{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED124", "name": "[MINED124] requirements.txt: `pyotp` has no version pin: Unpinned pip requirement means every fresh install may resolve ", "shortDescription": {"text": "[MINED124] requirements.txt: `pyotp` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible install"}, "fullDescription": {"text": "Replace `pyotp` with `pyotp==<version>` and manage upgrades through PRs / Dependabot."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "JRN008", "name": "Temporal access helper does not visibly require active status and time window", "shortDescription": {"text": "Temporal access helper does not visibly require active status and time window"}, "fullDescription": {"text": "Gate sensitive flows on explicit status allowlists plus strict start/end time windows at the shared lookup layer, not only in individual serializers or actions."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC012", "name": "[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json", "shortDescription": {"text": "[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, "}, "fullDescription": {"text": "Set docs_url=None, redoc_url=None, and openapi_url=None for production apps unless the docs are intentionally public and protected by routing, ingress, or an authenticated docs handler."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE "}, "fullDescription": {"text": "Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AUC004", "name": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence ", "shortDescription": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /api/shell/stream."}, "fullDescription": {"text": "Define whether this endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.66, "cwe": "", "owasp": ""}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 44.5% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 44.5% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Compose service `ntfy` image has no explicit tag", "shortDescription": {"text": "Compose service `ntfy` image has no explicit tag"}, "fullDescription": {"text": "Pin the image to a supported version tag or digest, for example python:3.13-slim or image@sha256:..."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKC005", "name": "Compose service adds dangerous Linux capabilities", "shortDescription": {"text": "Compose service adds dangerous Linux capabilities"}, "fullDescription": {"text": "Drop all capabilities by default and add only narrowly required capabilities after review."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Compose service `chromadb` image uses the latest tag", "shortDescription": {"text": "Compose service `chromadb` image uses the latest tag"}, "fullDescription": {"text": "Pin to a maintained version tag or digest and update it deliberately through dependency automation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "Tighten .dockerignore or replace COPY . with explicit COPY statements."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. Log non-quota failures for diagnostics."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Bind local agent bridges to 127.0.0.1 by default. If remote access is required, require a bearer token or mTLS, enforce origin/CSRF checks for browser clients, and document the threat model."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AGT014", "name": "Codex auth.json is read or copied without visible secret-file hardening", "shortDescription": {"text": "Codex auth.json is read or copied without visible secret-file hardening"}, "fullDescription": {"text": "Use the platform credential store where possible. If auth files must be touched, enforce 0600 permissions, avoid backups in the repo/workspace, redact logs, and document rotation if the file is exposed."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC042", "name": "[SEC042] SQL identifier injection via f-string in cursor execute: f-string SQL normalizes an unsafe pattern. Currently s", "shortDescription": {"text": "[SEC042] SQL identifier injection via f-string in cursor execute: f-string SQL normalizes an unsafe pattern. Currently safe when only trusted internal values are interpolated (e.g. self._table in Odoo), but a future contributor can extend t"}, "fullDescription": {"text": "Use psycopg2.sql.SQL() + sql.Identifier() for identifiers:\n  from psycopg2 import sql\n  cr.execute(sql.SQL('UPDATE {} SET x=%s').format(sql.Identifier(table)), (value,))\nNever use f-string in cr.execute(). Values go through %s parameters."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR001", "name": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG ", "shortDescription": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "fullDescription": {"text": "Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `models` has cognitive complexity 15 (SonarSource scale). Cognitive comple", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `models` has cognitive complexity 15 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all we"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 15."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "SEC136", "name": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns ", "shortDescription": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, retur"}, "fullDescription": {"text": "Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Add robots.txt at the web root or a framework-native robots route. Include an explicit Sitemap directive and disallow only private paths."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "SEC124", "name": "[SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacke", "shortDescription": {"text": "[SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacker swap the file between check and use (symlink attack). `mktemp` is deprecated for the same reason."}, "fullDescription": {"text": "Use `os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY)` for atomic create-only. Use `tempfile.NamedTemporaryFile()` (not `mktemp`). For locking, use `fcntl.flock`."}, "properties": {"scanner": "repobility-threat-engine", "category": "race_condition", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED027", "name": "[MINED027] React State Array Mutation (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED027] React State Array Mutation (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED098", "name": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios ", "shortDescription": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "fullDescription": {"text": "Import the library where you need it instead of attaching to window. For legitimate global registries, use a namespaced object (e.g., `window.__myApp.axios`)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 2 more): Same pattern found in 2 additional fil", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED064", "name": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services.", "shortDescription": {"text": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED063", "name": "[MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) \u2014 file can be replaced/deleted between check and use.", "shortDescription": {"text": "[MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) \u2014 file can be replaced/deleted between check and use."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-367 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED062", "name": "[MINED062] Python Dataclass No Fields (and 5 more): Same pattern found in 5 additional files. Review if needed.", "shortDescription": {"text": "[MINED062] Python Dataclass No Fields (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 18 more): Same pattern found in 18 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 18 more): Same pattern found in 18 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function (and 28 more): Same pattern found in 28 additional files. Review if needed.", "shortDescription": {"text": "[MINED050] Stub Only Function (and 28 more): Same pattern found in 28 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED001", "name": "[MINED001] Bare Except Pass (and 26 more): Same pattern found in 26 additional files. Review if needed.", "shortDescription": {"text": "[MINED001] Bare Except Pass (and 26 more): Same pattern found in 26 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 27 more): Same pattern found in 27 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 27 more): Same pattern found in 27 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at work", "shortDescription": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise"}, "fullDescription": {"text": "Replace with: `uses: actions/github-script@<40-char-sha>  # v7` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `python:3.12-slim` not pinned by digest: `FROM python:3.12-slim` resolves the tag at build ti", "shortDescription": {"text": "[MINED118] Dockerfile FROM `python:3.12-slim` not pinned by digest: `FROM python:3.12-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production ima"}, "fullDescription": {"text": "Replace with: `FROM python:3.12-slim@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED112", "name": "[MINED112] FastAPI POST /api/gallery/albums/{album_id}/remove has no auth: Handler `remove_from_album` is registered wit", "shortDescription": {"text": "[MINED112] FastAPI POST /api/gallery/albums/{album_id}/remove has no auth: Handler `remove_from_album` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "fullDescription": {"text": "Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED106", "name": "[MINED106] Phantom test coverage: test_blocks_ssh_authorized_keys: Test function `test_blocks_ssh_authorized_keys` runs ", "shortDescription": {"text": "[MINED106] Phantom test coverage: test_blocks_ssh_authorized_keys: Test function `test_blocks_ssh_authorized_keys` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verif"}, "fullDescription": {"text": "Add an explicit assertion that captures the test's intent, or remove the test."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self._execute_research_task` used but never assigned in __init__: Method `_execute_task_locked` of class `Ta", "shortDescription": {"text": "[MINED108] `self._execute_research_task` used but never assigned in __init__: Method `_execute_task_locked` of class `TaskScheduler` reads `self._execute_research_task`, but no assignment to it exists in __init__ (and no class-level fallbac"}, "fullDescription": {"text": "Initialize `self._execute_research_task = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AUC003", "name": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby a", "shortDescription": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: PUT /{memory_id}."}, "fullDescription": {"text": "Add ownership, tenant, relationship, or policy checks before reading or mutating the target object."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "high", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AGT002", "name": "LLM memory extraction can be prompt-injected into storing fake facts", "shortDescription": {"text": "LLM memory extraction can be prompt-injected into storing fake facts"}, "fullDescription": {"text": "Validate extracted facts with a schema, enforce length and count limits, reject code-fence/prompt-looking content, and discard facts that contain instruction-like phrases or raw JSON prompt fragments."}, "properties": {"scanner": "repobility-agent-runtime", "category": "llm_injection", "severity": "high", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "AGT003", "name": "User-editable role instructions are inserted into the system prompt", "shortDescription": {"text": "User-editable role instructions are inserted into the system prompt"}, "fullDescription": {"text": "Limit role instruction length, strip control characters, store it as quoted untrusted role description, and append a non-overridable safety/policy footer after the user-editable section."}, "properties": {"scanner": "repobility-agent-runtime", "category": "llm_injection", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC027", "name": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not config", "shortDescription": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "fullDescription": {"text": "Pass `noent: false` to libxmljs. Avoid xml2js or pass explicit secure config. Prefer parsers that don't expand external entities at all."}, "properties": {"scanner": "repobility-threat-engine", "category": "xxe", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC113", "name": "[SEC113] SSH host-key verification disabled (MITM): Accepting any SSH host key on first connect lets an active MITM impe", "shortDescription": {"text": "[SEC113] SSH host-key verification disabled (MITM): Accepting any SSH host key on first connect lets an active MITM impersonate the server. Common in `paramiko.AutoAddPolicy()`."}, "fullDescription": {"text": "Python: load `~/.ssh/known_hosts` and use `paramiko.RejectPolicy()`. Go: implement a `ssh.HostKeyCallback` that compares against a known fingerprint. Java JSch: load known_hosts via `jsch.setKnownHosts(...)`."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC004", "name": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection.", "shortDescription": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "fullDescription": {"text": "Use parameterized queries: cursor.execute('SELECT * FROM t WHERE id = ?', [id]). For dynamic table or column names, choose identifiers from a hard-coded allowlist and keep values in parameters."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "MINED006", "name": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working.", "shortDescription": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-705 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC103", "name": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inje", "shortDescription": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "fullDescription": {"text": "Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders)."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED123", "name": "[MINED123] Trojan Source bidi character (LRM) in source: Line 69 contains a Unicode bidirectional override character (U+", "shortDescription": {"text": "[MINED123] Trojan Source bidi character (LRM) in source: Line 69 contains a Unicode bidirectional override character (U+200E LRM). This is the 'Trojan Source' attack (CVE-2021-42574): the character makes the compiler / interpreter see diffe"}, "fullDescription": {"text": "Audit the line manually. If the character is not intentional (it almost never is in code), remove it. Configure your editor / pre-commit hook to reject bidi controls in source."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED107", "name": "[MINED107] Missing import: `html` used but not imported: The file uses `html.something(...)` but never imports `html`. T", "shortDescription": {"text": "[MINED107] Missing import: `html` used but not imported: The file uses `html.something(...)` but never imports `html`. This raises NameError at runtime the first time the line executes."}, "fullDescription": {"text": "Add `import html` at the top of the file."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED007", "name": "[MINED007] Sql String Concat: cursor.execute(f\"... {user_input} ...\") \u2014 SQL injection.", "shortDescription": {"text": "[MINED007] Sql String Concat: cursor.execute(f\"... {user_input} ...\") \u2014 SQL injection."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-89 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED019", "name": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates.", "shortDescription": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-94 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/935"}, "properties": {"repository": "pewdiepie-archdaemon/odysseus", "repoUrl": "https://github.com/pewdiepie-archdaemon/odysseus", "branch": "main"}, "results": [{"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `pyotp` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 87688, "scanner": "repobility-supply-chain", "fingerprint": "e9bad529db083ab1e5d59b160fd44808cc8cf6a8753e7c7a3f4d5d060585a990", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e9bad529db083ab1e5d59b160fd44808cc8cf6a8753e7c7a3f4d5d060585a990"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `mcp` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 87687, "scanner": "repobility-supply-chain", "fingerprint": "1343e217a6ea35cd943e6fe14af7436a9669f0794b9c05a6b035d5f0deb7d9c2", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1343e217a6ea35cd943e6fe14af7436a9669f0794b9c05a6b035d5f0deb7d9c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `bcrypt` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 87686, "scanner": "repobility-supply-chain", "fingerprint": "99b35bdbe4811286a70c6afae05f9f8211ce5061e96a9e8b70ff6443830c8394", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|99b35bdbe4811286a70c6afae05f9f8211ce5061e96a9e8b70ff6443830c8394"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `cryptography` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 87685, "scanner": "repobility-supply-chain", "fingerprint": "756f4e673f08788cb05b66fe2af080e572705de19774c78686e07e2351093b55", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|756f4e673f08788cb05b66fe2af080e572705de19774c78686e07e2351093b55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `caldav` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 87684, "scanner": "repobility-supply-chain", "fingerprint": "41debab83b4ba2bb0b67df38c3e37d514136c3ec4bb9de8dce8573b7b0cbdf2e", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|41debab83b4ba2bb0b67df38c3e37d514136c3ec4bb9de8dce8573b7b0cbdf2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `python-dateutil` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 87683, "scanner": "repobility-supply-chain", "fingerprint": "4070701a065dbb6556c80ff54da1c84c4bcf5cc4824cba61282b280442a55571", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4070701a065dbb6556c80ff54da1c84c4bcf5cc4824cba61282b280442a55571"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `icalendar` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 87682, "scanner": "repobility-supply-chain", "fingerprint": "57244712045032b8add7698761b695703e13bd40e772254e497b47501cc44008", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|57244712045032b8add7698761b695703e13bd40e772254e497b47501cc44008"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `nh3` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 87681, "scanner": "repobility-supply-chain", "fingerprint": "2ef98dc22541ac9c32332282f53c95f331fcb0ef9ab45f01b3697adc79baeba7", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2ef98dc22541ac9c32332282f53c95f331fcb0ef9ab45f01b3697adc79baeba7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `markdown` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 87680, "scanner": "repobility-supply-chain", "fingerprint": "aa717f09d4874d0d8ae0112fceb0fb77c26b774723fcbb9535c438199f5b9c28", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|aa717f09d4874d0d8ae0112fceb0fb77c26b774723fcbb9535c438199f5b9c28"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `youtube-transcript-api` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 87679, "scanner": "repobility-supply-chain", "fingerprint": "33da5a0b929d99900b34a916c04cd56afb7a234838ece5bfd53f5cb4856a526a", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|33da5a0b929d99900b34a916c04cd56afb7a234838ece5bfd53f5cb4856a526a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `fastembed` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 87678, "scanner": "repobility-supply-chain", "fingerprint": "b79e480cf7a27ea8918759def64609fb921f76e6d1e64c821f331b5a5fea06c6", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b79e480cf7a27ea8918759def64609fb921f76e6d1e64c821f331b5a5fea06c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `chromadb-client` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 87677, "scanner": "repobility-supply-chain", "fingerprint": "2ab0b1bcb8b4553b720868b1dfdadef751d66cff70f3e51e5a988c7f60b21a94", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2ab0b1bcb8b4553b720868b1dfdadef751d66cff70f3e51e5a988c7f60b21a94"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `numpy` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 87676, "scanner": "repobility-supply-chain", "fingerprint": "310a082a5a8c50d703869656fedab3a88aab1872e4191893003a91f934731c32", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|310a082a5a8c50d703869656fedab3a88aab1872e4191893003a91f934731c32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `charset-normalizer` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 87675, "scanner": "repobility-supply-chain", "fingerprint": "4ba6b4dc1258f02a2aa6e2209214d4f9e11d14c09f8886adfb4ef5592301e4a5", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4ba6b4dc1258f02a2aa6e2209214d4f9e11d14c09f8886adfb4ef5592301e4a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `beautifulsoup4` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 87674, "scanner": "repobility-supply-chain", "fingerprint": "77f572d28437fc98e69a4bab142f8a7959d42538ff5fde81f4813de84d1f0bf8", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|77f572d28437fc98e69a4bab142f8a7959d42538ff5fde81f4813de84d1f0bf8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `pypdf` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 