{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "JRN002", "name": "Browser storage is used for session token material", "shortDescription": {"text": "Browser storage is used for session token material"}, "fullDescription": {"text": "localStorage and sessionStorage are readable by injected JavaScript. For sensitive sessions, this turns XSS into account compromise."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. 
Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 0.45, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Agent, MCP, sidecar, and command bridge servers often start as local helpers. 
Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AGT006", "name": "React interval is created without an explicit cleanup", "shortDescription": {"text": "React interval is created without an explicit cleanup"}, "fullDescription": {"text": "Intervals created in React hooks or components should be cleared on unmount. Missing cleanup can keep stale callbacks alive after recording, polling, or overlay components close."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. 
They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Public websites should publish a robots.txt file so crawlers and AI agents can discover crawl rules and sitemap locations without guessing."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 11 more): Same pattern found in 11 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.", "shortDescription": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.", "shortDescription": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 4 more): Same pattern found in 4 additional fil", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 4 more): Same pattern found in 4 additional files. 
Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 4 more): Same pattern found in 4 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or neve", "shortDescription": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 8 more): Same pattern found in 8 additional files. 
Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 24 more): Same pattern found in 24 additional files", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 24 more): Same pattern found in 24 additional files. Review if needed."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 34 more): Same pattern found in 34 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 34 more): Same pattern found in 34 additional files. 
Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 77 more): Same pattern found in 77 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 77 more): Same pattern found in 77 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security (and 13 more): Same pattern found in 13 additional files. 
Review if needed.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED031", "name": "[MINED031] React Direct State Mutation: this.state.X = Y mutates without setState. React wont re-render.", "shortDescription": {"text": "[MINED031] React Direct State Mutation: this.state.X = Y mutates without setState. React wont re-render."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC135", "name": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without", "shortDescription": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. 
The number-one production-incident pattern we see in AI-generated SaaS code: the AI bu"}, "fullDescription": {"text": "Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip them."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC100", "name": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make ", "shortDescription": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "fullDescription": {"text": "Allowlist specific origins. For dynamic per-request validation, validate against a known list and echo the origin back. 
Never combine wildcard origin with credentials."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `changesets/action` pinned to mutable ref `@v1.7.0`", "shortDescription": {"text": "Action `changesets/action` pinned to mutable ref `@v1.7.0`"}, "fullDescription": {"text": "`uses: changesets/action@v1.7.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED113", "name": "Express POST /authorize has no auth", "shortDescription": {"text": "Express POST /authorize has no auth"}, "fullDescription": {"text": "Express route POST /authorize declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED035", "name": "[MINED035] Js New Function: new Function(...) compiles strings to functions.", "shortDescription": {"text": "[MINED035] Js New Function: new Function(...) 
compiles strings to functions."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-95 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/183"}, "properties": {"repository": "cloudflare/agents", "repoUrl": "https://github.com/cloudflare/agents", "branch": "main"}, "results": [{"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 40255, "scanner": "repobility-journey-contract", "fingerprint": "07a9d43c825d3aebf77e918d0f01cfb3c583d104f54b81a434350c4e8a823161", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|342|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/ai-playground/src/components/McpServers.tsx"}, "region": {"startLine": 342}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. 
Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 40224, "scanner": "repobility-threat-engine", "fingerprint": "c977e1ee124df3b7f35c3990dd58aa51e720efae4f8b3dd90686fc289f6b7a87", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random() * 50 + 50, [width]);\n  return (\n    <motion.div", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c977e1ee124df3b7f35c3990dd58aa51e720efae4f8b3dd90686fc289f6b7a87"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/agents/src/components/agent-visual.tsx"}, "region": {"startLine": 186}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. 
In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 40219, "scanner": "repobility-threat-engine", "fingerprint": "80b6f8362341c14c9b83bff00856ea33780e0a2491ce7ce0ce3e1a28c8c0c620", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url: \"https://example.com", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|80b6f8362341c14c9b83bff00856ea33780e0a2491ce7ce0ce3e1a28c8c0c620"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agents/src/browser/shared.ts"}, "region": {"startLine": 244}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 40113, "scanner": "repobility-threat-engine", "fingerprint": "f3eadda6a2d880c3ce00bd99b9f998cab13be1ce672fb18cf854339ba68b3627", "category": "error_handling", "severity": "medium", "confidence": 0.45, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Pattern matched with no mitigating context found | [R34 auto-suppress: documentation/example path]", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found | [R34 auto-suppress: documentation/example path]", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.45, "correlation_key": "fp|f3eadda6a2d880c3ce00bd99b9f998cab13be1ce672fb18cf854339ba68b3627"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/voice-agent/src/use-sfu-voice.ts"}, "region": {"startLine": 184}}}]}, {"ruleId": "ERR002", "level": "warning", 
