgroundAgentsSidebar.tsx", "duplicate_line": 185, "correlation_key": "fp|9f7f02622c211cfdc042225b95b7a11726f5e2f88472ea2c63760bb3bf759c31"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/PlanSidebar.tsx"}, "region": {"startLine": 107}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49234, "scanner": "repobility-ai-code-hygiene", "fingerprint": "eb61caf22b8daacff6d200ea71d01d113d2bbd55dea6822733621907e23b3b78", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/LineConnectModal.tsx", "duplicate_line": 39, "correlation_key": "fp|eb61caf22b8daacff6d200ea71d01d113d2bbd55dea6822733621907e23b3b78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/MessengerConnectModal.tsx"}, "region": {"startLine": 39}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49233, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2866a0f855e237e8b1848f90d0f3821346ed3354d558e04b7d0daaf38cf6955a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", 
"scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/BackgroundAgentsSidebar.tsx", "duplicate_line": 175, "correlation_key": "fp|2866a0f855e237e8b1848f90d0f3821346ed3354d558e04b7d0daaf38cf6955a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/KmsBrowserSidebar.tsx"}, "region": {"startLine": 91}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49232, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a00b06f68f9ee1aa09de329560ad37f76976f09efba1d9d88e17e888d8e65cdf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/core/src/messenger/headless.rs", "duplicate_line": 53, "correlation_key": "fp|a00b06f68f9ee1aa09de329560ad37f76976f09efba1d9d88e17e888d8e65cdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/workflow/headless.rs"}, "region": {"startLine": 34}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49231, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9d91660a04e58d15a7ebb299522a52079a4180da724bd4597cc60bd23216a89e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"crates/core/src/telegram/session.rs", "duplicate_line": 372, "correlation_key": "fp|9d91660a04e58d15a7ebb299522a52079a4180da724bd4597cc60bd23216a89e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/telegram/topic.rs"}, "region": {"startLine": 47}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49230, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3d39885aa0c239ad4f7ee26f694894d48d4a787c15bab4deda9849c48202842d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/core/src/messenger/headless.rs", "duplicate_line": 51, "correlation_key": "fp|3d39885aa0c239ad4f7ee26f694894d48d4a787c15bab4deda9849c48202842d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/telegram/headless.rs"}, "region": {"startLine": 108}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49229, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c61354e8cebdb5f2ff0b0f50c11c44553b5455475f55ae161fa71945938513f7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/core/src/line/config.rs", "duplicate_line": 54, "correlation_key": 
"fp|c61354e8cebdb5f2ff0b0f50c11c44553b5455475f55ae161fa71945938513f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/telegram/config.rs"}, "region": {"startLine": 95}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49228, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a4720064e323cf3f65df223ecbbfd23ad8c8164d6050eaa6828e4ba471d3d541", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/core/src/line/client.rs", "duplicate_line": 253, "correlation_key": "fp|a4720064e323cf3f65df223ecbbfd23ad8c8164d6050eaa6828e4ba471d3d541"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/telegram/client.rs"}, "region": {"startLine": 259}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49227, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0670e5d5ba5967d4020863039dbfabaec194be9a8d280ebd370d5f2719b9374d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/core/src/messenger/approver.rs", "duplicate_line": 90, "correlation_key": "fp|0670e5d5ba5967d4020863039dbfabaec194be9a8d280ebd370d5f2719b9374d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"crates/core/src/telegram/approver.rs"}, "region": {"startLine": 108}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49226, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cb6b5906f5670d8953d4e5e0de2b09c31684e1e845d8caaa556e1c97d1541baf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/core/src/line/approver.rs", "duplicate_line": 43, "correlation_key": "fp|cb6b5906f5670d8953d4e5e0de2b09c31684e1e845d8caaa556e1c97d1541baf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/telegram/approver.rs"}, "region": {"startLine": 51}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49225, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e446c0f4bdd7956d7aa5d2748663a114578655ad79dfd54884b8f3d25b22b473", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/core/src/line/config.rs", "duplicate_line": 54, "correlation_key": "fp|e446c0f4bdd7956d7aa5d2748663a114578655ad79dfd54884b8f3d25b22b473"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/messenger/config.rs"}, "region": {"startLine": 53}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated 