87673, "scanner": "repobility-supply-chain", "fingerprint": "b7d06dc9187dc860439b36de1bb43af659f856dc571971a7b6af8530cbebd421", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b7d06dc9187dc860439b36de1bb43af659f856dc571971a7b6af8530cbebd421"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `SQLAlchemy` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 87672, "scanner": "repobility-supply-chain", "fingerprint": "fde5e35fa8fe7d09573e097987dce15c8925ccae10269be5bbd78f605bd5eaa6", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fde5e35fa8fe7d09573e097987dce15c8925ccae10269be5bbd78f605bd5eaa6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `httpx` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 87671, "scanner": "repobility-supply-chain", "fingerprint": "ece6c089a299bc36816593080f04bd7fc972e65f63a8ef7ea32c8353d236790a", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ece6c089a299bc36816593080f04bd7fc972e65f63a8ef7ea32c8353d236790a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `python-dotenv` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 87670, "scanner": "repobility-supply-chain", "fingerprint": "aa57482839016999c8a6dbb36eb6120531e6d90c42b07b09c204b85714fe49ec", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|aa57482839016999c8a6dbb36eb6120531e6d90c42b07b09c204b85714fe49ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `python-multipart` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 87669, "scanner": "repobility-supply-chain", "fingerprint": "799708e700787aaf78a645c1d7f443e2c14c5c3cdffc2ef27f9aaf6505aab055", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|799708e700787aaf78a645c1d7f443e2c14c5c3cdffc2ef27f9aaf6505aab055"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `uvicorn` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 87668, "scanner": "repobility-supply-chain", "fingerprint": "21ae4a85b3fc0b475b743d311821687b23bdddc76a2cd78467dd492b2d4f7432", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|21ae4a85b3fc0b475b743d311821687b23bdddc76a2cd78467dd492b2d4f7432"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `fastapi` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 87667, "scanner": "repobility-supply-chain", "fingerprint": "62b08992a4bb6a2e02a5a8f9029c9ebffec3c5d010cef765bdd74c5526c7e1a8", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|62b08992a4bb6a2e02a5a8f9029c9ebffec3c5d010cef765bdd74c5526c7e1a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `PyMuPDF` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 87666, "scanner": "repobility-supply-chain", "fingerprint": "cc79b3dc9730206c162380be58f3ac33c209063ae4e264ee90df09e4c60184e8", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cc79b3dc9730206c162380be58f3ac33c209063ae4e264ee90df09e4c60184e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements-optional.txt"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `duckduckgo-search` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 87665, "scanner": "repobility-supply-chain", "fingerprint": "0df9510d65206f2143874fb453b9840d725e6de6904ce57c202f956c910f6c37", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0df9510d65206f2143874fb453b9840d725e6de6904ce57c202f956c910f6c37"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements-optional.txt"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `faster-whisper` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 87664, "scanner": "repobility-supply-chain", "fingerprint": "6473dd3c122d8b3c9a6efd8d9f4f2ad0f865f4b322bcbdc878e580a250b5e3a8", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6473dd3c122d8b3c9a6efd8d9f4f2ad0f865f4b322bcbdc878e580a250b5e3a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements-optional.txt"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 87607, "scanner": "repobility-ast-engine", "fingerprint": "4ff92a2a9095de8149feedf6690318d9c81ff1b5c57a52ea304676a31f5fc852", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4ff92a2a9095de8149feedf6690318d9c81ff1b5c57a52ea304676a31f5fc852"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/tool_implementations.py"}, "region": {"startLine": 478}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 87606, "scanner": "repobility-ast-engine", "fingerprint": "c4016df908ab039c9266605d408c8083c64192c890157190909cd159a41dfebd", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c4016df908ab039c9266605d408c8083c64192c890157190909cd159a41dfebd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/tool_implementations.py"}, "region": {"startLine": 384}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 87605, "scanner": "repobility-ast-engine", "fingerprint": "9d82fb7d5bf809910ef0f7c37592f31fde72d8c7a39c478e20a9d1b964ca02e3", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9d82fb7d5bf809910ef0f7c37592f31fde72d8c7a39c478e20a9d1b964ca02e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/tool_implementations.py"}, "region": {"startLine": 329}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 87603, "scanner": "repobility-ast-engine", "fingerprint": "7e9d88d45791cc1e7b55f83e79b6d6c4acaabdbe59fa04937527e376a44eb1d2", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7e9d88d45791cc1e7b55f83e79b6d6c4acaabdbe59fa04937527e376a44eb1d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/email_thread_parser.py"}, "region": {"startLine": 446}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 87602, "scanner": "repobility-ast-engine", "fingerprint": "1841b77dc2eb64a388724706be56dac943f087e7f81d729096afb88de7000e19", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1841b77dc2eb64a388724706be56dac943f087e7f81d729096afb88de7000e19"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/email_thread_parser.py"}, "region": {"startLine": 441}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 87601, "scanner": "repobility-ast-engine", "fingerprint": "29def5f92cfed958ff35fa33a10c1e274346bac978d850672778fcb77c1b4919", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|29def5f92cfed958ff35fa33a10c1e274346bac978d850672778fcb77c1b4919"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/tool_index.py"}, "region": {"startLine": 237}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 87600, "scanner": "repobility-ast-engine", "fingerprint": "bce6e6fa47b5fec76b0483e6f99f53d25d7b4530c9e7af3d8728e2d73820ecc5", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bce6e6fa47b5fec76b0483e6f99f53d25d7b4530c9e7af3d8728e2d73820ecc5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/model_context.py"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 87599, "scanner": "repobility-ast-engine", "fingerprint": "b5cc4cf9b238d07bb947d1537b32c270125522a38a7975f238cb25a7b6c25e4f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b5cc4cf9b238d07bb947d1537b32c270125522a38a7975f238cb25a7b6c25e4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/model_context.py"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 87598, "scanner": "repobility-ast-engine", "fingerprint": "a96f9844fe53d275ba32ca16e92dfee8ea4e2ebbc4d3cc7cb5316b2625970cf4", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a96f9844fe53d275ba32ca16e92dfee8ea4e2ebbc4d3cc7cb5316b2625970cf4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/task_scheduler.py"}, "region": {"startLine": 871}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 87597, "scanner": "repobility-ast-engine", "fingerprint": "1691a203e2711598deca8d5557036c00bf05405653a8dc2c0c99c929432e60b0", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1691a203e2711598deca8d5557036c00bf05405653a8dc2c0c99c929432e60b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/task_scheduler.py"}, "region": {"startLine": 1438}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 87596, "scanner": "repobility-ast-engine", "fingerprint": "cd0fdf50faac6678c23afe4fb5ace1ae208f17f15a791513775f112cbff83934", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cd0fdf50faac6678c23afe4fb5ace1ae208f17f15a791513775f112cbff83934"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/task_scheduler.py"}, "region": {"startLine": 1284}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 87595, "scanner": "repobility-ast-engine", "fingerprint": "e86d65dbb05a5a0225383d1d3971d501e46e9ff4e69008068ad0dbe6dda1e4d3", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e86d65dbb05a5a0225383d1d3971d501e46e9ff4e69008068ad0dbe6dda1e4d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/task_scheduler.py"}, "region": {"startLine": 1930}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 87594, "scanner": "repobility-ast-engine", "fingerprint": "e99a95a82afc4dbe14e8f0a34471f5c956736db825abe9b3b6ee76e94a385335", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e99a95a82afc4dbe14e8f0a34471f5c956736db825abe9b3b6ee76e94a385335"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/task_scheduler.py"}, "region": {"startLine": 1727}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 87593, "scanner": "repobility-ast-engine", "fingerprint": "739b8b6fe453415a203be4ca8b30c80644017a30ffdc667d6dd854d8e2baa97d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|739b8b6fe453415a203be4ca8b30c80644017a30ffdc667d6dd854d8e2baa97d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/task_scheduler.py"}, "region": {"startLine": 1601}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 87592, "scanner": "repobility-ast-engine", "fingerprint": "44d55b5d61ced239b64b8747d7282b5750dfe497bd363a387062ed0d909689b4", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|44d55b5d61ced239b64b8747d7282b5750dfe497bd363a387062ed0d909689b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/task_scheduler.py"}, "region": {"startLine": 1346}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 87591, "scanner": "repobility-ast-engine", "fingerprint": "35a788cf5cf0571d4485166bda67b1fddaf8038da393cb253ade25635f5990a2", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|35a788cf5cf0571d4485166bda67b1fddaf8038da393cb253ade25635f5990a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/task_scheduler.py"}, "region": {"startLine": 1158}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 87590, "scanner": "repobility-ast-engine", "fingerprint": "4ab7764f8349c1a1d50dd2aa4ff5a6ff22c094ed34431b36dc27fdbb997e51ca", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4ab7764f8349c1a1d50dd2aa4ff5a6ff22c094ed34431b36dc27fdbb997e51ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/task_scheduler.py"}, "region": {"startLine": 1151}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 87589, "scanner": "repobility-ast-engine", "fingerprint": "8c600aa687372b1766690518bc75dd0c6ffc4d3c1609b550e958bf486811981d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8c600aa687372b1766690518bc75dd0c6ffc4d3c1609b550e958bf486811981d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/task_scheduler.py"}, "region": {"startLine": 1107}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 87588, "scanner": "repobility-ast-engine", "fingerprint": "5841fb7fad373f932e61689ec69fa949d487ce6120c7b8739d1ce3949777f80a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5841fb7fad373f932e61689ec69fa949d487ce6120c7b8739d1ce3949777f80a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/task_scheduler.py"}, "region": {"startLine": 562}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 87587, "scanner": "repobility-ast-engine", "fingerprint": "b2deceabd10a8dc0c09bd21926f73419d01f35b59261f8a4453118fb49d30f80", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b2deceabd10a8dc0c09bd21926f73419d01f35b59261f8a4453118fb49d30f80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/task_scheduler.py"}, "region": {"startLine": 90}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 87565, "scanner": "repobility-ast-engine", "fingerprint": "35ee5ad3414dcbe18fd9a35393c19e506f2f9f5a8180fec029896a42f804a03c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|35ee5ad3414dcbe18fd9a35393c19e506f2f9f5a8180fec029896a42f804a03c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/context_compactor.py"}, "region": {"startLine": 398}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 87559, "scanner": "repobility-ast-engine", "fingerprint": "cfb605416bca9e18325a891021ab7c1bd8e5ab3012d862556a30a650978a5542", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cfb605416bca9e18325a891021ab7c1bd8e5ab3012d862556a30a650978a5542"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "setup.py"}, "region": {"startLine": 195}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 87558, "scanner": "repobility-ast-engine", "fingerprint": "777909a6f802e8277d3018b05af997d2e69a0d7cf819dc8fdf7a712b4ab74728", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|777909a6f802e8277d3018b05af997d2e69a0d7cf819dc8fdf7a712b4ab74728"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "setup.py"}, "region": {"startLine": 185}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 87557, "scanner": "repobility-ast-engine", "fingerprint": "60e2c8f5487a8747eccdef39f2d411d66b05ccb52831e900205e95bc94e9426c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|60e2c8f5487a8747eccdef39f2d411d66b05ccb52831e900205e95bc94e9426c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app.py"}, "region": {"startLine": 1052}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 87556, "scanner": "repobility-ast-engine", "fingerprint": "2543048f591f1c10f85d006357b0f936967c1208656bc0f54aa9641eae94e6c3", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2543048f591f1c10f85d006357b0f936967c1208656bc0f54aa9641eae94e6c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app.py"}, "region": {"startLine": 822}}}]}, {"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 87554, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN008", "level": "warning", "message": {"text": "Temporal access helper does not visibly require active status and time window"}, "properties": {"repobilityId": 87549, "scanner": "repobility-journey-contract", "fingerprint": "2e47630ffa304730a4bdca6a804efa0664d6f01c847a2758092683544ff417b5", "category": "auth", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "is_active combines status/time concepts but lacks visible confirmed-status and terminal-state denial evidence.", "evidence": {"rule_id": "JRN008", "scanner": "repobility-journey-contract", "references": ["https://owasp.org/API-Security/editions/2023/en/0xa1-broken-object-level-authorization/"], "correlation_key": "code|auth|core/database.py|136|jrn008"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/database.py"}, "region": {"startLine": 136}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 87548, "scanner": "repobility-journey-contract", "fingerprint": "1a28dd501877906defaea759d995c654e067b476bcefc80fedfaf095d646cbfc", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/personal/file", "correlation_key": "fp|1a28dd501877906defaea759d995c654e067b476bcefc80fedfaf095d646cbfc", "backend_endpoint_count": 449}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/admin.js"}, "region": {"startLine": 1812}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 87547, "scanner": "repobility-journey-contract", "fingerprint": "54070810b6f36e590268e5bb6a0175ec71f52e28bc1833586dce28dcb84c3c9b", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/personal/remove_directory", "correlation_key": "fp|54070810b6f36e590268e5bb6a0175ec71f52e28bc1833586dce28dcb84c3c9b", "backend_endpoint_count": 449}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/admin.js"}, "region": {"startLine": 1792}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 87546, "scanner": "repobility-journey-contract", "fingerprint": "3940998afc1672dda2794abd7d15d4dff07b7a015392a08970ac7887f2242c51", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/personal", "correlation_key": "fp|3940998afc1672dda2794abd7d15d4dff07b7a015392a08970ac7887f2242c51", "backend_endpoint_count": 449}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/admin.js"}, "region": {"startLine": 1780}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 87545, "scanner": "repobility-journey-contract", "fingerprint": "3e6fee226071596c4cb036f429bfe7c8834138abb910b9dc16115d70dc968435", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/mcp/oauth/authorize/{param}", "correlation_key": "fp|3e6fee226071596c4cb036f429bfe7c8834138abb910b9dc16115d70dc968435", "backend_endpoint_count": 449}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/admin.js"}, "region": {"startLine": 1759}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 87544, "scanner": "repobility-journey-contract", "fingerprint": "2fbc34aa1bcab3a15f265bd3c2b57b51aca95fc0f84c2438bf0929635684d895", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/mcp/servers", "correlation_key": "fp|2fbc34aa1bcab3a15f265bd3c2b57b51aca95fc0f84c2438bf0929635684d895", "backend_endpoint_count": 449}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/admin.js"}, "region": {"startLine": 1756}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 87543, "scanner": "repobility-journey-contract", "fingerprint": "2d9fd4f63bb70e98b46d179d795c612759e56a186168747616a70060dafb7943", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/mcp/servers/{param}/tools", "correlation_key": "fp|2d9fd4f63bb70e98b46d179d795c612759e56a186168747616a70060dafb7943", "backend_endpoint_count": 449}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/admin.js"}, "region": {"startLine": 1557}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 87542, "scanner": "repobility-journey-contract", "fingerprint": "46e12a89e563816cb9ed2d831b8e2d0c96848893314d5798f5c265919e2885c3", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/mcp/servers/{param}/tools", "correlation_key": "fp|46e12a89e563816cb9ed2d831b8e2d0c96848893314d5798f5c265919e2885c3", "backend_endpoint_count": 449}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/admin.js"}, "region": {"startLine": 1513}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 87541, "scanner": "repobility-journey-contract", "fingerprint": "733bb4719a70cebc1b9c7a16096218eebce40d61b7da6fb0155190382b5cc78d", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/mcp/servers/{param}", "correlation_key": "fp|733bb4719a70cebc1b9c7a16096218eebce40d61b7da6fb0155190382b5cc78d", "backend_endpoint_count": 449}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/admin.js"}, "region": {"startLine": 1487}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 87540, "scanner": "repobility-journey-contract", "fingerprint": "88c5e0abfecdc2d0db53c64dc5be2886bd6b6830342f7b54a15ce82fb8c21bc5", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/mcp/servers/{param}", "correlation_key": "fp|88c5e0abfecdc2d0db53c64dc5be2886bd6b6830342f7b54a15ce82fb8c21bc5", "backend_endpoint_count": 449}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/admin.js"}, "region": {"startLine": 1480}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 87539, "scanner": "repobility-journey-contract", "fingerprint": "1efd3af869153b730605d0b9b198be90bd798ad44038fe5092d205a51ff2e7b0", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/mcp/servers/{param}/reconnect", "correlation_key": "fp|1efd3af869153b730605d0b9b198be90bd798ad44038fe5092d205a51ff2e7b0", "backend_endpoint_count": 449}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/admin.js"}, "region": {"startLine": 1469}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 87538, "scanner": "repobility-journey-contract", "fingerprint": "6499bd9146616b04c47554b4234934da76829e5b1bcb79fca00920d819d49a21", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/mcp/oauth/authorize/{param}", "correlation_key": "fp|6499bd9146616b04c47554b4234934da76829e5b1bcb79fca00920d819d49a21", "backend_endpoint_count": 449}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/admin.js"}, "region": {"startLine": 1455}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 87537, "scanner": "repobility-journey-contract", "fingerprint": "795adcf3d8bb8abdd41f7e1c02ec35c4ee98d972bd4c248bbdd29172ecc72c85", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/mcp/servers", "correlation_key": "fp|795adcf3d8bb8abdd41f7e1c02ec35c4ee98d972bd4c248bbdd29172ecc72c85", "backend_endpoint_count": 449}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/admin.js"}, "region": {"startLine": 1439}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 87536, "scanner": "repobility-journey-contract", "fingerprint": "e1454b6f2eb78a1f964ac2f615b5bdab0c49795938e338abb25e3a0d26e79868", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/copilot/device/poll", "correlation_key": "fp|e1454b6f2eb78a1f964ac2f615b5bdab0c49795938e338abb25e3a0d26e79868", "backend_endpoint_count": 449}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/admin.js"}, "region": {"startLine": 969}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 87535, "scanner": "repobility-journey-contract", "fingerprint": "9643935677eb0f843ad8288771f3db2ec74bf18af1c39b7a05ab98abe5776d2e", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/copilot/device/start", "correlation_key": "fp|9643935677eb0f843ad8288771f3db2ec74bf18af1c39b7a05ab98abe5776d2e", "backend_endpoint_count": 449}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/admin.js"}, "region": {"startLine": 929}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 87534, "scanner": "repobility-journey-contract", "fingerprint": "3a9eca1a49b20b37f8e3ebc6f52fb24d927e09587a161c009692c63e6a5cc8aa", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/auth", "correlation_key": "fp|3a9eca1a49b20b37f8e3ebc6f52fb24d927e09587a161c009692c63e6a5cc8aa", "backend_endpoint_count": 449}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/app.js"}, "region": {"startLine": 60}}}]}, {"ruleId": "AUC012", "level": "warning", "message": {"text": "[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements."}, "properties": {"repobilityId": 87533, "scanner": "repobility-access-control", "fingerprint": "27f8c50db94c1d5138790446654bd4d0b5823ce185d040059e5a7502358b5899", "category": "auth", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"apps": [{"line": 80, "file_path": "app.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}, {"line": 54, "file_path": "scripts/diffusion_server.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}, {"line": 117, "file_path": "tests/test_history_compact_tool_calls.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}, {"line": 154, "file_path": "tests/test_history_compact_tool_calls.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}, {"line": 158, "file_path": "tests/test_cleanup_owner_scope.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}], "scanner": "repobility-access-control", "correlation_key": "fp|27f8c50db94c1d5138790446654bd4d0b5823ce185d040059e5a7502358b5899"}}}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /delete/{uid}."}, "properties": {"repobilityId": 87532, "scanner": "repobility-access-control", "fingerprint": "731c432ef4552d3c0067cd51caf7453d056109742bae00552b827c3c05c91fee", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/delete/{uid}", "method": "DELETE", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|routes/email_routes.py|1723|auc009", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/email_routes.py"}, "region": {"startLine": 1723}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /archive/{uid}."}, "properties": {"repobilityId": 87531, "scanner": "repobility-access-control", "fingerprint": "6bf77a1b254301c4a29cfee69170535ad834d238daebe6f5db965a70134d21a5", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/archive/{uid}", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|routes/email_routes.py|1709|auc009", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/email_routes.py"}, "region": {"startLine": 1709}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /{comp_id}."}, "properties": {"repobilityId": 87530, "scanner": "repobility-access-control", "fingerprint": "631d1871e7d14aefe21ba0b0af4a6767bc612b2d2d315fd7c0e267ebc5ce8b9f", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{comp_id}", "method": "DELETE", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|routes/compare_routes.py|258|auc009", "identity_targets": ["authenticated", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/compare_routes.py"}, "region": {"startLine": 258}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /v1/chat."}, "properties": {"repobilityId": 87529, "scanner": "repobility-access-control", "fingerprint": "c0140246d4420d851dc56a4deb6dc9b2c626e7b4daa1efe422f167d73aeafc26", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/v1/chat", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|routes/webhook_routes.py|232|auc009", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/webhook_routes.py"}, "region": {"startLine": 232}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /api/cookbook/packages."}, "properties": {"repobilityId": 87528, "scanner": "repobility-access-control", "fingerprint": "b1c8d71b9cc557cd07ebe9e69e44430c0de6c3511658cf63e77b51e523c7cc1b", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/cookbook/packages", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|routes/shell_routes.py|882|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/shell_routes.py"}, "region": {"startLine": 882}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /api/gallery/albums/{album_id}/add."}, "properties": {"repobilityId": 87527, "scanner": "repobility-access-control", "fingerprint": "2e9c28318849e663e77a388a334c7aa0ba40723b0d17fee1c0933b1699c4d7c5", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/gallery/albums/{album_id}/add", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|routes/gallery_routes.py|1647|auc009", "identity_targets": ["authenticated", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/gallery_routes.py"}, "region": {"startLine": 1647}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /api/gallery/albums/{album_id}."}, "properties": {"repobilityId": 87526, "scanner": "repobility-access-control", "fingerprint": "9d2320aa15f5a6fe10f81ad15a7d3b79b16a8193291fa6b69c51aad09e4f3fe8", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/gallery/albums/{album_id}", "method": "DELETE", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|routes/gallery_routes.py|1632|auc009", "identity_targets": ["authenticated", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/gallery_routes.py"}, "region": {"startLine": 1632}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /api/gallery/{image_id}."}, "properties": {"repobilityId": 87525, "scanner": "repobility-access-control", "fingerprint": "e9048eba630f582aa0164056dc90a1144c17e068b48cc0ce6bba9086173ed4e6", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/gallery/{image_id}", "method": "DELETE", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|routes/gallery_routes.py|808|auc009", "identity_targets": ["authenticated", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/gallery_routes.py"}, "region": {"startLine": 808}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /api/gallery/tags."}, "properties": {"repobilityId": 87524, "scanner": "repobility-access-control", "fingerprint": "d42344812e62dffa041fd4abba0adfe436457ad9e8ad10a21889275518c3a59f", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/gallery/tags", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|routes/gallery_routes.py|335|auc009", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/gallery_routes.py"}, "region": {"startLine": 335}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /api/gallery/style-transfer."}, "properties": {"repobilityId": 87523, "scanner": "repobility-access-control", "fingerprint": "b75d437db159e23a8fa124e12d0096736ea11c97ad8563bd2b5ad6ad183267ba", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/gallery/style-transfer", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|routes/gallery_routes.py|289|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/gallery_routes.py"}, "region": {"startLine": 289}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /api/shell/stream."}, "properties": {"repobilityId": 87522, "scanner": "repobility-access-control", "fingerprint": "4c594d4c1e3efb2d21964500fe2d2adc0c74e73d845fddb89927c15552e141ee", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/shell/stream", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|routes/shell_routes.py|759|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/shell_routes.py"}, "region": {"startLine": 759}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /api/shell/exec."}, "properties": {"repobilityId": 87521, "scanner": "repobility-access-control", "fingerprint": "afddfd73bb69f0c72e0fe4f034efd1b7cfce2316dc6d242c30b1d379bbb25c28", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/shell/exec", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|routes/shell_routes.py|747|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/shell_routes.py"}, "region": {"startLine": 747}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /api/cookbook/state."}, "properties": {"repobilityId": 87520, "scanner": "repobility-access-control", "fingerprint": "6a0d6e976ee2df1ba6748d7e867fd80b3295e533d6c3a96824ec8c20a31d7906", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/cookbook/state", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|routes/cookbook_routes.py|1805|auc004", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/cookbook_routes.py"}, "region": {"startLine": 1805}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /api/cookbook/state."}, "properties": {"repobilityId": 87519, "scanner": "repobility-access-control", "fingerprint": "50cacbe8ca3e16a2826ead6f3b730e9d8622ad3a6b9a277928b2410f966a32b8", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/cookbook/state", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|routes/cookbook_routes.py|1794|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/cookbook_routes.py"}, "region": {"startLine": 1794}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /api/cookbook/kill-pid."}, "properties": {"repobilityId": 87518, "scanner": "repobility-access-control", "fingerprint": "0f673d624c71eba2c4cb61b537d09bb6c30240db92982d499be1683b79939631", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/cookbook/kill-pid", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|routes/cookbook_routes.py|1742|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/cookbook_routes.py"}, "region": {"startLine": 1742}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /api/cookbook/setup."}, "properties": {"repobilityId": 87517, "scanner": "repobility-access-control", "fingerprint": "9ba186f8c39e240447eb280b11f75f047a0ee79cdd900d9ea9ea71cecf5c3210", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/cookbook/setup", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|routes/cookbook_routes.py|1344|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/cookbook_routes.py"}, "region": {"startLine": 1344}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /api/model/cached."}, "properties": {"repobilityId": 87516, "scanner": "repobility-access-control", "fingerprint": "bd1ba815125acfb1e7d6f23eaf6a15bac436cb22adce68c5db6a639cf77374a5", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/model/cached", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|routes/cookbook_routes.py|659|auc004", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/cookbook_routes.py"}, "region": {"startLine": 659}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /api/model/download."}, "properties": {"repobilityId": 87515, "scanner": "repobility-access-control", "fingerprint": "68d5b2077f39482e510fbafb301efeb0e03b3b077c9265c84f9763213c9d969d", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/model/download", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|routes/cookbook_routes.py|392|auc004", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/cookbook_routes.py"}, "region": {"startLine": 392}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /api/cookbook/ssh-key."}, "properties": {"repobilityId": 87514, "scanner": "repobility-access-control", "fingerprint": "f3215e84d83d1c943414c8da7d5c4c0d4661eebea3a35aafa7951b9d35cdcf85", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/cookbook/ssh-key", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|routes/cookbook_routes.py|272|auc004", "identity_targets": ["anonymous", "authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/cookbook_routes.py"}, "region": {"startLine": 272}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /api/cookbook/ssh-key."}, "properties": {"repobilityId": 87513, "scanner": "repobility-access-control", "fingerprint": "fc4c8e784649ac2f4c32b2176eb1a8b517962c40b7e0f74a971b3237eb4768e6", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/cookbook/ssh-key", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|routes/cookbook_routes.py|263|auc004", "identity_targets": ["anonymous", "authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/cookbook_routes.py"}, "region": {"startLine": 263}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 44.5% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 87502, "scanner": "repobility-access-control", "fingerprint": "7642a5ef616a8939fc12da2afc9dc7c8c19c1ee5972cd4a0a24a130943e4bc55", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 449, "correlation_key": "fp|7642a5ef616a8939fc12da2afc9dc7c8c19c1ee5972cd4a0a24a130943e4bc55", "auth_visible_percent": 44.5}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 87501, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["FastAPI"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `ntfy` image has no explicit tag"}, "properties": {"repobilityId": 87498, "scanner": "repobility-docker", "fingerprint": "c623f9f3a8c005cb11d4677063d9f7cf657ef77437cb787b42f8b844865721e2", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "docker.io/binwiederhier/ntfy", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|c623f9f3a8c005cb11d4677063d9f7cf657ef77437cb787b42f8b844865721e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 130}}}]}, {"ruleId": "DKC005", "level": "warning", "message": {"text": "Compose service adds dangerous Linux capabilities"}, "properties": {"repobilityId": 87495, "scanner": "repobility-docker", "fingerprint": "0fd54a3f9952dd341783353d1bfd83ce8c88f7d03bf051ec458f1d7d167d7ca9", "category": "docker", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "cap_add includes broad or sensitive Linux capabilities.", "evidence": {"rule_id": "DKC005", "scanner": "repobility-docker", "service": "searxng", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "capabilities": ["DAC_OVERRIDE"], "correlation_key": "fp|0fd54a3f9952dd341783353d1bfd83ce8c88f7d03bf051ec458f1d7d167d7ca9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 80}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `chromadb` image uses the latest tag"}, "properties": {"repobilityId": 87492, "scanner": "repobility-docker", "fingerprint": "82b65731f20f016117100f53f30ebab20abd429f24f57d4b1179e8ab7a033616", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "docker.io/chromadb/chroma:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|82b65731f20f016117100f53f30ebab20abd429f24f57d4b1179e8ab7a033616"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 70}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 87488, "scanner": "repobility-docker", "fingerprint": "bbddb30f89178c7f394f661014c4463818fa0d7143e3346dcf37c2b53e571e10", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.12-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|bbddb30f89178c7f394f661014c4463818fa0d7143e3346dcf37c2b53e571e10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 87487, "scanner": "repobility-docker", "fingerprint": "4a8cc253d8f771cea683754c1216b9a6c93ee0754de2a51fc9505cf223d3a3c6", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|4a8cc253d8f771cea683754c1216b9a6c93ee0754de2a51fc9505cf223d3a3c6", "missing_patterns": ["id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 33}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 87486, "scanner": "repobility-agent-runtime", "fingerprint": "9c8154fb305abee72e0c1bfd243bd1f79fbfdb6d50103a89ebde0d37d1ac4ee0", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|9c8154fb305abee72e0c1bfd243bd1f79fbfdb6d50103a89ebde0d37d1ac4ee0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/editor/ai-models.js"}, "region": {"startLine": 217}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 87485, "scanner": "repobility-agent-runtime", "fingerprint": "99d861959c6415184591fbf67e6cba1cf3d48d82ecc0fa656ffea738a9a9c945", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|99d861959c6415184591fbf67e6cba1cf3d48d82ecc0fa656ffea738a9a9c945"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/documentLibrary.js"}, "region": {"startLine": 1777}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 87484, "scanner": "repobility-agent-runtime", "fingerprint": "35c31031123f2841f059328f8f862301992b35e7efd7de0d716df518b833922c", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|35c31031123f2841f059328f8f862301992b35e7efd7de0d716df518b833922c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/document.js"}, "region": {"startLine": 122}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 87483, "scanner": "repobility-agent-runtime", "fingerprint": "621229ccc8b444415a27669b147e768c3609ad525eb4b4da7e000985d0a899b9", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|621229ccc8b444415a27669b147e768c3609ad525eb4b4da7e000985d0a899b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/cookbookServe.js"}, "region": {"startLine": 1832}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 87482, "scanner": "repobility-agent-runtime", "fingerprint": "7b60e562a99575b5ee5600442673b9a73c03d11a7968033a965d54650c1afdc6", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|7b60e562a99575b5ee5600442673b9a73c03d11a7968033a965d54650c1afdc6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/cookbookRunning.js"}, "region": {"startLine": 646}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 87481, "scanner": "repobility-agent-runtime", "fingerprint": "37e351cf5200f28c7b20254d25199ad40a1200c3d72a1a54242048c07978e9ba", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|37e351cf5200f28c7b20254d25199ad40a1200c3d72a1a54242048c07978e9ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/cookbook.js"}, "region": {"startLine": 573}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 87480, "scanner": "repobility-agent-runtime", "fingerprint": "169e81c69786d74338683dee9e4bacca1604c4895ad9c250d9aa8ba2ae73f6d0", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|169e81c69786d74338683dee9e4bacca1604c4895ad9c250d9aa8ba2ae73f6d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/cookbook-hwfit.js"}, "region": {"startLine": 277}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 87479, "scanner": "repobility-agent-runtime", "fingerprint": "29089782f5ac785f2ff7cc8db796c5e7d4566814c8ecd116b0434e44f2d7ead4", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|29089782f5ac785f2ff7cc8db796c5e7d4566814c8ecd116b0434e44f2d7ead4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/cookbook-diagnosis.js"}, "region": {"startLine": 404}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 87478, "scanner": "repobility-agent-runtime", "fingerprint": "3dd6ba91317cc1aee8e20d79cf8e18e9dd00bc8a7e73b36ee9b0b4a253edaf37", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|3dd6ba91317cc1aee8e20d79cf8e18e9dd00bc8a7e73b36ee9b0b4a253edaf37"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/colorPicker.js"}, "region": {"startLine": 82}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 87477, "scanner": "repobility-agent-runtime", "fingerprint": "6c8b4dde091df9b8cc50530bbf15548bd40f6df75b3dc15f7a144f06d712d346", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|6c8b4dde091df9b8cc50530bbf15548bd40f6df75b3dc15f7a144f06d712d346"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/chatRenderer.js"}, "region": {"startLine": 741}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 87476, "scanner": "repobility-agent-runtime", "fingerprint": "dfb95cd5cf8953816b1a58ddaff3b2489fade2582124011edea6f80d9858967b", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|dfb95cd5cf8953816b1a58ddaff3b2489fade2582124011edea6f80d9858967b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/calendar.js"}, "region": {"startLine": 585}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 87475, "scanner": "repobility-agent-runtime", "fingerprint": "dae9209dfee92a13df1eacc56ac418350c6704076709af40628ac760a7974be5", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|dae9209dfee92a13df1eacc56ac418350c6704076709af40628ac760a7974be5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/calendar/reminders.js"}, "region": {"startLine": 98}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 87474, "scanner": "repobility-agent-runtime", "fingerprint": "55004be6eaff37c9149311f7e61382d55e8470e2957ab57d7693bcd9e22aee76", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|55004be6eaff37c9149311f7e61382d55e8470e2957ab57d7693bcd9e22aee76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/admin.js"}, "region": {"startLine": 1160}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 87473, "scanner": "repobility-agent-runtime", "fingerprint": "0c21759b42a841e2596d67888b2dd1b6b2ad676d397c0a7f26c3cc9f62f64738", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|0c21759b42a841e2596d67888b2dd1b6b2ad676d397c0a7f26c3cc9f62f64738"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/webhook_manager.py"}, "region": {"startLine": 29}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 87471, "scanner": "repobility-agent-runtime", "fingerprint": "ae82bdb38368f3b3a89397028cd6dbf148eb9be0a87ddf0bf161f1784c9f729a", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|ae82bdb38368f3b3a89397028cd6dbf148eb9be0a87ddf0bf161f1784c9f729a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cookbook_serve_lifecycle.py"}, "region": {"startLine": 2}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 87469, "scanner": "repobility-agent-runtime", "fingerprint": "1d3416e4813b2953c20913060ed0b89a797b8a4aafacf469a0a15a646698645f", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|1d3416e4813b2953c20913060ed0b89a797b8a4aafacf469a0a15a646698645f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/search/content.py"}, "region": {"startLine": 29}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 87468, "scanner": "repobility-agent-runtime", "fingerprint": "7815290af97d68760d0177e2d079736dd52e4a6b13b87eaf56232fc659e7d97b", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|7815290af97d68760d0177e2d079736dd52e4a6b13b87eaf56232fc659e7d97b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/cookbook_routes.py"}, "region": {"startLine": 1187}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 87467, "scanner": "repobility-agent-runtime", "fingerprint": "5aab5e23f47ef4e23bb9878510201fa44f49b080abc6876e86b1bd4cd180cf73", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|5aab5e23f47ef4e23bb9878510201fa44f49b080abc6876e86b1bd4cd180cf73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/cookbook_routes.py"}, "region": {"startLine": 15}}}]}, {"ruleId": "AGT014", "level": "warning", "message": {"text": "Codex auth.json is read or copied without visible secret-file hardening"}, "properties": {"repobilityId": 87466, "scanner": "repobility-agent-runtime", "fingerprint": "19d52c8fc52f21f3ca7c12d2fc3e6bf47c24684fc682eb857089df22f532610c", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File references Codex auth.json or CODEX_HOME with read/copy/write behavior and no visible permission or secure-storage guard.", "evidence": {"rule_id": "AGT014", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|19d52c8fc52f21f3ca7c12d2fc3e6bf47c24684fc682eb857089df22f532610c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app.py"}, "region": {"startLine": 710}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 87451, "scanner": "repobility-threat-engine", "fingerprint": "f76156d9b001162cbd0275a13035430a3a2a152bcee143a174f8077fb44cb18e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "iv');\n    el.className = 'confetti-piece';\n    const color = colors[Math.floor(Math.random(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f76156d9b001162cbd0275a13035430a3a2a152bcee143a174f8077fb44cb18e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/compare/vote.js"}, "region": {"startLine": 229}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 87435, "scanner": "repobility-threat-engine", "fingerprint": "ce30d0ae61a013ae9f6800e1d52794205bae3a1282a236c23304d920550d93a0", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (_) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ce30d0ae61a013ae9f6800e1d52794205bae3a1282a236c23304d920550d93a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/compare/vote.js"}, "region": {"startLine": 140}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 87434, "scanner": "repobility-threat-engine", "fingerprint": "179a722b3e6ec3ade2e6cf07d45c1db21f2482e47157b46d17ce00416549835d", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch(function(){}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|179a722b3e6ec3ade2e6cf07d45c1db21f2482e47157b46d17ce00416549835d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/chatStream.js"}, "region": {"startLine": 137}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 87433, "scanner": "repobility-threat-engine", "fingerprint": "e94bc35f3d777c70b9ae075b0db09f3d1225a1e861bde940529fd5c6f2a84fae", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (_) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e94bc35f3d777c70b9ae075b0db09f3d1225a1e861bde940529fd5c6f2a84fae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/calendar/reminders.js"}, "region": {"startLine": 99}}}]}, {"ruleId": "SEC042", "level": "warning", "message": {"text": "[SEC042] SQL identifier injection via f-string in cursor execute: f-string SQL normalizes an unsafe pattern. Currently safe when only trusted internal values are interpolated (e.g. self._table in Odoo), but a future contributor can extend the f-string to user input without noticing. CWE-89. Identifiers (table/column names) need a separate escaping path from values."