"message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 40112, "scanner": "repobility-threat-engine", "fingerprint": "831622942027d0f70d336c3ebc3ef3807f1162b486754d0b155401d9b3bea0f7", "category": "error_handling", "severity": "medium", "confidence": 0.45, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Pattern matched with no mitigating context found | [R34 auto-suppress: documentation/example path]", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found | [R34 auto-suppress: documentation/example path]", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.45, "correlation_key": "fp|831622942027d0f70d336c3ebc3ef3807f1162b486754d0b155401d9b3bea0f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/playground/src/demos/core/CallableDemo.tsx"}, "region": {"startLine": 279}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 40098, "scanner": "repobility-threat-engine", "fingerprint": "8406016bf37185001ee72050a3fd664093b674af9fd72ce58c7bdca6b66914ad", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "window.open(window.location.href, \"_blank\")", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|133|sec041", "duplicate_count": 1, "duplicate_rule_ids": ["SEC041"], "duplicate_scanners": ["repobility-threat-engine"], "duplicate_fingerprints": ["8406016bf37185001ee72050a3fd664093b674af9fd72ce58c7bdca6b66914ad", "b24650bdb79fb497294ffafaf9aeed0bc1a46e631ecee1bd40309edb17d1c852"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/playground/src/demos/core/ConnectionsDemo.tsx"}, "region": {"startLine": 133}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 40096, "scanner": "repobility-threat-engine", "fingerprint": "49227f094f45f54ea56fa3e9d54a8808d95854e36af34041a6d852ce312d61c3", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a href=\"${clientInfo.clientUri}\" target=\"_blank\">", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|97|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/mcp-worker-authenticated/src/auth-handler.ts"}, "region": {"startLine": 97}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 40071, "scanner": "repobility-threat-engine", "fingerprint": "fc4c88321fdb86b13ca0992614cd64fbd2ed43ef00adbc64b3597e7da965619e", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|17|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/playground/src/demos/core/sql-agent.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 40070, "scanner": "repobility-threat-engine", "fingerprint": "e8f2f9f7e7942021d99d00bf68dd46699f6ff327d6a720fedf8f9f4aad094ae7", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|6|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/codemode/src/tools.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 40069, "scanner": "repobility-threat-engine", "fingerprint": "3ea2a4edb0116ec8bcdba81015ec93f0fa13526350340ab1bc3d0875c3e6bf06", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|examples/a2a/src/server.ts|62|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/a2a/src/server.ts"}, "region": {"startLine": 62}}}]}, {"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 5283, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 5282, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": 
"open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 5278, "scanner": "repobility-journey-contract", "fingerprint": "56717165ef0c15dad9252a0c37ec7bd5797534cf06482fda008abf37c6c2edd1", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|339|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/ai-playground/src/components/McpServers.tsx"}, "region": {"startLine": 339}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 5277, "scanner": "repobility-journey-contract", "fingerprint": "86d7c7aa9cff32f189a5c6cdec48592f9425f33d6348599774d740c8d66cbf1b", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", 
"references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|70|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/ai-playground/src/components/McpServers.tsx"}, "region": {"startLine": 70}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 5271, "scanner": "repobility-threat-engine", "fingerprint": "0a049ce8c576f7a3bea8089a78b7ebe47e20e90b7661f4b74681f17f7508aebf", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0a049ce8c576f7a3bea8089a78b7ebe47e20e90b7661f4b74681f17f7508aebf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/worker-bundler/src/bundler.ts"}, "region": {"startLine": 361}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 5270, "scanner": "repobility-threat-engine", "fingerprint": "b1162d8ff9f4fe8e7e4a69a33a0bb48ac993952a079df75ec7ef50c550fbbbb9", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b1162d8ff9f4fe8e7e4a69a33a0bb48ac993952a079df75ec7ef50c550fbbbb9"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "packages/worker-bundler/src/installer.ts"}, "region": {"startLine": 377}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 5269, "scanner": "repobility-threat-engine", "fingerprint": "ed6f9bfe3989842386e6b0a280346f83b42089c1340de2a1910d1fd2039d8217", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ed6f9bfe3989842386e6b0a280346f83b42089c1340de2a1910d1fd2039d8217"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/think/src/think.ts"}, "region": {"startLine": 3469}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 5264, "scanner": "repobility-agent-runtime", "fingerprint": "bc5ac4bbe85d9d177259e2787c898126b85c75d4168669317b669a7928248cb8", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|bc5ac4bbe85d9d177259e2787c898126b85c75d4168669317b669a7928248cb8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agents/src/browser/cdp-session.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "AGT006", "level": "warning", "message": {"text": "React interval is created without an 
explicit cleanup"}, "properties": {"repobilityId": 5263, "scanner": "repobility-agent-runtime", "fingerprint": "a8388768ffa92d985c304d3986bb42fc73ddc859bc2e203c34d80306f1e48a89", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File uses setInterval with useEffect or hook-style code and no clearInterval cleanup was found.", "evidence": {"rule_id": "AGT006", "scanner": "repobility-agent-runtime", "references": ["https://react.dev/reference/react/useEffect"], "correlation_key": "fp|a8388768ffa92d985c304d3986bb42fc73ddc859bc2e203c34d80306f1e48a89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/playground/src/demos/core/ScheduleDemo.tsx"}, "region": {"startLine": 98}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40012, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b062a0168978ba3b6a30e1d14fbc4e0e5935b0cb92a3b6a9e51f4649f663df33", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "guides/anthropic-patterns/vite.config.ts", "duplicate_line": 6, "correlation_key": "fp|b062a0168978ba3b6a30e1d14fbc4e0e5935b0cb92a3b6a9e51f4649f663df33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "guides/human-in-the-loop/vite.config.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40011, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"cba2282e8b06087d0911c00f10540e5c5e8945da3e230eeb6534fb41af4ae0ae", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experimental/session-search/src/server.ts", "duplicate_line": 43, "correlation_key": "fp|cba2282e8b06087d0911c00f10540e5c5e8945da3e230eeb6534fb41af4ae0ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experimental/session-skills/src/server.ts"}, "region": {"startLine": 41}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40010, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9e68ddf2e212ac1675a32d29a83ed298fd991fc76c51eb41605f8184ecd55b7a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experimental/forever-chat/src/client.tsx", "duplicate_line": 31, "correlation_key": "fp|9e68ddf2e212ac1675a32d29a83ed298fd991fc76c51eb41605f8184ecd55b7a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experimental/session-skills/src/client.tsx"}, "region": {"startLine": 82}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40009, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d1da2b4bcada876e0e38c969cf4f1d73d5cc367e63539410814199b4147feb38", "category": "quality", "severity": "low", "confidence": 
