{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "JRN002", "name": "Browser storage is used for session token material", "shortDescription": {"text": "Browser storage is used for session token material"}, "fullDescription": {"text": "localStorage and sessionStorage are readable by injected JavaScript. For sensitive sessions, this turns XSS into account compromise."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 23.1% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 23.1% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Only 23.1% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR001", "name": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG ", "shortDescription": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "fullDescription": {"text": "Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "localStorage quotas are small and writes can fail. Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "AGT016", "name": "Codex session log reader may expose prompts or tool-call content", "shortDescription": {"text": "Codex session log reader may expose prompts or tool-call content"}, "fullDescription": {"text": "Codex session JSONL files can contain prompts, tool events, paths, and operational metadata, not only token counts. Token dashboards and exporters should avoid retaining or sharing raw session text."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.73, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "CORE_LARGE_FILES", "name": "Average file size is 565 lines (recommend <300)", "shortDescription": {"text": "Average file size is 565 lines (recommend <300)"}, "fullDescription": {"text": "Refactor large files by extracting related functions into separate modules. Target files with 300+ lines first. Use the Single Responsibility Principle \u2014 each module should have one clear purpose."}, "properties": {"scanner": "repobility-core", "category": "quality", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "SEC004", "name": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection.", "shortDescription": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "fullDescription": {"text": "Use parameterized queries: cursor.execute('SELECT * FROM t WHERE id = %s', [id])"}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "AGT002", "name": "LLM memory extraction can be prompt-injected into storing fake facts", "shortDescription": {"text": "LLM memory extraction can be prompt-injected into storing fake facts"}, "fullDescription": {"text": "Strict-JSON memory extraction from raw user and assistant text can be manipulated by a user message unless extracted facts are schema-validated and filtered before persistence."}, "properties": {"scanner": "repobility-agent-runtime", "category": "llm_injection", "severity": "high", "confidence": 0.82, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/401"}, "properties": {"repository": "vivekchand/clawmetry", "repoUrl": "https://github.com/vivekchand/clawmetry.git", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 13196, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 13195, "scanner": "repobility-journey-contract", "fingerprint": "80d53a06dd1597dd4330ff785e944dc3b932c5e0525270df2bf31ef5ae196ada", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/alerts/rules", "correlation_key": "fp|80d53a06dd1597dd4330ff785e944dc3b932c5e0525270df2bf31ef5ae196ada", "backend_endpoint_count": 13}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/app.js"}, "region": {"startLine": 145}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 13194, "scanner": "repobility-journey-contract", "fingerprint": "da69b560c0895fedd7c1c766612f8872af62669ce88c7c29433f25c8273f00c7", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/budget/resume", "correlation_key": "fp|da69b560c0895fedd7c1c766612f8872af62669ce88c7c29433f25c8273f00c7", "backend_endpoint_count": 13}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/app.js"}, "region": {"startLine": 125}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 13193, "scanner": "repobility-journey-contract", "fingerprint": "fb8da879777a2d94329286cdfb32e80047931325d4217ceeb57d27f0ab6e577f", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/budget/config", "correlation_key": "fp|fb8da879777a2d94329286cdfb32e80047931325d4217ceeb57d27f0ab6e577f", "backend_endpoint_count": 13}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/app.js"}, "region": {"startLine": 120}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 13192, "scanner": "repobility-journey-contract", "fingerprint": "56cdf77971257e77ab04879f825f883fc4e07b7751e5a5cc464a57ecb94faf70", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/budget/status", "correlation_key": "fp|56cdf77971257e77ab04879f825f883fc4e07b7751e5a5cc464a57ecb94faf70", "backend_endpoint_count": 13}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/app.js"}, "region": {"startLine": 90}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 