{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact and Expires (both mandatory under RFC 9116; keep Expires no more than a year out and renew it before it lapses) plus Canonical, Preferred-Languages, and Policy fields. Serve it over HTTPS, and keep the contact endpoint monitored so vulnerability reports are actually read."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "Add a Content-Security-Policy header through the web framework or hosting config. For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, and img-src, placed before any script or style element so it governs them. Note that frame-ancestors (like report-uri and sandbox) is ignored when delivered in a meta tag, so clickjacking protection still requires the HTTP header (or X-Frame-Options)."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AGT016", "name": "Codex session log reader may expose prompts or tool-call content", "shortDescription": {"text": "Codex session log reader may expose prompts or tool-call content"}, "fullDescription": {"text": "Parse only usage metadata by default. Redact prompts, tool arguments, file paths, and message content before storage, telemetry, export, screenshots, or support bundles."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.73, "cwe": "", "owasp": ""}}, {"id": "AGT014", "name": "Codex auth.json is read or copied without visible secret-file hardening", "shortDescription": {"text": "Codex auth.json is read or copied without visible secret-file hardening"}, "fullDescription": {"text": "Use the platform credential store where possible. 
If auth files must be touched, enforce 0600 permissions, avoid backups in the repo/workspace, redact logs, and document rotation if the file is exposed."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "CFG006", "name": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.", "shortDescription": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "fullDescription": {"text": "Add a .gitignore appropriate for your language/framework."}, "properties": {"scanner": "repobility-threat-engine", "category": "practices", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace.\nNote: this rule also fires on the bare token `.exec(` in JavaScript/TypeScript, where it is usually RegExp.prototype.exec or child_process.exec rather than a code evaluator \u2014 confirm which before applying the Python guidance above; for child_process.exec on non-literal input follow SEC085 (execFile/spawn with an args array)."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB005", "name": "robots.txt does not advertise a sitemap", "shortDescription": {"text": "robots.txt does not advertise a sitemap"}, "fullDescription": {"text": "Add `Sitemap: https://your-domain.example/sitemap.xml` to robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, 
"fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 3 more): Same pattern found in 3 additional fil", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 3 more): Same pattern found in 3 additional files. 
Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too.\nDOMPurify output is still live HTML: keep the library current and pair it with a Content-Security-Policy so a sanitizer bypass does not turn directly into script execution."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Replace `any` with a concrete type, `unknown` plus a narrowing check, or a generic. `any` switches the compiler off at that point (CWE-704, incorrect type conversion or cast), so a value typed as `any` that crosses a trust boundary must be validated at runtime instead."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v2.2.0`: `uses: oven-sh/setup-bun@v2.2.0` resolves at work", "shortDescription": {"text": "[MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v2.2.0`: `uses: oven-sh/setup-bun@v2.2.0` resolves at workflow-run time. 
Tags and branches can be re-pushed by the action owner (or by whoever compromises their account); that is what let the tj-actions/changed-files compromise (March 2025) reach every workflow that referenced the action by tag."}, "fullDescription": {"text": "Replace with: `uses: oven-sh/setup-bun@<40-char-sha>  # v2.2.0` and let Dependabot bump it on a scheduled cadence. Take the SHA from the action's release page or `git ls-remote` and confirm it is the commit the v2.2.0 tag pointed to at release time \u2014 a SHA copied from an already-moved tag pins the compromised commit."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED122", "name": "[MINED122] package.json dep `smithers-orchestrator` pulled from URL/Git: `dependencies.smithers-orchestrator` = `file:..", "shortDescription": {"text": "[MINED122] package.json dep `smithers-orchestrator` pulled from URL/Git: `dependencies.smithers-orchestrator` = `file:../../packages/smithers` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the specifier is a remote URL or Git ref, its content can change without any diff in this repository. Here the value is a relative `file:` path that appears to point at a package checked into the same monorepo; that is a local workspace link resolved from the working tree rather than a remote fetch, so the registry-bypass concern only applies if the package is consumed from outside the repository."}, "fullDescription": {"text": "Publish the dependency to npm (or your private registry) and reference it by `^x.y.z`. If that's not possible, lock by commit SHA: `git+https://...#<full-sha>` AND verify the SHA in CI. For an in-repo `file:` or workspace dependency neither step is needed: rely on the repository's own branch-protection and review controls, and check that the relative path cannot resolve outside the repository root."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. 
Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints) from the server's own network position."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16, plus loopback (127/8, ::1), 0.0.0.0, IPv6 link-local fe80::/10, unique-local fc00::/7, and IPv4-mapped IPv6 forms.\nA hostname check alone is not sufficient: DNS rebinding, open redirects on an allowed host, and alternate IP encodings (decimal, octal, shortened) all defeat it. Resolve the name yourself, check the resulting address, connect to that address, disable redirect-following (or re-validate every hop), and restrict the scheme to http/https."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings, and never set `shell: true`, which reintroduces the shell parsing these APIs avoid. Validate argument values as well: a user-supplied value beginning with `-` can still be parsed as an option by the child program, so use `--` or an allowlist where the program supports it."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. 
If you intentionally want fire-and-forget, make the intent explicit so it survives lint: in TS prefix the call with `void` and still attach a `.catch` (or an unhandledRejection handler) so a rejection is not silently dropped; in Python wrap it in `asyncio.create_task()` and keep a strong reference to the returned task (e.g. add it to a module-level set and discard it in a done-callback) \u2014 assigning it to `_` or dropping the reference lets the event loop garbage-collect the task mid-run and its exception is never observed."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1399"}, "properties": {"repository": "smithersai/smithers", "repoUrl": "https://github.com/smithersai/smithers", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 143596, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 143595, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", 
"references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "AGT016", "level": "warning", "message": {"text": "Codex session log reader may expose prompts or tool-call content"}, "properties": {"repobilityId": 143592, "scanner": "repobility-agent-runtime", "fingerprint": "584b19d65eec0505a2f78322b71970c0cffc81c681e3272117d2f879e3b078f7", "category": "quality", "severity": "medium", "confidence": 0.73, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File reads Codex session JSONL or usage logs and references prompt/message/tool content without visible redaction controls.", "evidence": {"rule_id": "AGT016", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|584b19d65eec0505a2f78322b71970c0cffc81c681e3272117d2f879e3b078f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/cli/src/index.js"}, "region": {"startLine": 503}}}]}, {"ruleId": "AGT014", "level": "warning", "message": {"text": "Codex auth.json is read or copied without visible secret-file hardening"}, "properties": {"repobilityId": 143591, "scanner": "repobility-agent-runtime", "fingerprint": "8b78087ee0b5ae3fbd02cc2d8d1673e42e3e2b7470929f18b218717a6540631e", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File references Codex auth.json or CODEX_HOME with read/copy/write behavior and no visible permission or secure-storage guard.", "evidence": {"rule_id": "AGT014", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|8b78087ee0b5ae3fbd02cc2d8d1673e42e3e2b7470929f18b218717a6540631e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"apps/cli/src/agent-detection.js"}, "region": {"startLine": 26}}}]}, {"ruleId": "CFG006", "level": "warning", "message": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "properties": {"repobilityId": 143560, "scanner": "repobility-threat-engine", "fingerprint": "c65fc71ce58c37a0e07837c0fe294108b731c43ef16027a2f0971c757bbe9a16", "category": "practices", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "No .gitignore file found in repository root", "evidence": {"reason": "No .gitignore file found in repository root", "rule_id": "CFG006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "repo|practices|cfg006"}}}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 143555, "scanner": "repobility-threat-engine", "fingerprint": "57b4f32465d601a63ae0c88e4d72065a8652992f555cf3ec6a1a9e5d7bc7483f", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|. 
token|63|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".smithers/workflows/sync-features.tsx"}, "region": {"startLine": 63}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 143554, "scanner": "repobility-threat-engine", "fingerprint": "9b63f57c5958af3aec9826729b63a61334045662941d6946e7bff2045e563c4c", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|. 