implementation block across source files"}, "properties": {"repobilityId": 49224, "scanner": "repobility-ai-code-hygiene", "fingerprint": "516c45b717f421a861f55209f25f7a071ddf3d9726611f5550893b1ae6df0f4c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/core/src/line/client.rs", "duplicate_line": 23, "correlation_key": "fp|516c45b717f421a861f55209f25f7a071ddf3d9726611f5550893b1ae6df0f4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/messenger/client.rs"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49223, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2a99b8340decb1ec91a3e1648e65a2089efdc009f723039aa76dc9ac18e1f6cd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/core/src/line/bootstrap.rs", "duplicate_line": 42, "correlation_key": "fp|2a99b8340decb1ec91a3e1648e65a2089efdc009f723039aa76dc9ac18e1f6cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/messenger/bootstrap.rs"}, "region": {"startLine": 42}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49222, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"33c554aa7cf65d7a4f36a2c719f89c4d9c5de8e8d079b526b700968bc48c942b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/core/src/line/approver.rs", "duplicate_line": 9, "correlation_key": "fp|33c554aa7cf65d7a4f36a2c719f89c4d9c5de8e8d079b526b700968bc48c942b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/messenger/approver.rs"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49221, "scanner": "repobility-ai-code-hygiene", "fingerprint": "88d93b9c6745d0c060321fa6cfe508116d4c047c3e9c7433677a0c1c913ecf67", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/core/src/gui_shell/registry.rs", "duplicate_line": 118, "correlation_key": "fp|88d93b9c6745d0c060321fa6cfe508116d4c047c3e9c7433677a0c1c913ecf67"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/gui_shell/serve.rs"}, "region": {"startLine": 118}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49220, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8c6614666dca5aabc2d5108cb517f4b120472350c92509ecb1528172e62bfc37", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": 
"open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/core/src/api_v1/deploy.rs", "duplicate_line": 12, "correlation_key": "fp|8c6614666dca5aabc2d5108cb517f4b120472350c92509ecb1528172e62bfc37"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/deploy_client.rs"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 49193, "scanner": "repobility-threat-engine", "fingerprint": "1ecd19f4de309fbf1e7c503a21228fd62b66b897efa7108ec42a48781155e7a9", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = `", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|142|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/assets/gui-shells/session-explorer/main.js"}, "region": {"startLine": 142}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6895, "scanner": "repobility-ai-code-hygiene", "fingerprint": "464ebb4790d63ee4974908103e22c1a86472883fee935db46c321b9813dee834", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test 
files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/KmsBrowserSidebar.tsx", "duplicate_line": 77, "correlation_key": "fp|464ebb4790d63ee4974908103e22c1a86472883fee935db46c321b9813dee834"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/PlanSidebar.tsx"}, "region": {"startLine": 83}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6894, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c0f86c861a73e5a131d604ec658ef88bc0ba3ce7666fd95dde18e4a38cf8ba1c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/ModelPickerDropdown.tsx", "duplicate_line": 173, "correlation_key": "fp|c0f86c861a73e5a131d604ec658ef88bc0ba3ce7666fd95dde18e4a38cf8ba1c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/ModelPickerModal.tsx"}, "region": {"startLine": 179}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6893, "scanner": "repobility-ai-code-hygiene", "fingerprint": "23cfab226d90e3ab5d6599dd85ecd28fd9c8e405b1aff863adfc270d3ec1127a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": 