}, "properties": {"repobilityId": 87430, "scanner": "repobility-threat-engine", "fingerprint": "cb7abd121e0c545f74ed0847f9f21f05ebc51fcd3db4ba4be3cd96f14eafae34", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "cursor.execute(f\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC042", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|scripts/update_database.py|38|sec042"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/update_database.py"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 87426, "scanner": "repobility-threat-engine", "fingerprint": "1c4a7ae59515a80960211ba302635218d88224e7451dab1990068b15c840803d", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (2.0 bits) \u2014 may be placeholder or common string", "evidence": {"match": "PASSWORD = \"<redacted>\"", "reason": "Low entropy value (2.0 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|2|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/demo_email/demo_account.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 87417, "scanner": "repobility-threat-engine", "fingerprint": "a2cc25bf669cf9d80a7cfc31a5cd2c64dd54b0bf5ff0e85314cd2a5d2575d061", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "evidence": {"match": "def generate_cache_key", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|services/search/cache.py|29|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/search/cache.py"}, "region": {"startLine": 29}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 87416, "scanner": "repobility-threat-engine", "fingerprint": "8b0df61f4e04469e35d7f7bbce9091b74499c973c5adb5891d67712fdb52d252", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "evidence": {"match": "def create_token", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|routes/api_token_routes.py|112|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/api_token_routes.py"}, "region": {"startLine": 112}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 87402, "scanner": "repobility-threat-engine", "fingerprint": "74455dd1cfa03ce202fef6d97bd611168a50f743b497e3c4239a16aac0344741", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n                    pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|74455dd1cfa03ce202fef6d97bd611168a50f743b497e3c4239a16aac0344741"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp_servers/image_gen_server.py"}, "region": {"startLine": 107}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 87401, "scanner": "repobility-threat-engine", "fingerprint": "9e4fd4ffcb0e29e6775a1999b7638d502374d912711d4633aeee97f1904af6bb", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n            pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9e4fd4ffcb0e29e6775a1999b7638d502374d912711d4633aeee97f1904af6bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/platform_compat.py"}, "region": {"startLine": 119}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 87400, "scanner": "repobility-threat-engine", "fingerprint": "1768f43afc2763e08c51b0792af1865a3a251ca3b2c1316e3ba9512bcd734e7d", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n        pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1768f43afc2763e08c51b0792af1865a3a251ca3b2c1316e3ba9512bcd734e7d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/middleware.py"}, "region": {"startLine": 35}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `models` has cognitive complexity 15 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: continue=1, except=3, for=1, if=2, nested_bonus=6, ternary=2."}, "properties": {"repobilityId": 87396, "scanner": "repobility-threat-engine", "fingerprint": "4ef459540bbeff6a13e14b618e84d207b0eb8a7d7c6e9ed3766424b952bbf03b", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 15 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "models", "breakdown": {"if": 2, "for": 1, "except": 3, "ternary": 2, "continue": 1, "nested_bonus": 6}, "complexity": 15, "correlation_key": "fp|4ef459540bbeff6a13e14b618e84d207b0eb8a7d7c6e9ed3766424b952bbf03b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "companion/routes.py"}, "region": {"startLine": 97}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 87382, "scanner": "repobility-threat-engine", "fingerprint": "e91fb789fe0245992a0a37fe0a35c13c38fbb327a20ebfdf83cdf6642d147c1f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "try:\n        r = httpx.get(probe_url, timeout=1.0)\n    except Exception:\n        return None", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e91fb789fe0245992a0a37fe0a35c13c38fbb327a20ebfdf83cdf6642d147c1f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/chat_helpers.py"}, "region": {"startLine": 107}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 87381, "scanner": "repobility-threat-engine", "fingerprint": "e3704cab3ed40cad15ad730d2d6b1eddc2ba93af1bffd6aab8b569bd739f9ea4", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "try:\n        return client.principal().calendars()\n    except (AuthorizationError, NotFoundError):", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e3704cab3ed40cad15ad730d2d6b1eddc2ba93af1bffd6aab8b569bd739f9ea4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/caldav_writeback.py"}, "region": {"startLine": 128}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 87380, "scanner": "repobility-threat-engine", "fingerprint": "8829eefb92a1065a18cdd3f76c44459100811fe4186d0672395a070f5ac898ab", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "try:\n        import base64\n        import io\n\n        import qrcode\n\n        img = qrcode.make(json.", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8829eefb92a1065a18cdd3f76c44459100811fe4186d0672395a070f5ac898ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "companion/pairing.py"}, "region": {"startLine": 115}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 87369, "scanner": "repobility-threat-engine", "fingerprint": "adbc176194208fc092c0f10bac21b94fe6ad8d90f4c778e4b104aba093866596", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|71|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/editor/ai-tool-runner.js"}, "region": {"startLine": 71}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 87368, "scanner": "repobility-threat-engine", "fingerprint": "a3475cc5e735dc460ff6088f42924d9b05055ca171fcdfb594bba7ceb0c4814a", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|. token|104|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/check-issue-description.js"}, "region": {"startLine": 104}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 87553, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 87552, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 87551, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 87550, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 87500, "scanner": "repobility-docker", "fingerprint": "7d2fda57216780f88f96c19118d58ad0d9cae1d69224b8b86a95fbe23960a96a", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "ntfy", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7d2fda57216780f88f96c19118d58ad0d9cae1d69224b8b86a95fbe23960a96a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 130}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 87499, "scanner": "repobility-docker", "fingerprint": "eb86b25e7286c209f1d01ebf4f1867edccfb62ec3eb9fc266617df58c96ec19e", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "ntfy", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|eb86b25e7286c209f1d01ebf4f1867edccfb62ec3eb9fc266617df58c96ec19e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 130}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 87497, "scanner": "repobility-docker", "fingerprint": "c6cfdbb0f16fa8ebaf4a2a7b2d997f4b60fad82c50de0a69c9e600de294c73f2", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "searxng", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|c6cfdbb0f16fa8ebaf4a2a7b2d997f4b60fad82c50de0a69c9e600de294c73f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 80}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 87496, "scanner": "repobility-docker", "fingerprint": "c0e584d52b1e8b522000fdd63de58e69029742a9d458a982b63c0a765b4ea435", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "searxng", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|c0e584d52b1e8b522000fdd63de58e69029742a9d458a982b63c0a765b4ea435"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 80}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 87494, "scanner": "repobility-docker", "fingerprint": "a96da1bcb1ba4583c1129a43a3ccc2c7a1160737607db044855bbfe08bd150b8", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "chromadb", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|a96da1bcb1ba4583c1129a43a3ccc2c7a1160737607db044855bbfe08bd150b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 70}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 87493, "scanner": "repobility-docker", "fingerprint": "4da10888511093f8263964e0683802c19f1de3bb56dd0482e7aee7e67c88e378", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "chromadb", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|4da10888511093f8263964e0683802c19f1de3bb56dd0482e7aee7e67c88e378"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 70}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 87491, "scanner": "repobility-docker", "fingerprint": "7f80983f54868d8bec198a3977b7dcbe8bfb5f2291356d590fb078148e91780d", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "odysseus", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7f80983f54868d8bec198a3977b7dcbe8bfb5f2291356d590fb078148e91780d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 87490, "scanner": "repobility-docker", "fingerprint": "2ae03d2ca68f689d193058b7c353aabad57bc3d37942d6a7c1406762df909513", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "odysseus", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2ae03d2ca68f689d193058b7c353aabad57bc3d37942d6a7c1406762df909513"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 87489, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": ["id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 87465, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ee1bbd33d7e8a9400f6c3499829e97bfc9af3afc321916c1490e7d37be5036ff", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "static/js/modalSnap.js", "duplicate_line": 5, "correlation_key": "fp|ee1bbd33d7e8a9400f6c3499829e97bfc9af3afc321916c1490e7d37be5036ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/tileManager.js"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 87464, "scanner": "repobility-ai-code-hygiene", "fingerprint": "84008846475ae7bd0d2852ec93ac1ba323f42c0587000c1604559f86563f1094", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "services/youtube/youtube_handler.py", "duplicate_line": 8, "correlation_key": "fp|84008846475ae7bd0d2852ec93ac1ba323f42c0587000c1604559f86563f1094"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/youtube_handler.py"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 87463, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9cb85ba174ceef4006274a9163fe81d1b6a4db60de578c50a5bd24fbed2178e0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "services/search/__init__.py", "duplicate_line": 17, "correlation_key": "fp|9cb85ba174ceef4006274a9163fe81d1b6a4db60de578c50a5bd24fbed2178e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/search/__init__.py"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 87462, "scanner": "repobility-ai-code-hygiene", "fingerprint": "42e8b56801c013a93885387f4a75706ef751e544cf4513de60727c9f777d6db8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "services/research/research_handler.py", "duplicate_line": 16, "correlation_key": "fp|42e8b56801c013a93885387f4a75706ef751e544cf4513de60727c9f777d6db8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/research_handler.py"}, "region": {"startLine": 35}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 87461, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d8ba9617699b1196936e93d5d50e4d907429f0c458d97f9b701c7e6895744f53", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/exceptions.py", "duplicate_line": 1, "correlation_key": "fp|d8ba9617699b1196936e93d5d50e4d907429f0c458d97f9b701c7e6895744f53"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/exceptions.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 87460, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b02d1b7024ef4e7b257b6bd70e982b7ba73f279f74bb70184ae32f700857166e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/constants.py", "duplicate_line": 4, "correlation_key": "fp|b02d1b7024ef4e7b257b6bd70e982b7ba73f279f74bb70184ae32f700857166e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/constants.py"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 87459, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6c2422442463cafaeb957182444cc06e1a7009232acc0b85eb6cc22d49cc9478", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scripts/add_hwfit_models.py", "duplicate_line": 154, "correlation_key": "fp|6c2422442463cafaeb957182444cc06e1a7009232acc0b85eb6cc22d49cc9478"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/hwfit/models.py"}, "region": {"startLine": 60}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 87446, "scanner": "repobility-threat-engine", "fingerprint": "6c20fb7ad8c940c222355b73dda7e127848f62cd619ee688492397fbeffabed9", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "' failed: ' + depMatch + ' is not installed on the server.'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6c20fb7ad8c940c222355b73dda7e127848f62cd619ee688492397fbeffabed9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/editor/ai-tool-runner.js"}, "region": {"startLine": 124}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 87445, "scanner": "repobility-threat-engine", "fingerprint": "7bf8be46c5705e3ce0a57742231785f2685d546cf345086f008399e693dd939c", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"><strong>' + pct + '%</strong></td>'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7bf8be46c5705e3ce0a57742231785f2685d546cf345086f008399e693dd939c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/compare/scoreboard.js"}, "region": {"startLine": 140}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 87443, "scanner": "repobility-threat-engine", "fingerprint": "6b1c9975ebe3427e46d325d7cceb10994efd15f54d3b5492b8cd39097a18cb94", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = _", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|static/js/compare/probe.js|72|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/compare/probe.js"}, "region": {"startLine": 72}}}]}, {"ruleId": "SEC124", "level": "note", "message": {"text": "[SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacker swap the file between check and use (symlink attack). `mktemp` is deprecated for the same reason."}, "properties": {"repobilityId": 87415, "scanner": "repobility-threat-engine", "fingerprint": "58b7418fbb4111b59c51273eeb42a7934de1302c03507ecfc131efb4ad82a219", "category": "race_condition", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "os.path.exists(self.key_file):\n            with open(self.key_file, 'rb') as f:\n                retu", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC124", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|58b7418fbb4111b59c51273eeb42a7934de1302c03507ecfc131efb4ad82a219"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api_key_manager.py"}, "region": {"startLine": 17}}}]}, {"ruleId": "SEC124", "level": "note", "message": {"text": "[SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacker swap the file between check and use (symlink attack). `mktemp` is deprecated for the same reason."}, "properties": {"repobilityId": 87414, "scanner": "repobility-threat-engine", "fingerprint": "732518f166c67a6cfccd89d23374738c006342de7e021f36b4b6ac170072e66a", "category": "race_condition", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "os.path.exists(p):\n            continue\n        try:\n            if name == \"memory.json\":", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC124", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|732518f166c67a6cfccd89d23374738c006342de7e021f36b4b6ac170072e66a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/admin_wipe_routes.py"}, "region": {"startLine": 44}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `find_bash` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: break=1, for=1, if=4, nested_bonus=3."}, "properties": {"repobilityId": 87398, "scanner": "repobility-threat-engine", "fingerprint": "a575fa919cf2e7156a29881cb2d2b7c2106beb0654c7c5489ee8687f7f55a069", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 9 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "find_bash", "breakdown": {"if": 4, "for": 1, "break": 1, "nested_bonus": 3}, "complexity": 9, "correlation_key": "fp|a575fa919cf2e7156a29881cb2d2b7c2106beb0654c7c5489ee8687f7f55a069"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/platform_compat.py"}, "region": {"startLine": 183}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `_windows_bash_fallbacks` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: for=3, if=2, nested_bonus=4."