token|137|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".smithers/workflows/sweep.tsx"}, "region": {"startLine": 137}}}]}, {"ruleId": "WEB005", "level": "note", "message": {"text": "robots.txt does not advertise a sitemap"}, "properties": {"repobilityId": 143597, "scanner": "repobility-web-presence", "fingerprint": "06a4de43d2ad88f4beb7ceb5a61272f5f10f5891338a0f2173b54d8eb362e5bc", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Discovered robots file or route lacks a Sitemap directive.", "evidence": {"rule_id": "WEB005", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://www.sitemaps.org/protocol.html"], "correlation_key": "fp|06a4de43d2ad88f4beb7ceb5a61272f5f10f5891338a0f2173b54d8eb362e5bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/usage/README.md"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 143594, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 143593, "scanner": "repobility-web-presence", 
"fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143590, "scanner": "repobility-ai-code-hygiene", "fingerprint": "697a8086b63b7d455576bad9127144ae445516d3be6a0fde157308bee93f8160", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".smithers/ui/ralph.tsx", "duplicate_line": 10, "correlation_key": "fp|697a8086b63b7d455576bad9127144ae445516d3be6a0fde157308bee93f8160"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".smithers/ui/tickets-create.tsx"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143589, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9ad589ed1dc03fae21e97e681aa358a1d00032fab1b2bc0beed3c444a565203e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, 
"reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".smithers/ui/audit.tsx", "duplicate_line": 212, "correlation_key": "fp|9ad589ed1dc03fae21e97e681aa358a1d00032fab1b2bc0beed3c444a565203e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".smithers/ui/ticket-create.tsx"}, "region": {"startLine": 146}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143588, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1117941ca7bbb0afed0114846c96b3cf4d864568cd3caad7fcde1545adbe52df", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".smithers/ui/ralph.tsx", "duplicate_line": 11, "correlation_key": "fp|1117941ca7bbb0afed0114846c96b3cf4d864568cd3caad7fcde1545adbe52df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".smithers/ui/ticket-create.tsx"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143587, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e463acd7535c70ef3c473936677d84b733511c765a17a8b72683451b4b6a8157", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", 
"references": ["https://jscpd.dev/"], "duplicate_file": ".smithers/ui/open-code-review.tsx", "duplicate_line": 313, "correlation_key": "fp|e463acd7535c70ef3c473936677d84b733511c765a17a8b72683451b4b6a8157"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".smithers/ui/ship-pipeline.tsx"}, "region": {"startLine": 463}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143586, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fb4e43d7c770d9afee2b92a30dd7eb0aa7cca6db80ae807c0afc5516db3ead68", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".smithers/ui/audit.tsx", "duplicate_line": 212, "correlation_key": "fp|fb4e43d7c770d9afee2b92a30dd7eb0aa7cca6db80ae807c0afc5516db3ead68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".smithers/ui/ship-pipeline.tsx"}, "region": {"startLine": 459}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143585, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4ab44389554e15d9b4e10f1a276a2c7734618a82090414e79a59aeb24cb83506", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".smithers/ui/research-plan-implement.tsx", "duplicate_line": 35, "correlation_key": 
"fp|4ab44389554e15d9b4e10f1a276a2c7734618a82090414e79a59aeb24cb83506"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".smithers/ui/ship-pipeline.tsx"}, "region": {"startLine": 53}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143584, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b0678cfe303931a20b2dd1d2bed055062fa6c3c18ff0d14b7cd154c73ed0a404", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".smithers/ui/mission.tsx", "duplicate_line": 26, "correlation_key": "fp|b0678cfe303931a20b2dd1d2bed055062fa6c3c18ff0d14b7cd154c73ed0a404"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".smithers/ui/ship-pipeline.tsx"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143583, "scanner": "repobility-ai-code-hygiene", "fingerprint": "80da9c143a95aa17790de9604cfc2be9c2ba78b1fdd9e179d633f7f029f73100", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".smithers/ui/open-code-review.tsx", "duplicate_line": 313, "correlation_key": "fp|80da9c143a95aa17790de9604cfc2be9c2ba78b1fdd9e179d633f7f029f73100"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".smithers/ui/review.tsx"}, 