["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/InstructionsEditorModal.tsx", "duplicate_line": 197, "correlation_key": "fp|23cfab226d90e3ab5d6599dd85ecd28fd9c8e405b1aff863adfc270d3ec1127a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/MarkdownEditor.tsx"}, "region": {"startLine": 64}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6891, "scanner": "repobility-ai-code-hygiene", "fingerprint": "caa4851c6876574e3e7805255948e8eb57ab5e4753dc9c7fe55e7fabcb452b68", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/core/src/tools/docx_edit.rs", "duplicate_line": 112, "correlation_key": "fp|caa4851c6876574e3e7805255948e8eb57ab5e4753dc9c7fe55e7fabcb452b68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/tools/pptx_edit.rs"}, "region": {"startLine": 86}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6890, "scanner": "repobility-ai-code-hygiene", "fingerprint": "13aef6d89c064d6944ac7e9c5a1f38aab55f35f62a0af5a7eb7777353860a086", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/core/src/tools/docx_edit.rs", "duplicate_line": 216, "correlation_key": 
"fp|13aef6d89c064d6944ac7e9c5a1f38aab55f35f62a0af5a7eb7777353860a086"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/tools/pptx_create.rs"}, "region": {"startLine": 216}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6889, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c963ee60a504f3b8600241cedaea8a3999d334064ec2d9add425c639be0b4de8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/core/src/tools/kms.rs", "duplicate_line": 378, "correlation_key": "fp|c963ee60a504f3b8600241cedaea8a3999d334064ec2d9add425c639be0b4de8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/tools/memory.rs"}, "region": {"startLine": 133}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6885, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d370ffbadbeb0e4212bcd4dc021dcebd3322b29badedf27bdbf63f8368754baf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/core/src/providers/ollama_cloud.rs", "duplicate_line": 138, "correlation_key": "fp|d370ffbadbeb0e4212bcd4dc021dcebd3322b29badedf27bdbf63f8368754baf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"crates/core/src/providers/openai_responses.rs"}, "region": {"startLine": 148}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6884, "scanner": "repobility-ai-code-hygiene", "fingerprint": "792ff2a077b6b83125322f4e28c96dc4166b0f2ea40f1f65f0d246221954c327", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/core/src/providers/ollama.rs", "duplicate_line": 73, "correlation_key": "fp|792ff2a077b6b83125322f4e28c96dc4166b0f2ea40f1f65f0d246221954c327"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/providers/ollama_cloud.rs"}, "region": {"startLine": 24}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 49248, "scanner": "repobility-docker", "fingerprint": "f815e70b10fc8cfee6884a5dbf758e212fab7cc16f1c5084028d347ebcddd518", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${RUNTIME_BASE}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|f815e70b10fc8cfee6884a5dbf758e212fab7cc16f1c5084028d347ebcddd518"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 69}}}]}, {"ruleId": "DKR002", "level": "none", 
"message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 49247, "scanner": "repobility-docker", "fingerprint": "c2aad20c161028ec3cfd311e052444898d5e66680b8a1f882fb0185092da575c", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "rust:${RUST_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|c2aad20c161028ec3cfd311e052444898d5e66680b8a1f882fb0185092da575c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 43}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 49246, "scanner": "repobility-docker", "fingerprint": "e82a37b0ba0366caab19b55eebb3331e2795ed75c21101bb8df110cbee7631a4", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "node:${NODE_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|e82a37b0ba0366caab19b55eebb3331e2795ed75c21101bb8df110cbee7631a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX 
escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 49219, "scanner": "repobility-threat-engine", "fingerprint": "dead10f141e03f73393a1b7633cddd2389908b3ff79118670f5f5375c1e4fe59", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dead10f141e03f73393a1b7633cddd2389908b3ff79118670f5f5375c1e4fe59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/TeamView.tsx"}, "region": {"startLine": 253}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 49216, "scanner": "repobility-threat-engine", "fingerprint": "059226b953c2cb2eea6d4bf29e2af14148db792e95a8fa2f49e72b0480202d45", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|059226b953c2cb2eea6d4bf29e2af14148db792e95a8fa2f49e72b0480202d45"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/ShellView.tsx"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 49215, "scanner": "repobility-threat-engine", "fingerprint": "d661ad9fbba4252a658187064d363a63d09fb22804b725c180a68154031ccf46", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d661ad9fbba4252a658187064d363a63d09fb22804b725c180a68154031ccf46"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/ShellPicker.tsx"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 