}, "properties": {"repobilityId": 87397, "scanner": "repobility-threat-engine", "fingerprint": "7136c15e338a111a8e97474942c2876111c970d2d9097d4a77d57fda574c0522", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 9 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "_windows_bash_fallbacks", "breakdown": {"if": 2, "for": 3, "nested_bonus": 4}, "complexity": 9, "correlation_key": "fp|7136c15e338a111a8e97474942c2876111c970d2d9097d4a77d57fda574c0522"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/platform_compat.py"}, "region": {"startLine": 154}}}]}, {"ruleId": "MINED027", "level": "none", "message": {"text": "[MINED027] React State Array Mutation (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 87456, "scanner": "repobility-threat-engine", "fingerprint": "dc569a5b42cfb851909451172178e97159cd4fdffbd0750c67e7932716cef50c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|dc569a5b42cfb851909451172178e97159cd4fdffbd0750c67e7932716cef50c", "aggregated_count": 4}}}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 87452, "scanner": "repobility-threat-engine", "fingerprint": "18bd26cefd297a8ad1a8f352164c44b3dd3af97f6ecdf98b5323d6e0c3d96ce4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|18bd26cefd297a8ad1a8f352164c44b3dd3af97f6ecdf98b5323d6e0c3d96ce4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/dragSort.js"}, "region": {"startLine": 265}}}]}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 87450, "scanner": "repobility-threat-engine", "fingerprint": "3dd4caf8fa81c20f9eace7ffa5194145968292c35b4d876b17652877ff96f545", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|3dd4caf8fa81c20f9eace7ffa5194145968292c35b4d876b17652877ff96f545"}}}, {"ruleId": "SEC006", "level": "none", "message": {"text": "[SEC006] XSS Risk (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "properties": {"repobilityId": 87444, "scanner": "repobility-threat-engine", "fingerprint": "d49cb29c2edb66be25184360cd7f8b7d75d135cdfff812deda99c5b79c348e8e", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|d49cb29c2edb66be25184360cd7f8b7d75d135cdfff812deda99c5b79c348e8e"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 87440, "scanner": "repobility-threat-engine", "fingerprint": "67a27f5cf85eac044eca73e20fc23fb9d6a1a9f74728d143ec989b8f7cbb925d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|67a27f5cf85eac044eca73e20fc23fb9d6a1a9f74728d143ec989b8f7cbb925d", "aggregated_count": 4}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 87439, "scanner": "repobility-threat-engine", "fingerprint": "a31354a599c05b4a2cd316b978cb0ba1cdf7076a71c69a940bf2f0db930992e3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a31354a599c05b4a2cd316b978cb0ba1cdf7076a71c69a940bf2f0db930992e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/rag.js"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 87438, "scanner": "repobility-threat-engine", "fingerprint": "d6c41e0804c10e87fca432c6a8ff3ed52bc47de5915850dbdc824ef18d521ee7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d6c41e0804c10e87fca432c6a8ff3ed52bc47de5915850dbdc824ef18d521ee7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/dragSort.js"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 87437, "scanner": "repobility-threat-engine", "fingerprint": "949eab5d74403f96de04ba6af30e05f95b585841d26d11307faa1bd9b803533d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|949eab5d74403f96de04ba6af30e05f95b585841d26d11307faa1bd9b803533d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/chatStream.js"}, "region": {"startLine": 190}}}]}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 87436, "scanner": "repobility-threat-engine", "fingerprint": "5c81d47da75c572182ad0e4e4629636dbf842fd65f2c830612248897d6fb397f", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|5c81d47da75c572182ad0e4e4629636dbf842fd65f2c830612248897d6fb397f"}}}, {"ruleId": "MINED064", "level": "none", "message": {"text": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services."}, "properties": {"repobilityId": 87428, "scanner": "repobility-threat-engine", "fingerprint": "4d8b12cc9c1a36e29198713f8b2a80371d130e31645d909b86a60cea56802bdd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-input-call", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348050+00:00", "triaged_in_corpus": 12, "observations_count": 66378, "ai_coder_pattern_id": 124}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4d8b12cc9c1a36e29198713f8b2a80371d130e31645d909b86a60cea56802bdd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "setup.py"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED064", "level": "none", "message": {"text": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services."}, "properties": {"repobilityId": 87427, "scanner": "repobility-threat-engine", "fingerprint": "914b34b24d192470f8de04448e3a078eb272dcb8473f00eb08544bf172e9dd53", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-input-call", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348050+00:00", "triaged_in_corpus": 12, "observations_count": 66378, "ai_coder_pattern_id": 124}, "scanner": "repobility-threat-engine", "correlation_key": "fp|914b34b24d192470f8de04448e3a078eb272dcb8473f00eb08544bf172e9dd53"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/fix_paths.py"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED063", "level": "none", "message": {"text": "[MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) \u2014 file can be replaced/deleted between check and use."}, "properties": {"repobilityId": 87423, "scanner": "repobility-threat-engine", "fingerprint": "6b59bb8dad19700edb95b4e4ecfe6a51fb41b23bcae9675b25ee4b76602b5e76", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "toctou-os-path-exists", "owasp": null, "cwe_ids": ["CWE-367"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348048+00:00", "triaged_in_corpus": 12, "observations_count": 90754, "ai_coder_pattern_id": 41}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6b59bb8dad19700edb95b4e4ecfe6a51fb41b23bcae9675b25ee4b76602b5e76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api_key_manager.py"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED063", "level": "none", "message": {"text": "[MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) \u2014 file can be replaced/deleted between check and use."}, "properties": {"repobilityId": 87422, "scanner": "repobility-threat-engine", "fingerprint": "51ad8ae143fc1b14c88cb735fb2fdb164780ca8b3a31177059e46148bbf29195", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "toctou-os-path-exists", "owasp": null, "cwe_ids": ["CWE-367"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348048+00:00", "triaged_in_corpus": 12, "observations_count": 90754, "ai_coder_pattern_id": 41}, "scanner": "repobility-threat-engine", "correlation_key": "fp|51ad8ae143fc1b14c88cb735fb2fdb164780ca8b3a31177059e46148bbf29195"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/upload_routes.py"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 87413, "scanner": "repobility-threat-engine", "fingerprint": "0c449a8b92346c4cfcc0bd5d8a6af8a54fd88dc57b72998ef5386f3298b96cc6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0c449a8b92346c4cfcc0bd5d8a6af8a54fd88dc57b72998ef5386f3298b96cc6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "setup.py"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 87412, "scanner": "repobility-threat-engine", "fingerprint": "f3997eff3dd16f34873d8bbb480dbc14f05e2bd19e8d62320370a5a3f7f732e5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f3997eff3dd16f34873d8bbb480dbc14f05e2bd19e8d62320370a5a3f7f732e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 96}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 87411, "scanner": "repobility-threat-engine", "fingerprint": "b6edddaddab6b62ff63a87b52b7d7b3bab2a5af6b4d7361c1238d18c2c6e3162", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b6edddaddab6b62ff63a87b52b7d7b3bab2a5af6b4d7361c1238d18c2c6e3162"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 87410, "scanner": "repobility-threat-engine", "fingerprint": "ad563df2019ebc0ba20e3b0b1b5f81945d2dba1cf5df71631420f95663524f04", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "logger.info(f\"MCP OAuth: server {server_id} awaiting authorization (state={state})", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|src/mcp_oauth.py|17|logger.info f mcp oauth: server server_id awaiting authorization state state"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mcp_oauth.py"}, "region": {"startLine": 172}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 87409, "scanner": "repobility-threat-engine", "fingerprint": "6d8bdefab29c499f30984eff992538bd493703a9a87f5506e98dcf86ba938a13", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "evidence": {"match": "print(\"  Password cannot be empty.\")", "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|setup.py|6|print password cannot be empty."}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "setup.py"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 87408, "scanner": "repobility-threat-engine", "fingerprint": "caf0885d2c9e1464b029bef83f0aa0e4c42b04ad017e481c60845af4cd105848", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "print(secrets.token_urlsafe(48)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|docker-compose.yml|9|print secrets.token_urlsafe 48"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 87407, "scanner": "repobility-threat-engine", "fingerprint": "f21a509cb42d5a10654d67728dd01be5ca388dbc41df3dd3b607b559fba18ef1", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f21a509cb42d5a10654d67728dd01be5ca388dbc41df3dd3b607b559fba18ef1", "aggregated_count": 5}}}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 87406, "scanner": "repobility-threat-engine", "fingerprint": "48e94226b199d17b3bd9fd6df0586de0cbc4e4da80e6d016bd6ccb791f463352", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|48e94226b199d17b3bd9fd6df0586de0cbc4e4da80e6d016bd6ccb791f463352"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/memory/service.py"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 87405, "scanner": "repobility-threat-engine", "fingerprint": "98065f655c4f4f04918f9f8524ac85b8080d9cc7f99d97bb8f3bf26cc516edf8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|98065f655c4f4f04918f9f8524ac85b8080d9cc7f99d97bb8f3bf26cc516edf8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/docs/service.py"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 87404, "scanner": "repobility-threat-engine", "fingerprint": "66b8c7668fe3578091fdcc45da82dc9c7ebc4bdccb89a835d05feb7d0efea32b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|66b8c7668fe3578091fdcc45da82dc9c7ebc4bdccb89a835d05feb7d0efea32b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/models.py"}, "region": {"startLine": 24}}}]}, {"ruleId": "ERR001", "level": "none", "message": {"text": "[ERR001] Silent Exception Swallowing (and 20 more): Same pattern found in 20 additional files. Review if needed."}, "properties": {"repobilityId": 87403, "scanner": "repobility-threat-engine", "fingerprint": "4c2403295fed61d119c68d89e8d41b5aed28337fce9594c7f1238e369f8da46b", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 20 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 20 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|4c2403295fed61d119c68d89e8d41b5aed28337fce9594c7f1238e369f8da46b"}}}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 97 more): Same pattern found in 97 additional files. Review if needed."}, "properties": {"repobilityId": 87399, "scanner": "repobility-threat-engine", "fingerprint": "3e478f4fa26005a22341a2002add6c83e7fac3ba881906d195ee9b965705ba30", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 97 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "models", "breakdown": {"if": 2, "for": 1, "except": 3, "ternary": 2, "continue": 1, "nested_bonus": 6}, "aggregated": true, "complexity": 15, "correlation_key": "fp|3e478f4fa26005a22341a2002add6c83e7fac3ba881906d195ee9b965705ba30", "aggregated_count": 97}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 18 more): Same pattern found in 18 additional files. Review if needed."}, "properties": {"repobilityId": 87395, "scanner": "repobility-threat-engine", "fingerprint": "54788ada82aa489e875938ab58165ca4b1594eca53726465dbeab561ecdd5864", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 18 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 18 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|54788ada82aa489e875938ab58165ca4b1594eca53726465dbeab561ecdd5864"}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function (and 28 more): Same pattern found in 28 additional files. Review if needed."}, "properties": {"repobilityId": 87391, "scanner": "repobility-threat-engine", "fingerprint": "5e9e26765df868b5b1e5bb9fcd3337b50e4922c8d4ad49df715efbe339c30536", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 28 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|5e9e26765df868b5b1e5bb9fcd3337b50e4922c8d4ad49df715efbe339c30536", "aggregated_count": 28}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 87390, "scanner": "repobility-threat-engine", "fingerprint": "fa9f1810b9bfbfa785a6596995fdae46c97809906c128b29236aeb98a3b1b3b1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fa9f1810b9bfbfa785a6596995fdae46c97809906c128b29236aeb98a3b1b3b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/platform_compat.py"}, "region": {"startLine": 120}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 87389, "scanner": "repobility-threat-engine", "fingerprint": "1bed27d13facbb39ccc759634c95f3c1de238ec18d7e7fae1efd97eb6d660c3b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1bed27d13facbb39ccc759634c95f3c1de238ec18d7e7fae1efd97eb6d660c3b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/middleware.py"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 87388, "scanner": "repobility-threat-engine", "fingerprint": "51f58cea9046dca30b6c68f1da86bb1772022ea1d5c4e4aaa60a683e2e3315c7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|51f58cea9046dca30b6c68f1da86bb1772022ea1d5c4e4aaa60a683e2e3315c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "companion/pairing.py"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED001", "level": "none", "message": {"text": "[MINED001] Bare Except Pass (and 26 more): Same pattern found in 26 additional files. Review if needed."}, "properties": {"repobilityId": 87387, "scanner": "repobility-threat-engine", "fingerprint": "9d6944bfccee04abb7323e7f3372d159cd21f75a7bb50c15171b8040103fa753", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 26 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|9d6944bfccee04abb7323e7f3372d159cd21f75a7bb50c15171b8040103fa753", "aggregated_count": 26}}}, {"ruleId": "SEC136", "level": "none", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 87383, "scanner": "repobility-threat-engine", "fingerprint": "177c770515f587906108b42e96cd3338ec47ddf67f686d5997cc1b924f1a1bdf", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|177c770515f587906108b42e96cd3338ec47ddf67f686d5997cc1b924f1a1bdf"}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 27 more): Same pattern found in 27 additional files. Review if needed."}, "properties": {"repobilityId": 87379, "scanner": "repobility-threat-engine", "fingerprint": "048dcb74a20c7061a601929c6553e52b7ff4a6c1dd58164cda23c3c557961dc8", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 27 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 27 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|048dcb74a20c7061a601929c6553e52b7ff4a6c1dd58164cda23c3c557961dc8"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 87375, "scanner": "repobility-threat-engine", "fingerprint": "e7cd40d7b324241c80937e7a6f550054df46cdde533de8ce7a56977f55a98866", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|e7cd40d7b324241c80937e7a6f550054df46cdde533de8ce7a56977f55a98866", "aggregated_count": 6}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 87374, "scanner": "repobility-threat-engine", "fingerprint": "4f2ea54af7e481b4b2d0256049b410ec9471b29baa4a5b97f693f660404a324d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4f2ea54af7e481b4b2d0256049b410ec9471b29baa4a5b97f693f660404a324d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/diagnostics_routes.py"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 87373, "scanner": "repobility-threat-engine", "fingerprint": "18a71eae3c01a2491b2dff2b7b26c24d7ca3d2ef99015621974fa8b974c1fbf0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|18a71eae3c01a2491b2dff2b7b26c24d7ca3d2ef99015621974fa8b974c1fbf0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 87372, "scanner": "repobility-threat-engine", "fingerprint": "6d3b63005cc668f4e0f3ba173d3ac8735c9e1d62fcb8fe4f05811bab45974a02", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6d3b63005cc668f4e0f3ba173d3ac8735c9e1d62fcb8fe4f05811bab45974a02"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-macos-app.sh"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 87692, "scanner": "repobility-supply-chain", "fingerprint": "652ed2943c8bcb143a29533c06b23779031eba422d36674439adc60e9c1a6507", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|652ed2943c8bcb143a29533c06b23779031eba422d36674439adc60e9c1a6507"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-description-check.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 87691, "scanner": "repobility-supply-chain", "fingerprint": "a22fc4adb9923e1bde00267d966c211074b4f00ded813d80cf4b747d527b4fdf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a22fc4adb9923e1bde00267d966c211074b4f00ded813d80cf4b747d527b4fdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-description-check.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 87690, "scanner": "repobility-supply-chain", "fingerprint": "c13ff0e4e9d5a25cf023891dd11d93d2008e23fe0a05a19319122a27177d6d00", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c13ff0e4e9d5a25cf023891dd11d93d2008e23fe0a05a19319122a27177d6d00"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/issue-description-check.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 87689, "scanner": "repobility-supply-chain", "fingerprint": "76a1fe0368de61e23824688ef874f68a33aef2d1042ce3baffb8a20f6b0a5e3d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|76a1fe0368de61e23824688ef874f68a33aef2d1042ce3baffb8a20f6b0a5e3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/issue-description-check.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `python:3.12-slim` not pinned by digest: `FROM python:3.12-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 87663, "scanner": "repobility-supply-chain", "fingerprint": "29cbc1eff948d3b668ea1dffaf866f21ec8f1c413742768711c3d3f9609c5428", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|29cbc1eff948d3b668ea1dffaf866f21ec8f1c413742768711c3d3f9609c5428"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /api/gallery/albums/{album_id}/remove has no auth: Handler `remove_from_album` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 87662, "scanner": "repobility-route-auth", "fingerprint": "c5a69901200e3f6efdc9276d3e7fc02afe6d39b86cadb8ca7c1d71d389fac735", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|c5a69901200e3f6efdc9276d3e7fc02afe6d39b86cadb8ca7c1d71d389fac735"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/gallery_routes.py"}, "region": {"startLine": 1666}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /api/gallery/albums/{album_id}/add has no auth: Handler `add_to_album` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 87661, "scanner": "repobility-route-auth", "fingerprint": "b8197d1cdb906c715aee4719300ebe1cd3ba573eecb56d03c2d0cf5044ae91ec", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|b8197d1cdb906c715aee4719300ebe1cd3ba573eecb56d03c2d0cf5044ae91ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/gallery_routes.py"}, "region": {"startLine": 1648}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI DELETE /api/gallery/albums/{album_id} has no auth: Handler `delete_album` is registered with router/app.delete(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 87660, "scanner": "repobility-route-auth", "fingerprint": "301640864926ca331ff2b68158f56fad730d3a7da51c7479d393001991a5d1ee", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|301640864926ca331ff2b68158f56fad730d3a7da51c7479d393001991a5d1ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/gallery_routes.py"}, "region": {"startLine": 1633}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI PUT /api/gallery/albums/{album_id} has no auth: Handler `update_album` is registered with router/app.put(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 87659, "scanner": "repobility-route-auth", "fingerprint": "925684829905e70d41060977203b5521ae7246b23883210ce77f07e9387b1e74", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|925684829905e70d41060977203b5521ae7246b23883210ce77f07e9387b1e74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/gallery_routes.py"}, "region": {"startLine": 1612}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /api/image/enhance-face has no auth: Handler `enhance_face` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 87658, "scanner": "repobility-route-auth", "fingerprint": "91ec8805091000464b63d989d3b714e572cc2cb657adda28f51d58240dcfe2cb", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|91ec8805091000464b63d989d3b714e572cc2cb657adda28f51d58240dcfe2cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/gallery_routes.py"}, "region": {"startLine": 1529}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /api/image/remove-bg has no auth: Handler `remove_background` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 87657, "scanner": "repobility-route-auth", "fingerprint": "1a2baab80f6f4a2143e4c37df330c82a21ec7b27c89484afc6a9be1d509dd244", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|1a2baab80f6f4a2143e4c37df330c82a21ec7b27c89484afc6a9be1d509dd244"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/gallery_routes.py"}, "region": {"startLine": 1436}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /api/image/upscale-local has no auth: Handler `upscale_image_local` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 87656, "scanner": "repobility-route-auth", "fingerprint": "dc27e62e415fc34c4d79f43c7af2b9d5e950ef3ce8eec0edb841a70f7154ddde", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|dc27e62e415fc34c4d79f43c7af2b9d5e950ef3ce8eec0edb841a70f7154ddde"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/gallery_routes.py"}, "region": {"startLine": 1391}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /api/image/denoise has no auth: Handler `denoise_image` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 87655, "scanner": "repobility-route-auth", "fingerprint": "3b0e6de461d7bc134a7cfcb27425bb678cf54df7cdd5cb587b20a784a173ff6e", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|3b0e6de461d7bc134a7cfcb27425bb678cf54df7cdd5cb587b20a784a173ff6e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/gallery_routes.py"}, "region": {"startLine": 