"region": {"startLine": 186}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143582, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fb82273ac4e3d71d952d74cf6dc7cf37a577414b33ec23e1b7de266dd6ca58d8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".smithers/ui/audit.tsx", "duplicate_line": 212, "correlation_key": "fp|fb82273ac4e3d71d952d74cf6dc7cf37a577414b33ec23e1b7de266dd6ca58d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".smithers/ui/review.tsx"}, "region": {"startLine": 182}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143581, "scanner": "repobility-ai-code-hygiene", "fingerprint": "afa6fcce265e59a3e54b0963cf45229cf021851afa11cb9ee4948e8251546731", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".smithers/ui/grill-me.tsx", "duplicate_line": 175, "correlation_key": "fp|afa6fcce265e59a3e54b0963cf45229cf021851afa11cb9ee4948e8251546731"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".smithers/ui/review.tsx"}, "region": {"startLine": 176}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143580, 
"scanner": "repobility-ai-code-hygiene", "fingerprint": "ea016225d525a5433c70552a39a163e8dc4d66a6c779750b1d9f6de483db7ec1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".smithers/ui/implement.tsx", "duplicate_line": 98, "correlation_key": "fp|ea016225d525a5433c70552a39a163e8dc4d66a6c779750b1d9f6de483db7ec1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".smithers/ui/review.tsx"}, "region": {"startLine": 66}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143579, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4646a9b1d462c4c527caa76a469ed1f62a7a83ab40e973329eef0f315a60ceac", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".smithers/ui/ralph.tsx", "duplicate_line": 11, "correlation_key": "fp|4646a9b1d462c4c527caa76a469ed1f62a7a83ab40e973329eef0f315a60ceac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".smithers/ui/review.tsx"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143578, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fd8dfdc6d231d2fa6606c57d6347d9c499bf71bddea6ecfee2a3efb42738dde2", "category": "quality", "severity": "low", "confidence": 0.86, 
"triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".smithers/ui/research-plan-implement.tsx", "duplicate_line": 249, "correlation_key": "fp|fd8dfdc6d231d2fa6606c57d6347d9c499bf71bddea6ecfee2a3efb42738dde2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".smithers/ui/research.tsx"}, "region": {"startLine": 195}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143577, "scanner": "repobility-ai-code-hygiene", "fingerprint": "506d99a385863a1e1a0a094a56a0d960c061f3db61726c19c716fbb7b3feb6f5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".smithers/ui/audit.tsx", "duplicate_line": 212, "correlation_key": "fp|506d99a385863a1e1a0a094a56a0d960c061f3db61726c19c716fbb7b3feb6f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".smithers/ui/research.tsx"}, "region": {"startLine": 191}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143576, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ceb5487d3ab4d0c20f927a6a08660eb3dc79a9f35188acf55180f166f3e5eb9c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": 
{"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".smithers/ui/grill-me.tsx", "duplicate_line": 175, "correlation_key": "fp|ceb5487d3ab4d0c20f927a6a08660eb3dc79a9f35188acf55180f166f3e5eb9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".smithers/ui/research.tsx"}, "region": {"startLine": 185}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143575, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cb83d738c6c6c1f2c462641b485ad1dd6b0dc23511dd924dca170bc70acf74c8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".smithers/ui/improve-test-coverage.tsx", "duplicate_line": 384, "correlation_key": "fp|cb83d738c6c6c1f2c462641b485ad1dd6b0dc23511dd924dca170bc70acf74c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".smithers/ui/research-plan-implement.tsx"}, "region": {"startLine": 537}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143574, "scanner": "repobility-ai-code-hygiene", "fingerprint": "40eef7ceb4591b97e670bf91f9a664e9ab07dcdaf2ddebaea83757ab9fe96286", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
".smithers/ui/audit.tsx", "duplicate_line": 212, "correlation_key": "fp|40eef7ceb4591b97e670bf91f9a664e9ab07dcdaf2ddebaea83757ab9fe96286"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".smithers/ui/research-plan-implement.tsx"}, "region": {"startLine": 245}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143573, "scanner": "repobility-ai-code-hygiene", "fingerprint": "22242c601645f4c32c86f6a431bb1fd7215f209e1ce10050dc1a2c8d0858477f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".smithers/ui/grill-me.tsx", "duplicate_line": 180, "correlation_key": "fp|22242c601645f4c32c86f6a431bb1fd7215f209e1ce10050dc1a2c8d0858477f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".smithers/ui/research-plan-implement.tsx"}, "region": {"startLine": 244}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143572, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ad0f8032dfbc35f84ff548a2cc3da3a39eeca9c96e7c414c90856450a0e6803b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".smithers/ui/audit.tsx", "duplicate_line": 212, "correlation_key": "fp|ad0f8032dfbc35f84ff548a2cc3da3a39eeca9c96e7c414c90856450a0e6803b"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": ".smithers/ui/ralph.tsx"}, "region": {"startLine": 