49214, "scanner": "repobility-threat-engine", "fingerprint": "9e9ae833504936ed8d83a57d63a40b80607f11ae1f7ab63ea7b63bf43681bdde", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9e9ae833504936ed8d83a57d63a40b80607f11ae1f7ab63ea7b63bf43681bdde"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/hooks/useIPC.ts"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 49213, "scanner": "repobility-threat-engine", "fingerprint": "800842721fba45b0d8d81f62ea4ed8a2bfe5f7ac44cc4d32c4d025bf5adcc1a4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|800842721fba45b0d8d81f62ea4ed8a2bfe5f7ac44cc4d32c4d025bf5adcc1a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/SettingsMenu.tsx"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 49210, "scanner": "repobility-threat-engine", "fingerprint": "62ff231053d16ded91f5d63a99a8b7f9a8d879f1bee1b23442cfa6701d92f730", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|62ff231053d16ded91f5d63a99a8b7f9a8d879f1bee1b23442cfa6701d92f730", "aggregated_count": 2}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 49209, "scanner": "repobility-threat-engine", "fingerprint": "c0d29a0cf79169a58896bf3d7c51dec1078aff51f88d770cf00e650c3fcebed0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c0d29a0cf79169a58896bf3d7c51dec1078aff51f88d770cf00e650c3fcebed0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/messenger/config.rs"}, "region": {"startLine": 191}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 49208, "scanner": "repobility-threat-engine", "fingerprint": "8c02a5260dfc25cb1f2007695b6c5b93b9c6157b77635948e04a79738d485295", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8c02a5260dfc25cb1f2007695b6c5b93b9c6157b77635948e04a79738d485295"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/line/config.rs"}, "region": {"startLine": 195}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 49207, "scanner": "repobility-threat-engine", "fingerprint": "42ab638e0f9441587b2cae54205ef77d1c5f2c9c3bcb2088caf974a190b5d296", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|42ab638e0f9441587b2cae54205ef77d1c5f2c9c3bcb2088caf974a190b5d296"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/external_url.rs"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro (and 3 more): Same pattern found in 3 additional files. 
Review if needed."}, "properties": {"repobilityId": 49206, "scanner": "repobility-threat-engine", "fingerprint": "9a22336672f8eb2fb76d4ab7671c851ff41a605bfb058736772199ac2ea0f56e", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|9a22336672f8eb2fb76d4ab7671c851ff41a605bfb058736772199ac2ea0f56e", "aggregated_count": 3}}}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. 
Use Result for recoverable errors."}, "properties": {"repobilityId": 49205, "scanner": "repobility-threat-engine", "fingerprint": "9e06f2b92199f6c5b04f9406c56c0d1333dca37312e2d89766754dd6fff4ab29", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9e06f2b92199f6c5b04f9406c56c0d1333dca37312e2d89766754dd6fff4ab29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/messenger/client.rs"}, "region": {"startLine": 300}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. 
Use Result for recoverable errors."}, "properties": {"repobilityId": 49204, "scanner": "repobility-threat-engine", "fingerprint": "09d697c1bf640cafaa848b47ff2624711d98751b6b76fc5bd1d706f2fd54c396", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|09d697c1bf640cafaa848b47ff2624711d98751b6b76fc5bd1d706f2fd54c396"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/line/protocol.rs"}, "region": {"startLine": 127}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. 
Use Result for recoverable errors."}, "properties": {"repobilityId": 49203, "scanner": "repobility-threat-engine", "fingerprint": "840845468ee414fe4ca74cb00d0051c24d0010e7b7a073883c5c258b6eaf0df0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|840845468ee414fe4ca74cb00d0051c24d0010e7b7a073883c5c258b6eaf0df0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/cancel.rs"}, "region": {"startLine": 162}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 49202, "scanner": "repobility-threat-engine", "fingerprint": "e927f12b033e03c4349e7f79ee95ac2789482e181969a09e588da4b23ab9a911", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|e927f12b033e03c4349e7f79ee95ac2789482e181969a09e588da4b23ab9a911", "aggregated_count": 9}}}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 49201, "scanner": "repobility-threat-engine", "fingerprint": "fb14b2756617c937a3a7319f3bd7b901d3a27dfe0cc8f7c923de81225a83bad1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fb14b2756617c937a3a7319f3bd7b901d3a27dfe0cc8f7c923de81225a83bad1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/line/upload.rs"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics same as unwrap with a custom message."