0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experimental/gadgets-chat/src/client.tsx", "duplicate_line": 440, "correlation_key": "fp|d1da2b4bcada876e0e38c969cf4f1d73d5cc367e63539410814199b4147feb38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experimental/session-skills/src/client.tsx"}, "region": {"startLine": 81}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40008, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9809c7792b61d0862220ed152e7e7401a57c50ebd0853c693ce8ce4714f5b01c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experimental/session-memory/src/client.tsx", "duplicate_line": 40, "correlation_key": "fp|9809c7792b61d0862220ed152e7e7401a57c50ebd0853c693ce8ce4714f5b01c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experimental/session-skills/src/client.tsx"}, "region": {"startLine": 36}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40007, "scanner": "repobility-ai-code-hygiene", "fingerprint": "43e1a162c793959a36d5cdf53fcc1c483bcec882dcc912ae7a71eb614199a677", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window 
appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experimental/session-memory/src/server.ts", "duplicate_line": 50, "correlation_key": "fp|43e1a162c793959a36d5cdf53fcc1c483bcec882dcc912ae7a71eb614199a677"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experimental/session-search/src/server.ts"}, "region": {"startLine": 58}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40006, "scanner": "repobility-ai-code-hygiene", "fingerprint": "925246ecd54d6b98a403a3295c7606d7b6dd79e03b4a84d59b9d84387af90e54", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experimental/session-multichat/src/server.ts", "duplicate_line": 44, "correlation_key": "fp|925246ecd54d6b98a403a3295c7606d7b6dd79e03b4a84d59b9d84387af90e54"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experimental/session-search/src/server.ts"}, "region": {"startLine": 50}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40005, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d5d090a127f5f2ce475648025444859cd80b1e28f62d6ddaffb639bd115482a5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": 
"repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experimental/forever-chat/src/client.tsx", "duplicate_line": 31, "correlation_key": "fp|d5d090a127f5f2ce475648025444859cd80b1e28f62d6ddaffb639bd115482a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experimental/session-search/src/client.tsx"}, "region": {"startLine": 86}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40004, "scanner": "repobility-ai-code-hygiene", "fingerprint": "38669d4d8624392232335f2dc1c3c60ad9bca7f8bd02e4bcb4db8d59fb561aec", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experimental/gadgets-chat/src/client.tsx", "duplicate_line": 440, "correlation_key": "fp|38669d4d8624392232335f2dc1c3c60ad9bca7f8bd02e4bcb4db8d59fb561aec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experimental/session-search/src/client.tsx"}, "region": {"startLine": 85}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40003, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6c14e91ce0354164212bd2a1b27cae0be8385bc781f1127bef689fb67d8cb476", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"experimental/session-memory/src/client.tsx", "duplicate_line": 1, "correlation_key": "fp|6c14e91ce0354164212bd2a1b27cae0be8385bc781f1127bef689fb67d8cb476"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experimental/session-search/src/client.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40002, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d62b4c92ffb2740c28b8a126d156b20951d51224f4a67c8c1f0f787538629d03", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experimental/session-multichat/src/client.tsx", "duplicate_line": 489, "correlation_key": "fp|d62b4c92ffb2740c28b8a126d156b20951d51224f4a67c8c1f0f787538629d03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experimental/session-planetscale/src/client.tsx"}, "region": {"startLine": 440}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40001, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f1d0c060f800baf424ff81aa6f928fb546c881c566d1b412dad850aeefe99eaf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experimental/forever-chat/src/client.tsx", "duplicate_line": 31, "correlation_key": 
"fp|f1d0c060f800baf424ff81aa6f928fb546c881c566d1b412dad850aeefe99eaf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experimental/session-planetscale/src/client.tsx"}, "region": {"startLine": 87}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40000, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cd55b45207a7737ce1b3a5cc887e0cd9a3bd5f2b1c2ff513bae99c4c8b6098ad", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experimental/gadgets-chat/src/client.tsx", "duplicate_line": 440, "correlation_key": "fp|cd55b45207a7737ce1b3a5cc887e0cd9a3bd5f2b1c2ff513bae99c4c8b6098ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experimental/session-planetscale/src/client.tsx"}, "region": {"startLine": 86}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 39999, "scanner": "repobility-ai-code-hygiene", "fingerprint": "feb971310782974d598645e12829e92a95659d644f9d3f8d9ae0eca4bd18e893", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experimental/session-memory/src/client.tsx", "duplicate_line": 1, "correlation_key": "fp|feb971310782974d598645e12829e92a95659d644f9d3f8d9ae0eca4bd18e893"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "experimental/session-planetscale/src/client.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 39998, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4334423e9ec565d494a37afd1c54963d853c50ff1e87c65b6a5d0afc299ff155", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experimental/session-memory/src/server.ts", "duplicate_line": 8, "correlation_key": "fp|4334423e9ec565d494a37afd1c54963d853c50ff1e87c65b6a5d0afc299ff155"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experimental/session-multichat/src/server.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 39997, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3ebfeac239d7fc4cba99dfd04f20afbb4734405f9a5a26b385cbe89d4aeb82ce", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experimental/gadgets-chat/src/client.tsx", "duplicate_line": 440, "correlation_key": "fp|3ebfeac239d7fc4cba99dfd04f20afbb4734405f9a5a26b385cbe89d4aeb82ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experimental/session-multichat/src/client.tsx"}, "region": {"startLine": 91}}}]}, 
{"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 39996, "scanner": "repobility-ai-code-hygiene", "fingerprint": "19d345010eb4553d0a4eafb7f4ebde9ea76d3f2f54dbcd83dc1a5cd84db089d8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experimental/session-memory/src/client.tsx", "duplicate_line": 34, "correlation_key": "fp|19d345010eb4553d0a4eafb7f4ebde9ea76d3f2f54dbcd83dc1a5cd84db089d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experimental/session-multichat/src/client.tsx"}, "region": {"startLine": 40}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 39995, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5cc386ae9a2ccbc82d374fb8a363a6857442b243a0908870e7fcf157d50bfe44", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experimental/forever-chat/src/client.tsx", "duplicate_line": 6, "correlation_key": "fp|5cc386ae9a2ccbc82d374fb8a363a6857442b243a0908870e7fcf157d50bfe44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experimental/session-multichat/src/client.tsx"}, "region": {"startLine": 2}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": 
{"repobilityId": 5281, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 5280, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 5279, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", 
"evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5262, "scanner": "repobility-ai-code-hygiene", "fingerprint": "381d868c55d15cc51a68568ea7b1aa33a72158ecfdc8b17b1ca21d270a1f7d4a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experimental/forever-chat/src/client.tsx", "duplicate_line": 31, "correlation_key": "fp|381d868c55d15cc51a68568ea7b1aa33a72158ecfdc8b17b1ca21d270a1f7d4a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experimental/session-memory/src/client.tsx"}, "region": {"startLine": 86}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5261, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dcfe25993142ef247f09339673d75c4c7f10f199c5af5d022f647203e5daa6c8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experimental/gadgets-chat/src/client.tsx", 
"duplicate_line": 440, "correlation_key": "fp|dcfe25993142ef247f09339673d75c4c7f10f199c5af5d022f647203e5daa6c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experimental/session-memory/src/client.tsx"}, "region": {"startLine": 85}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5260, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ca0f11156757c9b8b52bac4a61ef45ec7b9fdaae85f3a6e65c21a69180a66913", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experimental/gadgets-gatekeeper/src/server.ts", "duplicate_line": 268, "correlation_key": "fp|ca0f11156757c9b8b52bac4a61ef45ec7b9fdaae85f3a6e65c21a69180a66913"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experimental/gadgets-subagents/src/server.ts"}, "region": {"startLine": 240}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5259, "scanner": "repobility-ai-code-hygiene", "fingerprint": "91c5b78fb6c7eedb07cf4348b69e8bd6eb1e12df073604a498bf7c2cfa8e3c09", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experimental/gadgets-gatekeeper/src/client.tsx", "duplicate_line": 298, "correlation_key": 
"fp|91c5b78fb6c7eedb07cf4348b69e8bd6eb1e12df073604a498bf7c2cfa8e3c09"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experimental/gadgets-subagents/src/client.tsx"}, "region": {"startLine": 246}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5258, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fee2855312f91089cab0ec47bdf923d3243c9be772fb32d4b7554739d8fa7060", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experimental/gadgets-sandbox/src/client.tsx", "duplicate_line": 7, "correlation_key": "fp|fee2855312f91089cab0ec47bdf923d3243c9be772fb32d4b7554739d8fa7060"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experimental/gadgets-subagents/src/client.tsx"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5257, "scanner": "repobility-ai-code-hygiene", "fingerprint": "007eeab24d6955bcefc554ebe74afc0b359a7323e305bb66149df598925b7b27", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experimental/forever-chat/src/client.tsx", "duplicate_line": 5, "correlation_key": "fp|007eeab24d6955bcefc554ebe74afc0b359a7323e305bb66149df598925b7b27"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "experimental/gadgets-subagents/src/client.tsx"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5256, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1002b7ec88392342cae61c204fd1291a680f702810697332317a5e1c219230eb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experimental/gadgets-gatekeeper/src/server.ts", "duplicate_line": 264, "correlation_key": "fp|1002b7ec88392342cae61c204fd1291a680f702810697332317a5e1c219230eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experimental/gadgets-sandbox/src/server.ts"}, "region": {"startLine": 313}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5255, "scanner": "repobility-ai-code-hygiene", "fingerprint": "29f04b640dbac8adb47fff2bbf35bb635c99f80aee60a9474f2fe15d5d3e447a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experimental/gadgets-gatekeeper/src/client.tsx", "duplicate_line": 231, "correlation_key": "fp|29f04b640dbac8adb47fff2bbf35bb635c99f80aee60a9474f2fe15d5d3e447a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experimental/gadgets-sandbox/src/client.tsx"}, "region": {"startLine": 
129}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5254, "scanner": "repobility-ai-code-hygiene", "fingerprint": "34f9874ebab51950c7505238d27bfd6eca646ac09c690386b956097eb719fcf3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experimental/forever-chat/src/client.tsx", "duplicate_line": 2, "correlation_key": "fp|34f9874ebab51950c7505238d27bfd6eca646ac09c690386b956097eb719fcf3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experimental/gadgets-sandbox/src/client.tsx"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5253, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e5962f45969a5ec754032b46397f7a6b15a95500cfee7e6f55c3bb9e6e7617b3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experimental/forever-chat/src/client.tsx", "duplicate_line": 2, "correlation_key": "fp|e5962f45969a5ec754032b46397f7a6b15a95500cfee7e6f55c3bb9e6e7617b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experimental/gadgets-gatekeeper/src/client.tsx"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, 
"properties": {"repobilityId": 5252, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6d4eb8df5f44e6150e0964bb379f2896e2d9f464a2b3ba05a65a2a7bb93c0a7f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experimental/forever-chat/src/client.tsx", "duplicate_line": 31, "correlation_key": "fp|6d4eb8df5f44e6150e0964bb379f2896e2d9f464a2b3ba05a65a2a7bb93c0a7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experimental/gadgets-chat/src/client.tsx"}, "region": {"startLine": 441}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5251, "scanner": "repobility-ai-code-hygiene", "fingerprint": "02cea4b59b5f661083cc161b50914d87f3451c11e556b31e3e6c14e7f4ae4a5f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "experimental/forever-chat/src/client.tsx", "duplicate_line": 32, "correlation_key": "fp|02cea4b59b5f661083cc161b50914d87f3451c11e556b31e3e6c14e7f4ae4a5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experimental/forever-fibers/src/app.tsx"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 40220, "scanner": 
"repobility-threat-engine", "fingerprint": "efdd9aa3bc4d2d5d06a42459346ee9331c213bf07c576e89b62dc23a7c1db4b9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|efdd9aa3bc4d2d5d06a42459346ee9331c213bf07c576e89b62dc23a7c1db4b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agents/src/sub-routing.ts"}, "region": {"startLine": 182}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "properties": {"repobilityId": 40218, "scanner": "repobility-threat-engine", "fingerprint": "fbfe1d7a5bb59f9e559e3cef0bd32ddb8fa0c4b8507ae15e00a98ea5edbf48c0", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 11 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|fbfe1d7a5bb59f9e559e3cef0bd32ddb8fa0c4b8507ae15e00a98ea5edbf48c0", "aggregated_count": 11}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 40217, "scanner": "repobility-threat-engine", "fingerprint": "79daf7cfb71dab713de14106f7f8d1ab9a2e28ee89471cfca20cd4f344e718b2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|79daf7cfb71dab713de14106f7f8d1ab9a2e28ee89471cfca20cd4f344e718b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agents/src/chat/abort-registry.