1341}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /api/image/sharpen has no auth: Handler `sharpen_image` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 87654, "scanner": "repobility-route-auth", "fingerprint": "502f07af45bb1e58c153450ad0fc1816df8d4e641ce9e46a2c5bf98b72a3d533", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|502f07af45bb1e58c153450ad0fc1816df8d4e641ce9e46a2c5bf98b72a3d533"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/gallery_routes.py"}, "region": {"startLine": 1317}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /api/image/harmonize has no auth: Handler `harmonize_image` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 87653, "scanner": "repobility-route-auth", "fingerprint": "0c5a06ecb12b87963a924acad161f7e45746f4c59375910e777069d0e30f103b", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|0c5a06ecb12b87963a924acad161f7e45746f4c59375910e777069d0e30f103b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/gallery_routes.py"}, "region": {"startLine": 1118}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /api/image/inpaint has no auth: Handler `inpaint_proxy` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 87652, "scanner": "repobility-route-auth", "fingerprint": "205a226a7d3b2b5036002f8192c22540a5b686454610bef8da27cc195d38c810", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|205a226a7d3b2b5036002f8192c22540a5b686454610bef8da27cc195d38c810"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/gallery_routes.py"}, "region": {"startLine": 921}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI DELETE /api/gallery/{image_id} has no auth: Handler `delete_gallery_image` is registered with router/app.delete(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 87651, "scanner": "repobility-route-auth", "fingerprint": "55588ca29dab25f52c1cafbee1f655127c7b2249134ed6afde2525664e9b7a6a", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|55588ca29dab25f52c1cafbee1f655127c7b2249134ed6afde2525664e9b7a6a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/gallery_routes.py"}, "region": {"startLine": 809}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /api/gallery/dedupe-tags has no auth: Handler `dedupe_gallery_tags` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 87650, "scanner": "repobility-route-auth", "fingerprint": "38c23efbb1f22a744d17bd59865056f0027338f8e8e9c2b8b239ef5e8be70598", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|38c23efbb1f22a744d17bd59865056f0027338f8e8e9c2b8b239ef5e8be70598"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/gallery_routes.py"}, "region": {"startLine": 774}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /api/gallery/clear-ai-tags has no auth: Handler `clear_gallery_ai_tags` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 87649, "scanner": "repobility-route-auth", "fingerprint": "2fd27014753c16b3cf510cb1caf16691b6befa4cc04612e6964b15840e90a279", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|2fd27014753c16b3cf510cb1caf16691b6befa4cc04612e6964b15840e90a279"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/gallery_routes.py"}, "region": {"startLine": 748}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /api/gallery/clear-user-tags has no auth: Handler `clear_gallery_user_tags` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 87648, "scanner": "repobility-route-auth", "fingerprint": "f6863316af2424f6a754361bf6af88a6b294da35595585092cd4454fa8f7fae2", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|f6863316af2424f6a754361bf6af88a6b294da35595585092cd4454fa8f7fae2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/gallery_routes.py"}, "region": {"startLine": 724}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /api/gallery/download-zip has no auth: Handler `gallery_download_zip` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 87647, "scanner": "repobility-route-auth", "fingerprint": "11a5a5204c3b2fa3bcb7a8ec55f03e3cbef661a16d34a0c390d97324d72d9705", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|11a5a5204c3b2fa3bcb7a8ec55f03e3cbef661a16d34a0c390d97324d72d9705"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/gallery_routes.py"}, "region": {"startLine": 669}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI PATCH /api/gallery/{image_id} has no auth: Handler `patch_gallery_image` is registered with router/app.patch(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 87646, "scanner": "repobility-route-auth", "fingerprint": "6c8eb364e937e07f3c8ba4cdfeb35b3cbe268b80c609aa86da9dfdc0f2217826", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|6c8eb364e937e07f3c8ba4cdfeb35b3cbe268b80c609aa86da9dfdc0f2217826"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/gallery_routes.py"}, "region": {"startLine": 625}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /api/gallery/ai-tag-batch has no auth: Handler `ai_tag_batch` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 87645, "scanner": "repobility-route-auth", "fingerprint": "c06919d1ca5d794180e4d5e2b8c4cd1387d40fdfd1323773ed163110f37dbbd6", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|c06919d1ca5d794180e4d5e2b8c4cd1387d40fdfd1323773ed163110f37dbbd6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/gallery_routes.py"}, "region": {"startLine": 580}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /api/gallery/albums has no auth: Handler `create_album` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 87644, "scanner": "repobility-route-auth", "fingerprint": "0efda72081305e5de6021d84386f0038621006afa3c98af3f0c9155dd1dfea98", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|0efda72081305e5de6021d84386f0038621006afa3c98af3f0c9155dd1dfea98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/gallery_routes.py"}, "region": {"startLine": 532}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /api/gallery/style-transfer has no auth: Handler `gallery_style_transfer` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 87643, "scanner": "repobility-route-auth", "fingerprint": "bffb4e2a0e0244f5e0a0b14cab2eb09278c3e1f2e7005be374003b82b822bfef", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|bffb4e2a0e0244f5e0a0b14cab2eb09278c3e1f2e7005be374003b82b822bfef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/gallery_routes.py"}, "region": {"startLine": 290}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /api/gallery/ai-upscale has no auth: Handler `gallery_ai_upscale` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 87642, "scanner": "repobility-route-auth", "fingerprint": "3128ccd8ecb0a52f1a2c8f5170a5b9ddd61b1a9a64aa7956a104f22901c78751", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|3128ccd8ecb0a52f1a2c8f5170a5b9ddd61b1a9a64aa7956a104f22901c78751"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/gallery_routes.py"}, "region": {"startLine": 247}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /api/gallery/{image_id}/rotate has no auth: Handler `gallery_rotate` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 87641, "scanner": "repobility-route-auth", "fingerprint": "4fb7ecb09332e3fcfa5cf8a4e7d301d63628eef5fc73f6f38233ab1631fef1e3", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|4fb7ecb09332e3fcfa5cf8a4e7d301d63628eef5fc73f6f38233ab1631fef1e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/gallery_routes.py"}, "region": {"startLine": 190}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /api/gallery/{image_id}/rename has no auth: Handler `gallery_rename` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 87640, "scanner": "repobility-route-auth", "fingerprint": "850e0a0e14f2059f99b42bb48b8de551fd4e7d8aee43c4234598a3aed17389e0", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|850e0a0e14f2059f99b42bb48b8de551fd4e7d8aee43c4234598a3aed17389e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/gallery_routes.py"}, "region": {"startLine": 164}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /api/gallery/{image_id}/replace has no auth: Handler `gallery_replace` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 87639, "scanner": "repobility-route-auth", "fingerprint": "bf6763e45621fd948a92e3c4337cc862fc0bc1d41cb309aa6b0720c2ba68d2c0", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|bf6763e45621fd948a92e3c4337cc862fc0bc1d41cb309aa6b0720c2ba68d2c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/gallery_routes.py"}, "region": {"startLine": 119}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /api/gallery/upload has no auth: Handler `gallery_upload` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 87638, "scanner": "repobility-route-auth", "fingerprint": "64902ff23bdaf33847eebc6f4339c280efd4f942f3ba4459631d9ed279f68e61", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|64902ff23bdaf33847eebc6f4339c280efd4f942f3ba4459631d9ed279f68e61"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/gallery_routes.py"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_blocks_ssh_authorized_keys: Test function `test_blocks_ssh_authorized_keys` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 87636, "scanner": "repobility-ast-engine", "fingerprint": "62e228507d39e1100ceaff7bbd082332412820e92bf85fd1726d131b191b366c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|62e228507d39e1100ceaff7bbd082332412820e92bf85fd1726d131b191b366c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_tool_path_confinement.py"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_blocks_var_log: Test function `test_blocks_var_log` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 87635, "scanner": "repobility-ast-engine", "fingerprint": "a34ec6e381811b811f6eb221ea0e88f7d42890d3a12499b9cd09ddfa65ddcab8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a34ec6e381811b811f6eb221ea0e88f7d42890d3a12499b9cd09ddfa65ddcab8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_tool_path_confinement.py"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_blocks_etc_passwd: Test function `test_blocks_etc_passwd` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 87634, "scanner": "repobility-ast-engine", "fingerprint": "946b0a39f49282681ea2a3bedd516d6dde4d5b2e83ad588b8a736eac93741819", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|946b0a39f49282681ea2a3bedd516d6dde4d5b2e83ad588b8a736eac93741819"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_tool_path_confinement.py"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_blocks_etc_shadow: Test function `test_blocks_etc_shadow` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 87633, "scanner": "repobility-ast-engine", "fingerprint": "3010be4f65e45bf69da9b5e5acd2be98ed4eb8ceea1be17b9a758c9cc1eaff3d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3010be4f65e45bf69da9b5e5acd2be98ed4eb8ceea1be17b9a758c9cc1eaff3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_tool_path_confinement.py"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_restore_rejects_hardlink_entries: Test function `test_restore_rejects_hardlink_entries` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 87632, "scanner": "repobility-ast-engine", "fingerprint": "8eb5180623c99178efffe023f278c1402fca8991311edc12e76fea58906c62ce", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8eb5180623c99178efffe023f278c1402fca8991311edc12e76fea58906c62ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_backup_cli_security.py"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_verify_rejects_symlink_escape: Test function `test_verify_rejects_symlink_escape` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 87631, "scanner": "repobility-ast-engine", "fingerprint": "04cd49affc6e454a4a4c20f347636bb7a665f7e806e19597ef2c5e68c225cc2f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|04cd49affc6e454a4a4c20f347636bb7a665f7e806e19597ef2c5e68c225cc2f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_backup_cli_security.py"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_snapshot_rejects_output_inside_data_dir: Test function `test_snapshot_rejects_output_inside_data_dir` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 87630, "scanner": "repobility-ast-engine", "fingerprint": "be0608e244b52ee20096ad8723c040c67ef33adcc969548297cd2499d2520ebe", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|be0608e244b52ee20096ad8723c040c67ef33adcc969548297cd2499d2520ebe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_backup_cli_security.py"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_cmd_read_handles_empty_fetch_payload: Test function `test_cmd_read_handles_empty_fetch_payload` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 87628, "scanner": "repobility-ast-engine", "fingerprint": "78fe5691d98930c1fafe578824241ba2addbc2dbfd9e5871cb91119c90627f74", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|78fe5691d98930c1fafe578824241ba2addbc2dbfd9e5871cb91119c90627f74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_mail_cli_read_empty_fetch.py"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_injection_payloads_rejected: Test function `test_injection_payloads_rejected` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 87627, "scanner": "repobility-ast-engine", "fingerprint": "6f59964bc015425d9788579dc6fefc980e924b6b53b8059c9ad24689072dcaba", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6f59964bc015425d9788579dc6fefc980e924b6b53b8059c9ad24689072dcaba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_shell_routes.py"}, "region": {"startLine": 342}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_empty_host_rejected: Test function `test_empty_host_rejected` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 87626, "scanner": "repobility-ast-engine", "fingerprint": "0926f8dbafe45636819851baf1573bafbbb4d07f62d45be9f80afaa8e24566c7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0926f8dbafe45636819851baf1573bafbbb4d07f62d45be9f80afaa8e24566c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_shell_routes.py"}, "region": {"startLine": 318}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_option_injecting_host_rejected: Test function `test_option_injecting_host_rejected` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 87625, "scanner": "repobility-ast-engine", "fingerprint": "c6550de7be4a72664a431e2283d9b9fc417ac34654f19b6629a1b8f60d267ed3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c6550de7be4a72664a431e2283d9b9fc417ac34654f19b6629a1b8f60d267ed3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_shell_routes.py"}, "region": {"startLine": 313}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_bad_port_rejected: Test function `test_bad_port_rejected` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 87624, "scanner": "repobility-ast-engine", "fingerprint": "1571dbca68b3cb23418771a671abb74de95610ae8458f27b9f62ad2ab78993c7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1571dbca68b3cb23418771a671abb74de95610ae8458f27b9f62ad2ab78993c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_shell_routes.py"}, "region": {"startLine": 309}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_admin_and_registered_endpoint_can_use_endpoint_url: Test function `test_admin_and_registered_endpoint_can_use_endpoint_url` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 87623, "scanner": "repobility-ast-engine", "fingerprint": "e28a646b5d486ab4801e2b456757aaff1611d73a8db355cc4d202852b2e52adb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e28a646b5d486ab4801e2b456757aaff1611d73a8db355cc4d202852b2e52adb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_session_endpoint_owner_scope.py"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_safe_env_prefix_rejects_freeform_shell: Test function `test_safe_env_prefix_rejects_freeform_shell` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 87622, "scanner": "repobility-ast-engine", "fingerprint": "af81b0382c2c7253688470e824fa738cd6f4e20f48a6e100c8e7055ac986f2ec", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|af81b0382c2c7253688470e824fa738cd6f4e20f48a6e100c8e7055ac986f2ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_cookbook_helpers.py"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_mcp_oauth_filename_join_cannot_escape_base: Test function `test_mcp_oauth_filename_join_cannot_escape_base` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 87621, "scanner": "repobility-ast-engine", "fingerprint": "0339cec3544133ccc24ba4b871df4e1cefb20767d8a7723ccb16536d02a4100a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0339cec3544133ccc24ba4b871df4e1cefb20767d8a7723ccb16536d02a4100a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_security_regressions.py"}, "region": {"startLine": 973}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_amd_gpu_check_shell_syntax: Test function `test_amd_gpu_check_shell_syntax` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 87620, "scanner": "repobility-ast-engine", "fingerprint": "eb2392b032e22da034e8e36b0ef0df93adc63bd7646c018c26a6f45f23c232c2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|eb2392b032e22da034e8e36b0ef0df93adc63bd7646c018c26a6f45f23c232c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_amd_gpu_check_args.py"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_connection: Test function `test_connection` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 87617, "scanner": "repobility-ast-engine", "fingerprint": "c678fb8579361fff2f4c6251a57912b3ae90ed55a9e45ed0e207089f0eda2404", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c678fb8579361fff2f4c6251a57912b3ae90ed55a9e45ed0e207089f0eda2404"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/calendar_routes.py"}, "region": {"startLine": 607}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_research: Test function `test_research` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 87616, "scanner": "repobility-ast-engine", "fingerprint": "2808162a260c5b297c61e1951d9f8a524fd4794a55fe513f98be294e6b364193", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2808162a260c5b297c61e1951d9f8a524fd4794a55fe513f98be294e6b364193"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/diagnostics_routes.py"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_youtube: Test function `test_youtube` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 87615, "scanner": "repobility-ast-engine", "fingerprint": "a8283bafb1b1113c44bbaba1fec5e0a560cbb38b7e4ba0f4a5c8499cd1b2f2da", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a8283bafb1b1113c44bbaba1fec5e0a560cbb38b7e4ba0f4a5c8499cd1b2f2da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/diagnostics_routes.py"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_integration_route: Test function `test_integration_route` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 87614, "scanner": "repobility-ast-engine", "fingerprint": "3b9ff0ba7deaf777bec37bdeb6de3565fb3e449fc710d104a7878a8ad8f76cf3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3b9ff0ba7deaf777bec37bdeb6de3565fb3e449fc710d104a7878a8ad8f76cf3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/auth_routes.py"}, "region": {"startLine": 517}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_skill_status: Test function `test_skill_status` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 87613, "scanner": "repobility-ast-engine", "fingerprint": "892beca7338e98e4b004e523dd8d341898a73374c30feaab2b51bc0ace87d54b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|892beca7338e98e4b004e523dd8d341898a73374c30feaab2b51bc0ace87d54b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/skills_routes.py"}, "region": {"startLine": 1327}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_skill: Test function `test_skill` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 87612, "scanner": "repobility-ast-engine", "fingerprint": "a9c0d0717bf029b2b44d799f9979198211df48efff675635f538b5d63cf1199f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a9c0d0717bf029b2b44d799f9979198211df48efff675635f538b5d63cf1199f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/skills_routes.py"}, "region": {"startLine": 1264}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_model_endpoint: Test function `test_model_endpoint` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 87611, "scanner": "repobility-ast-engine", "fingerprint": "f1790ce84f83f66df334235070a94120db137e8fff4b118cbf01dc600f210cb4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f1790ce84f83f66df334235070a94120db137e8fff4b118cbf01dc600f210cb4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/model_routes.py"}, "region": {"startLine": 1612}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_account_config: Test function `test_account_config` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 87610, "scanner": "repobility-ast-engine", "fingerprint": "218d91bd4e3b42efc496536f33cede2236c0949830fb60add56b967655ec445c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|218d91bd4e3b42efc496536f33cede2236c0949830fb60add56b967655ec445c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/email_routes.py"}, "region": {"startLine": 3079}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_webhook: Test function `test_webhook` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 87608, "scanner": "repobility-ast-engine", "fingerprint": "32fc78550cc070e196ab39fd990902e758a6e22b5694edb70c89f6eabfe94598", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|32fc78550cc070e196ab39fd990902e758a6e22b5694edb70c89f6eabfe94598"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/webhook_routes.py"}, "region": {"startLine": 143}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._execute_research_task` used