138}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143571, "scanner": "repobility-ai-code-hygiene", "fingerprint": "84745a4d8fb4386d6516dda060ffcdd4a8f9e4da645a467e39f4ebdb2fcd8094", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".smithers/ui/grill-me.tsx", "duplicate_line": 175, "correlation_key": "fp|84745a4d8fb4386d6516dda060ffcdd4a8f9e4da645a467e39f4ebdb2fcd8094"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".smithers/ui/ralph.tsx"}, "region": {"startLine": 132}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143570, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7c5bbc8547c10dd2f5e9470bcb5d85eef886add72e1d91049e43c3b27a50335c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".smithers/ui/audit.tsx", "duplicate_line": 212, "correlation_key": "fp|7c5bbc8547c10dd2f5e9470bcb5d85eef886add72e1d91049e43c3b27a50335c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".smithers/ui/open-code-review.tsx"}, "region": {"startLine": 309}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": 
"Duplicated implementation block across source files"}, "properties": {"repobilityId": 143569, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c229613ffafea6e7c92b6c83322794027d86436d8fea9ddefd7f5610f6a56112", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".smithers/ui/grill-me.tsx", "duplicate_line": 180, "correlation_key": "fp|c229613ffafea6e7c92b6c83322794027d86436d8fea9ddefd7f5610f6a56112"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".smithers/ui/open-code-review.tsx"}, "region": {"startLine": 308}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143568, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5f5b73fc2884643163dd10acbc767d870458702780d6e2d3b43b11be23d2bef6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".smithers/ui/implement.tsx", "duplicate_line": 16, "correlation_key": "fp|5f5b73fc2884643163dd10acbc767d870458702780d6e2d3b43b11be23d2bef6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".smithers/ui/open-code-review.tsx"}, "region": {"startLine": 64}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143567, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"31eb0da2b7965ba5790486803b53d11fafdf4b9fa32a5d5e415d75f18c666753", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".smithers/ui/audit.tsx", "duplicate_line": 212, "correlation_key": "fp|31eb0da2b7965ba5790486803b53d11fafdf4b9fa32a5d5e415d75f18c666753"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".smithers/ui/mission.tsx"}, "region": {"startLine": 417}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143566, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2a2bb3e80b2317158eb68a288e54fc2738916a8090448c61e3365d3f07328fc4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".smithers/ui/audit.tsx", "duplicate_line": 212, "correlation_key": "fp|2a2bb3e80b2317158eb68a288e54fc2738916a8090448c61e3365d3f07328fc4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".smithers/ui/improve-test-coverage.tsx"}, "region": {"startLine": 201}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143565, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5e25438800ed8fb9a82676e24c3fe1f864db74be34293ab87965a5c940b6f323", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": 
"confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".smithers/ui/grill-me.tsx", "duplicate_line": 174, "correlation_key": "fp|5e25438800ed8fb9a82676e24c3fe1f864db74be34293ab87965a5c940b6f323"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".smithers/ui/improve-test-coverage.tsx"}, "region": {"startLine": 194}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143564, "scanner": "repobility-ai-code-hygiene", "fingerprint": "068e7d32497d0b5e4cdd1fc1e918a979124b7369ba8671d57ac8cc93af29562c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".smithers/ui/implement.tsx", "duplicate_line": 11, "correlation_key": "fp|068e7d32497d0b5e4cdd1fc1e918a979124b7369ba8671d57ac8cc93af29562c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".smithers/ui/improve-test-coverage.tsx"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143563, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d006a9ff7954a1133d3b10048ff58a2ae8fba83b56b4bb8068a597a275a2fc43", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": 
"AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".smithers/ui/audit.tsx", "duplicate_line": 212, "correlation_key": "fp|d006a9ff7954a1133d3b10048ff58a2ae8fba83b56b4bb8068a597a275a2fc43"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".smithers/ui/implement.tsx"}, "region": {"startLine": 267}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143562, "scanner": "repobility-ai-code-hygiene", "fingerprint": "436d69313881a4e08a862c02f57d55326b40f50bb0b099c0ce127181c2b6eac7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".smithers/ui/grill-me.tsx", "duplicate_line": 174, "correlation_key": "fp|436d69313881a4e08a862c02f57d55326b40f50bb0b099c0ce127181c2b6eac7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".smithers/ui/implement.tsx"}, "region": {"startLine": 260}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143561, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6a87307237df50e56205f55d00ec1821d21014fc1a5b427e521336eabdce89f5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".smithers/ui/audit.tsx", "duplicate_line": 212, "correlation_key": 