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 40216, "scanner": "repobility-threat-engine", "fingerprint": "b5b32641ef0cde7fc1f7766be9e9e4107b248e299d4cf6184923d46eb977cd75", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b5b32641ef0cde7fc1f7766be9e9e4107b248e299d4cf6184923d46eb977cd75"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agents/src/browser/shared.ts"}, "region": {"startLine": 334}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 40214, "scanner": "repobility-threat-engine", "fingerprint": "1e98155e3dd4ea4c313e7339933b56299965d338a505340843833492bbc0030e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1e98155e3dd4ea4c313e7339933b56299965d338a505340843833492bbc0030e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agents/src/browser/cdp-session.ts"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: `: any` used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 40206, "scanner": "repobility-threat-engine", "fingerprint": "caf8176269167066c55b52cf28ea7b7720bbf567f1c23a9ec49bda1b559de778", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|caf8176269167066c55b52cf28ea7b7720bbf567f1c23a9ec49bda1b559de778"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openai-sdk/call-my-agent/src/client.tsx"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 40203, "scanner": "repobility-threat-engine", "fingerprint": "632955af1152403bb3d3da477ec4d6c6aea71ec30969bcffd80d8c2007263311", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|632955af1152403bb3d3da477ec4d6c6aea71ec30969bcffd80d8c2007263311"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/voice/src/voice-input.ts"}, "region": {"startLine": 107}}}]}, 
{"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 40199, "scanner": "repobility-threat-engine", "fingerprint": "f5cf3e2a69460c8af9d8325d34d05997dd552399d5c67769f1516febbfb097cb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f5cf3e2a69460c8af9d8325d34d05997dd552399d5c67769f1516febbfb097cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agents/src/experimental/memory/session/skills.ts"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 40198, "scanner": "repobility-threat-engine", "fingerprint": "20c1f7e9221854ff8a333244a6c061ce84f689bd568e70626875afbf4cda5336", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|20c1f7e9221854ff8a333244a6c061ce84f689bd568e70626875afbf4cda5336"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "experimental/session-skills/src/server.ts"}, "region": {"startLine": 79}}}]}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 40162, "scanner": "repobility-threat-engine", "fingerprint": "588cbe6635e9107e3f4226ff395bb9d3b8dbc57f8977957784281db9e5f71589", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|588cbe6635e9107e3f4226ff395bb9d3b8dbc57f8977957784281db9e5f71589"}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 40117, "scanner": "repobility-threat-engine", "fingerprint": "384b13d01eca021cad8caa867cbe69ee4fc1353f389030e2ca3b6fe8412f11af", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|384b13d01eca021cad8caa867cbe69ee4fc1353f389030e2ca3b6fe8412f11af"}}}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 40109, "scanner": "repobility-threat-engine", "fingerprint": "c07a12c9d5f45436c83721dcc490266cabfdca7ffd616949e9cf68990d55d95d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c07a12c9d5f45436c83721dcc490266cabfdca7ffd616949e9cf68990d55d95d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/playground/src/components/CodeExplanation.tsx"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 40108, "scanner": "repobility-threat-engine", "fingerprint": "d7f594181ef7d6a707278fd0bbfa9918494cb5e31e08de25eb7881e568738c27", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|d7f594181ef7d6a707278fd0bbfa9918494cb5e31e08de25eb7881e568738c27", "aggregated_count": 8}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 40106, "scanner": "repobility-threat-engine", "fingerprint": "3a9304f5f351d78e7a70c9074d6d382c9d1a7a93777e19c367524525062a1ba5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3a9304f5f351d78e7a70c9074d6d382c9d1a7a93777e19c367524525062a1ba5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/playground/src/demos/core/StateDemo.tsx"}, "region": {"startLine": 280}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 40105, "scanner": "repobility-threat-engine", "fingerprint": "427437e16c714b3e836edfe311af93f0c0a5178a6a79f0d5f61cf6554b4e398e", 
"category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|427437e16c714b3e836edfe311af93f0c0a5178a6a79f0d5f61cf6554b4e398e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/playground/src/demos/core/ConnectionsDemo.tsx"}, "region": {"startLine": 233}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 40104, "scanner": "repobility-threat-engine", "fingerprint": "5b1b9be7dddd922241a37f7c25f9095778e87955fc5a4fce2bd80b998b0ca55f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5b1b9be7dddd922241a37f7c25f9095778e87955fc5a4fce2bd80b998b0ca55f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/playground/src/components/CodeExplanation.tsx"}, "region": {"startLine": 83}}}]}, {"ruleId": "SEC041", "level": "none", "message": {"text": "[SEC041] Tabnabbing 
\u2014 target=\"_blank\" without rel=\"noopener noreferrer\" (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 40101, "scanner": "repobility-threat-engine", "fingerprint": "0eef884db84dc77198cfae04feff1d5e87337621ea6e75bc6e5e06b9220adcd5", "category": "security", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|0eef884db84dc77198cfae04feff1d5e87337621ea6e75bc6e5e06b9220adcd5"}}}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 40094, "scanner": "repobility-threat-engine", "fingerprint": "52c121cf4164a0cce0c2154cd75a9d9604af25b34e952496fb12a03b49fe8e21", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|52c121cf4164a0cce0c2154cd75a9d9604af25b34e952496fb12a03b49fe8e21"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cross-domain/src/server.ts"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging 
password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 40093, "scanner": "repobility-threat-engine", "fingerprint": "52e07a543895a779c9db14299a52f4e9b02d0b6ce345fff64297a8e0c50f1a63", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|52e07a543895a779c9db14299a52f4e9b02d0b6ce345fff64297a8e0c50f1a63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cross-domain/src/client.tsx"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 24 more): Same pattern found in 24 additional files. Review if needed."}, "properties": {"repobilityId": 40086, "scanner": "repobility-threat-engine", "fingerprint": "e830cd30742f9d16f13a5cf35e94eaca62f71dd7ffefa970dbd3605b70563260", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 24 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 24 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|e830cd30742f9d16f13a5cf35e94eaca62f71dd7ffefa970dbd3605b70563260"}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 40085, "scanner": "repobility-threat-engine", "fingerprint": "8454e3034b7e96c70c9c67088d9402a00b69d1addb5c4017ce1303c2cd4b525e", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|195|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/assistant/src/auth.ts"}, "region": {"startLine": 195}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. 
Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 40083, "scanner": "repobility-threat-engine", "fingerprint": "943bbd3c8b23d7513ec75a7e09f40adf025eebb4107910ff21600b80c9c59c1c", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|43|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/agents-as-tools/src/server.ts"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 40082, "scanner": "repobility-threat-engine", "fingerprint": "2068abec79037c1f6000c2e077f48c81cb2bc277c8b8903f695df693376ab494", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|examples/a2a/src/server.ts|143|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/a2a/src/server.ts"}, "region": {"startLine": 143}}}]}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 2 more): Same pattern found in 2 additional files. 