}, "properties": {"repobilityId": 49200, "scanner": "repobility-threat-engine", "fingerprint": "11e409ad2e0e59a91a7696c9275aa6b5c090344f48daeb2fa0e19a3e8ad77c8e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|11e409ad2e0e59a91a7696c9275aa6b5c090344f48daeb2fa0e19a3e8ad77c8e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/commands.rs"}, "region": {"startLine": 243}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics same as unwrap with a custom message."}, "properties": {"repobilityId": 49199, "scanner": "repobility-threat-engine", "fingerprint": "aed180b25e72aeee4690a3f2eaaef76359266185a8eef6432250b1566e1506ad", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|aed180b25e72aeee4690a3f2eaaef76359266185a8eef6432250b1566e1506ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/api_v1/oauth_callback.rs"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED003", "level": "none", "message": {"text": "[MINED003] Rust Unwrap In Prod (and 27 more): Same pattern found in 27 additional files. Review if needed."}, "properties": {"repobilityId": 49198, "scanner": "repobility-threat-engine", "fingerprint": "6294f71c8a1ee19869694f4881b62e6942323a56ee28ec995161c9265d7388c9", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 27 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|6294f71c8a1ee19869694f4881b62e6942323a56ee28ec995161c9265d7388c9", "aggregated_count": 27}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 49192, "scanner": "repobility-threat-engine", "fingerprint": "cc07645e876682a166fd3dba0a5d2cf326adc5a723695b2f98363564154ad938", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cc07645e876682a166fd3dba0a5d2cf326adc5a723695b2f98363564154ad938"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/hooks/useIPC.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 49191, "scanner": "repobility-threat-engine", "fingerprint": "b8e167d8bc6a8aa1d96320347e4cd98f510aa5977628a85a44ef6571576a9cde", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b8e167d8bc6a8aa1d96320347e4cd98f510aa5977628a85a44ef6571576a9cde"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/assets/gui-shell-bridge.js"}, "region": {"startLine": 107}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 1 more): Same pattern found in 1 additional file. Review if needed."}, "properties": {"repobilityId": 49190, "scanner": "repobility-threat-engine", "fingerprint": "8a77ffb0a8fcdda223aabe32cdaf0e5bdc6cae13db4c9684d2f2d4932a1285a8", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrence found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrence found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8a77ffb0a8fcdda223aabe32cdaf0e5bdc6cae13db4c9684d2f2d4932a1285a8"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 49186, "scanner": "repobility-threat-engine", "fingerprint": "821cba61ed8ca9932fa4a20b298f5d896106f8bf2152c246419c88b94424b756", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|821cba61ed8ca9932fa4a20b298f5d896106f8bf2152c246419c88b94424b756"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security (and 1 more): Same pattern found in 1 additional file. Review if needed."}, "properties": {"repobilityId": 6905, "scanner": "repobility-threat-engine", "fingerprint": "7b9ccdd419b3878e3d2ec8efb74d8ee23f94729fa3ed8ff97305e33614909ea3", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrence found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrence found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|7b9ccdd419b3878e3d2ec8efb74d8ee23f94729fa3ed8ff97305e33614909ea3"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 6904, "scanner": "repobility-threat-engine", "fingerprint": "68418923ebc6fd489b5164c365ab8e09e4f132fdab115faba51c894adf2a9da1", "category": "crypto", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "code|crypto|token|40|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/Sidebar.tsx"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 6903, "scanner": "repobility-threat-engine", "fingerprint": "710b865af4fddcc38bd761c1561ca3ece53560d1b752c997423e3c89972fe189", "category": "crypto", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "code|crypto|token|150|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/KmsGraphView.tsx"}, "region": {"startLine": 150}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 6902, "scanner": "repobility-threat-engine", "fingerprint": "3fe1c1e0d346428a1b0f3c3307eb295e934b608334e4d5e94ebcd2f2032491ac", "category": "crypto", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "code|crypto|token|34|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/FilesView.tsx"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 49278, "scanner": "repobility-supply-chain", "fingerprint": "755a77a51c2a342571cd5a6e39edf1fe6b97cd9a930efb3e52fee2c79aeab34a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|755a77a51c2a342571cd5a6e39edf1fe6b97cd9a930efb3e52fee2c79aeab34a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 150}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Swatinem/rust-cache` pinned to