but never assigned in __init__: Method `_execute_task_locked` of class `TaskScheduler` reads `self._execute_research_task`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 87586, "scanner": "repobility-ast-engine", "fingerprint": "440784bee13ff270ad732cfe80d52023dfa1888fb5c7da089e6eb669baec055e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|440784bee13ff270ad732cfe80d52023dfa1888fb5c7da089e6eb669baec055e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/task_scheduler.py"}, "region": {"startLine": 721}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._run_chained` used but never assigned in __init__: Method `_execute_task_locked` of class `TaskScheduler` reads `self._run_chained`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 87585, "scanner": "repobility-ast-engine", "fingerprint": "1588bd38d3187fca991b57986e0ea6b5be1137fe5222831e0bb52b37d529db81", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1588bd38d3187fca991b57986e0ea6b5be1137fe5222831e0bb52b37d529db81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/task_scheduler.py"}, "region": {"startLine": 849}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._deliver_task_result` used but never assigned in __init__: Method `_execute_task_locked` of class `TaskScheduler` reads `self._deliver_task_result`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 87584, "scanner": "repobility-ast-engine", "fingerprint": "a4f85e63c32c7be91e0477c834bf8492bc2886edcd8771bc770fc98550e4c985", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a4f85e63c32c7be91e0477c834bf8492bc2886edcd8771bc770fc98550e4c985"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/task_scheduler.py"}, "region": {"startLine": 733}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._execute_action` used but never assigned in __init__: Method `_execute_task_locked` of class `TaskScheduler` reads `self._execute_action`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 87583, "scanner": "repobility-ast-engine", "fingerprint": "1e2a3dcf0889f58d2257059f019743d071c57f85065f9be8636ccaefa46f4d3c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1e2a3dcf0889f58d2257059f019743d071c57f85065f9be8636ccaefa46f4d3c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/task_scheduler.py"}, "region": {"startLine": 715}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.add_notification` used but never assigned in __init__: Method `_execute_task_locked` of class `TaskScheduler` reads `self.add_notification`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 87582, "scanner": "repobility-ast-engine", "fingerprint": "0380fbb1373262af34639d8524baad05eddfd5bc636b2bef79a25995b165f6a4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0380fbb1373262af34639d8524baad05eddfd5bc636b2bef79a25995b165f6a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/task_scheduler.py"}, "region": {"startLine": 874}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._has_chain_cycle` used but never assigned in __init__: Method `_execute_task_locked` of class `TaskScheduler` reads `self._has_chain_cycle`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 87581, "scanner": "repobility-ast-engine", "fingerprint": "39205608c4721b634c85607de7025083f89a564710b482859b8856c75b6e9b6c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|39205608c4721b634c85607de7025083f89a564710b482859b8856c75b6e9b6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/task_scheduler.py"}, "region": {"startLine": 847}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._log_to_assistant` used but never assigned in __init__: Method `_execute_task_locked` of class `TaskScheduler` reads `self._log_to_assistant`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 87580, "scanner": "repobility-ast-engine", "fingerprint": "3528169a41bee40d8ddbacb1e3f6a453fef0489599ba91804d1d1b381d581ba9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3528169a41bee40d8ddbacb1e3f6a453fef0489599ba91804d1d1b381d581ba9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/task_scheduler.py"}, "region": {"startLine": 842}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.add_notification` used but never assigned in __init__: Method `_execute_task_locked` of class `TaskScheduler` reads `self.add_notification`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 87579, "scanner": "repobility-ast-engine", "fingerprint": "8aff6caf61274a55c587d9918c5af6bf65941acb9e8f9664bafa8101d5133373", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8aff6caf61274a55c587d9918c5af6bf65941acb9e8f9664bafa8101d5133373"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/task_scheduler.py"}, "region": {"startLine": 829}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._last_run_model` used but never assigned in __init__: Method `_execute_task_locked` of class `TaskScheduler` reads `self._last_run_model`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 87578, "scanner": "repobility-ast-engine", "fingerprint": "6724dc5b9e3b273b10e05b68b4b4df7acffcffb9f27b8760848938ca93114c27", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6724dc5b9e3b273b10e05b68b4b4df7acffcffb9f27b8760848938ca93114c27"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/task_scheduler.py"}, "region": {"startLine": 731}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._last_run_model` used but never assigned in __init__: Method `_execute_task_locked` of class `TaskScheduler` reads `self._last_run_model`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 87577, "scanner": "repobility-ast-engine", "fingerprint": "707c19f983738bb497b9e39aba1922148d75f1bf2ad30b0c8df46fc4e49331ca", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|707c19f983738bb497b9e39aba1922148d75f1bf2ad30b0c8df46fc4e49331ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/task_scheduler.py"}, "region": {"startLine": 712}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._execute_task_locked` used but never assigned in __init__: Method `_execute_task` of class `TaskScheduler` reads `self._execute_task_locked`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 87576, "scanner": "repobility-ast-engine", "fingerprint": "918d208c0f3fa7b77fedaa92d2042e9eb1fc40350a336670533833596b5bb0a9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|918d208c0f3fa7b77fedaa92d2042e9eb1fc40350a336670533833596b5bb0a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/task_scheduler.py"}, "region": {"startLine": 652}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._execute_task_locked` used but never assigned in __init__: Method `_execute_task` of class `TaskScheduler` reads `self._execute_task_locked`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 87575, "scanner": "repobility-ast-engine", "fingerprint": "ded85d0c4d3a03cfc2503512d2868e8a647b1a8fa95369a06d99e06994c5b474", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ded85d0c4d3a03cfc2503512d2868e8a647b1a8fa95369a06d99e06994c5b474"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/task_scheduler.py"}, "region": {"startLine": 648}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._task_needs_model_slot` used but never assigned in __init__: Method `_execute_task` of class `TaskScheduler` reads `self._task_needs_model_slot`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 87574, "scanner": "repobility-ast-engine", "fingerprint": "61d9b40efd154059c29682a68c7b596816361b3da850b5f15ab4105620c3b4d5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|61d9b40efd154059c29682a68c7b596816361b3da850b5f15ab4105620c3b4d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/task_scheduler.py"}, "region": {"startLine": 647}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._mark_run_aborted` used but never assigned in __init__: Method `_execute_task` of class `TaskScheduler` reads `self._mark_run_aborted`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 87573, "scanner": "repobility-ast-engine", "fingerprint": "696be013c9025c8900a033f838b6f0a92d9fa4b200024cf650d1414f8fa2ba0f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|696be013c9025c8900a033f838b6f0a92d9fa4b200024cf650d1414f8fa2ba0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/task_scheduler.py"}, "region": {"startLine": 656}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._execute_task` used but never assigned in __init__: Method `_check_due_tasks` of class `TaskScheduler` reads `self._execute_task`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 87572, "scanner": "repobility-ast-engine", "fingerprint": "01da2ea7b8d579f5a213952e1dc4a255a3a17121e2f56bf1ec13dd0621088d2e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|01da2ea7b8d579f5a213952e1dc4a255a3a17121e2f56bf1ec13dd0621088d2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/task_scheduler.py"}, "region": {"startLine": 616}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._check_due_tasks` used but never assigned in __init__: Method `_loop` of class `TaskScheduler` reads `self._check_due_tasks`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 87571, "scanner": "repobility-ast-engine", "fingerprint": "04db1cd9a0427fc9e352b6dd0f8681ee04ff7c0854d8a216a435f41e49b57c09", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|04db1cd9a0427fc9e352b6dd0f8681ee04ff7c0854d8a216a435f41e49b57c09"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/task_scheduler.py"}, "region": {"startLine": 571}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._known_task_owners` used but never assigned in __init__: Method `_event_pings_loop` of class `TaskScheduler` reads `self._known_task_owners`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 87570, "scanner": "repobility-ast-engine", "fingerprint": "dc56cc70f994b970a4e0f9ff3600f4da618b6961fb68608ae1dc05cb6595c891", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|dc56cc70f994b970a4e0f9ff3600f4da618b6961fb68608ae1dc05cb6595c891"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/task_scheduler.py"}, "region": {"startLine": 528}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._known_task_owners` used but never assigned in __init__: Method `_note_pings_loop` of class `TaskScheduler` reads `self._known_task_owners`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 87569, "scanner": "repobility-ast-engine", "fingerprint": "225905a4c673e627d7748aadfb02298bebef8b00158cfbfc19a9ead4ea4ea13c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|225905a4c673e627d7748aadfb02298bebef8b00158cfbfc19a9ead4ea4ea13c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/task_scheduler.py"}, "region": {"startLine": 508}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._note_pings_loop` used but never assigned in __init__: Method `start` of class `TaskScheduler` reads `self._note_pings_loop`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 87568, "scanner": "repobility-ast-engine", "fingerprint": "ca70606ac11c8c787188bb06fe0a5f3b92d0499622bf9476077556d21fa02716", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ca70606ac11c8c787188bb06fe0a5f3b92d0499622bf9476077556d21fa02716"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/task_scheduler.py"}, "region": {"startLine": 453}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._loop` used but never assigned in __init__: Method `start` of class `TaskScheduler` reads `self._loop`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 87567, "scanner": "repobility-ast-engine", "fingerprint": "cfec1d7aef4a57247421b5941d51b111b115ea37444ec1cb43c1bdd3267d8f4f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cfec1d7aef4a57247421b5941d51b111b115ea37444ec1cb43c1bdd3267d8f4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/task_scheduler.py"}, "region": {"startLine": 444}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._note_pings_task` used but never assigned in __init__: Method `start` of class `TaskScheduler` reads `self._note_pings_task`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 87566, "scanner": "repobility-ast-engine", "fingerprint": "a90a409260c5f3b6aaaf3afcc2501ab9a7b394b78855f7cd74408ae795d1f34c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a90a409260c5f3b6aaaf3afcc2501ab9a7b394b78855f7cd74408ae795d1f34c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/task_scheduler.py"}, "region": {"startLine": 453}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._last_used_memories` used but never assigned in __init__: Method `build_context_preface` of class `ChatProcessor` reads `self._last_used_memories`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 87563, "scanner": "repobility-ast-engine", "fingerprint": "6939c3be909a5a75a49673d1f5edf8a1735e0b700300f188272df1793508c727", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6939c3be909a5a75a49673d1f5edf8a1735e0b700300f188272df1793508c727"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/chat_processor.py"}, "region": {"startLine": 234}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._last_used_memories` used but never assigned in __init__: Method `build_context_preface` of class `ChatProcessor` reads `self._last_used_memories`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 87562, "scanner": "repobility-ast-engine", "fingerprint": "5308557d3ca77d8e7ee2070b4bcc63709b28e057659eba8cffab6c64c9fae64a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5308557d3ca77d8e7ee2070b4bcc63709b28e057659eba8cffab6c64c9fae64a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/chat_processor.py"}, "region": {"startLine": 218}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._hybrid_retrieve` used but never assigned in __init__: Method `build_context_preface` of class `ChatProcessor` reads `self._hybrid_retrieve`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 87561, "scanner": "repobility-ast-engine", "fingerprint": "06df99a6c90c8034e4929c85921fb54c153d3d26348603a2240f0866f8315425", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|06df99a6c90c8034e4929c85921fb54c153d3d26348603a2240f0866f8315425"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/chat_processor.py"}, "region": {"startLine": 223}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._last_used_memories` used but never assigned in __init__: Method `build_context_preface` of class `ChatProcessor` reads `self._last_used_memories`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 87560, "scanner": "repobility-ast-engine", "fingerprint": "6344bb53ca57a21f82504a0999e8cfe9b78239b43c0976eff36c160c71f1e178", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6344bb53ca57a21f82504a0999e8cfe9b78239b43c0976eff36c160c71f1e178"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/chat_processor.py"}, "region": {"startLine": 203}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: PUT /{memory_id}."}, "properties": {"repobilityId": 87512, "scanner": "repobility-access-control", "fingerprint": "6df340b2e7804b218139a5e6c1b3149c22536892643b7c482e0b5019cc322198", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{memory_id}", "method": "PUT", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|routes/memory_routes.py|507|auc003", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/memory_routes.py"}, "region": {"startLine": 507}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /{memory_id}."}, "properties": {"repobilityId": 87511, "scanner": "repobility-access-control", "fingerprint": "db45480ea829f72723f3a3a5b961176981049a34cf9fa2bef242ea2e6ca1940b", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{memory_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|routes/memory_routes.py|496|auc003", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/memory_routes.py"}, "region": {"startLine": 496}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /{memory_id}/pin."}, "properties": {"repobilityId": 87510, "scanner": "repobility-access-control", "fingerprint": "5580dc06ab305a25b998a06af2ca0362b2fdd3052e2b1be62265423148f63e64", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{memory_id}/pin", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|routes/memory_routes.py|482|auc003", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/memory_routes.py"}, "region": {"startLine": 482}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /{comp_id}/vote."}, "properties": {"repobilityId": 87509, "scanner": "repobility-access-control", "fingerprint": "fa662e0c03d6e47008033da4c449822ed20696c1feefdd89f9a54297264a350f", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{comp_id}/vote", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|routes/compare_routes.py|149|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/compare_routes.py"}, "region": {"startLine": 149}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: DELETE /{uid}."}, "properties": {"repobilityId": 87508, "scanner": "repobility-access-control", "fingerprint": "b025bb289d37bd4b96dfce7e9cb80d55c3601bb448d5de0ddba54fcb78fae6af", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{uid}", "method": "DELETE", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|routes/contacts_routes.py|782|auc003", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/contacts_routes.py"}, "region": {"startLine": 782}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: PUT /{uid}."}, "properties": {"repobilityId": 87507, "scanner": "repobility-access-control", "fingerprint": "37228a830d6076cf5a42cb12fb5802e2bc7af5c8cebe0a95c643400605f84177", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{uid}", "method": "PUT", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|routes/contacts_routes.py|765|auc003", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/contacts_routes.py"}, "region": {"startLine": 765}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: DELETE /api/presets/templates/{template_id}."}, "properties": {"repobilityId": 87506, "scanner": "repobility-access-control", "fingerprint": "4162237813de7b6fb9e4f4019db78a8d9109fa42d90d47741f09cf26c9390942", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/presets/templates/{template_id}", "method": "DELETE", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|routes/preset_routes.py|64|auc003", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/preset_routes.py"}, "region": {"startLine": 64}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /api/gallery/{image_id}/ai-tag."}, "properties": {"repobilityId": 87505, "scanner": "repobility-access-control", "fingerprint": "3df38fdd642c0afa912a6481d06fe12325375a480b09084407510da27cba6ca5", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/gallery/{image_id}/ai-tag", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|routes/gallery_routes.py|1700|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/gallery_routes.py"}, "region": {"startLine": 1700}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /api/gallery/{image_id}/rotate."}, "properties": {"repobilityId": 87504, "scanner": "repobility-access-control", "fingerprint": "3c2bfe2bc6936c6019a8929f3a9d671eb45d1df1dafb7993ce0623c0f878d85f", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/gallery/{image_id}/rotate", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|routes/gallery_routes.py|189|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/gallery_routes.py"}, "region": {"startLine": 189}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /api/gallery/{image_id}/rename."}, "properties": {"repobilityId": 87503, "scanner": "repobility-access-control", "fingerprint": "ce1b15186277c8d4f9b54ffad750717069d2a050232569422afc7559cc96e95c", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/gallery/{image_id}/rename", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|routes/gallery_routes.py|163|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/gallery_routes.py"}, "region": {"startLine": 163}}}]}, {"ruleId": "AGT002", "level": "error", "message": {"text": "LLM memory extraction can be prompt-injected into storing fake facts"}, "properties": {"repobilityId": 87472, "scanner": "repobility-agent-runtime", "fingerprint": "bd465f287779f72f897a90314149370e9664844e42e8708fad5b0d66c0d85099", "category": "llm_injection", "severity": "high", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File appears to persist LLM-extracted memory from user/assistant exchanges without visible schema validation or prompt-pattern rejection.", "evidence": {"rule_id": "AGT002", "scanner": "repobility-agent-runtime", "data_flow": "chat_exchange_to_persistent_memory", "references": ["https://owasp.org/www-project-top-10-for-large-language-model-applications/"], "correlation_key": "fp|bd465f287779f72f897a90314149370e9664844e42e8708fad5b0d66c0d85099"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/research_handler.py"}, "region": {"startLine": 94}}}]}, {"ruleId": "AGT003", "level": "error", "message": {"text": "User-editable role instructions are inserted into the system prompt"}, "properties": {"repobilityId": 87470, "scanner": "repobility-agent-runtime", "fingerprint": "1da78b88d7780f62b65a66bcdd571d7154af02e683a8365a2bde5e83e63a8a4c", "category": "llm_injection", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File appears to combine a user-editable role/fleet instruction with system prompt construction without visible bounds or sanitizer.", "evidence": {"rule_id": "AGT003", "scanner": "repobility-agent-runtime", "data_flow": "user_editable_role_to_system_prompt", "references": ["https://owasp.org/www-project-top-10-for-large-language-model-applications/"], "correlation_key": "fp|1da78b88d7780f62b65a66bcdd571d7154af02e683a8365a2bde5e83e63a8a4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/agent_loop.