Review if needed."}, "properties": {"repobilityId": 40076, "scanner": "repobility-threat-engine", "fingerprint": "b031acad30223651838c72762fbf67002aa9bccea5e8d28f9a1dee5134b8d8a4", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b031acad30223651838c72762fbf67002aa9bccea5e8d28f9a1dee5134b8d8a4"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 34 more): Same pattern found in 34 additional files. Review if needed."}, "properties": {"repobilityId": 40068, "scanner": "repobility-threat-engine", "fingerprint": "2900725e081c18be6e9c4fbfdf28221481fcf25c24b104bb8991957e21eb1ca6", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 34 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 34 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2900725e081c18be6e9c4fbfdf28221481fcf25c24b104bb8991957e21eb1ca6"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 77 more): Same pattern found in 77 additional files. 
Review if needed."}, "properties": {"repobilityId": 40064, "scanner": "repobility-threat-engine", "fingerprint": "f641040879442a860270dad01cc43bc83d7026afdf2e94dfe5e62b5ba6e1a13e", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 77 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f641040879442a860270dad01cc43bc83d7026afdf2e94dfe5e62b5ba6e1a13e", "aggregated_count": 77}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 40063, "scanner": "repobility-threat-engine", "fingerprint": "88700b18fda0305b76471cd2eb9a268d15fed99969f3d3749f38469012def512", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|88700b18fda0305b76471cd2eb9a268d15fed99969f3d3749f38469012def512"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cross-domain/src/client.tsx"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 40060, "scanner": "repobility-threat-engine", "fingerprint": "aba253184bda3f337049ba3ae81de0816c3885f099e93572bab5de7e8a0f8b50", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|aba253184bda3f337049ba3ae81de0816c3885f099e93572bab5de7e8a0f8b50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/version-script.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 40046, "scanner": "repobility-threat-engine", "fingerprint": "898d2ba80e1bf3c28dfc7a4dc097ebae113a6a08f2dad2179af651ca2fe88a1a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|898d2ba80e1bf3c28dfc7a4dc097ebae113a6a08f2dad2179af651ca2fe88a1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/resolve-workspace-versions.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 5273, "scanner": "repobility-threat-engine", "fingerprint": "955a5649d80de804811d56ea8b3b64ece8a2a51760b49352b4f2f5e3704b3c22", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "console.error(\"Invalid errorRedirect URL:\", config.errorRedirect, e)", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|860|console.error invalid errorredirect url: config.errorredirect e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agents/src/index.ts"}, "region": {"startLine": 8609}}}]}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 5272, "scanner": "repobility-threat-engine", "fingerprint": "bcc4f4ba9d6f1cc01238739180acf67e6d4fb5ebbdd6b73d3d1174f7cc93f498", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|bcc4f4ba9d6f1cc01238739180acf67e6d4fb5ebbdd6b73d3d1174f7cc93f498"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security (and 13 more): Same pattern found in 13 additional files. 
Review if needed."}, "properties": {"repobilityId": 5268, "scanner": "repobility-threat-engine", "fingerprint": "b4c918ed5dfa102ebf1aa8f27b71dc1fd8f4d8c22680aaaaac1383ccbac36421", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b4c918ed5dfa102ebf1aa8f27b71dc1fd8f4d8c22680aaaaac1383ccbac36421"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 5267, "scanner": "repobility-threat-engine", "fingerprint": "8abda8f9e74d3d0f17b73720c363e5740ac4e1a252244a439f552440d14d96c4", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|60|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experimental/forever-chat/src/server.ts"}, "region": {"startLine": 60}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 5266, "scanner": "repobility-threat-engine", "fingerprint": "f34effe8f92ceaa17d6396dc622d08630060f2a398cd5a1077c00071343fff4c", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|130|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experimental/forever-fibers/src/server.ts"}, "region": {"startLine": 130}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 5265, "scanner": "repobility-threat-engine", "fingerprint": "398046936686185d7e6cebb31e883ea828abe099643a7ffd95148d3d253634e2", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|147|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experimental/gadgets-chat/src/server.ts"}, "region": {"startLine": 147}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 40223, "scanner": "repobility-threat-engine", "fingerprint": "cc4b29daf980048062b1516153a0bf07c875d7ae96d157e46210a11be2425e01", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cc4b29daf980048062b1516153a0bf07c875d7ae96d157e46210a11be2425e01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/shell/src/prompt.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] 
Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 40222, "scanner": "repobility-threat-engine", "fingerprint": "648f115ff7f3cfc47ec6ec545167918d5478c8356cd019d0db0ea41a0e4151e2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|648f115ff7f3cfc47ec6ec545167918d5478c8356cd019d0db0ea41a0e4151e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/shell/src/backend.ts"}, "region": {"startLine": 151}}}]}, {"ruleId": "MINED031", "level": "error", "message": {"text": "[MINED031] React Direct State Mutation: this.state.X = Y mutates without setState. 