13191, "scanner": "repobility-journey-contract", "fingerprint": "b7ac4c3386ad2c7c775fa36aee5a531043d3872b9bb3623ea127d05f0926acd6", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/budget/config", "correlation_key": "fp|b7ac4c3386ad2c7c775fa36aee5a531043d3872b9bb3623ea127d05f0926acd6", "backend_endpoint_count": 13}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/app.js"}, "region": {"startLine": 79}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 13190, "scanner": "repobility-journey-contract", "fingerprint": "9babe1011dd4f7e8e89eae7a9c5942ee556d53ec0278c429d331bf63dd1c0f6c", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/cloud-proxy/api/alerts", "correlation_key": "fp|9babe1011dd4f7e8e89eae7a9c5942ee556d53ec0278c429d331bf63dd1c0f6c", "backend_endpoint_count": 13}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/alerts.js"}, "region": {"startLine": 444}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 13189, "scanner": "repobility-journey-contract", "fingerprint": "429c62e0007747218247d71df2b132c39f9a53731a3afaa56d7a1d8efe8eda36", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/cloud-proxy/api/alerts", "correlation_key": "fp|429c62e0007747218247d71df2b132c39f9a53731a3afaa56d7a1d8efe8eda36", "backend_endpoint_count": 13}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/alerts.js"}, "region": {"startLine": 443}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 13188, "scanner": "repobility-journey-contract", "fingerprint": "ac5b585db19eb16563ddb9b13244fe8599c5d2bfa954f73b10aef27bb3ee2128", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/cloud-proxy/api/alerts", "correlation_key": "fp|ac5b585db19eb16563ddb9b13244fe8599c5d2bfa954f73b10aef27bb3ee2128", "backend_endpoint_count": 13}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/alerts.js"}, "region": {"startLine": 285}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 13187, "scanner": "repobility-journey-contract", "fingerprint": "35a8e16124af935e4538664c4fe9fc14becfba8feb176adc10f7922fd6a33dd1", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/cloud-proxy/api/channels", "correlation_key": "fp|35a8e16124af935e4538664c4fe9fc14becfba8feb176adc10f7922fd6a33dd1", "backend_endpoint_count": 13}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/alerts.js"}, "region": {"startLine": 128}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 13186, "scanner": "repobility-journey-contract", "fingerprint": "54f6412a882ebe4518239d4adb621d4476d57fff5f446e1aa6eb3ae80b6c031a", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/alerts/history", "correlation_key": "fp|54f6412a882ebe4518239d4adb621d4476d57fff5f446e1aa6eb3ae80b6c031a", "backend_endpoint_count": 13}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/alerts.js"}, "region": {"startLine": 112}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 13185, "scanner": "repobility-journey-contract", "fingerprint": "704daf33ab4d69cd41619c3ad7be38ed0822f54451747379f9e0848d6d6d2596", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/cloud-proxy/api/alerts/history", "correlation_key": "fp|704daf33ab4d69cd41619c3ad7be38ed0822f54451747379f9e0848d6d6d2596", "backend_endpoint_count": 13}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/alerts.js"}, "region": {"startLine": 104}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 13184, "scanner": "repobility-journey-contract", "fingerprint": "cb47474ce7ace925fd12b9e0ee14bab175dee365163dca5c13b41f971ff95634", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/cloud-proxy/api/alerts", "correlation_key": "fp|cb47474ce7ace925fd12b9e0ee14bab175dee365163dca5c13b41f971ff95634", "backend_endpoint_count": 13}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/alerts.js"}, "region": {"startLine": 92}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 13183, "scanner": "repobility-journey-contract", "fingerprint": "a8ba0dd9ac23170acc812285744e3dafeced2be2bad889f227d60d9ebcb18114", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/cloud-proxy/api/cloud/account", "correlation_key": "fp|a8ba0dd9ac23170acc812285744e3dafeced2be2bad889f227d60d9ebcb18114", "backend_endpoint_count": 13}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/alerts.js"}, "region": {"startLine": 56}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 13182, "scanner": "repobility-journey-contract", "fingerprint": "95508e820f732c16caa888ce1812a27f0a275ea0c39d3c59128ef82cc5b06b49", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/cloud-cta/status", "correlation_key": "fp|95508e820f732c16caa888ce1812a27f0a275ea0c39d3c59128ef82cc5b06b49", "backend_endpoint_count": 13}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/alerts.js"}, "region": {"startLine": 54}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 13181, "scanner": "repobility-journey-contract", "fingerprint": "5072feef6f25073617c912b7c866587b8d0d9ce7c2111c27dcc123a0f9494ca1", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/plugin/events", "correlation_key": "fp|5072feef6f25073617c912b7c866587b8d0d9ce7c2111c27dcc123a0f9494ca1", "backend_endpoint_count": 13}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawhub-plugin/src/service.