"fp|6a87307237df50e56205f55d00ec1821d21014fc1a5b427e521336eabdce89f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".smithers/ui/grill-me.tsx"}, "region": {"startLine": 181}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 143553, "scanner": "repobility-threat-engine", "fingerprint": "1077714c34164a236706b005ef1f7b379facbe87b3055848662bf6f16a18d4db", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1077714c34164a236706b005ef1f7b379facbe87b3055848662bf6f16a18d4db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".smithers/scripts/ultragrill.ts"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 143552, "scanner": "repobility-threat-engine", "fingerprint": "17fb3e457e0c5e5e213574f82ce320f00120fd4fbbbd52dac006c184226e6264", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|17fb3e457e0c5e5e213574f82ce320f00120fd4fbbbd52dac006c184226e6264"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".smithers/scripts/ask-user.ts"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 143551, "scanner": "repobility-threat-engine", "fingerprint": "5d7cf62ddce63288d2540d472c992759c2b4cd1211acc42d82bc8f8d5d7fb20a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5d7cf62ddce63288d2540d472c992759c2b4cd1211acc42d82bc8f8d5d7fb20a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".smithers/gateway.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 143550, "scanner": "repobility-threat-engine", "fingerprint": "3332538082e89c3de3d454a26410a2eb7c70537d9564669fad8152edc141829a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3332538082e89c3de3d454a26410a2eb7c70537d9564669fad8152edc141829a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".smithers/scripts/ultragrill.ts"}, 
"region": {"startLine": 45}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 143549, "scanner": "repobility-threat-engine", "fingerprint": "cba4a6471044365ce731a7b4a16153e8e1009934cdff3f41a60a260d8ec282c4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cba4a6471044365ce731a7b4a16153e8e1009934cdff3f41a60a260d8ec282c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".smithers/gateway.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 143547, "scanner": "repobility-threat-engine", "fingerprint": "5604b0415ef1c219adfd5f12877e5f4c0affdedeba09d684a49e22087970a270", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|5604b0415ef1c219adfd5f12877e5f4c0affdedeba09d684a49e22087970a270"}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 143543, "scanner": "repobility-threat-engine", "fingerprint": "dc495931fe10ccd594ead31c7c77f06bc2fd305548c052c38b6f9feadb646876", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|dc495931fe10ccd594ead31c7c77f06bc2fd305548c052c38b6f9feadb646876", "aggregated_count": 4}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 143542, "scanner": "repobility-threat-engine", "fingerprint": "c91471a1bc415b149f182a62ea8981bb7cc18932c77b947ebeb1f609eb4423d4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c91471a1bc415b149f182a62ea8981bb7cc18932c77b947ebeb1f609eb4423d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".smithers/components/VerifiableGoals.tsx"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 143541, "scanner": "repobility-threat-engine", "fingerprint": "300cedbca33f2135423de8cf1b299ebf38c61e71d6db6967c667ee377d6fedd2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|300cedbca33f2135423de8cf1b299ebf38c61e71d6db6967c667ee377d6fedd2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".smithers/components/ShipTickets.tsx"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 143540, "scanner": "repobility-threat-engine", "fingerprint": "6ac011b9ec00bed6ba9979e98c2c6d090df68742c11b2fdd649deaeba0de7d31", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6ac011b9ec00bed6ba9979e98c2c6d090df68742c11b2fdd649deaeba0de7d31"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".smithers/components/GrillMe.tsx"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v2.2.0`: `uses: oven-sh/setup-bun@v2.2.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 143614, "scanner": "repobility-supply-chain", "fingerprint": "19416c8ac0e84a9faa4a87726517957c162f6828f0958fc5fae2badc06c4b5ba", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|19416c8ac0e84a9faa4a87726517957c162f6828f0958fc5fae2badc06c4b5ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/faults.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6.4.0`: `uses: actions/setup-node@v6.4.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 143613, "scanner": "repobility-supply-chain", "fingerprint": "acc0d2f6309c80ebd4ad431e2e476d9a5a95b51a6ec191fb4280ed4566b3dde6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|acc0d2f6309c80ebd4ad431e2e476d9a5a95b51a6ec191fb4280ed4566b3dde6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/faults.