mutable ref `@v2`: `uses: Swatinem/rust-cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 49276, "scanner": "repobility-supply-chain", "fingerprint": "37a6cd6bf15f1ed4920c2c6cb346fb261a2269404e2864a9a5e103ed3480037e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|37a6cd6bf15f1ed4920c2c6cb346fb261a2269404e2864a9a5e103ed3480037e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 142}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`: `uses: dtolnay/rust-toolchain@stable` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 49274, "scanner": "repobility-supply-chain", "fingerprint": "41051f8ce247fdba23662ffeba6521503d78fe63b52cbd872bf8fcfb249559d7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|41051f8ce247fdba23662ffeba6521503d78fe63b52cbd872bf8fcfb249559d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 141}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 49272, "scanner": "repobility-supply-chain", "fingerprint": "66ec154a36dbc800d7cc25371e3fa6ae3520734ab81345d3b0d1296a76b1dbab", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|66ec154a36dbc800d7cc25371e3fa6ae3520734ab81345d3b0d1296a76b1dbab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 140}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 49270, "scanner": "repobility-supply-chain", "fingerprint": "d7df14c61bc9660a393269a4f8956f8fc292f737fc6d32d79ab452a3fc4924ee", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d7df14c61bc9660a393269a4f8956f8fc292f737fc6d32d79ab452a3fc4924ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 110}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Swatinem/rust-cache` pinned to mutable ref `@v2`: `uses: Swatinem/rust-cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 49269, "scanner": "repobility-supply-chain", "fingerprint": "d55ca3c63f00f15e058b08dd8a38dc3ea8149d9d9862a9d5b143c3aea550fb97", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d55ca3c63f00f15e058b08dd8a38dc3ea8149d9d9862a9d5b143c3aea550fb97"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`: `uses: dtolnay/rust-toolchain@stable` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 49268, "scanner": "repobility-supply-chain", "fingerprint": "0c493936ed3f24f181fc697ba81cdc61872963e12c42dc08aa90139d937c7b1f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0c493936ed3f24f181fc697ba81cdc61872963e12c42dc08aa90139d937c7b1f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 49267, "scanner": "repobility-supply-chain", "fingerprint": "9695ba2e39e581ab7264543baef185af7568d6a4fe9c4e911961665e4910e5c8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9695ba2e39e581ab7264543baef185af7568d6a4fe9c4e911961665e4910e5c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 49266, "scanner": "repobility-supply-chain", "fingerprint": "8ec9799fc5376f356531b741f1efc3a9f359c4228ea6d7483063da13a4c522a0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8ec9799fc5376f356531b741f1efc3a9f359c4228ea6d7483063da13a4c522a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Swatinem/rust-cache` pinned to mutable ref `@v2`: `uses: Swatinem/rust-cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 49264, "scanner": "repobility-supply-chain", "fingerprint": "a15eff4e8dd3a6b5feda38064928609068c8e94c1c9f57b208e0ad9084d3b977", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a15eff4e8dd3a6b5feda38064928609068c8e94c1c9f57b208e0ad9084d3b977"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`: `uses: dtolnay/rust-toolchain@stable` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 49263, "scanner": "repobility-supply-chain", "fingerprint": "c99d29ad2ff5fda3dd8d12eeef42e0bdd6f1ddeea6a36e61b6ca506270ae27ad", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c99d29ad2ff5fda3dd8d12eeef42e0bdd6f1ddeea6a36e61b6ca506270ae27ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 49262, "scanner": "repobility-supply-chain", "fingerprint": "d38c1a5dd50295175f684e4c2a7c2dc5d8c5b2d1e3983fc11de77f65d221c1f9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d38c1a5dd50295175f684e4c2a7c2dc5d8c5b2d1e3983fc11de77f65d221c1f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 49261, "scanner": "repobility-supply-chain", "fingerprint": "1360f8facab651355860b04a3d286f242a969681f16be72f26a60ae7b4238c0a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1360f8facab651355860b04a3d286f242a969681f16be72f26a60ae7b4238c0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v5`: `uses: actions/setup-node@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 49260, "scanner": "repobility-supply-chain", "fingerprint": "3fd31c17f41fe482a55eef3a11f5a515006998e5683c47c06e6d165fa64b6d88", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3fd31c17f41fe482a55eef3a11f5a515006998e5683c47c06e6d165fa64b6d88"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v6`: `uses: pnpm/action-setup@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 