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 13180, "scanner": "repobility-journey-contract", "fingerprint": "66da608453443fb1c753ef81902e2fda4ebf2ca9770b7d59ccabc91d11fd1acf", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|clawmetry/static/js/app.js|9312|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/app.js"}, "region": {"startLine": 9312}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 13179, "scanner": "repobility-journey-contract", "fingerprint": "0f3c5d4a54135ae1fd5212f775d61b86a598a7fec8fee0a6c611046fd1daff72", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|clawmetry/static/js/app.js|8818|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/app.js"}, "region": {"startLine": 8818}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 13178, "scanner": "repobility-journey-contract", "fingerprint": "adf6d82228719714d1dde66141056e1c32b1c964135c930e1078f34d8dbb8628", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|clawmetry/static/js/app.js|8817|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/app.js"}, "region": {"startLine": 8817}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 13177, "scanner": "repobility-journey-contract", "fingerprint": "8fdc066ae087e65756ebf18d32578236123e3e971a66efc689d5d2d4c77bbb01", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|clawmetry/static/js/app.js|8816|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/app.js"}, "region": {"startLine": 8816}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 13176, "scanner": "repobility-journey-contract", "fingerprint": "4bd67b1a37c2e1e818b26967e1a199641b2e91477de226df15121d28895a93dc", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|clawmetry/static/js/app.js|8526|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/app.js"}, "region": {"startLine": 8526}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 13175, "scanner": "repobility-journey-contract", "fingerprint": "8a937997065f913e32f14ab0e130d079587d8486604d68ef3b2cfe6aa5926858", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|clawmetry/static/js/app.js|8330|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/app.js"}, "region": {"startLine": 8330}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 13174, "scanner": "repobility-journey-contract", "fingerprint": "697a0e7d9eee355168ae43f4373e0fd944b22ddf0900babe95600eb2b8141e31", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|clawmetry/static/js/app.js|6098|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/app.js"}, "region": {"startLine": 6098}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 13173, "scanner": "repobility-journey-contract", "fingerprint": "d6c20f86aec7f91891b66743e3941933e788e101647bd63f01cf603a9eed43dd", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|clawmetry/static/js/app.js|3370|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/app.js"}, "region": {"startLine": 3370}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 13172, "scanner": "repobility-journey-contract", "fingerprint": "88e8dfd9ec4d1ab3239cd978a54a56252dfe53f9915f1cb225f146e0502ba8dd", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|clawmetry/static/js/app.js|3369|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/app.js"}, "region": {"startLine": 3369}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 13171, "scanner": "repobility-journey-contract", "fingerprint": "828b4d8cd03f4bc5b74eea0ad96fea8148c863dc0c30c73a74411dd38bc51ef8", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|clawmetry/static/js/app.js|3368|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/app.js"}, "region": {"startLine": 3368}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 23.1% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 13170, "scanner": "repobility-access-control", "fingerprint": "25721e1726c6b6eab588613c2400fbc69db7a8eb7073595bab815cd9704eb92f", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 13, "correlation_key": "fp|25721e1726c6b6eab588613c2400fbc69db7a8eb7073595bab815cd9704eb92f", "auth_visible_percent": 23.1}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 13169, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Flask"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 13167, "scanner": "repobility-docker", "fingerprint": "d81054a6ece0a0dc1917f7ea8736be67dc15361d92288b06a29377b3b3ea5a93", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.11-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|d81054a6ece0a0dc1917f7ea8736be67dc15361d92288b06a29377b3b3ea5a93"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 13166, "scanner": "repobility-threat-engine", "fingerprint": "43a974d40bc851635780ae43507ebce6a51fe716ac18bc88fa36e283366e2046", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch(e) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|43a974d40bc851635780ae43507ebce6a51fe716ac18bc88fa36e283366e2046"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/gw-setup.js"}, "region": {"startLine": 24}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 