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v6.0.8`: `uses: pnpm/action-setup@v6.0.8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 143612, "scanner": "repobility-supply-chain", "fingerprint": "45fa0013092b887956a2dc032e351290f5875b1c236a1fa4ded99b1708683d7b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|45fa0013092b887956a2dc032e351290f5875b1c236a1fa4ded99b1708683d7b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/faults.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6.0.2`: `uses: actions/checkout@v6.0.2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 143611, "scanner": "repobility-supply-chain", "fingerprint": "4dde7feba14fa3993d5acab74697b70132ba2f47a1890764c66f72bc6ab80857", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4dde7feba14fa3993d5acab74697b70132ba2f47a1890764c66f72bc6ab80857"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/faults.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v2.2.0`: `uses: oven-sh/setup-bun@v2.2.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 143610, "scanner": "repobility-supply-chain", "fingerprint": "e721c70c9e6c8dc4985f24a2c62af8b9706fd4dc315b9647ac4f78e6bc0775c8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e721c70c9e6c8dc4985f24a2c62af8b9706fd4dc315b9647ac4f78e6bc0775c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6.4.0`: `uses: actions/setup-node@v6.4.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 143609, "scanner": "repobility-supply-chain", "fingerprint": "817f3ba8a0dd55ee86f29a3baa363f23dcdad490e47b2c1788dd6f7974adf686", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|817f3ba8a0dd55ee86f29a3baa363f23dcdad490e47b2c1788dd6f7974adf686"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v6.0.8`: `uses: pnpm/action-setup@v6.0.8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 143608, "scanner": "repobility-supply-chain", "fingerprint": "2cce3b2d6b8dd8d5b4f3fc1586d74e8df75fb30589c91392e5f605dc64d2e260", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2cce3b2d6b8dd8d5b4f3fc1586d74e8df75fb30589c91392e5f605dc64d2e260"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6.0.2`: `uses: actions/checkout@v6.0.2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 143607, "scanner": "repobility-supply-chain", "fingerprint": "51256c438302ee17e03715edf35f6434ba61202919f6ba6a945ee5685ffca299", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|51256c438302ee17e03715edf35f6434ba61202919f6ba6a945ee5685ffca299"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6.4.0`: `uses: actions/setup-node@v6.4.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 143606, "scanner": "repobility-supply-chain", "fingerprint": "b5cb6fbaa3a2e6a85976246a1a5f40210bb4c79b4c8112671547e7dcddd99f8b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b5cb6fbaa3a2e6a85976246a1a5f40210bb4c79b4c8112671547e7dcddd99f8b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v6.0.8`: `uses: pnpm/action-setup@v6.0.8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 143605, "scanner": "repobility-supply-chain", "fingerprint": "23ef6d7c9543e745b26e2d2934186df29305d5a64814f7ebd5944f98800bb314", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|23ef6d7c9543e745b26e2d2934186df29305d5a64814f7ebd5944f98800bb314"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6.0.2`: `uses: actions/checkout@v6.0.2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 143604, "scanner": "repobility-supply-chain", "fingerprint": "2d829900124f943493cae9799f563db6b1fcc911104c5357bed23fb59a25360b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2d829900124f943493cae9799f563db6b1fcc911104c5357bed23fb59a25360b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v2.2.0`: `uses: oven-sh/setup-bun@v2.2.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 143603, "scanner": "repobility-supply-chain", "fingerprint": "1d11a3ce8ae8944f201357e43415000144fcce3710844751282f7a36b8d45a55", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1d11a3ce8ae8944f201357e43415000144fcce3710844751282f7a36b8d45a55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/faults-nightly.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6.4.0`: `uses: actions/setup-node@v6.4.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 143602, "scanner": "repobility-supply-chain", "fingerprint": "481aded42e6462853b1db50f21d3dc4c778ed4568de1d81e7500a43ef0bed429", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|481aded42e6462853b1db50f21d3dc4c778ed4568de1d81e7500a43ef0bed429"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/faults-nightly.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v6.0.8`: `uses: pnpm/action-setup@v6.0.8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 143601, "scanner": "repobility-supply-chain", "fingerprint": "496ea38abf759b0ba4341ead7b66c182ac9adc627f829d147b7ea8521d214cc6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|496ea38abf759b0ba4341ead7b66c182ac9adc627f829d147b7ea8521d214cc6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/faults-nightly.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6.0.2`: `uses: actions/checkout@v6.0.2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 143600, "scanner": "repobility-supply-chain", "fingerprint": "e9132cb3136c12559567edfc638c37ffe3eca7e2546041ea135a52dd2a22eff5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e9132cb3136c12559567edfc638c37ffe3eca7e2546041ea135a52dd2a22eff5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/faults-nightly.