React won't re-render."}, "properties": {"repobilityId": 40211, "scanner": "repobility-threat-engine", "fingerprint": "738693e922561137ff657f0fa4782067d55600ae859f6e003513f1d6061150a4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-direct-state-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347971+00:00", "triaged_in_corpus": 15, "observations_count": 6168, "ai_coder_pattern_id": 137}, "scanner": "repobility-threat-engine", "correlation_key": "fp|738693e922561137ff657f0fa4782067d55600ae859f6e003513f1d6061150a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openai-sdk/chess-app/src/chess.tsx"}, "region": {"startLine": 84}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 40161, "scanner": "repobility-threat-engine", "fingerprint": "4c2496faba49ad9498115e3f7d5960f9cfb351b065ff8268e618e215caf2447d", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((w) => `\"${w.replace(/\"/g, '\"\"')}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4c2496faba49ad9498115e3f7d5960f9cfb351b065ff8268e618e215caf2447d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agents/src/experimental/memory/session/search.ts"}, "region": {"startLine": 114}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 40160, "scanner": "repobility-threat-engine", "fingerprint": "8705278297e883d43ab224f12f5da51ee373d80f8a4ab14e37af1d0765007b73", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((r) => `[${r.key as string}]\\n${r.content as string}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8705278297e883d43ab224f12f5da51ee373d80f8a4ab14e37af1d0765007b73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agents/src/experimental/memory/session/providers/postgres-search.ts"}, "region": {"startLine": 67}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 40118, "scanner": "repobility-threat-engine", "fingerprint": "dda59c6de685336bcbafab0fac23222035402545ef54594c1e6603ceba2a6259", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((r) => `## ${r.name}\\n${r.analysis}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|dda59c6de685336bcbafab0fac23222035402545ef54594c1e6603ceba2a6259"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experimental/gadgets-subagents/src/server.ts"}, "region": {"startLine": 285}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 40116, "scanner": "repobility-threat-engine", "fingerprint": "ade8bdd127a19a8fd701f1515809372d92ffdfeb482d79df336fb49df7d04b54", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.controllers.delete(id);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ade8bdd127a19a8fd701f1515809372d92ffdfeb482d79df336fb49df7d04b54"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agents/src/chat/abort-registry.ts"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 40115, "scanner": "repobility-threat-engine", "fingerprint": "eeeec8ca4b04d2799c22bc3e54357d72cec6b78f19f9837d765d1a98a896ed2a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.connectionToUser.delete(connection.id);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|eeeec8ca4b04d2799c22bc3e54357d72cec6b78f19f9837d765d1a98a896ed2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/playground/src/demos/multi-agent/room-agent.ts"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 40114, "scanner": "repobility-threat-engine", "fingerprint": "95b9ca50a507f58497fa5ba28d3fc83c187892a6b8ea61c4481dc362aa22d712", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Promise.all(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|95b9ca50a507f58497fa5ba28d3fc83c187892a6b8ea61c4481dc362aa22d712"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/playground/src/demos/multi-agent/WorkersDemo.tsx"}, "region": {"startLine": 134}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). 
High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 40103, "scanner": "repobility-threat-engine", "fingerprint": "a8d17e8497d9b96d96fc437ba01cb381d0e0cf65dfd4b482498b5dbdf3d34fe8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "app.post(\"/authorize\", async (c) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a8d17e8497d9b96d96fc437ba01cb381d0e0cf65dfd4b482498b5dbdf3d34fe8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/mcp-worker-authenticated/src/auth-handler.ts"}, "region": {"startLine": 128}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 40091, "scanner": "repobility-threat-engine", "fingerprint": "1d4913ed1ccb1fb3698eace0948f01e330d8be0bbebac65526a8eeb14d9f9a89", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(sqlText", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1d4913ed1ccb1fb3698eace0948f01e330d8be0bbebac65526a8eeb14d9f9a89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "experimental/gadgets-gatekeeper/src/server.ts"}, "region": {"startLine": 87}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 40090, "scanner": "repobility-threat-engine", "fingerprint": "84c14e74bb78059093bbdc3ad33a9cb3a29aa1eff4d7efb119d78f879a710f1b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(query", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|84c14e74bb78059093bbdc3ad33a9cb3a29aa1eff4d7efb119d78f879a710f1b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/playground/src/demos/core/sql-agent.ts"}, "region": {"startLine": 56}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 40088, "scanner": "repobility-threat-engine", "fingerprint": "e3862832175b0774b950e6903791e923f7203e9a71f33d868f210e6dfa8adbd3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(query", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e3862832175b0774b950e6903791e923f7203e9a71f33d868f210e6dfa8adbd3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/codemode/src/tools.ts"}, "region": {"startLine": 158}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. 
Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "properties": {"repobilityId": 40080, "scanner": "repobility-threat-engine", "fingerprint": "e49c567a7dabbcbd04f3e13a5fa6120cbc32c486581de8a582a1943506745dbb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Access-Control-Allow-Origin\": \"*\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e49c567a7dabbcbd04f3e13a5fa6120cbc32c486581de8a582a1943506745dbb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/mcp-server/src/index.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. 
Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "properties": {"repobilityId": 40079, "scanner": "repobility-threat-engine", "fingerprint": "5c0490a71bb98ae26f782334353f366a2a23315022c3c7318a25b51ed7bdaad1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Access-Control-Allow-Origin\": \"*\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5c0490a71bb98ae26f782334353f366a2a23315022c3c7318a25b51ed7bdaad1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cross-domain/src/server.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. 
Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "properties": {"repobilityId": 40077, "scanner": "repobility-threat-engine", "fingerprint": "46caff0411dd2d11958ed724aad6d6421342ea717312c98296f64caa78d20569", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Access-Control-Allow-Origin\": \"*\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|46caff0411dd2d11958ed724aad6d6421342ea717312c98296f64caa78d20569"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/a2a/src/server.ts"}, "region": {"startLine": 201}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 40067, "scanner": "repobility-threat-engine", "fingerprint": "0b29a214f01f2768a0d10b866fc2c2b60b1e4a771e752835fb47b92a3a5b9d4d", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0b29a214f01f2768a0d10b866fc2c2b60b1e4a771e752835fb47b92a3a5b9d4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/auth-agent/src/auth.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 40066, "scanner": "repobility-threat-engine", "fingerprint": "32a50e9a3d420b05451a93c2b53102106d80210c13220fd98435eac112be6826", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|32a50e9a3d420b05451a93c2b53102106d80210c13220fd98435eac112be6826"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/assistant/src/auth.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 40065, "scanner": "repobility-threat-engine", "fingerprint": "02e6a5862160a553b351c124016942527b6aeda1ba9d6228f808277a7f18178a", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|02e6a5862160a553b351c124016942527b6aeda1ba9d6228f808277a7f18178a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/a2a/src/server.ts"}, "region": {"startLine": 192}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `changesets/action` pinned to mutable ref `@v1.7.0`"}, "properties": {"repobilityId": 40044, "scanner": "repobility-supply-chain", "fingerprint": "d52e0dae5a2543071c45c085df970851ffa67868220b21da18fb68adcdf50223", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d52e0dae5a2543071c45c085df970851ffa67868220b21da18fb68adcdf50223"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/cache` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 40043, "scanner": "repobility-supply-chain", "fingerprint": "4b18756dba7d6a34f561e0b151780c2ff7d23a21594d3c8926424df1b01bea4c", "category": "dependency", "severity": "high", "confidence": 0.9, 
"triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4b18756dba7d6a34f561e0b151780c2ff7d23a21594d3c8926424df1b01bea4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 40041, "scanner": "repobility-supply-chain", "fingerprint": "784502eeb120aa0d19c091c1ec9406a761743249fb44a4c7728ac27134cd5f07", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|784502eeb120aa0d19c091c1ec9406a761743249fb44a4c7728ac27134cd5f07"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 40040, "scanner": "repobility-supply-chain", "fingerprint": "aaef08febfd464e797b7c4a10523f84449bd78c7feb35135a80b211c8bef663b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|aaef08febfd464e797b7c4a10523f84449bd78c7feb35135a80b211c8bef663b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/nightly.yml"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/cache` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 40039, "scanner": "repobility-supply-chain", "fingerprint": "a4593463cce49a57d0749214d1ecc2eecd1a44ded6fd4e958ef34fd5c4b2bbbd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a4593463cce49a57d0749214d1ecc2eecd1a44ded6fd4e958ef34fd5c4b2bbbd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/nightly.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 40038, "scanner": "repobility-supply-chain", "fingerprint": "4b3ebcaf375d7dea6b88ba98b296dd74e4d09c250bc1478ad6482c0b9dfd8d56", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4b3ebcaf375d7dea6b88ba98b296dd74e4d09c250bc1478ad6482c0b9dfd8d56"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/nightly.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `ask-bonk/ask-bonk/github` pinned to mutable ref 
`@main`"}, "properties": {"repobilityId": 40037, "scanner": "repobility-supply-chain", "fingerprint": "95dc6351c008a3657ec3e04686f129bfea0d838c3d4778895cb41b7446de9904", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|95dc6351c008a3657ec3e04686f129bfea0d838c3d4778895cb41b7446de9904"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bonk.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 40036, "scanner": "repobility-supply-chain", "fingerprint": "f7dec7e1cee05ed097e9f1610cd82ca67360695042070f1f8099dcd359c1aece", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f7dec7e1cee05ed097e9f1610cd82ca67360695042070f1f8099dcd359c1aece"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bonk.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/cache` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 40035, "scanner": "repobility-supply-chain", "fingerprint": "eeb998de9771b53d783bf8821fa0c455dc652e54a880197a8e8996d4b9422eda", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": 
true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|eeb998de9771b53d783bf8821fa0c455dc652e54a880197a8e8996d4b9422eda"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pullrequest.yml"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/cache` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 40034, "scanner": "repobility-supply-chain", "fingerprint": "d384538ed55eb998a0da45645e4a396fa03a92d9b53fdb0689ee07ee051fc32c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d384538ed55eb998a0da45645e4a396fa03a92d9b53fdb0689ee07ee051fc32c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pullrequest.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `nrwl/nx-set-shas` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 40033, "scanner": "repobility-supply-chain", "fingerprint": "6b62853e85dc93fd0d10f20c451a8de459a80bd44a0e6ac4c4648c25998b97d3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6b62853e85dc93fd0d10f20c451a8de459a80bd44a0e6ac4c4648c25998b97d3"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": ".github/workflows/pullrequest.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 40032, "scanner": "repobility-supply-chain", "fingerprint": "279cb2b84a27a34a825dc8303a5bbe9d7282259e6cb6274217bad48077a9c54a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|279cb2b84a27a34a825dc8303a5bbe9d7282259e6cb6274217bad48077a9c54a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pullrequest.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/cache` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 40031, "scanner": "repobility-supply-chain", "fingerprint": "9c0f77c79f944785f982086900b61b5405db93bb57110ab8bde0224bc03c7e55", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9c0f77c79f944785f982086900b61b5405db93bb57110ab8bde0224bc03c7e55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/semgrep.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 40025, "scanner": "repobility-supply-chain", "fingerprint": 
"88ab091c2d2d54f2a07c44143f765bcbe096e17e7f978cba5725abb73ed4b711", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|88ab091c2d2d54f2a07c44143f765bcbe096e17e7f978cba5725abb73ed4b711"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/semgrep.yml"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /authorize has no auth"}, "properties": {"repobilityId": 40013, "scanner": "repobility-route-auth", "fingerprint": "f2fc1f85ce97f1c720d57ccca53614dab10dd6f47059e48fc31d66e8fcbb7de6", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|f2fc1f85ce97f1c720d57ccca53614dab10dd6f47059e48fc31d66e8fcbb7de6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/mcp-worker-authenticated/src/auth-handler.ts"}, "region": {"startLine": 128}}}]}, {"ruleId": "SEC006", "level": "error", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 5276, "scanner": "repobility-threat-engine", "fingerprint": "191bc027de5c2b7fc2867f372d16eabd212115a9c30477150c3b1c9f4034e5c9", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": 
{"match": ".innerHTML+=", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|374|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/worker-bundler-playground/src/server.ts"}, "region": {"startLine": 374}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 5275, "scanner": "repobility-threat-engine", "fingerprint": "4d39b2e601414c3a23b080983a33d39a54a7e1bf8b6072c4b5990bb2576c75fb", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "console.log(\"Token found:\", token)", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|6|console.log token found: token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cross-domain/src/server.ts"}, "region": {"startLine": 61}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 5274, "scanner": "repobility-threat-engine", "fingerprint": "f0a9d9ab3e80ae041f63de0c272802b953e15c36996209f1b6d1c43c3d92d76c", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "console.log(\"\u2705 Auth data fetched:\", { token, userId: user.id })", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|3|console.log auth data fetched: token userid: user.id"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cross-domain/src/client.tsx"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED035", "level": "error", "message": {"text": "[MINED035] Js New Function: new Function(...) 
compiles strings to functions."}, "properties": {"repobilityId": 40221, "scanner": "repobility-threat-engine", "fingerprint": "83d2469d86522b2a84f13e4dbccfaff7d1b1c31a7e2f5c6f623a7b1453e71664", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-new-function", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347980+00:00", "triaged_in_corpus": 20, "observations_count": 2547, "ai_coder_pattern_id": 104}, "scanner": "repobility-threat-engine", "correlation_key": "fp|83d2469d86522b2a84f13e4dbccfaff7d1b1c31a7e2f5c6f623a7b1453e71664"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/codemode/src/iframe-runtime.ts"}, "region": {"startLine": 131}}}]}]}]}