49259, "scanner": "repobility-supply-chain", "fingerprint": "ef13e96e04c0ce6b6a4449bb4cbd1967dc25e2cd37e650c5530af67879c7631b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ef13e96e04c0ce6b6a4449bb4cbd1967dc25e2cd37e650c5530af67879c7631b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 49258, "scanner": "repobility-supply-chain", "fingerprint": "c588b0e0d293af0cc07145bc149c30b5a1e31005f92b610b6abfa25b59984964", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c588b0e0d293af0cc07145bc149c30b5a1e31005f92b610b6abfa25b59984964"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`: `uses: dtolnay/rust-toolchain@stable` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 49257, "scanner": "repobility-supply-chain", "fingerprint": "b497fdd05bfe7bf6a80eaab674236ce293b58df14a84860386862542b30688e3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b497fdd05bfe7bf6a80eaab674236ce293b58df14a84860386862542b30688e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 49256, "scanner": "repobility-supply-chain", "fingerprint": "682129dde065631a778d56fa38753d8e99534a2c266a4e4fdd0b5a65bed04c59", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|682129dde065631a778d56fa38753d8e99534a2c266a4e4fdd0b5a65bed04c59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 49255, "scanner": "repobility-supply-chain", "fingerprint": "46bb83656e9d4112dae5ce6e3f303d3f2042711b259390c8a39701bef82550dc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|46bb83656e9d4112dae5ce6e3f303d3f2042711b259390c8a39701bef82550dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cargo-audit.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`: `uses: dtolnay/rust-toolchain@stable` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 49254, "scanner": "repobility-supply-chain", "fingerprint": "bd4dc5df623d7ce15f5f5eece3a81f7bc5b1baaaa47f7967eb8012770b3362b9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bd4dc5df623d7ce15f5f5eece3a81f7bc5b1baaaa47f7967eb8012770b3362b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cargo-audit.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 49253, "scanner": "repobility-supply-chain", "fingerprint": "d6542357d1c4bcc3c97234c684db78faecb805d2643a014ab06dd0697dd21411", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d6542357d1c4bcc3c97234c684db78faecb805d2643a014ab06dd0697dd21411"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cargo-audit.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 49218, "scanner": "repobility-threat-engine", "fingerprint": "4c7c9b2d241a5d2ef6930e0b0069a62405a89bf159942505f14a5ce7d0ffa2f3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(escaped", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4c7c9b2d241a5d2ef6930e0b0069a62405a89bf159942505f14a5ce7d0ffa2f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/TeamView.tsx"}, "region": {"startLine": 95}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 49197, "scanner": "repobility-threat-engine", "fingerprint": "f33c6ea8664c5f19e968c063d42eb228be897fc424f4ebfec6440cf5c811a1c3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f33c6ea8664c5f19e968c063d42eb228be897fc424f4ebfec6440cf5c811a1c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/commands.rs"}, "region": {"startLine": 183}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 49196, "scanner": "repobility-threat-engine", "fingerprint": "7b84dff7ee698a8fdfe8dd856a8324879b1a56716c26633bd6048a3fcbf0709a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7b84dff7ee698a8fdfe8dd856a8324879b1a56716c26633bd6048a3fcbf0709a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/auto_learn.rs"}, "region": {"startLine": 200}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 49195, "scanner": "repobility-threat-engine", "fingerprint": "157617ebf7a01ed3ed76df96560d9582d3d7158e3391957feb3d39a7c8c6c056", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|157617ebf7a01ed3ed76df96560d9582d3d7158e3391957feb3d39a7c8c6c056"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/api_v1/info.rs"}, "region": {"startLine": 322}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 49194, "scanner": "repobility-threat-engine", "fingerprint": "f710bfe615d31e90de9602555ff1b50cfd299fed9bad4bf6232984d07d71df0d", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".innerHTML = `<div class=\"id\">${escapeHtml(row.id)}</div><div class=\"title\">${escapeHtml(row.snippet", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f710bfe615d31e90de9602555ff1b50cfd299fed9bad4bf6232984d07d71df0d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/assets/gui-shells/session-explorer/main.js"}, "region": {"startLine": 142}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 