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `smithers-orchestrator` pulled from URL/Git: `dependencies.smithers-orchestrator` = `file:../../packages/smithers` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 143599, "scanner": "repobility-supply-chain", "fingerprint": "ddfe515ac021311adda381c1164aab5a546836c25d1bfed2e9d03bd02e9c1da7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ddfe515ac021311adda381c1164aab5a546836c25d1bfed2e9d03bd02e9c1da7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/dstack/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `smithers-orchestrator` pulled from URL/Git: `dependencies.smithers-orchestrator` = `file:../../packages/smithers` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 143598, "scanner": "repobility-supply-chain", "fingerprint": "01ed96d879a0c8547d5423f43a4fae6693b97e7fd1e69b247609468908be9447", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|01ed96d879a0c8547d5423f43a4fae6693b97e7fd1e69b247609468908be9447"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/kubernetes/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 143559, "scanner": "repobility-threat-engine", "fingerprint": "168ddf7f2ece3ee3c627bc7e429c13787a568915aa4f841f556640c7ab6bfec6", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(a", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|168ddf7f2ece3ee3c627bc7e429c13787a568915aa4f841f556640c7ab6bfec6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/cli/src/hijack-session.js"}, "region": {"startLine": 53}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 143558, "scanner": "repobility-threat-engine", "fingerprint": "348eb2e6c69582db3eedd0b1b5f89bfcb30e607df0996f15003ff129db41e3e0", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(f", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|348eb2e6c69582db3eedd0b1b5f89bfcb30e607df0996f15003ff129db41e3e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/cli/src/docs-command.js"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 143557, "scanner": "repobility-threat-engine", "fingerprint": "eb895fa2110c2ded772ae24cd017b66d9a57613ebfd527bbbe9b8d2af7e8e758", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(content", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|eb895fa2110c2ded772ae24cd017b66d9a57613ebfd527bbbe9b8d2af7e8e758"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".smithers/workflows/sync-features.tsx"}, "region": {"startLine": 63}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command 
injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 143556, "scanner": "repobility-threat-engine", "fingerprint": "97681318a808a2403c022b9087442ab8c0f2621ae803785b324de49365e229a2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(content", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|97681318a808a2403c022b9087442ab8c0f2621ae803785b324de49365e229a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".smithers/workflows/sweep.tsx"}, "region": {"startLine": 137}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 143548, "scanner": "repobility-threat-engine", "fingerprint": "fd6ec48c5286a9e54daac2a5c678bb98bb80a09de8e6580e3ccdc02a927aa1f5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.store.delete(key);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fd6ec48c5286a9e54daac2a5c678bb98bb80a09de8e6580e3ccdc02a927aa1f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".smithers/components/extract-prompt/MemoryPromptCache.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 143546, "scanner": "repobility-threat-engine", "fingerprint": "7b3b8b5426a28388b2d1e619c49bd7bb1f3048de5bfc122b177c2fc9d967a405", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((r) => `- ${r.ticketId}: branch \"${r.branch}\" \u2014 ${r.status} (${r.summary}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7b3b8b5426a28388b2d1e619c49bd7bb1f3048de5bfc122b177c2fc9d967a405"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".smithers/workflows/kanban.tsx"}, "region": {"startLine": 163}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 143545, "scanner": "repobility-threat-engine", "fingerprint": "cb35f6c7bdea552f89e4d9aaeab8bf076695cc96b37d9e613f9b110b4b7da8fe", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((c: string) => `- [ ] ${c}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cb35f6c7bdea552f89e4d9aaeab8bf076695cc96b37d9e613f9b110b4b7da8fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".smithers/components/VerifiableGoals.tsx"}, "region": {"startLine": 104}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 143544, "scanner": "repobility-threat-engine", "fingerprint": "01d45e15c89df930da34dbd75036172c20c2ee16e1f66a666aa66f785d5fc886", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((f: string) => `- ${f}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|01d45e15c89df930da34dbd75036172c20c2ee16e1f66a666aa66f785d5fc886"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".smithers/components/ShipTickets.tsx"}, "region": {"startLine": 139}}}]}]}]}