13161, "scanner": "repobility-threat-engine", "fingerprint": "79fd1d228354b6dc27de894ab4c171bf29b4760a9550cb793cea17bc05190bbe", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n                    pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|79fd1d228354b6dc27de894ab4c171bf29b4760a9550cb793cea17bc05190bbe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/local_store.py"}, "region": {"startLine": 801}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 13160, "scanner": "repobility-threat-engine", "fingerprint": "feae44c5d3c30088923d4a39e3e9ec5023a556868b3b01274688afb1a7c3fa21", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n                        pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|feae44c5d3c30088923d4a39e3e9ec5023a556868b3b01274688afb1a7c3fa21"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/gateway_tap.py"}, "region": {"startLine": 387}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 13159, "scanner": "repobility-threat-engine", "fingerprint": "aca28600c7ba737618e7423802f6201ce84a2afba98c71c8cb62fa8081925dfb", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n        pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|aca28600c7ba737618e7423802f6201ce84a2afba98c71c8cb62fa8081925dfb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard_claudecode.py"}, "region": {"startLine": 135}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 13149, "scanner": "repobility-agent-runtime", "fingerprint": "76581d078afdb79fe070d5bf8256f4babb05c29bb6d97cfaf5d2a1e3713be00a", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|76581d078afdb79fe070d5bf8256f4babb05c29bb6d97cfaf5d2a1e3713be00a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "install-clawmetry.sh"}, "region": {"startLine": 3}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 13148, "scanner": "repobility-agent-runtime", "fingerprint": "433ccbbbb099cea2bc3a7bbf538b244052c9175d72517cb1beaedacb94d3b7ae", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|433ccbbbb099cea2bc3a7bbf538b244052c9175d72517cb1beaedacb94d3b7ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/gw-setup.js"}, "region": {"startLine": 9}}}]}, {"ruleId": "AGT016", "level": "warning", "message": {"text": "Codex session log reader may expose prompts or tool-call content"}, "properties": {"repobilityId": 13147, "scanner": "repobility-agent-runtime", "fingerprint": "022f06296c8ed904503a8238725a4a7cd9d6d553bb05a0536478aaa494d5e145", "category": "quality", "severity": "medium", "confidence": 0.73, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File reads Codex session JSONL or usage logs and references prompt/message/tool content without visible redaction controls.", "evidence": {"rule_id": "AGT016", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|022f06296c8ed904503a8238725a4a7cd9d6d553bb05a0536478aaa494d5e145"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/approvals.py"}, "region": {"startLine": 21}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 13146, "scanner": "repobility-agent-runtime", "fingerprint": "53115a4d55a71f9e6675b9c97c152e063cb64dc4f50be7d92046a154f083c268", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|53115a4d55a71f9e6675b9c97c152e063cb64dc4f50be7d92046a154f083c268"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawhub-plugin/uninstall.sh"}, "region": {"startLine": 96}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 13145, "scanner": "repobility-agent-runtime", "fingerprint": "acb8d54183f074986bebc3cc9121b477f822ed7f3e5556c847b6563a4e7be391", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|acb8d54183f074986bebc3cc9121b477f822ed7f3e5556c847b6563a4e7be391"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawhub-plugin/README.md"}, "region": {"startLine": 18}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 13144, "scanner": "repobility-agent-runtime", "fingerprint": "236d1d7eca649783ecfb46e8471a9345878eaa9c47075203af5c94adbeda2ea8", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|236d1d7eca649783ecfb46e8471a9345878eaa9c47075203af5c94adbeda2ea8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.md"}, "region": {"startLine": 58}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 13143, "scanner": "repobility-ai-code-hygiene", "fingerprint": "170c7dcf0e9406e954688e87c61e67a11a93d13de0b70beac8318850b3f49982", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scripts/accuracy_harness/alerts.py", "duplicate_line": 430, "correlation_key": "fp|170c7dcf0e9406e954688e87c61e67a11a93d13de0b70beac8318850b3f49982"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/accuracy_harness/tokens.py"}, "region": {"startLine": 338}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 13142, "scanner": "repobility-ai-code-hygiene", "fingerprint": "74ad450027a9c2beef9fe71f4ea5eb464976340025471fec3e7039d43f124ae8", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scripts/accuracy_harness/alerts.py", "duplicate_line": 