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 87458, "scanner": "repobility-threat-engine", "fingerprint": "d2f117c4b7f4e67d5098a49abbdda9353eda8a4cd3507e00a9d1d415c6582f13", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(CACHE_NAME).then(cache => cache.put(e.request", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|static/sw.js|122|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/sw.js"}, "region": {"startLine": 122}}}]}, {"ruleId": "SEC027", "level": "error", "message": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "properties": {"repobilityId": 87457, "scanner": "repobility-threat-engine", "fingerprint": "8174756bd8abf0495cac868d8667f74a84f2469ea2d6f3af7d35bb851c7209f0", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new DOMParser()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC027", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8174756bd8abf0495cac868d8667f74a84f2469ea2d6f3af7d35bb851c7209f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/emailLibrary/utils.js"}, "region": {"startLine": 159}}}]}, {"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 87455, "scanner": "repobility-threat-engine", "fingerprint": "42c2a9f5ec75373f5ecde96f4d6eec68b48692501050837e0c7a6bf0673c2736", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|42c2a9f5ec75373f5ecde96f4d6eec68b48692501050837e0c7a6bf0673c2736"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/editor/clipboard-and-drop.js"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 87454, "scanner": "repobility-threat-engine", "fingerprint": "28d54a2655955a7a73800705360901756ea104df056bde3963456c8dd7206c44", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|28d54a2655955a7a73800705360901756ea104df056bde3963456c8dd7206c44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/editor/ai-tools-misc.js"}, "region": {"startLine": 135}}}]}, {"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 87453, "scanner": "repobility-threat-engine", "fingerprint": "5663d3bdd6e137ae80b9ad22a7cbba91b8fc8a02649018f863dae7a253db0cd9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5663d3bdd6e137ae80b9ad22a7cbba91b8fc8a02649018f863dae7a253db0cd9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/editor/ai-tool-runner.js"}, "region": {"startLine": 100}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 87449, "scanner": "repobility-threat-engine", "fingerprint": "9177732e1a6508367f26fcf7078e1a769908b2f68433a2790f0605dd605a124b", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".innerHTML = `\n    <div class=\"rs-stage\">\n      <svg viewBox=\"0 0 ${W} ${H}\" preserveAspectRatio=\"xM", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9177732e1a6508367f26fcf7078e1a769908b2f68433a2790f0605dd605a124b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/researchSynapse.js"}, "region": {"startLine": 29}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 87448, "scanner": "repobility-threat-engine", "fingerprint": "93803c29ed03cd3297a6315b0faca373ed8c2f9c2e95c8f59ffb8835197d8071", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".innerHTML = `${state.maskVisible ? EYE_OPEN_SM : EYE_OFF_SM}<span id=\"ge-mask-vis-label\">${state.ma", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|93803c29ed03cd3297a6315b0faca373ed8c2f9c2e95c8f59ffb8835197d8071"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/editor/wire-inpaint-controls.js"}, "region": {"startLine": 104}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 87447, "scanner": "repobility-threat-engine", "fingerprint": "d113a47728471dded38d634f11884eb5d29ad1f1739cdf2c7151681b18437655", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".innerHTML = rows.map(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d113a47728471dded38d634f11884eb5d29ad1f1739cdf2c7151681b18437655"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/editor/history-panel.js"}, "region": {"startLine": 157}}}]}, {"ruleId": "SEC006", "level": "error", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 87442, "scanner": "repobility-threat-engine", "fingerprint": "c560e953bab1b4fa649c8809c4e560608721a57f06a526347b160bb6c8ade1a6", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".innerHTML = `", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|133|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/slashAutocomplete.js"}, "region": {"startLine": 133}}}]}, {"ruleId": "SEC006", "level": "error", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 87441, "scanner": "repobility-threat-engine", "fingerprint": "b5085f4d33dce2f50579924e3c4f7bcd17bceec2d4d9ac0fe40fd74f3a9f8910", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".innerHTML = q", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|static/js/search-chat.js|71|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/search-chat.js"}, "region": {"startLine": 71}}}]}, {"ruleId": "SEC113", "level": "error", "message": {"text": "[SEC113] SSH host-key verification disabled (MITM): Accepting any SSH host key on first connect lets an active MITM impersonate the server. Common in `paramiko.AutoAddPolicy()`."}, "properties": {"repobilityId": 87432, "scanner": "repobility-threat-engine", "fingerprint": "cf190c084ba106d5969692f0e706ef1583a4bc33072ee8be483ffa0005686fed", "category": "crypto", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "StrictHostKeyChecking=no", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC113", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|102|sec113"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cookbook_serve_lifecycle.py"}, "region": {"startLine": 102}}}]}, {"ruleId": "SEC004", "level": "error", "message": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "properties": {"repobilityId": 87429, "scanner": "repobility-threat-engine", "fingerprint": "f07fa5966d50a12d9c6dcff6eb6f0e38c41d4cfaa05d9d939e025d05f15e919d", "category": "injection", "severity": "high", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "SQL string interpolation found, but user-controlled taint was not proven from local context.", "evidence": {"match": "insert_sql = f\"INSERT", "reason": "SQL string interpolation found, but user-controlled taint was not proven from local context.", "rule_id": "SEC004", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|scripts/update_database.py|63|sec004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/update_database.py"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED006", "level": "error", "message": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "properties": {"repobilityId": 87425, "scanner": "repobility-threat-engine", "fingerprint": "65acb22fdec68f9f0f710851b8c580ddb32e27a0a469506cb85b115a361e8928", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "overcatch-baseexception", "owasp": null, "cwe_ids": ["CWE-705"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347911+00:00", "triaged_in_corpus": 15, "observations_count": 230624, "ai_coder_pattern_id": 8}, "scanner": "repobility-threat-engine", "correlation_key": "fp|65acb22fdec68f9f0f710851b8c580ddb32e27a0a469506cb85b115a361e8928"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/builtin_mcp.py"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED006", "level": "error", "message": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "properties": {"repobilityId": 87424, "scanner": "repobility-threat-engine", "fingerprint": "899d062cd90a9362351b9ab27e1ec9fd48692470bd57ff6a2dbf35d965b3c7d4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "overcatch-baseexception", "owasp": null, "cwe_ids": ["CWE-705"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347911+00:00", "triaged_in_corpus": 15, "observations_count": 230624, "ai_coder_pattern_id": 8}, "scanner": "repobility-threat-engine", "correlation_key": "fp|899d062cd90a9362351b9ab27e1ec9fd48692470bd57ff6a2dbf35d965b3c7d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/_lib/cli.py"}, "region": {"startLine": 115}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "properties": {"repobilityId": 87420, "scanner": "repobility-threat-engine", "fingerprint": "c7d3625ff3d8e76d9b2e5e1a12dd9a44d8dd3ab4332fa43967c99b3f58b23042", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(r\"--port\\s+(\\d+)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|47|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cookbook_serve_lifecycle.py"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "properties": {"repobilityId": 87419, "scanner": "repobility-threat-engine", "fingerprint": "fc85d56f388f60c2ba29832000640f52d4feb77d39ac1f01f015c3a7434d1bf6", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(r\"\\bsite:([^\\s]+)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|services/search/query.py|62|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/search/query.py"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "properties": {"repobilityId": 87418, "scanner": "repobility-threat-engine", "fingerprint": "47c1de228c2729123e2d0456b34406d250a156f6521699a744398d81ed22ae59", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(r'<h[1-3][^>]*>([^<]+)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|routes/document_helpers.py|221|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/document_helpers.py"}, "region": {"startLine": 221}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 87394, "scanner": "repobility-threat-engine", "fingerprint": "cff8cb78c7f5bd261457df88d2974af059f81223bbb0b0008c69b23907504fa4", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "urllib.request.urlopen(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cff8cb78c7f5bd261457df88d2974af059f81223bbb0b0008c69b23907504fa4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/codex/scripts/odysseus_api.py"}, "region": {"startLine": 173}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 87393, "scanner": "repobility-threat-engine", "fingerprint": "58e06392673b60a7d8c6acac22845ec622f7992e10714257e597a127ddba0754", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "urllib.request.urlopen(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|58e06392673b60a7d8c6acac22845ec622f7992e10714257e597a127ddba0754"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/claude/skills/odysseus/scripts/odysseus_api.py"}, "region": {"startLine": 173}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 87392, "scanner": "repobility-threat-engine", "fingerprint": "71af38bffb45533923196d3322ce623f6d496c6a7e8e2a1533dacce2bf383e1a", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(e", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|71af38bffb45533923196d3322ce623f6d496c6a7e8e2a1533dacce2bf383e1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "companion/routes.py"}, "region": {"startLine": 134}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 87386, "scanner": "repobility-threat-engine", "fingerprint": "a01bb524b96c5419925af2ef3840cfcd289c90d0cbbef63bfc407b6d0c3b1e76", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a01bb524b96c5419925af2ef3840cfcd289c90d0cbbef63bfc407b6d0c3b1e76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/platform_compat.py"}, "region": {"startLine": 119}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 87385, "scanner": "repobility-threat-engine", "fingerprint": "4ccdd01930d365d3609c47bb957d86a364f51851cb23a8529d0fc24ae7f567e0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4ccdd01930d365d3609c47bb957d86a364f51851cb23a8529d0fc24ae7f567e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/middleware.py"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 87384, "scanner": "repobility-threat-engine", "fingerprint": "eeabad52e2bb74ffc8bc0b244ea6d979ffd4d387b3bfd34d09f9312823e23ec6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|eeabad52e2bb74ffc8bc0b244ea6d979ffd4d387b3bfd34d09f9312823e23ec6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "companion/pairing.py"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 87378, "scanner": "repobility-threat-engine", "fingerprint": "1d69ccdceacf3b6d9adc8448a2efc2a2d097ad9edd9db89d613feae88aecec28", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "memory_manager.save(existing)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1d69ccdceacf3b6d9adc8448a2efc2a2d097ad9edd9db89d613feae88aecec28"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/backup_routes.py"}, "region": {"startLine": 98}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 87377, "scanner": "repobility-threat-engine", "fingerprint": "c009f93e290eb147fcf9edc512bd8f3f4b21701b90c7b03bb7223db2f6f9b222", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_memory_manager.save(memories)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c009f93e290eb147fcf9edc512bd8f3f4b21701b90c7b03bb7223db2f6f9b222"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp_servers/memory_server.py"}, "region": {"startLine": 116}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 87376, "scanner": "repobility-threat-engine", "fingerprint": "237018b14edfd68ba21c9490b83cfa68aacf2e3e2bd47881ce0684609a1006c6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "img.save(buf, format=\"PNG\")", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|237018b14edfd68ba21c9490b83cfa68aacf2e3e2bd47881ce0684609a1006c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "companion/pairing.py"}, "region": {"startLine": 123}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 87371, "scanner": "repobility-threat-engine", "fingerprint": "bf64458b06cb62ade775ddf082394abf0ae4ffb0d250d73dbf12bd37e5e8a496", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(endpoint", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bf64458b06cb62ade775ddf082394abf0ae4ffb0d250d73dbf12bd37e5e8a496"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/js/editor/ai-tool-runner.js"}, "region": {"startLine": 71}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 87370, "scanner": "repobility-threat-engine", "fingerprint": "3cfca20d5367f28c86976a5faf676057be68a950e9df085b6c033a5af54c91b6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(body", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3cfca20d5367f28c86976a5faf676057be68a950e9df085b6c033a5af54c91b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/check-issue-description.js"}, "region": {"startLine": 104}}}]}, {"ruleId": "MINED123", "level": "error", "message": {"text": "[MINED123] Trojan Source bidi character (LRM) in source: Line 69 contains a Unicode bidirectional override character (U+200E LRM). This is the 'Trojan Source' attack (CVE-2021-42574): the character makes the compiler / interpreter see different code than the human reviewer."}, "properties": {"repobilityId": 87694, "scanner": "repobility-supply-chain", "fingerprint": "2cdb1053195f20673cbab1c3f20d785f25c805af21f0a291b4e979eea1066c6e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"mined": true, "mining": {"slug": "trojan-source-bidi", "owasp": null, "cwe_ids": ["CWE-1007"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "vuln||CVE-2021-42574|static/lib/xlsx.full.min.js", "duplicate_count": 1, "duplicate_rule_ids": ["MINED123"], "duplicate_scanners": ["repobility-supply-chain"], "duplicate_fingerprints": ["2cdb1053195f20673cbab1c3f20d785f25c805af21f0a291b4e979eea1066c6e", "55a5ff23b98a44d48f9fd63262af9f63b3099b1e20a7e176817c87c219bec863"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/lib/xlsx.full.min.js"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED123", "level": "error", "message": {"text": "[MINED123] Trojan Source bidi character (LRM) in source: Line 5 contains a Unicode bidirectional override character (U+200E LRM). This is the 'Trojan Source' attack (CVE-2021-42574): the character makes the compiler / interpreter see different code than the human reviewer."}, "properties": {"repobilityId": 87693, "scanner": "repobility-supply-chain", "fingerprint": "e7e21b9e1f60814b69d0283e756df420eb594c78bf39ee8beef33c4c3fb76765", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "trojan-source-bidi", "owasp": null, "cwe_ids": ["CWE-1007"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "vuln||CVE-2021-42574|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/lib/mammoth.browser.min.js"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `html` used but not imported: The file uses `html.something(...)` but never imports `html`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 87637, "scanner": "repobility-ast-engine", "fingerprint": "e140bca6f99316cd89ee4ebaf2cb073419614d0a924262db65013eb2d365041b", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e140bca6f99316cd89ee4ebaf2cb073419614d0a924262db65013eb2d365041b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_markdown_rendering_js.py"}, "region": {"startLine": 104}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `html` used but not imported: The file uses `html.something(...)` but never imports `html`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 87629, "scanner": "repobility-ast-engine", "fingerprint": "5d38af63303eb670565b39b278189f4dc70a5927cc017db2750c7e3cd9dbc631", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5d38af63303eb670565b39b278189f4dc70a5927cc017db2750c7e3cd9dbc631"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_local_endpoint_api_key_js.py"}, "region": {"startLine": 107}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `warnings` used but not imported: The file uses `warnings.something(...)` but never imports `warnings`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 87619, "scanner": "repobility-ast-engine", "fingerprint": "fd85b1221aa8ccac32b1a9d817f1016c1f925e5115b869f814d1839b7a4fb1c3", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fd85b1221aa8ccac32b1a9d817f1016c1f925e5115b869f814d1839b7a4fb1c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/pr_blocker_audit.py"}, "region": {"startLine": 211}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `html` used but not imported: The file uses `html.something(...)` but never imports `html`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 87618, "scanner": "repobility-ast-engine", "fingerprint": "23055a430145e64d630ea2b6803dd18cce697fbace9d0a15f738b1b9de6e389b", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|23055a430145e64d630ea2b6803dd18cce697fbace9d0a15f738b1b9de6e389b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/document_helpers.py"}, "region": {"startLine": 223}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `email` used but not imported: The file uses `email.something(...)` but never imports `email`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 87609, "scanner": "repobility-ast-engine", "fingerprint": "7cb63bd44e6eac002dc9af35416a563f2dd66ed60e24834061d5b7871d62f610", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7cb63bd44e6eac002dc9af35416a563f2dd66ed60e24834061d5b7871d62f610"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/contacts_routes.py"}, "region": {"startLine": 529}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `email` used but not imported: The file uses `email.something(...)` but never imports `email`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 87604, "scanner": "repobility-ast-engine", "fingerprint": "58dbd7629a457e9288ed8846dfbe3063c32bc39638ada2cfaf30a92274d611d7", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|58dbd7629a457e9288ed8846dfbe3063c32bc39638ada2cfaf30a92274d611d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/tool_implementations.py"}, "region": {"startLine": 4243}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `copy` used but not imported: The file uses `copy.something(...)` but never imports `copy`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 87564, "scanner": "repobility-ast-engine", "fingerprint": "58ea962a4dafb5b66eed8ba164c357be2870f682f00bd30b5085f490a8dce7b4", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|58ea962a4dafb5b66eed8ba164c357be2870f682f00bd30b5085f490a8dce7b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/integrations.py"}, "region": {"startLine": 155}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `html` used but not imported: The file uses `html.something(...)` but never imports `html`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 87555, "scanner": "repobility-ast-engine", "fingerprint": "35641060977c4c94e491aee17bcb1cc4c28753273485ca4576584dd7c1793ba1", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|35641060977c4c94e491aee17bcb1cc4c28753273485ca4576584dd7c1793ba1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app.py"}, "region": {"startLine": 736}}}]}, {"ruleId": "MINED007", "level": "error", "message": {"text": "[MINED007] Sql String Concat: cursor.execute(f\"... {user_input} ...\") \u2014 SQL injection."}, "properties": {"repobilityId": 87431, "scanner": "repobility-threat-engine", "fingerprint": "dff38d2ce936efe3a7a032283f1639a7fb501f08bdd4a4d33361c03b4f327a2f", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "sql-string-concat", "owasp": "A03:2021", "cwe_ids": ["CWE-89"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347914+00:00", "triaged_in_corpus": 20, "observations_count": 210457, "ai_coder_pattern_id": 12}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dff38d2ce936efe3a7a032283f1639a7fb501f08bdd4a4d33361c03b4f327a2f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/update_database.py"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 87421, "scanner": "repobility-threat-engine", "fingerprint": "de943a2b7ec7d63790d9ab49f328ab10e1745a2740acdc46b9a22adcf0c4ac88", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|de943a2b7ec7d63790d9ab49f328ab10e1745a2740acdc46b9a22adcf0c4ac88"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/preset_routes.py"}, "region": {"startLine": 55}}}]}]}]}