49189, "scanner": "repobility-threat-engine", "fingerprint": "096a3729ea4f1775d9375185ca51fa187a532c7bc5753d275c847fa74f272646", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "view.destroy();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|096a3729ea4f1775d9375185ca51fa187a532c7bc5753d275c847fa74f272646"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/CodeEditor.tsx"}, "region": {"startLine": 168}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 49188, "scanner": "repobility-threat-engine", "fingerprint": "c65867ead46221f38a8a613e97b655ae525f78e70e0725d80680fa9f0f7d13ac", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "store.save();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c65867ead46221f38a8a613e97b655ae525f78e70e0725d80680fa9f0f7d13ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/api_v1/oauth_callback.rs"}, "region": {"startLine": 156}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 49187, "scanner": "repobility-threat-engine", "fingerprint": "bac77d7b4da529017ce8079df6e267174df94b31690ff2d0323a060225f65c17", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "pending.delete(data.replyTo);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bac77d7b4da529017ce8079df6e267174df94b31690ff2d0323a060225f65c17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/assets/gui-shell-bridge.js"}, "region": {"startLine": 96}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 49185, "scanner": "repobility-threat-engine", "fingerprint": "7975498ee453f6642bc8c2f55fc739a55b5dc2f2213cb58538e8f0571ffbaa6b", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7975498ee453f6642bc8c2f55fc739a55b5dc2f2213cb58538e8f0571ffbaa6b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/messenger/client.rs"}, "region": {"startLine": 148}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 49184, "scanner": "repobility-threat-engine", "fingerprint": "38a9b2faf0e5f2e8de6dcdade9c5b011775f3f8e8ee49457869b11a3c52e98ac", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|38a9b2faf0e5f2e8de6dcdade9c5b011775f3f8e8ee49457869b11a3c52e98ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/external_url.rs"}, "region": {"startLine": 17}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 49183, "scanner": "repobility-threat-engine", "fingerprint": "75b0236f0d7ec5a611306d9dae9edf464eca88a7b8813c9c1f48feec0ec1c85a", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(l", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|75b0236f0d7ec5a611306d9dae9edf464eca88a7b8813c9c1f48feec0ec1c85a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/assets/gui-shell-bridge.js"}, "region": {"startLine": 28}}}]}, {"ruleId": "SUPC001", "level": "error", "message": {"text": "Supply chain \u2014 curl | bash anti-pattern"}, "properties": {"repobilityId": 15518, "scanner": "repobility", "fingerprint": "5feb980b2ec58297796d15200122de54", "category": "supply_chain", "severity": "high", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "curl http://x)\"));\n        assert!(is_destructive_command(\"python <(curl http://x)\"));\n        assert!(is_destructive_command(\"cat script.sh | bash", "aljefra_cwe": ["CWE-494"], "aljefra_owasp": "A08:2021", "aljefra_pattern_slug": "curl-pipe-bash"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/tools/bash.rs"}, "region": {"startLine": 847}}}]}, {"ruleId": "SUPC001", "level": "error", "message": {"text": "Supply chain \u2014 curl | bash anti-pattern"}, "properties": {"repobilityId": 15517, "scanner": "repobility", "fingerprint": "7fe09475b1937f1bdb6217fcc2a17772", "category": "supply_chain", "severity": "high", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "curl 
http://x | bash", "aljefra_cwe": ["CWE-494"], "aljefra_owasp": "A08:2021", "aljefra_pattern_slug": "curl-pipe-bash"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/tools/bash.rs"}, "region": {"startLine": 843}}}]}, {"ruleId": "SUPC001", "level": "error", "message": {"text": "Supply chain \u2014 curl | bash anti-pattern"}, "properties": {"repobilityId": 15516, "scanner": "repobility", "fingerprint": "540a76aff89685940059bb98475623bf", "category": "supply_chain", "severity": "high", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "curl http://x | sh", "aljefra_cwe": ["CWE-494"], "aljefra_owasp": "A08:2021", "aljefra_pattern_slug": "curl-pipe-bash"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/tools/bash.rs"}, "region": {"startLine": 744}}}]}, {"ruleId": "SUPC001", "level": "error", "message": {"text": "Supply chain \u2014 curl | bash anti-pattern"}, "properties": {"repobilityId": 15515, "scanner": "repobility", "fingerprint": "d7f1b4eeb1a6bfddb8a4614959c07eca", "category": "supply_chain", "severity": "high", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "curl ... | sh", "aljefra_cwe": ["CWE-494"], "aljefra_owasp": "A08:2021", "aljefra_pattern_slug": "curl-pipe-bash"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/tools/bash.rs"}, "region": {"startLine": 619}}}]}]}]}