430, "correlation_key": "fp|74ad450027a9c2beef9fe71f4ea5eb464976340025471fec3e7039d43f124ae8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/accuracy_harness/approvals.py"}, "region": {"startLine": 385}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 13141, "scanner": "repobility-ai-code-hygiene", "fingerprint": "48e8abef102c7208fda166d85e9c50b27cdb0613887808edf9dea9daf2f025d6", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "routes/heartbeat.py", "duplicate_line": 56, "correlation_key": "fp|48e8abef102c7208fda166d85e9c50b27cdb0613887808edf9dea9daf2f025d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/skills.py"}, "region": {"startLine": 196}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 13140, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8d38f80640d93baf1ddf512fe3f3f9af830926e339173f22e8fcf5e901736f0f", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "routes/agents.py", "duplicate_line": 21, "correlation_key": "fp|8d38f80640d93baf1ddf512fe3f3f9af830926e339173f22e8fcf5e901736f0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/plugins.py"}, "region": {"startLine": 190}}}]}, {"ruleId": "CORE_LARGE_FILES", "level": "warning", "message": {"text": "Average file size is 565 lines (recommend <300)"}, "properties": {"repobilityId": 13139, "scanner": "repobility-core", "fingerprint": "95b2c67277779d38dec9000d90754bdbc1f404791e3bb912a22650e13fb44a84", "category": "quality", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_LARGE_FILES", "scanner": "repobility-core", "correlation_key": "fp|95b2c67277779d38dec9000d90754bdbc1f404791e3bb912a22650e13fb44a84"}}}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 13168, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 13158, "scanner": "repobility-threat-engine", "fingerprint": "4cb2e8c2d64a87b5a56d907adee6bfce9214961045d12d8db36fc7d714fe73d9", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = a", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|155|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/alerts.js"}, "region": {"startLine": 155}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 13157, "scanner": "repobility-threat-engine", "fingerprint": "0427f11819cd5370042932cda8e7d7d2ac22c6cb24a7ab732c6c0db035d7bebe", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = '<h2>' + e", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|routes/insights.py|224|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/insights.py"}, "region": {"startLine": 224}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 13156, "scanner": "repobility-threat-engine", "fingerprint": "e908a4e7edb30090f2a320a11bf3f821c2caf5c5ae58897165ac2d287a278162", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML=s", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|dashboard_claudecode.py|1097|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard_claudecode.py"}, "region": {"startLine": 1097}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 13164, "scanner": "repobility-threat-engine", "fingerprint": "299095e5e0ae15b79593f09369a8b3605df300236b2397c8256a7ab507882110", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "print(f\"[harness] tokens accuracy audit \u2014 {datetime.now(timezone.utc)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|18|print f harness tokens accuracy audit datetime.now timezone.utc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/accuracy_harness/tokens.py"}, "region": {"startLine": 186}}}]}, {"ruleId": "ERR001", "level": "none", "message": {"text": "[ERR001] Silent Exception Swallowing (and 35 more): Same pattern found in 35 additional files. Review if needed."}, "properties": {"repobilityId": 13162, "scanner": "repobility-threat-engine", "fingerprint": "f0155ff201d6e310a8480a86ffed8f5f6323137dc032950d189e590bfa56d891", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 35 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 35 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|f0155ff201d6e310a8480a86ffed8f5f6323137dc032950d189e590bfa56d891"}}}, {"ruleId": "SEC004", "level": "none", "message": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "properties": {"repobilityId": 13154, "scanner": "repobility-threat-engine", "fingerprint": "1c324c2e171f4a316421651228f500cfec73ad2df685c764cacb3d07a2d0f268", "category": "injection", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Line contains 'rules' \u2014 likely a detection rule or pattern list, not executable code", "evidence": {"match": ".execute(f\"UPDATE", "reason": "Line contains 'rules' \u2014 likely a detection rule or pattern list, not executable code", "rule_id": "SEC004", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|injection|routes/alerts.py|380|sec004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/alerts.py"}, "region": {"startLine": 380}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 13165, "scanner": "repobility-threat-engine", "fingerprint": "e009a3d3f88ee06033273116d9c942cb4ecb58e349c67e7f222417dba169c42a", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(LOCAL_QUERY", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|152|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/accuracy_harness/_lib.py"}, "region": {"startLine": 152}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 13163, "scanner": "repobility-threat-engine", "fingerprint": "b1da64c23e00add9a173d8f4be3730c0387732db369b6e263fc2d2700b235d5c", "category": "credential_exposure", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Formatted expression outputs a credential-bearing value directly.", "evidence": {"match": "print(f\"  API key:      {api_key}\")", "reason": "Formatted expression outputs a credential-bearing value directly.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.92, "correlation_key": "secret|clawmetry/cli.py|58|print f api key: api_key"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/cli.py"}, "region": {"startLine": 586}}}]}, {"ruleId": "SEC004", "level": "error", "message": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "properties": {"repobilityId": 13155, "scanner": "repobility-threat-engine", "fingerprint": "19432ce226a7329f1a68cc462c76efa2ef1a12c6f09c0c4f1d2061438e264ad4", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".execute(\n                f\"SELECT", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC004", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|212|sec004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/adapters/hermes.py"}, "region": {"startLine": 212}}}]}, {"ruleId": "SEC004", "level": "error", "message": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "properties": {"repobilityId": 13153, "scanner": "repobility-threat-engine", "fingerprint": "297e5048a57c3373ed62c45bb7559ed73b9e564d7c32d37a0998a8b4626dcdc7", "category": "injection", "severity": "high", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "SQL string interpolation found, but user-controlled taint was not proven from local context.", "evidence": {"match": ".execute(f'SELECT", "reason": "SQL string interpolation found, but user-controlled taint was not proven from local context.", "rule_id": "SEC004", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|history.py|239|sec004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "history.py"}, "region": {"startLine": 239}}}]}, {"ruleId": "AGT002", "level": "error", "message": {"text": "LLM memory extraction can be prompt-injected into storing fake facts"}, "properties": {"repobilityId": 13152, "scanner": "repobility-agent-runtime", "fingerprint": "990d81bb9073e2a4b484b240d052a64df96ddf98556e9eec983b3d432a6f315d", "category": "llm_injection", "severity": "high", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File appears to persist LLM-extracted memory from user/assistant exchanges without visible schema validation or prompt-pattern rejection.", "evidence": {"rule_id": "AGT002", "scanner": "repobility-agent-runtime", "data_flow": "chat_exchange_to_persistent_memory", "references": ["https://owasp.org/www-project-top-10-for-large-language-model-applications/"], "correlation_key": "fp|990d81bb9073e2a4b484b240d052a64df96ddf98556e9eec983b3d432a6f315d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/infra.py"}, "region": {"startLine": 83}}}]}, {"ruleId": "AGT002", "level": "error", "message": {"text": "LLM memory extraction can be prompt-injected into storing fake facts"}, "properties": {"repobilityId": 13151, "scanner": "repobility-agent-runtime", "fingerprint": "c7b33651ba241ecbffc89f2161442a1beee69fc6f880e8c50ff102201c255030", "category": "llm_injection", "severity": "high", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File appears to persist LLM-extracted memory from user/assistant exchanges without visible schema validation or prompt-pattern rejection.", "evidence": {"rule_id": "AGT002", "scanner": "repobility-agent-runtime", "data_flow": "chat_exchange_to_persistent_memory", "references": ["https://owasp.org/www-project-top-10-for-large-language-model-applications/"], "correlation_key": "fp|c7b33651ba241ecbffc89f2161442a1beee69fc6f880e8c50ff102201c255030"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/heartbeat.py"}, "region": {"startLine": 311}}}]}, {"ruleId": "AGT002", "level": "error", "message": {"text": "LLM memory extraction can be prompt-injected into storing fake facts"}, "properties": {"repobilityId": 13150, "scanner": "repobility-agent-runtime", "fingerprint": "cd8b1efbe63d26f3d7b75c84c3e31d69a83877c57fa7e53d8ac745ec7e1c9d5c", "category": "llm_injection", "severity": "high", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File appears to persist LLM-extracted memory from user/assistant exchanges without visible schema validation or prompt-pattern rejection.", "evidence": {"rule_id": "AGT002", "scanner": "repobility-agent-runtime", "data_flow": "chat_exchange_to_persistent_memory", "references": ["https://owasp.org/www-project-top-10-for-large-language-model-applications/"], "correlation_key": "fp|cd8b1efbe63d26f3d7b75c84c3e31d69a83877c57fa7e53d8ac745ec7e1c9d5c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/components.py"}, "region": {"startLine": 226}}}]}]}]}